Solved

Route active directory authentication to different site.

Posted on 2009-05-18
4
338 Views
Last Modified: 2012-05-07
Hi I have an AD forest with several child domains and physical sites connected with VPN connections. Not all sites have VPNs to every other site.
Say I have 3 sites A, B and C
Site A  is connected to Site B by VPN
Site B is connected to Site C by VPN.

We have a top level domain root.com with domain controllers in all three sites. We also have a child domain child.root.com that only has domain controllers in Site C

What I wanted to know is is it possible to configure AD so that a User in Site A can logon to the child domain even if they can't directly route to the domain controller of that domain. Is it possible to get the domain controllers from the parent domain to process the authentication?

Any ideas or is this not possible with a direct connection.
0
Comment
Question by:matthewsj11
  • 2
  • 2
4 Comments
 
LVL 18

Expert Comment

by:Americom
Comment Utility
The acutal allow authentication will eventually be it's own DC in it's own domain for it's user that exist in that domain, regardless how your AD design topology is configured. So, the only thing I can think of is that user account belong to the child domain in site C trying to logon or authenticate from site A would have problem if the firewall is blocking it. Assuming that you already have trust either by default or manually created between all domains, and your network is connected between A and B as well as B and C, the network connection is connected between A and C via B. Unless you have firewall blocking it. So, in therory, if firewall is not blocking traffic from A to C, you should not have any issue.
0
 
LVL 1

Author Comment

by:matthewsj11
Comment Utility
There is no direct routing between sites A and C which is why I wanted to know if it was possible to relay the authentication. If possible I want to avoid configuring the routing.

I am guessing that it is not possible.
0
 
LVL 18

Accepted Solution

by:
Americom earned 500 total points
Comment Utility
That is not possible. The other thing that comes up to my mind is IAS where you can forward authentication request to another domain's IAS. But this also will required you to open connection from IAS server in Site C <-> IAS in Site A. Without connection between the two network, that would not be an option.
0
 
LVL 1

Author Closing Comment

by:matthewsj11
Comment Utility
Thanks I did not think this was possible but was hoping for a bright idea from someone.
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

My last post dealt with using group policy preferences to set file associations, a very handy usage for a GPP. Today I am going to share another cool GPP trick, this may be a specific scenario but I run into these situations frequently in my activit…
Find out how to use Active Directory data for email signature management in Microsoft Exchange and Office 365.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now