Re: Child Domains




"D Warner" <DWarner@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:4A1644BE-2415-434A-88A2-8AA69531D707@xxxxxxxxxxxxxxxx
> I have a parent domain at the corporate office. I have added a child
> domain at a remote site with 1 DC/GC. The remote site will have multiple
> Member servers of the Child Domain. From the corporate office I want to
> log in to a member server of the child domain with my parent domain
> account.

Then you will be logging INTO your domain, to use resources
on the server or even to logon AT that server (e.g., with Terminal
Services.)

> Is it possible for the member server to do its authentication to the
> child's Domain Controller and not come back over the WAN to authenticate
> to the Parent's DC?

That's not the way AD authentication works but it is
as good or better than you are assuming:

The Logon (wherever you logon) authenticates the
user in his/her OWN domain and provides both the
Kerberos "ticket granting ticket" AND the normal
Windows Security Access Token.

When you access a server the CLIENT machine
will either use those existing credentials or get
a ticket (perhaps from another domain) to access
a server's resources.

> With the child DC being a Global Catalog it should be able to do this
> right?

Authentication is NOT done at a GC (in its guise as a GC)
but by Domain Controllers.

Domain Controllers are also used to traverse the
"referral path" for resources in other domains (i.e.,
other domains' DCs are used.)

> The issue is I don't want to open up all the AD ports (LDAP, Kerberos,
> RPC, etc) on the firewall to all the member servers.

Member servers have to authenticate THEMSELVES when
they boot anyway.

So you will need them to be able to talk to AT LEAST
a DC of their own domain.

> I just want to have the ports open for the Domain controllers. Plus
> authentication will be much quicker locally.

Clients (and member servers or computers) will normally
authenticate to a local DC anyway, but both users AND
computers (including member servers) need to authenticate.

> I got 2 different Sites and Subnets set up. This should
> work right?

The Sites will help control replication (efficiently across
the WAN) and the authentication will NORMALLY happen
in the same SITE IF there is a DC present in that site.

> If not, I totally misplanned. Thanks for any help in this
> matter.


--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
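The two points above (a member server must reach at least a DC of its own domain, and site/subnet setup should steer it to the local DC) can be checked from the member server itself. This is an added example, not code from the thread; it assumes it is run on a child-domain member server, and the port list is the usual DC set rather than anything the thread specifies.

```powershell
# Added example (not from the thread): confirm that a child-domain member
# server locates a DC in its own site, and that the ports it needs to that
# DC are reachable through the firewall. Run on the member server itself.
function Test-LocalDcAffinity {
    param(
        # Defaults to the member server's own domain (the child domain).
        [string]$Domain = $env:USERDNSDOMAIN
    )

    # Site the server is mapped into via its subnet (from AD Sites and Services).
    $mySite = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name

    # DC the locator picks for the server's own domain (site-aware lookup).
    $ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $Domain)
    $dc  = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx).FindDomainController()

    # Ports a member server needs to its own DCs for secure channel, Kerberos
    # and LDAP (assumed standard set: DNS, Kerberos, RPC endpoint mapper,
    # LDAP, SMB, kpasswd, Global Catalog). Ephemeral RPC ports are not probed.
    $ports = @{ DNS = 53; Kerberos = 88; RPC = 135; LDAP = 389; SMB = 445; Kpasswd = 464; GC = 3268 }
    $reach = @{}
    foreach ($name in $ports.Keys) {
        $reach[$name] = Test-NetConnection -ComputerName $dc.Name -Port $ports[$name] -InformationLevel Quiet
    }

    [pscustomobject]@{
        ComputerSite     = $mySite
        DomainController = $dc.Name
        DcSite           = $dc.SiteName
        LocalSiteMatch   = ($mySite -eq $dc.SiteName)   # $false means it went over the WAN
        PortsReachable   = $reach
    }
}

Test-LocalDcAffinity | Format-List
```

If LocalSiteMatch is false, check the subnet-to-site mapping for the remote site before opening more firewall ports; if it is true but a port shows unreachable, the firewall rule between the member server and its local DC is the gap.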




