
Query regarding logging onto a different domain

Posted on 2009-03-29
Last Modified: 2012-05-06
Hi All

I had a query regarding logging onto a different domain that I hope someone could help me with...

My domain is kam.com. We have emea.kam.com, us.kam.com and canada.kam.com

Each domain has a bunch of DCs and one GC. There is full trust between the domains, and network-wise full access between each as well.

User1 has an account located in the EMEA domain, but travels to the US.

When she logs onto a PC in the US, which DC does she authenticate to?

a) The local DC as defined by the subnet she is on within AD Sites and Services (i.e. a US DC)
b) An EMEA DC, since that is where her account is located
c) A US GC, since the GC would presumably hold details of her account?

And if she changes her password, where is this replicated to first?

Any help appreciated!
Question by:kam_uk
4 Comments
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 800 total points
ID: 24013193
When she logs into the EMEA domain in the US she is going to be authenticated by an EMEA DC; you were right, because that is where her account is.
Yes, a GC does have details about her account, but only "partial" details, actually known as the "partial attribute set".
If she changes her password it is changed on the DC she is authenticated to. That info is forwarded on to the PDC emulator.
Thanks
 
Mike
 
LVL 27

Accepted Solution

by:
bluntTony earned 1200 total points
ID: 24013377
Yes, the authentication request is referred by the local DC (in the US) back to the emea DC to authenticate. The emea DC grants a Ticket-Granting-Ticket (TGT) which the user then uses to request session tickets, used to access the resources in the US domain. From then on, authentication for resource access, i.e. granting of session tickets, is handled by the local DCs in the US.

The global catalog is important as it holds universal group membership details for all users in the forest - this is required for users to be able to log in successfully throughout the forest.

If she changes her password, this will be referred back to the DC in the emea domain (as this is where her user account resides). This change is then replicated throughout the user's domain - giving the domain PDC preferential replication (as explained in your other question).
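To see the behaviour bluntTony describes on a real workstation, here is an added PowerShell example (it is not from the thread or from Microsoft). It assumes the forest from the question (an EMEA account logging on to a US workstation), that RSAT's ActiveDirectory module is installed on the workstation, and that the account may read the Security log on the EMEA DC remotely; those are assumptions, not facts from the page.

```powershell
# Added example, not part of the original thread. Run interactively on the US workstation
# while logged on as the EMEA user. Assumes RSAT's ActiveDirectory module is installed and
# that the account may read the Security log on the EMEA DC remotely (assumption).
Import-Module ActiveDirectory

# 1. Which DC validated this logon? LOGONSERVER is set by the logon process to the DC that
#    authenticated the user; for an EMEA account on a US box it is an EMEA DC, even though
#    the workstation's own domain is us.kam.com.
$userRealm  = $env:USERDNSDOMAIN                                 # e.g. EMEA.KAM.COM
$hostDomain = (Get-CimInstance Win32_ComputerSystem).Domain      # e.g. us.kam.com
"User realm     : $userRealm"
"Workstation in : $hostDomain"
"Logon server   : $env:LOGONSERVER"

# 2. What the DC locator would choose from this site for each domain. The US domain is
#    found locally; for the EMEA domain -NextClosestSite lets the locator fall back to the
#    nearest site that has an EMEA DC when none covers the US subnet.
$localDc = Get-ADDomainController -Discover -DomainName $hostDomain
$homeDc  = Get-ADDomainController -Discover -DomainName $userRealm -NextClosestSite
$homeDcName = [string]$homeDc.HostName
"Local (resource) DC : $([string]$localDc.HostName) in site $($localDc.Site)"
"Home (account) DC   : $homeDcName in site $($homeDc.Site)"

# 3. The Kerberos cache shows the two-realm split: the TGT is krbtgt/EMEA.KAM.COM, issued
#    by the home realm; service tickets for US servers are issued by US DCs after a
#    cross-realm referral. klist is the built-in Windows Kerberos cache tool.
"--- tickets in cache ---"
klist | Select-String -Pattern '^\s*(Client|Server):' | ForEach-Object { $_.Line.Trim() }

# 4. Where the audit trail lands. Event 4768 (Kerberos TGT requested) is written on the KDC
#    that issued the TGT, i.e. the EMEA DC; 4769 (service ticket) on whichever DC issued it.
#    Pull the most recent 4768 events for this user from the home DC, parsing the event XML
#    by field name rather than by positional index so the code survives schema changes.
$me = $env:USERNAME
Get-WinEvent -ComputerName $homeDcName `
             -FilterHashtable @{ LogName = 'Security'; Id = 4768 } -MaxEvents 500 |
    ForEach-Object {
        $field = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $field[$d.Name] = $d.'#text' }
        if ($field['TargetUserName'] -eq $me) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = $field['TargetUserName']
                FromIP  = $field['IpAddress']             # the US workstation
                KDC     = $_.MachineName                  # the EMEA DC that issued the TGT
                Status  = $field['Status']                # 0x0 = success
                EncType = $field['TicketEncryptionType']  # 0x12 = AES256-CTS-HMAC-SHA1-96
            }
        }
    } | Select-Object -First 5 | Format-Table -AutoSize
```

The point of step 4 for anyone doing incident response on a multi-domain forest: the TGT request for a roaming user is recorded on a DC in her home domain, not on the DCs in the site she is sitting in, so a search limited to the local site's Security logs will show only 4769 service-ticket events for her.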
 
LVL 3

Author Comment

by:kam_uk
ID: 24064191
Thanks - so I assume the partial information the GC holds about this user does not include the password? Otherwise, it would not need to refer back to a DC in the user's home domain?
 
LVL 27

Expert Comment

by:bluntTony
ID: 24067730
That is correct - user passwords are not stored in the GC. A user must always be authenticated by a DC from its originating domain.
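As an added PowerShell example (not from the thread), the following checks both of bluntTony's statements directly: it lists the attributes the schema flags as members of the partial attribute set (and therefore replicated to every GC), confirms that the password-bearing attributes are not among them, and then compares what a GC (LDAP port 3268) returns for the user with what a DC in her home domain (port 389) returns. The DC names and the user name are placeholders assumed from the question, as is the presence of RSAT's ActiveDirectory module.

```powershell
# Added example, not part of the original thread. Assumes RSAT's ActiveDirectory module,
# a US GC named usgc01.us.kam.com and an EMEA DC named emeadc01.emea.kam.com (placeholder
# names), and a sample user 'user1' in emea.kam.com.
Import-Module ActiveDirectory

$gc     = 'usgc01.us.kam.com'
$homeDc = 'emeadc01.emea.kam.com'
$sam    = 'user1'

# 1. Which attributes does the schema mark for GC replication? isMemberOfPartialAttributeSet
#    = TRUE on an attributeSchema object means every GC in the forest holds a read-only copy
#    of that attribute for every object in every domain.
$rootDse = Get-ADRootDSE -Server $homeDc
$pas = Get-ADObject -Server $homeDc -SearchBase $rootDse.schemaNamingContext `
          -LDAPFilter '(&(objectClass=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))' `
          -Properties lDAPDisplayName |
       Select-Object -ExpandProperty lDAPDisplayName | Sort-Object
"$($pas.Count) attributes are in the partial attribute set"

# 2. Password material never reaches a GC. These attributes hold the NT/LM hashes, the
#    password history and the Kerberos keys; none is in the PAS (and they are also marked
#    secret in the schema, so no DC returns them over LDAP to anyone, only via replication).
$secretAttrs = 'unicodePwd', 'dBCSPwd', 'ntPwdHistory', 'lmPwdHistory', 'supplementalCredentials'
foreach ($a in $secretAttrs) {
    "{0,-25} in partial attribute set: {1}" -f $a, ($pas -contains $a)
}

# 3. Compare the same user as seen by the GC (port 3268, forest-wide search, PAS only) and
#    by a DC in her own domain (port 389, full object). What the GC lacks is exactly the
#    non-PAS attributes, which is why the logon has to go back to a home-domain DC.
$forestRoot = $rootDse.rootDomainNamingContext
$fromGc = Get-ADObject -Server "${gc}:3268" -SearchBase $forestRoot -SearchScope Subtree `
            -LDAPFilter "(&(objectClass=user)(sAMAccountName=$sam))" -Properties *
$fromDc = Get-ADObject -Server $homeDc `
            -LDAPFilter "(&(objectClass=user)(sAMAccountName=$sam))" -Properties *

$gcAttrs = $fromGc.PropertyNames | Sort-Object
$dcAttrs = $fromDc.PropertyNames | Sort-Object
"GC returned $($gcAttrs.Count) attributes, home DC returned $($dcAttrs.Count)"
"Attributes the home DC has for $sam but the GC does not:"
Compare-Object -ReferenceObject $dcAttrs -DifferenceObject $gcAttrs |
    Where-Object SideIndicator -eq '<=' |
    Select-Object -ExpandProperty InputObject
```

Step 2 is the one to keep for audits: if an administrator ever adds one of those secret attributes to the partial attribute set through the Schema snap-in, this query is how you would notice, and the check in step 3 shows the practical consequence of the default, namely that a GC in another domain can locate the account and its universal group memberships but cannot validate her credentials.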
