Solved

Route active directory authentication to different site.

Posted on 2009-05-18
4
344 Views
Last Modified: 2012-05-07
Hi I have an AD forest with several child domains and physical sites connected with VPN connections. Not all sites have VPNs to every other site.
Say I have 3 sites A, B and C
Site A  is connected to Site B by VPN
Site B is connected to Site C by VPN.

We have a top level domain root.com with domain controllers in all three sites. We also have a child domain child.root.com that only has domain controllers in Site C

What I wanted to know is is it possible to configure AD so that a User in Site A can logon to the child domain even if they can't directly route to the domain controller of that domain. Is it possible to get the domain controllers from the parent domain to process the authentication?

Any ideas or is this not possible with a direct connection.
0
Comment
Question by:matthewsj11
  • 2
  • 2
4 Comments
 
LVL 18

Expert Comment

by:Americom
ID: 24411560
The acutal allow authentication will eventually be it's own DC in it's own domain for it's user that exist in that domain, regardless how your AD design topology is configured. So, the only thing I can think of is that user account belong to the child domain in site C trying to logon or authenticate from site A would have problem if the firewall is blocking it. Assuming that you already have trust either by default or manually created between all domains, and your network is connected between A and B as well as B and C, the network connection is connected between A and C via B. Unless you have firewall blocking it. So, in therory, if firewall is not blocking traffic from A to C, you should not have any issue.
0
 
LVL 1

Author Comment

by:matthewsj11
ID: 24411858
There is no direct routing between sites A and C which is why I wanted to know if it was possible to relay the authentication. If possible I want to avoid configuring the routing.

I am guessing that it is not possible.
0
 
LVL 18

Accepted Solution

by:
Americom earned 500 total points
ID: 24412164
That is not possible. The other thing that comes up to my mind is IAS where you can forward authentication request to another domain's IAS. But this also will required you to open connection from IAS server in Site C <-> IAS in Site A. Without connection between the two network, that would not be an option.
0
 
LVL 1

Author Closing Comment

by:matthewsj11
ID: 31582546
Thanks I did not think this was possible but was hoping for a bright idea from someone.
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Synchronize a new Active Directory domain with an existing Office 365 tenant
This script can help you clean up your user profile database by comparing profiles to Active Directory users in a particular OU, and removing the profiles that don't match.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

825 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question