Re: Child Domain access
- From: "Mike Brannigan [MSFT]" <mikebran@xxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 25 Jul 2005 08:29:00 +0100
"Pscyime via WinServerKB.com" <forum@xxxxxxxxxxxxxxx> wrote in message
news:51CC808C93E1C@xxxxxxxxxxxxxxxxxx
>
> Hi
>
> Thanks for your explanation Mike,
>
> You wrote...."So you logon TO A PC using a set of credentials from a
> particular domain
> that can be reached by trust relationships to authenticate your account"
>
> as there is a two way trust between child and parent does this not mean I
> should be able to authenticate in the child domain with domain / ent admin
> account which exists in the TRUSTED parent domain?
No. You can only be authenticated by a Domain controller for a domain that
holds your account. So if the PC is in the child domain you can log on to IT
and be authenticated using your account from the parent domain as there is a
trust; and you can choose that parent domain to do your user authentication
at login by dropping down the Domain drop down list (or using a fully
qualified user name).
> If not does this mean if
> an administrator creates a child domain he must also duplicate his
> domain/enterprise admin account in that domain
>
No, you never duplicate accounts. The fact that there are transitive trusts
within the forest means that you can log on to any PC using any account from
any domain in the forest (by default) and that administrators of resources
in a domain can grant access to them for any account or group from any other
domain.
> apologies if I misunderstand....I am doing some reading (just passed MCP in
> XP and am studying for 2003 as we speak)
>
> I appreciate you taking time in explaining this scenario
>
--
Regards,
Mike
--
Mike Brannigan [Microsoft]
This posting is provided "AS IS" with no warranties, and confers no rights
Please note I cannot respond to e-mailed questions, please use these newsgroups
"Pscyime via WinServerKB.com" <forum@xxxxxxxxxxxxxxx> wrote in message
news:51CC808C93E1C@xxxxxxxxxxxxxxxxxx
>
> Regards
>
> Simon
>
>
>
> Mike Brannigan [MSFT] wrote:
>>> Hi
>>>
>>[quoted text clipped - 34 lines]
>>>
>>> Kind regards
>>
>>There is no replication issue here. Everything is working exactly as it
>>should.
>>You can be authenticated by any domain that you have credentials in.
>>So you logon TO A PC - using a set of credentials from a particular domain
>>that can be reached by trust relationships to authenticate your account.
>>So you can logon to any PC in the forest using your domain credentials
>>from
>>any specific domain using your fully qualified domain name or by using the
>>drop down box to select the domain to authenticate you.
>>
>>If this does not make sense then you need to do more reading on the way
>>authentication works in an AD forest - there are lots of articles about
>>this
>>online in TechNet.
>>
>>> Hi
>>>
>>[quoted text clipped - 36 lines]
>>>
>>> Si
>
>
> --
> Message posted via WinServerKB.com
> http://www.winserverkb.com/Uwe/Forums.aspx/windows-server-ad/200507/1
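
The logon routing described in this thread, as an added example that is not part of the original posts: a small Python model in which the domain holding the account always performs the authentication, and the PC's domain only needs a trust path to it. The domain names, accounts and the `user@domain` form (suffix assumed equal to the domain's DNS name) are constructed, and the one-way, non-transitive external trust goes beyond the thread to contrast with the forest's transitive trusts.

```python
from collections import deque

# Constructed sample data; all domain and account names are hypothetical.
# Parent/child trusts inside a forest are two-way and transitive.
FOREST_TRUSTS = {("corp.example", "emea.corp.example"),
                 ("corp.example", "apac.corp.example")}
# External trust: one-way and non-transitive, stored as (trusting, trusted).
EXTERNAL_TRUSTS = {("corp.example", "partner.example")}
ACCOUNTS = {"corp.example": {"entadmin"},
            "emea.corp.example": {"simon"},
            "partner.example": {"guest"}}


def trust_path(pc_domain, account_domain):
    """Domains a logon request crosses from the PC's domain to the account's domain."""
    if pc_domain == account_domain:
        return [pc_domain]
    if (pc_domain, account_domain) in EXTERNAL_TRUSTS:
        return [pc_domain, account_domain]  # direct hop only, never chained
    neighbours = {}
    for a, b in FOREST_TRUSTS:  # two-way: usable in both directions
        neighbours.setdefault(a, set()).add(b)
        neighbours.setdefault(b, set()).add(a)
    queue, seen = deque([[pc_domain]]), {pc_domain}
    while queue:  # breadth-first search models following transitive trusts
        path = queue.popleft()
        for nxt in sorted(neighbours.get(path[-1], ())):
            if nxt == account_domain:
                return path + [nxt]
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


def logon(pc_domain, user_name):
    """Return (authenticating_domain, trust_path) for 'user@domain' at a PC."""
    user, _, account_domain = user_name.partition("@")
    path = trust_path(pc_domain, account_domain)
    if path is None:
        raise PermissionError(f"{pc_domain} has no trust path to {account_domain}")
    # Only a DC of the domain that holds the account can check the credentials.
    if user not in ACCOUNTS.get(account_domain, ()):
        raise PermissionError(f"no account {user!r} in {account_domain}")
    return account_domain, path
```

Selecting the child domain for a parent-domain account fails in this model because no such account exists there, while the same account logs on at a child-domain PC once the parent domain is chosen as the authenticating domain.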