

How cross-forest AD authentication works for a roaming user?

Posted on 2007-07-24
Medium Priority
Last Modified: 2008-05-31
Windows Server 2003 & Windows XP question:
If you have two AD forests: Forest A and Forest B, each with 1 domain.  There is a two-way trust between the Forests.
If a user with an account in Forest B sits down at a PC based in Forest A and logs on, does the Kerberos authentication communication for that user account pass between the workstation and Forest B's domain controllers, or between Forest A's DCs and Forest B's DCs?

I'm trying to find out if I can prevent communication between workstations from one Forest and DCs in the other Forest.
Question by: greenonred
LVL 13

Expert Comment

ID: 19557133
If your goal is to prevent this from happening... then why is the trust in place? Either you trust or you don't.
LVL 30

Expert Comment

ID: 19557633
Auth traffic will go from the workstation to the root domain in the workstation's "home forest", then from the workstation to the root domain in the "remote forest", and so on down to the remote domain in question if it is a child domain.

You can use Selective Authentication to control which machines in Forest A can be accessed by workstations in forest B and vice versa, for example to control access to a file server or application server, but you're not going to be able to stop communication between workstations and DCs or the entire trust process will fall down.

Author Comment

ID: 19564323
Thank you Laura.  Is there a way of making the Auth traffic be handled by just the workstation forest's DC rather than the workstation itself having to pass it over to the other forest's DC?

LVL 30

Expert Comment

ID: 19564376
Nope.  If I want to authenticate to Forest B, that request must be handled by a DC in Forest B, regardless of which workstation I'm logging in from.

Author Comment

ID: 19564568
Sorry - I didn't explain myself very well.  I meant to ask - does the request to the DC in Forest B have to come from the workstation, or can it come from the Workstation's DC (in Forest A)?
LVL 30

Accepted Solution

LauraEHunterMVP earned 2000 total points
ID: 19564586
It comes from the workstation; this can't be altered.
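As an added illustration (not part of this thread or any Microsoft code), a small Python model of the hop order Laura describes, generalized to a remote forest that has a child domain. Forest names, the trust set and the workstation name are constructed; the model only enumerates which DCs the workstation contacts, it does not speak Kerberos.

```python
from dataclasses import dataclass, field

@dataclass
class Forest:
    """One AD forest: its root domain plus a child -> parent map for child domains."""
    root: str
    parent: dict = field(default_factory=dict)

    def contains(self, domain):
        return domain == self.root or domain in self.parent

    def chain_to_root(self, domain):
        """Domains from `domain` upward to and including the forest root."""
        chain = [domain]
        while chain[-1] != self.root:
            chain.append(self.parent[chain[-1]])
        return chain

def forest_of(forests, domain):
    for f in forests:
        if f.contains(domain):
            return f
    raise KeyError(f"{domain} is in no known forest")

def referral_path(forests, trusts, workstation, ws_domain, user_domain):
    """(client host, KDC realm) contacts for a cross-forest logon, in the hop order
    given in the answer above: up the home forest to its root, across the forest
    trust to the remote root, then down to the user's domain if it is a child domain.
    `trusts` holds one frozenset({root_a, root_b}) per two-way forest trust."""
    home, remote = forest_of(forests, ws_domain), forest_of(forests, user_domain)
    if home is remote:
        raise ValueError("same forest: no forest-trust hop is involved")
    if frozenset({home.root, remote.root}) not in trusts:
        raise PermissionError(f"no forest trust between {home.root} and {remote.root}")
    realms = home.chain_to_root(ws_domain) + remote.chain_to_root(user_domain)[::-1]
    # Every hop originates at the workstation; its home-forest DC never relays it.
    return [(workstation, realm) for realm in realms]

def remote_dc_contacts(path, forests, ws_domain):
    """Hops that cross the forest boundary: what a filter between the forests must allow."""
    home = forest_of(forests, ws_domain)
    return [hop for hop in path if not home.contains(hop[1])]

# Constructed topology: forest A is single-domain, forest B has one child domain.
FORESTS = [Forest("a.example"), Forest("b.example", {"sales.b.example": "b.example"})]
TRUSTS = {frozenset({"a.example", "b.example"})}

if __name__ == "__main__":
    for src, realm in referral_path(FORESTS, TRUSTS, "ws01", "a.example", "sales.b.example"):
        print(f"{src} -> KDC of {realm}")
```

The `remote_dc_contacts` list is the set of workstation-to-remote-DC flows that any filtering between the forests has to permit for the logon to succeed, which is why blocking them breaks the trust.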

