External vs Forest Trusts

deneb829

I am having a problem grasping the difference between an external trust relationship and a forest trust. The question speaks of a user using his credentials located in DOMAIN A to log into DOMAIN B and not being able to. The answer suggests matching the user's UPN logon name with their pre-windows 2000 login name (which are different) as a means to fix this issue. Couldn't the user log into DOMAIN B with usera@DOMAINA.com?

Slowhand

The user should be able to log on with his credentials from DOMAIN A in DOMAIN B, that's the whole idea of trusts. The main difference between forest trusts and external trusts is that with forest trusts, you're setting up internal trusts between domains of the same forest. In the end, they're all under the same AD forest, but in seperate trees or domains. Setting up an external trust is tricker, because you're trying to communicate from forest to forest, without necessarily having the same Domain Controllers in common. (Not that you always have that within the forest, but it's easier to deal with there.)

I have no clue as to why the pre-Windows 2000 logon should have to be the same as the UPN logon ID, I'm guessing there's some other information here that's probably assumed in the scenario. If the domains trying to communicate are in pre-Windows 2000 mode, or running other OS'es besides Windows, I guess that could help solve some problems. Otherwise. . . eh. . . well. . . you got me. Still, though, I can't help but think this is more of a question for the 70-291 test. For the 70-290, I doubt you have to know such detailed information about the hows and the whys of trusts, just that there are differences between domains inside and outside the same tree and/or the same forest.

deneb829

Thanks Slowhand,

I thought this was a strange question for 70-290 because I saw very little about trusts in the study material for this exam. Hopefully, I won't see this kind of question on the exam.