Solved

Route active directory authentication to different site.

Posted on 2009-05-18
Last Modified: 2012-05-07
Hi, I have an AD forest with several child domains and physical sites connected with VPN connections. Not all sites have VPNs to every other site.
Say I have 3 sites: A, B and C.
Site A is connected to Site B by VPN.
Site B is connected to Site C by VPN.

We have a top-level domain root.com with domain controllers in all three sites. We also have a child domain child.root.com that only has domain controllers in Site C.

What I wanted to know is: is it possible to configure AD so that a user in Site A can log on to the child domain even if they can't directly route to the domain controller of that domain? Is it possible to get the domain controllers from the parent domain to process the authentication?

Any ideas, or is this not possible with a direct connection?
Question by:matthewsj11
4 Comments
 
LVL 18

Expert Comment

by:Americom
ID: 24411560
The actual allow authentication will eventually be its own DC in its own domain for its users that exist in that domain, regardless of how your AD design topology is configured. So, the only thing I can think of is that a user account belonging to the child domain in site C trying to log on or authenticate from site A would have a problem if the firewall is blocking it. Assuming that you already have trust, either by default or manually created, between all domains, and your network is connected between A and B as well as B and C, the network connection is connected between A and C via B, unless you have a firewall blocking it. So, in theory, if the firewall is not blocking traffic from A to C, you should not have any issue.
0
 
LVL 1

Author Comment

by:matthewsj11
ID: 24411858
There is no direct routing between sites A and C, which is why I wanted to know if it was possible to relay the authentication. If possible, I want to avoid configuring the routing.

I am guessing that it is not possible.
0
 
LVL 18

Accepted Solution

by:
Americom earned 1500 total points
ID: 24412164
That is not possible. The other thing that comes to my mind is IAS, where you can forward authentication requests to another domain's IAS. But this will also require you to open a connection from the IAS server in Site C <-> IAS in Site A. Without a connection between the two networks, that would not be an option.
0
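The condition both answers turn on, whether a Site A client can reach a domain controller of child.root.com, can be checked from that client. The script below is an added example, not part of the original thread; the domain name comes from the question, and the port list is an assumed set of the standard TCP services a client uses on a domain controller.

```powershell
# Added example (not from the thread). Run on a client in Site A.
$Domain = 'child.root.com'   # child domain named in the question

# Assumed port list: standard TCP services a client uses on a DC.
# Test-NetConnection checks TCP only; UDP variants are not covered here.
$Ports = [ordered]@{
    Kerberos              = 88
    LDAP                  = 389
    SMB                   = 445
    'RPC endpoint mapper' = 135
    DNS                   = 53
}

# Step 1: locate the child domain's DCs through the SRV record the DC locator uses.
try {
    $dcs = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' } |
        Select-Object -ExpandProperty NameTarget -Unique
} catch {
    Write-Warning "Cannot locate DCs for $Domain via DNS: $($_.Exception.Message)"
    return
}

# Step 2: test every DC on every port and collect one row per combination.
$results = foreach ($dc in $dcs) {
    foreach ($svc in $Ports.GetEnumerator()) {
        $t = Test-NetConnection -ComputerName $dc -Port $svc.Value -WarningAction SilentlyContinue
        [pscustomobject]@{
            DomainController = $dc
            Service          = $svc.Key
            Port             = $svc.Value
            Reachable        = $t.TcpTestSucceeded
        }
    }
}
$results | Format-Table -AutoSize

# Step 3: a DC counts as usable only if none of its ports failed.
$usable = $results | Group-Object DomainController |
    Where-Object { $_.Group.Reachable -notcontains $false }

if ($usable) {
    "Reachable DCs for ${Domain}: $($usable.Name -join ', ')"
} else {
    "No DC for $Domain is fully reachable from this client; check routing and firewall rules between the sites."
}
```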
 
LVL 1

Author Closing Comment

by:matthewsj11
ID: 31582546
Thanks, I did not think this was possible, but was hoping for a bright idea from someone.
0
