Solved

how does work the authentication in a Forest Trust  ?

Posted on 2012-03-23
3
591 Views
Last Modified: 2012-03-26
Hi Experts,
here is my pb :

I've got a Forest A (with only 1 domain, 2003 native mode), i've got another Forest B (with 1 root domain, and 20 child domains, 2003 native mode).

I opened network flow through Firewall to let communicate DCs from domain A and DCs from the root domain B .

So i was able to make a forest trust without problem.

I can add user from the root  B to groups of the domain A.

But now, if I want to add users from childs domains of the forest B to groups of domain A, i've got an error like " unable to communicate to the domain controller".

My question is : Should I open network flow between Forest 1 DCs and all DCs of the Forest B ? (included all childs domains DCs)
If yes, I can't understand where is the benefit to make a trust forest instead of multiple domains trusts.

Or maybe in my configuration i've to work with command line to manage AD ?


Thanks !
0
Comment
Question by:Carlito985
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 26

Assisted Solution

by:Leon Fester
Leon Fester earned 500 total points
ID: 37756491
You should still open firewall rules to allow you DC's in your child domain to connect to the other forest.

While the forest trust allows you to setup only one trust for all your domain, each domain controller will do it's own authentication requests to the

This article should show you nicely how it works.
Check out the setions for
Trust Architecture
Trust Processes and Interactions

http://technet.microsoft.com/en-us/library/cc773178(v=ws.10).aspx
0
 
LVL 1

Author Comment

by:Carlito985
ID: 37756514
Thanks !
I understood, But with your comment, i don't understand the benefit of a shortcut trust, can you explain me ?
0
 
LVL 26

Accepted Solution

by:
Leon Fester earned 500 total points
ID: 37756903
My statements is based on the understaning of how the trust hierarchy and authentication flow
works.

As soon as you introduce a shortcut trust you're essentially changing the authentication flow so that it no longer needs to traverse the trust hierachy.

A shortcut trust doesn’t give either domain access to anything new, but rather it just sorta introduces the two domains to each other. Once the shortcut trust is in place, the two domains can access each other directly without having to traverse the forest in an attempt to locate a domain controller.

Also remember, a shortcut trust can only be created between domains in the same forest.

Your multi-domain forest may be a good candidate for a shortcut trust if you have roaming users user who are complaining about the amount of time it takes for them to be authenticated.

Check out this article, it's not quite for your scenario, but it shows how shortcut trusts can be used to reduce/improve the authentication flow.

http://technet.microsoft.com/en-us/library/cc794918(v=ws.10).aspx
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
Active Directory security has been a hot topic of late, and for good reason. With 90% of the world’s organization using this system to manage access to all parts of their IT infrastructure, knowing how to protect against threats and keep vulnerabil…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

756 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question