I have two Active Directory domains, A and B.
I have a Windows Server ws1 and a Windows Server ws2, both of which act as domain controllers of their respective domains (A and B).
I have a third Windows server ws3 on which a Powershell script must be run periodically to perform reading operations on domain controller ws1 of A, processing the data obtained from ws1 of A, to perform writing operations on ws2 of B.
NB: Domain A and domain B do not have any type of trust (not even one-way). They are two domains kept deliberately segregated. The ws3 machine has network visibility to these machines but it is not a member of either domain A or domain B.
Is there an easy way to do it?
Depends on what you want to read -- file system or directory data.
File system:
You can map a drive with "net use", process the data in the directory, then unmap the drive. You can supply a domain with the credentials -- e.g. net use x: \\ws1\share S0m3th1ng /user:DomainA\user
and, when done, net use x: /delete
to unmap. Then net use x: \\ws2\share S0m3th1ngE15e /user:DomainB\user
and net use x: /delete
... I'd use a securestring to stash the password for a real implementation.
Directory Data: Most of the PowerShell ActiveDirectory module commands accept -Server and -Credential as options. As an example:
Get-ADGroupMember <groupname> -server ws1.example.com -credential (get-credential)
Thank you very much for your answer. So theoretically I just need to know the IPs of both Domain Controllers to which I want to connect, and in each of them I need to have a user who has read permissions for the DC I want to read from and write permissions for the DC I want to write to, then I can use the Active Directory module. Correct?
Yup. I've had batch operation servers have to be out of the domain completely (I don't have to understand the security requirements, just have to follow them!) and used this approach to read/write against the Active Directory domain. I usually do a DNS lookup for the SRV records associated with a specific site instead of hard-coding domain controller hostnames (unless there are firewalls involved and I have to use a specific domain controller).
Perfect, that's just what I needed to know. I appreciate the advice on using SRV records (I will immediately check that the domain controllers have registered them correctly), so as not to use constants in the code. So I guess the last thing I have left to do is create two users, one in the DC I have to read from and one in the DC I have to write to, with the necessary permissions. Thanks
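Putting the answer and the follow-up comments together, here is an added example (not code from the original thread) of what such a script on ws3 could look like: it locates a domain controller for each domain from the _ldap._tcp SRV records instead of hard-coded hostnames, loads credentials that were stored as SecureString-backed PSCredential objects, reads from domain A and writes to domain B using the -Server and -Credential parameters of the ActiveDirectory module. The domain names a.example.com and b.example.com, the group name App-Users, the service account names and the credential file paths under C:\svc are all assumptions for illustration; the two domains still need no trust because every call carries an explicit server and credential.

```powershell
# Added example, not from the original thread. Assumptions: the RSAT ActiveDirectory
# module is installed on ws3; a.example.com / b.example.com, App-Users, svc-read,
# svc-write and C:\svc\*.xml are hypothetical names chosen for this illustration.
#Requires -Modules ActiveDirectory

function Get-DomainControllerFromSrv {
    param(
        [Parameter(Mandatory)][string]$DomainDnsName,
        [string]$SiteName
    )
    # Site-specific record set when a site is given, otherwise the domain-wide one.
    $name = if ($SiteName) {
        "_ldap._tcp.$SiteName._sites.dc._msdcs.$DomainDnsName"
    } else {
        "_ldap._tcp.dc._msdcs.$DomainDnsName"
    }
    # Lowest priority wins; among equal priorities prefer the highest weight.
    $srv = Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' } |
        Sort-Object Priority, @{ Expression = 'Weight'; Descending = $true } |
        Select-Object -First 1
    if (-not $srv) { throw "No SRV record found for $name" }
    return $srv.NameTarget
}

# Credentials were stored once, interactively, by the account that runs this script:
#   Get-Credential 'A\svc-read'  | Export-Clixml C:\svc\credA.xml
#   Get-Credential 'B\svc-write' | Export-Clixml C:\svc\credB.xml
# Export-Clixml protects the password with DPAPI, so the files can only be read back
# by the same user on the same machine, which suits a scheduled task on ws3.
$credA = Import-Clixml 'C:\svc\credA.xml'
$credB = Import-Clixml 'C:\svc\credB.xml'

$dcA = Get-DomainControllerFromSrv -DomainDnsName 'a.example.com'
$dcB = Get-DomainControllerFromSrv -DomainDnsName 'b.example.com'

# Read from domain A: user members of a group, fetched with the read-only account.
$membersA = Get-ADGroupMember -Identity 'App-Users' -Server $dcA -Credential $credA |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        Get-ADUser -Identity $_.distinguishedName -Server $dcA -Credential $credA -Properties mail
    }

# Process: keep only users that carry a mail attribute.
$wanted = $membersA | Where-Object { $_.mail } | Select-Object sAMAccountName, mail

# Write to domain B: copy the mail attribute onto the account with the same
# sAMAccountName. -WhatIf keeps this a dry run until the mapping has been verified.
foreach ($u in $wanted) {
    $sam = $u.sAMAccountName
    # Script-block filter with a plain variable avoids building an LDAP filter by
    # string concatenation from data read out of the other domain.
    $target = Get-ADUser -Filter { sAMAccountName -eq $sam } -Server $dcB -Credential $credB
    if ($null -eq $target) {
        Write-Warning "No account named $sam in domain B; skipping"
        continue
    }
    Set-ADUser -Identity $target -EmailAddress $u.mail -Server $dcB -Credential $credB -WhatIf
}
```

Two points worth keeping in mind when adapting it: the SRV lookup only helps if ws3 can resolve both domains' DNS zones (a conditional forwarder on ws3's DNS server is the usual way), and because the credential files are bound to the account and machine that created them, the scheduled task on ws3 must run as exactly that account.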