Solved
Route active directory authentication to different site.

Posted on 2009-05-18
Last Modified: 2012-05-07
Hi, I have an AD forest with several child domains and physical sites connected with VPN connections. Not all sites have VPNs to every other site.
Say I have 3 sites: A, B and C.
Site A is connected to Site B by VPN.
Site B is connected to Site C by VPN.

We have a top-level domain root.com with domain controllers in all three sites. We also have a child domain child.root.com that only has domain controllers in Site C.

What I wanted to know is: is it possible to configure AD so that a user in Site A can log on to the child domain even if they can't directly route to the domain controller of that domain? Is it possible to get the domain controllers from the parent domain to process the authentication?

Any ideas, or is this not possible with a direct connection?

Question by: matthewsj11
4 Comments
 
LVL 18

Expert Comment

by: Americom
ID: 24411560
The actual allowed authentication will eventually be its own DC in its own domain for its users that exist in that domain, regardless of how your AD design topology is configured. So, the only thing I can think of is that a user account belonging to the child domain in site C trying to log on or authenticate from site A would have a problem if the firewall is blocking it. Assuming that you already have trust either by default or manually created between all domains, and your network is connected between A and B as well as B and C, the network connection is connected between A and C via B, unless you have a firewall blocking it. So, in theory, if the firewall is not blocking traffic from A to C, you should not have any issue.
 
LVL 1

Author Comment

by: matthewsj11
ID: 24411858
There is no direct routing between sites A and C which is why I wanted to know if it was possible to relay the authentication. If possible I want to avoid configuring the routing.

I am guessing that it is not possible.
 
LVL 18

Accepted Solution

by: Americom (earned 1500 total points)
ID: 24412164
That is not possible. The other thing that comes to my mind is IAS, where you can forward authentication requests to another domain's IAS. But this also will require you to open a connection from the IAS server in Site C <-> IAS in Site A. Without a connection between the two networks, that would not be an option.
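The accepted answer turns on one fact about Kerberos: a root.com DC can only hand a Site A client a referral ticket for child.root.com; the client must then contact a KDC of child.root.com itself, so reachability to at least one Site C domain controller decides whether the logon can work at all. The check below is an added diagnostic written for this thread (it is not code from either participant) that lists the KDCs the child domain advertises in DNS and tests the logon ports from the client's site. It assumes the domain name child.root.com from the question, that DNS for that zone resolves from Site A, and that Resolve-DnsName and Test-NetConnection are available (Windows 8 / Server 2012 or later; the hosts asked about in 2009 would need an equivalent manual test).

```powershell
# Added diagnostic, not from the original thread.
# For every KDC that the child domain advertises, test the TCP ports a domain
# logon needs from this host. Assumes Resolve-DnsName / Test-NetConnection
# (Windows 8 / Server 2012 or later) and that child.root.com resolves here.
param(
    [string]$ChildDomain = 'child.root.com',   # domain name taken from the question
    [int[]]$Ports = @(88, 389, 445)            # Kerberos, LDAP, SMB (Netlogon/SYSVOL)
)

# The _kerberos._tcp SRV records name the domain controllers that can issue
# tickets for accounts in the child domain. A referral from a root.com DC only
# points the client at one of these; the root DC cannot authenticate on their behalf.
$kdcs = Resolve-DnsName -Name "_kerberos._tcp.$ChildDomain" -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' } |
        Select-Object -ExpandProperty NameTarget -Unique

if (-not $kdcs) {
    Write-Warning "No KDC SRV records found for $ChildDomain; DNS for the child zone is not reachable from this site."
    return
}

foreach ($kdc in $kdcs) {
    foreach ($port in $Ports) {
        # TcpTestSucceeded is $false when there is no route or a firewall drops the connection.
        $result = Test-NetConnection -ComputerName $kdc -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{
            KDC       = $kdc
            Port      = $port
            Reachable = $result.TcpTestSucceeded
        }
    }
}
```

Run from a workstation in Site A. If every child-domain KDC shows Reachable = False on port 88, logons with child.root.com accounts will fail from that site no matter how many root.com domain controllers it has, which is the situation the accepted answer describes; the only remedies are a route to Site C (directly or through B) or placing a child.root.com DC in a reachable site.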
 
LVL 1

Author Closing Comment

by: matthewsj11
ID: 31582546
Thanks, I did not think this was possible but was hoping for a bright idea from someone.