I have a normal domain user account called john1 in domain A.
Recently, our company merged with another company (domain B) and we set up a interforest trust between the 2x forest using selective authentication instead of forest-wide authentication.
At the same time, I was issued a domain user account john2 in domain B.
On a domain-joined machine in domain A, I logged on as john1 (my domain A account) and was able to run Get-ADUser
against domain A users successfully.
On a domain-joined machine in domain B, I logged on as john2 (my domain B account) and was able to run Get-ADUser
against domain B users successfully.
However, on a domain-joined machine in domain A, I opened up Powershell ISE (not Run as) and tried to run Get-ADUser
command against domain B users but failed. Here is what I tried:
get-aduser -Server domainB-DC.company.com -Identity alex.hall -Credential "domainB\john2"
get-aduser : Unable to contact the server. This may be because this server does not exist, it is currently down, or it does not have the Active Directory Web Services running.
At line:1 char:1
+ get-aduser -Server domainB-DC.company.com -Identity alex.hall -Credent ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (alex.hall:ADUser) [Get-ADUser], ADServerDownException
+ FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.GetADUser
The same error message happened when on a domain-joined machine in domain A, I ran Run-As Powershell ISE using "domainB\john2" and issued get-aduser -Server domainB-DC.company.com -Identity alex.hall
I confirm that domainB-DC.company.com is up and running and ADWS is running as well.
On the other hand, I was able to, on domain-joined machine in doman A, run ADUC (Active Directory Users and Computers) to view domain B Active Directory by means of command-prompt with the following command: C:\WINDOWS\system32\runas.exe /u:domainB\john2 /netonly "mmc %windir%\system32\dsa.msc /domain="domainB"
I asked the firewall guy to trace if there is any traffic from my domain-joined domain A machine to domainB-DC.company.com when running the Get-ADUser
cmdlet and surprisingly he said he saw no traffic.
Does anyone encounter such problems?
I believe that is the expected behavior. You created a forest trust with selective authentication, but did not state that you have assigned the "allowed to authenticate" permission to the resources you are attempting to access (the domain controllers in this case).
https://social.technet.microsoft.com/Forums/Lync/en-US/bb115fc6-b86e-4627-8d97-82250ae5d85c/forest-trust-selective-authentication-need-access-to-dns
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc772808(v=ws.10)
http://anexinetisg.blogspot.com/2014/09/forest-trust-issue-with-selective.html
This suggest that it might be DNS related. Are you able to to resolve "domainB-DC.company.com" and ping it? If not, I would verify that the forward lookup zone or conditional forwarders are working properly.