Two-way forest trust logons
Posted on 2007-03-23
I have two Windows 2003 servers running Active Directory that, for historical reasons, each have their own forest. TeacherDomain (the forest root on one server) currently owns all of the network printers and is configured as a media server. StudentDomain is a forest root on the other server.

We want to have certain groups of students be able to access certain network printers and also use the media streaming capability of the TeacherDomain. Also, we want teachers to be able to access the NAS device that students currently use on the StudentDomain for their student portfolios. From the Microsoft documentation, it appears that setting up a two-way forest trust gives me the capabilities that I need.

However, on the student laptops that are connected to the StudentDomain, the administration does not want the domain list on the logon screen to include domains that are on the TeacherDomain. That is, they want to keep the separation that students log on to student machines and teachers log on to teacher machines. I don't know how the domain list on the logon page is generated.

If I create a two-way forest trust, will student machines now be able to log on to the TeacherDomain? I think they are concerned about a student selecting the TeacherDomain, typing in a teacher's logon name, trying to break the password, and getting access to gradebooks.