Cross-domain authentication
Essendon
Member Posts: 4,546 ■■■■■■■■■■
Came up with this scenario, say there is a forest root domain called domain.local and there are two child domains called one.domain.local and two.domain.local. All three domains are in different cities and there is an unreliable link between the forest root and the two child domains. The link between the child domains is however better than the one with the forest root.
If users in one.domain.local need access to resources in two.domain.local, what's better
> Placing a forest root DC in one.domain.local, or
> Placing a DC from two.domain.local in the one.domain.local child domain or
> Creating a forest trust between the two child domains
Sometimes these concepts get confusing , anyone have a link for a good read on cross domain authentication? Asking this question makes me feel like I'm still a n00b.
Comments
Asif Dasl Member Posts: 2,116 ■■■■■■■■□□There is a transitive trust between domains 1 and 2. But in the scenario suggested you would create a shortcut trust between domains 1 and 2, so authentication requests wouldn't walk the tree; they would take the shorter and faster shortcut trust.
Technet - When to create a shortcut trust
Essendon Member Posts: 4,546 ■■■■■■■■■■Thanks for the reply. Let's say I can't create a shortcut trust for whatever reason. Would you go with a or b? I'd say b, as that would also provide quicker authentication, right? Also, in what case would you go with b?
Asif Dasl Member Posts: 2,116 ■■■■■■■■□□You wouldn't place a DC into any site. Authentication would walk the tree, going through the forest root domain. The domains trust each other, so there is no need to place a DC in domain 1 or 2. The existing DCs in each site authenticate for their own domain as well as forwarding authentication requests to the other trusted domains.
Technet - Accessing resources across domains
Essendon Member Posts: 4,546 ■■■■■■■■■■
Understood and thank you for the link. Let's bring the reliability of the link between the root and the child domains into play, would you still not put a DC from two.domain.local into one.domain.local?
I'll have a good read of that link you provided.
Asif Dasl Member Posts: 2,116 ■■■■■■■■□□If the link between the forest root domain and the child domain went down, then hopefully you could use the shortcut trust to the opposing child domain (along whatever site-to-site link exists between the child domains). If there is no shortcut trust, then you would not be able to authenticate.
If the link between the child domains went down then you would walk the tree through the forest root domain.
You would not use extra DCs in opposing sites as that would just double or triple the amount of DCs required to improve authentication. Multiply that by 50 sites that would be a huge doubling up of resources.
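The referral behaviour described in the replies above (authentication "walking the tree" through the forest root, a shortcut trust bypassing it, and what happens when the root link or the child-to-child link is down) can be modelled as a path search over the trust graph. The following is an added example written for this thread, not code from either poster or from Microsoft; the domain names are the ones from the question, and the `build_trusts`, `referral_path` and `hops` functions plus the link states are constructed here to illustrate the scenario.

```python
"""Model of the Kerberos referral path across an AD forest.

Added illustration for the thread's scenario. Domain names come from
the question; the trust edges, link states and helper functions are
constructed here and do not describe any real forest.
"""
from collections import deque

FOREST_ROOT = "domain.local"
CHILDREN = ["one.domain.local", "two.domain.local"]


def build_trusts(shortcut=False):
    """Return the set of two-way trust edges as frozensets of domain pairs.

    Parent-child trusts exist automatically in the forest; the shortcut
    trust between the two child domains is optional (constructed flag).
    """
    trusts = {frozenset((FOREST_ROOT, child)) for child in CHILDREN}
    if shortcut:
        trusts.add(frozenset(CHILDREN))
    return trusts


def referral_path(src, dst, trusts, down_links=()):
    """Shortest chain of domains a KDC referral walks from src to dst.

    A trust edge is only usable if the WAN link between those two domains
    is up, so each entry in down_links (a domain pair) disables that edge.
    Returns the ordered list of domains visited, or None if unreachable.
    """
    down = {frozenset(link) for link in down_links}
    usable = [edge for edge in trusts if edge not in down]
    queue = deque([[src]])
    seen = {src}
    while queue:
        path = queue.popleft()          # BFS: first hit is the shortest
        here = path[-1]
        if here == dst:
            return path
        for edge in usable:
            if here in edge:
                (nxt,) = edge - {here}  # the other end of the trust
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(path + [nxt])
    return None


def hops(path):
    """Number of trust hops in a referral path (None if unreachable)."""
    return None if path is None else len(path) - 1


if __name__ == "__main__":
    src, dst = CHILDREN
    root_link = (FOREST_ROOT, src)      # unreliable link to the root
    child_link = (src, dst)             # better link between the children
    scenarios = [
        ("no shortcut, all links up", build_trusts(False), []),
        ("shortcut, all links up", build_trusts(True), []),
        ("no shortcut, root link down", build_trusts(False), [root_link]),
        ("shortcut, root link down", build_trusts(True), [root_link]),
        ("shortcut, child link down", build_trusts(True), [child_link]),
    ]
    for label, trusts, down in scenarios:
        path = referral_path(src, dst, trusts, down)
        print(f"{label:30s} -> {path} ({hops(path)} hops)")
```

Running it shows the two points the replies make: without a shortcut trust the referral is two hops via domain.local and fails outright when the root link is down, while with the shortcut trust it is one hop over the child-to-child link and falls back to the root path if that link fails.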