There isn't a simple answer to this, as it depends on multiple factors:
- the domain model within your forests and the trusts that you've set up between the two
- the SP level of 2000 (and it works quite a bit differently once you have 2003 forests)
But as a start: when you are _accessing_ a resource in a trusted forest B from a workstation in forest A, this is NOT a cross-forest login process. You are merely being _authorized_ to access the resource (the authentication of your account has already happened in your forest A).
Actually, for Windows 2000, we can't really speak of two _forests_ that trust each other, as 2000 can only support NTLM trusts to domains outside its own forest (just like a trust between two NT4 domains). This means you're not setting up a trust from forest A to forest B; instead you have to set up trusts between all domains of each forest (if the forests are both single-domain forests, then it merely looks like you're building a forest trust). Assuming single domains, we'll continue speaking of trusted forests. By forest B trusting forest A, the authenticated user from forest A is allowed to access those resources where you grant the user (or a group that the user is a member of) the appropriate permissions.
However, as the trust between the two is built on NTLM (and not Kerberos), when the authenticated user from forest A accesses the resources in forest B, the NTLM token will be validated again against a DC from forest A (unlike Kerberos, where the token is enough to authorize access to the resource).
If the user from forest A walks up to a workstation in forest B, his authentication is naturally triggered on the workstation in forest B. This workstation follows the trust relationship between the forest/domain it's a member of and forest A, and the user is finally authenticated via a DC/GC in forest A. So in this example, which are the GPOs that are applied to the user and the workstation? Prior to SP4, the user's GPOs from forest/domain A are automatically applied as well as the workstation GPOs from forest/domain B. With SP4 you can explicitly configure the GPOs in each of the domains to allow you to determine GPO processing in "cross-forest" scenarios (i.e. by default, the user GPO from forest/domain A would NOT be applied to the user logging on to a workstation in forest/domain B).
/Guido
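As an added example (this is not part of Guido's reply or of the original thread), the following PowerShell script turns the two points above into a check you can run on a domain-joined machine: it lists the trusts of the current domain and flags whether each one is a domain-level (external, NTLM pass-through style) trust or a forest trust, and it reads the local "Allow Cross-Forest User Policy and Roaming User Profiles" setting that governs the SP4-and-later GPO behaviour Guido describes. It assumes .NET's System.DirectoryServices.ActiveDirectory classes are available (any current Windows host), and the registry path and value name used for the policy are this example's assumption about where that GPO setting lands, not something stated in the thread.

```powershell
# Added example, not from the original mailing-list post.
# Assumes: a domain-joined Windows host; System.DirectoryServices.ActiveDirectory
# is available (ships with .NET); you have read access to the trust information.

Add-Type -AssemblyName System.DirectoryServices

function Get-TrustSummary {
    # Enumerate every trust of the current domain and classify it the way the
    # reply above does: an External trust is a domain-to-domain trust (the
    # NT4/2000-style case, where the resource side asks a DC in the trusted
    # domain to validate the logon), a Forest trust is the transitive,
    # Kerberos-capable kind introduced with 2003 forests.
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    foreach ($t in $domain.GetAllTrustRelationships()) {
        $note = switch ("$($t.TrustType)") {
            'External' { 'Domain-level trust: logon validated against a DC in the trusted domain (NTLM pass-through)' }
            'Forest'   { 'Forest trust: transitive, Kerberos referrals between forests' }
            default    { 'Intra-forest (parent/child, tree-root, shortcut) or other trust' }
        }
        [pscustomobject]@{
            Source    = $t.SourceName
            Target    = $t.TargetName
            Direction = $t.TrustDirection   # Inbound, Outbound or Bidirectional
            Type      = $t.TrustType        # External, Forest, ParentChild, TreeRoot, CrossLink, ...
            Note      = $note
        }
    }
}

function Get-CrossForestPolicySetting {
    # Reads the local policy value for "Allow Cross-Forest User Policy and
    # Roaming User Profiles". ASSUMPTION of this example: the GPO writes the
    # DWORD below under the Windows\System policies key; adjust if your
    # environment stores it elsewhere.
    $key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $name = 'AllowX-ForestPolicy-and-RUP'
    $val  = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $val) {
        # Default behaviour described above for SP4 and later: the user logging
        # on from the trusted forest gets only this machine's computer GPOs.
        return 'Not configured: user GPOs from the trusted forest are NOT applied to cross-forest logons'
    }
    if ($val -eq 1) {
        return 'Enabled: user GPOs and roaming profiles from the trusted forest ARE applied to cross-forest logons'
    }
    return 'Disabled: user GPOs from the trusted forest are NOT applied to cross-forest logons'
}

# Usage
Get-TrustSummary | Format-Table -AutoSize
Get-CrossForestPolicySetting
```

Run it as a user who can read the domain; the `Type` column tells you at a glance which trusts will make the resource server call back to a DC in the other domain during a logon, and the second function tells you what GPO processing a cross-forest logon on this particular workstation will get.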
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Monday, 1 March 2004 18:13
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Can someone describe the cross-forest login process?
I am looking for a brief synopsis of the Windows 2000 cross-forest login process.
User in Forest A, accesses Resource in Forest B (one-way trust where Forest B trusts Forest A). How does the user get authenticated?
Specifically, when a resource is trying to authenticate a user from a trusted remote forest, does the authentication request only touch a local DC (presumably a GC) or does the authenticating server query a remote forest Domain Controller?
Thanks for any and all responses that shed light on this for me :-)
Michael Parent MCSE MCT
Analyst I - Web Services
ITOS - Systems Enablement
Maritime Life Assurance Company
(902) 453-7300 x3456
