Re: How to set up authentication across domains within a forest?

From: Ulf B. Simon-Weidner [MVP] (nospam2-ulf_at_usw-consulting.com)
Date: 04/12/04


Date: Mon, 12 Apr 2004 23:56:39 +0200

Ed Levis says...
> We are thinking of configuring 3 regional [NA|EU|AP]
> domains within a single AD forest. Our primary goal is
> efficient replication; secondary goal is domain level
> resource management. Our biggest concern re: this
> approach is the need to deploy one or more DCs for each
> domain in each region or the risk of users encountering
> authentication problems when traveling between regions.
> Is there some way we can design our AD environment such
> that all DCs share a local copy of a forest-wide
> authentication db (??) and users authenticate to the
> closest DC in the forest, regardless of the domain in
> which it resides? Any suggestions would be much
> appreciated.
>
Hello Ed,

I'd suggest reading a good AD book or visiting the MOC course for
designing Active Directory, or reading the Resource Kit or Deployment
Kits online. There are not that many reasons why you need multiple
domains, and resource management is not one of them (usually; there may
be exceptions). You are able to split resource management by using OUs
in the Active Directory.

Common reasons for splitting up into multiple domains are usually:
- Different account policies, like password complexity
- Different security boundaries (somewhat)
- Partitioning of AD DB size

BTW - the resource kits are available online at
www.reskit.com

Regards - Sincerely,

Ulf B. Simon-Weidner