Re: Logon Traffic
- From: "Herb Martin" <news@xxxxxxxxxxxxxx>
- Date: Wed, 29 Nov 2006 16:33:47 -0600
"Nigel" <nigel@xxxxxxxxxx> wrote in message
news:%23SM5O%23%23EHHA.924@xxxxxxxxxxxxxxxxxxxxxxx
Hi,
We have a forest with an empty root domain and several child domains such
as
company.local
uk.company.local
no.company.local
The child domains may have several DC's but they all reside within in
their respective local sites. Each site has a GC. No shortcut trusts are
in place.
Domains and sites are TECHNICALLY unrelated.
The whole point of introducing "sites" in Active
Directory was to eliminate (as much as practical)
the need to create Domains to handle location and
replication issues.
Workstations in uk & no can resolve dns for each domain but they are
unable to connect
directly to domain controllers in the other child domains due to routing
and firewalls.
Either fix this or add DCs for each remote domain
to the main (or other remote) site(s).
The root domain controllers are able to connect directly to all child
domains.
This is insufficient for cross-domain logon and
cross-domain resource access.
A user from no.company.local visits a site of uk.company.local and uses a
workstation
that is a member of uk.company.local and tries to log into the
no.company.local domain
In this case I assume the workstation & user will try to authenticate and
will initially
connect to a DC in the local site to authenticate. The local DC will be
able to authenticate
the workstation but not the user. In this case does the local DC forward
the request on
behalf of the user to a DC for no.company.local via a company.local DC or
does the
workstation have to directly connect to a DC in no.company.local?
http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/security/kerberos.mspx
Client computers chase the authentication referrals
themselves, but it really doesn't matter since the
computers in NO have to reach the computers in UK
whether they are DCs or clients (unless you are going
to differentially firewall only part of the computers.)
http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/security/kerberos.mspx
A user from no.company.local visits a site of uk.company.local and uses
his laptop
that is a member of no.company.local and tries to log into the
no.company.local domain
User may be accepted with CACHED credentials for his
own domain when that domain has no DCs available.
For a User from NO trying to logon AT a computer in
UK such caching would not be in force (since there would
be no successful previous logon.)
In this case I assume the workstation & user will try to authenticate and
will initially
connect to a DC in the local site to authenticate. The local DC will not
be able to authenticate
the workstation or the user. In this case does the local DC forward the
requests on behalf of
the user & laptop to a DC for no.company.local via a company.local DC or
does the
workstation have to directly connect to a DC in no.company.local?
It used to be documented this way PRIOR to Active Directory:
Trusts were used by the DCs of Domain1 to authenticate users
of Domain2 to allow logons from Domain1 computers.
I.e., the DCs did the referrals, but notice that Kerberos was
partly invented to AVOID having "servers" (either resource
or Ticket Granting servers) need to follow the referrals for
what could be thousands of client computers/users.
In NT days (prior to AD) there were NO "transitive trusts"
so DCs had to follow the trusts a maximum of 1 hop.
Thanks,
Nigel.
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
.
- Follow-Ups:
- Re: Logon Traffic
- From: Nigel
- Re: Logon Traffic
- References:
- Logon Traffic
- From: Nigel
- Logon Traffic
- Prev by Date: Re: Group Policy Error on 2nd DC when trying to use Domain Controller Security Policy
- Next by Date: Weird Error Please help
- Previous by thread: Re: Logon Traffic
- Next by thread: Re: Logon Traffic
- Index(es):
Relevant Pages
|
Loading
