Re: Forest Trusts are backwards?


From: Ace Fekay [MVP] (PleaseSubstituteMyActualFirstName&LastNameHere_at_hotmail.com)
Date: 09/27/04


Date: Sun, 26 Sep 2004 23:09:33 -0400

In news:2ro12kF1clet0U1@uni-berlin.de,
Spin <spin@spin.com> made a post then I commented below
> Gurus,
>
> Given two Windows Server 2003 forests.
>
> I originally created Forest A.
> Then I created Forest B, which sits in a DMZ.
> Both forests are in the same network infrastructure.
>
> I want Forest B in the DMZ to trust my original Forest A, but do not
> want Forest A to trust Forest B in case Forest B gets compromised.
>
> I created what I thought was correct, a one-way outgoing trust from
> Forest B pointing to Forest A. In Forest B, at the CTRL+ALT+DEL logon
> box, I have the option to log into either Forest A or B. In Forest
> A, I only have the option to log into Forest A.
>
> Question #1) Shouldn't this be the other way around? In my situation
> B trusts A and I can log into either A or B from any computer in
> Forest B. At any computer in Forest A, I can only log into Forest A.
> Question #2) In Forest B, once I make a connection to any computer in
> Forest A and specify a username and password, all subsequent
> connections to that computer do not prompt for a username and
> password. I do not want this behavior. I heard this was due to
> Credential Manager but I looked that up and it seems to apply only to
> Windows XP. Can some expert please un-confuse me?

Just to reiterate, Scott, not a good idea.

You're probably better off creating an identical user/pass on both domains
so you can access resources both ways.

As for the trust directions, if B trusts A, then you're letting A accounts
into the B domain, which is why the A domain will not show the B domain in
the dropdown list.

-- 
Regards,
Ace
Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.
This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.
Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services
Security Is Like An Onion, It Has Layers
HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.
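As an added illustration (this is not code from Ace's reply or from anyone in the thread), the following PowerShell reads the trust objects from the DMZ side and spells out what each direction means, checks that the only trust toward the internal forest is outbound from B (the direction the poster said he intended), and shows how to close the cached connection and saved credential that keep a second connection to a Forest A server from prompting (the poster's question #2). It assumes the ActiveDirectory module, which shipped after Windows Server 2003 (on 2003 the comments give the netdom equivalent for listing trusts), and uses the placeholder names a.corp.example, b.dmz.example, dc1.b.dmz.example and fileserver.a.corp.example.

```powershell
# Added example, not code from the original newsgroup thread.
# Assumptions: RSAT ActiveDirectory module (Windows Server 2008 R2 or later;
# on Windows Server 2003 use "netdom query trust" instead, see below), and
# placeholder names a.corp.example (internal forest A) and b.dmz.example (DMZ forest B).
Import-Module ActiveDirectory

# Direction on a trust object is relative to the domain you query it from:
#   Outbound      = this domain trusts Target  (Target's accounts usable here)
#   Inbound       = Target trusts this domain  (our accounts usable over there)
#   BiDirectional = both
function Get-TrustSummary {
    param([string]$Server = 'dc1.b.dmz.example')   # a DC in the DMZ forest B (placeholder)

    Get-ADTrust -Filter * -Server $Server | ForEach-Object {
        $meaning = switch ($_.Direction) {
            'Outbound'      { "$($_.Source) trusts $($_.Target); $($_.Target) accounts can be used on $($_.Source) machines" }
            'Inbound'       { "$($_.Target) trusts $($_.Source); $($_.Source) accounts can be used on $($_.Target) machines" }
            'BiDirectional' { "two-way trust between $($_.Source) and $($_.Target)" }
        }
        [pscustomobject]@{
            Source                  = $_.Source
            Target                  = $_.Target
            Direction               = $_.Direction
            ForestTransitive        = $_.ForestTransitive
            SIDFilteringForestAware = $_.SIDFilteringForestAware
            SIDFilteringQuarantined = $_.SIDFilteringQuarantined
            SelectiveAuthentication = $_.SelectiveAuthentication
            Meaning                 = $meaning
        }
    }
}

# The poster's goal: B (DMZ) trusts A, and A never trusts B. Queried from B
# that means the trust toward A must be Outbound only; an Inbound or
# BiDirectional trust would let B accounts authenticate in A, which is the
# exposure the poster wanted to avoid if B is compromised.
function Test-DmzTrustDirection {
    param(
        [string]$Server         = 'dc1.b.dmz.example',
        [string]$InternalForest = 'a.corp.example'
    )
    $toA = Get-ADTrust -Filter "Target -eq '$InternalForest'" -Server $Server
    if (-not $toA) {
        Write-Warning "No trust toward $InternalForest found on $Server"
        return $false
    }
    $bad = $toA | Where-Object { $_.Direction -ne 'Outbound' }
    if ($bad) {
        $bad | ForEach-Object {
            Write-Warning "Trust $($_.Name) is $($_.Direction); $InternalForest would accept B accounts"
        }
        return $false
    }
    if (-not ($toA.SIDFilteringForestAware -or $toA.SIDFilteringQuarantined)) {
        Write-Warning "SID filtering is not enabled on the trust to $InternalForest; review it before relying on this trust from a DMZ"
    }
    return $true
}

# Windows Server 2003 equivalent of the listing above (no ActiveDirectory module):
#   netdom query trust
#   netdom trust b.dmz.example /domain:a.corp.example /verify

# Question #2 in the thread: after one authenticated connection from a B machine
# to a server in A, later connections reuse the open SMB session and any stored
# credential, so no prompt appears. Closing the session and deleting the stored
# entry brings the prompt back. cmdkey and net use exist on XP and Server 2003.
function Clear-CachedAccess {
    param([string]$Target = 'fileserver.a.corp.example')   # placeholder host in forest A
    net use "\\$Target" /delete 2>$null        # close the existing SMB session
    cmdkey /list | Select-String $Target       # show any stored credential for that host
    cmdkey /delete:$Target                     # remove it from the credential store
}

Get-TrustSummary | Format-Table -AutoSize
Test-DmzTrustDirection
```

Run the first two functions on a domain controller in Forest B, not in Forest A: the same trust shows up as Inbound when queried from A, so reading it from the wrong side is the easiest way to reach the backwards conclusion in the question. Clear-CachedAccess is run on the Forest B workstation that made the connection.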