Re: How to setup authentication across domains within a forest?

From: Matt Hickman (hemo_jr_at_space.com)
Date: 04/13/04


Date: 13 Apr 2004 12:52:12 -0700


"Ed Levis" <edlevis@yahoo.com> wrote in message news:<27d401c420d2$0ca0c3e0$7d02280a@phx.gbl>...
> We are thinking of configuring 3 regional [NA|EU|AP]
> domains within a single AD forest. Our primary goal is
> efficient replication; secondary goal is domain level
> resource management. Our biggest concern re: this
> approach is the need to deploy one or more DCs for each
> domain in each region or the risk of users encountering
> authentication problems when traveling between regions.

If a user ID from say the EU domain tries to get authenticated
in the AP domain, the AP DC authenticating that ID will contact
the nearest global catalog server to locate the ID's home
domain. The query travels a trust path to get to the home
domain. A shortcut trust can minimize the trust path and
hopefully minimize authentication problems.
   
> Is there some way we can design our AD environment such
> that all DCs share a local copy of a forest-wide
> authentication db (??) and users authenticate to the
> closest DC in the forest, regardless of the domain in
> which it resides? Any suggestions would be much
> appreciated.

Intelligent use of sites and the judicious scheduling of site
replication will help minimize WAN traffic during high traffic
hours. The latency resulting from this may be acceptable
for a single domain, or not -- that is your call. If you want
a local copy of a forest wide authentication db, use a single
domain.

http://www.microsoft.com/windows2000/techinfo/reskit/deploymentscenarios/scenarios/repl_design_sitetopology_active_directory_repl.asp

The link above should give some more ideas.

-- 
Matt Hickman   
  I object to conscription the way a lobster objects to boiling 
  water; it may be his finest hour but it is not his choice.
                          Robert A. Heinlein (1907 - 1988)
                         _Glory Road_ 1963
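As an added illustration of the trust-path point in the reply above (this is not code from the thread), the PowerShell below uses the RSAT ActiveDirectory module to count the parent/child trust hops a logon referral would traverse between two domains of one forest and to report whether a direct trust (parent-child or shortcut) already exists between them. The function names and the two domain names are assumptions; replace the placeholders with the forest's real domains.

```powershell
# Added example: estimate the Kerberos referral path between two domains in
# one forest and check for a direct trust. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

$forest  = Get-ADForest
$domains = @{}
foreach ($name in $forest.Domains) {
    $d = Get-ADDomain -Identity $name
    $domains[$d.DNSRoot] = $d
}

# Chain of domains from $dns up to the forest root. A tree root that is not
# the forest root still reaches it through the tree-root trust.
function Get-PathToRoot([string]$dns) {
    $chain = @()
    $cur = $dns
    while ($cur) {
        $chain += $cur
        $cur = $domains[$cur].ParentDomain
    }
    if ($chain[-1] -ne $forest.RootDomain) { $chain += $forest.RootDomain }
    return $chain
}

# Trust hops a referral takes without a shortcut trust: up from $from to the
# nearest common ancestor, then down to $to.
function Get-TrustHops([string]$from, [string]$to) {
    $a = Get-PathToRoot $from
    $b = Get-PathToRoot $to
    $common = $a | Where-Object { $b -contains $_ } | Select-Object -First 1
    return $a.IndexOf($common) + $b.IndexOf($common)
}

# True when the domain $in holds a trust object whose target is $target,
# i.e. a parent-child or shortcut trust already links the two directly.
function Test-DirectTrust([string]$in, [string]$target) {
    $t = Get-ADTrust -Filter { Target -eq $target } -Server $in -ErrorAction SilentlyContinue
    return [bool]$t
}

$from = 'eu.example.corp'   # placeholder: the user's home domain
$to   = 'ap.example.corp'   # placeholder: the domain the traveling user logs on in
$hops   = Get-TrustHops $from $to
$direct = Test-DirectTrust $to $from
"Referral path {0} -> {1}: {2} hop(s); direct trust present: {3}" -f $from, $to, $hops, $direct
if ($hops -gt 1 -and -not $direct) { "A shortcut trust between $to and $from would cut the path to 1 hop." }
```

Run it from a workstation or DC that can reach a DC in each domain named; a result of more than one hop with no direct trust is the case in which the shortcut trust the reply mentions helps.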

