jskfan
asked on
Active Directory Forest Trust
If I have Forest A and Forest B with a two-way trust, would that automatically allow users from one forest to access resources in the other forest?
I have heard that SID filtering can be an issue. I would like an expert to elaborate on that.
Thank you
The two-way trust will make it possible to access resources in either forest based on the permissions on the resource. In our environment, we only use a one-way trust to make it possible for users in the production forest to access the test forest, but not the opposite.
SID filtering needs to be disabled to allow access to resources through the SIDhistory of an object while migrating objects between domains, but otherwise it can be enabled to raise security. It's automatically enabled on external trusts (forest).
ASKER
If it is not about migrating users between forests, and we choose Forest Wide Authentication, can users still access resources in the other forest?
If you choose Forest Wide Authentication, the user will auto-authenticate and will be automatically added to Authenticated Users. It means that he has permission to access all resources that are allowed for Authenticated Users.
ASKER
Thank you Guys
Both comments were answers to your solutions. Feel free to accept both as solutions.
If you choose Selective Authentication, then no. To allow the user to access any resources, you have to:
1. allow him to authenticate to the domain
2. give him permissions (= add him to AD groups). Then the user will get access.
This is definitely more secure because you have control over who is accessing resources in your domain.
If you choose Forest Wide Authentication, the user will auto-authenticate (step one from Selective Authentication is skipped) and will be automatically added to Authenticated Users. It means that he has permission to access all resources that are allowed for Authenticated Users. This might be an issue. That's why we don't use this option.
https://social.technet.microsoft.com/wiki/contents/articles/50969.active-directory-forest-trust-attention-points.aspx#Forest_Wide_Authentication
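An added audit example (not from any of the answers above) that reports, for every trust the local domain knows about, the two settings this thread turns on: whether the trust uses Selective Authentication or Forest Wide Authentication, and the SID filtering flags. It assumes the ActiveDirectory RSAT module is installed and the caller can read trust objects; the reading of SIDFilteringForestAware as "SID history from the trusted forest is honoured" is an assumption stated in the comments.

```powershell
# Added example, not code from the thread. Assumes the ActiveDirectory
# RSAT module and read access to the trustedDomain objects in this domain.
Import-Module ActiveDirectory

function Get-TrustAuthenticationPosture {
    # Enumerate every trust (external and forest) and flag the settings
    # discussed in the thread so they can be reviewed as a table.
    Get-ADTrust -Filter * | ForEach-Object {
        $t = $_
        $findings = @()

        # SelectiveAuthentication = $false is Forest Wide Authentication:
        # any user from the trusted side authenticates here and becomes a
        # member of Authenticated Users, so everything granted to that
        # group is reachable without any explicit group membership.
        if (-not $t.SelectiveAuthentication) {
            $findings += 'Forest Wide Authentication: trusted users become Authenticated Users'
        }

        # SID filtering. On external trusts the relevant flag is the
        # quarantine bit; on forest trusts SIDFilteringForestAware is assumed
        # to mean SID history from the trusted forest is honoured, which is
        # only needed during migrations (see the second answer above).
        if ($t.ForestTransitive -and $t.SIDFilteringForestAware) {
            $findings += 'SID history honoured across forest trust (filtering relaxed)'
        }
        if (-not $t.ForestTransitive -and -not $t.SIDFilteringQuarantined) {
            $findings += 'SID filtering (quarantine) disabled on external trust'
        }

        [pscustomobject]@{
            Trust                   = $t.Name
            Direction               = $t.Direction
            ForestTransitive        = $t.ForestTransitive
            SelectiveAuthentication = $t.SelectiveAuthentication
            SIDFilteringQuarantined = $t.SIDFilteringQuarantined
            SIDFilteringForestAware = $t.SIDFilteringForestAware
            Findings                = ($findings -join '; ')
        }
    }
}

# Run from a domain-joined admin workstation; an empty Findings column
# means the trust already uses Selective Authentication with SID filtering.
Get-TrustAuthenticationPosture | Format-Table -AutoSize
```

Switching a trust from Forest Wide to Selective Authentication afterwards still requires granting the "Allowed to Authenticate" right on the resource computers, which is the step 1 the answer above describes.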