Question

Here is the scenario:

  • Two domains: DOMAINA and DOMAINB in different forests (Windows Server 2008 R2 Domain Functional Level)
  • DOMAINA is in a DMZ network (firewalls are configured to permit all normal SharePoint and AD traffic)
  • DOMAINA trusts DOMAINB (one-way forest trust)
  • Four servers running SharePoint Server 2010:
    • Two WFE servers (members of DOMAINA)
    • Two Application servers (members of DOMAINB)
    • One SQL Server (member of DOMAINB)
  • All service accounts and user accounts are in DOMAINB

My concern is that due to the one-way trust, connections from the WFE to Application/SQL Servers will fail as the DOMAINB servers will not trust the DOMAINA servers (even though the users are in DOMAINB).

Is this configuration possible? Is there documentation that details the domain membership of SharePoint servers?


Solution

Did some googling and this will work; there's even a blog post describing your problem step by step:

Here's how I see it: this should work, because in the end it all comes down to service identities.

As long as all service accounts used to run services on each server in the farm are from the domain trusted (DOMAINB) by the DMZ domain, it should work. Seeing as servers only talk to each other using services, as long as these services run under accounts from the same domain (DOMAINB, because DOMAINA can authenticate users from that domain and not the other way around), all access to services running on other machines will be done using credentials that can be authenticated either internally (DOMAINB -> DOMAINB) or over the 1-way domain trust (DOMAINA -> DOMAINB).

My advice: try it, no harm, no foul, right? Just experiment first with 1 WFE and 1 APP server. Installing a server scripted is dead easy using AutoSPInstaller. If it doesn't work, use TMG as a proxy to "publish" your site from the internal network in the DMZ.
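One way to check the condition the answer relies on before experimenting, as an added example that is not part of the answer above: a PowerShell audit that lists the identity of every running Windows service and IIS application pool on each farm server and flags any that is not a DOMAINB account. It assumes placeholder hostnames, a DOMAINB admin session, and that WMI and PowerShell remoting are allowed through the DMZ firewall.

```powershell
# Added audit script (not from the original answer). Built-in identities such as
# LocalSystem or NetworkService present the computer account (DOMAINA\WFE1$) on the
# network, which DOMAINB cannot authenticate over a one-way trust, so they are
# reported as untrusted too. Hostnames below are placeholders.
$TrustedDomain = 'DOMAINB'
$FarmServers   = 'WFE1', 'WFE2', 'APP1', 'APP2'

function Get-FarmServiceIdentity {
    param([string[]]$Servers, [string]$Domain)
    foreach ($server in $Servers) {
        # Windows services: StartName holds the logon account (e.g. DOMAINB\svc_sp).
        Get-WmiObject -Class Win32_Service -ComputerName $server |
            Where-Object { $_.State -eq 'Running' } |
            ForEach-Object {
                New-Object PSObject -Property @{
                    Server   = $server; Type = 'Service'; Name = $_.Name
                    Identity = $_.StartName
                    Trusted  = ($_.StartName -like "$Domain\*")
                }
            }
        # IIS application pools host the SharePoint web and service applications.
        Invoke-Command -ComputerName $server -ScriptBlock {
            Import-Module WebAdministration
            Get-ChildItem IIS:\AppPools | ForEach-Object {
                New-Object PSObject -Property @{
                    Name = $_.Name; IdentityType = $_.processModel.identityType
                    User = $_.processModel.userName
                }
            }
        } | ForEach-Object {
            $isUser   = ($_.IdentityType -eq 'SpecificUser')
            $identity = $_.IdentityType
            if ($isUser) { $identity = $_.User }
            New-Object PSObject -Property @{
                Server   = $server; Type = 'AppPool'; Name = $_.Name
                Identity = $identity
                Trusted  = ($isUser -and $_.User -like "$Domain\*")
            }
        }
    }
}

# Report only the identities that would fail to authenticate across the trust.
Get-FarmServiceIdentity -Servers $FarmServers -Domain $TrustedDomain |
    Where-Object { -not $_.Trusted } |
    Format-Table Server, Type, Name, Identity -AutoSize
```

Expect some noise from OS services that run as built-in accounts; the rows that matter are the SharePoint, IIS and SQL Server services and the SharePoint application pools.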

Licensed under: CC-BY-SA with attribution