If both domains are single domain forests then a Forest trust isn't as big a deal since its major selling point is that the trust is transitive. I suppose that you also would be able to use Kerberos for cross forest authentication, which is a nice feature that I don't believe is available in external trusts.
Phil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sakari Kouti
Sent: Thursday, January 06, 2005 4:43 PM
To: [email protected]
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests

Hi David,

In addition to SID filtering, you can protect a trust between domains in two forests (either a forest trust or an external trust) by using selective authentication (SA). SA is sometimes called an authentication firewall, and the idea is that only listed users can access only listed servers across the trust (in addition to traditional share and NTFS permissions).

If the new domain creates a new forest, its domain admins are not subject to the Enterprise Admins of the existing forest. This may or may not be of relevance to you.

I'm not sure if I understand your last question, but a forest trust is only possible if both forests are on the WS2003 FFL.

Yours,
Sakari

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg, David A
> Sent: Thursday, January 06, 2005 10:32 PM
> To: [email protected]
> Subject: [ActiveDir] Forest trusts vs trusts within forests
>
> Happy New Year!
> I'm having a design discussion with myself about adding a forest vs
> adding a domain to an existing forest. I understand about the
> automatic transitive trust between domains in a forest, and how it's
> possible for a clever domain admin in a subdomain to compromise the
> entire forest.
> What I'm shaky on is this: If you had two single-domain forests, and
> established trusts in both directions between them, do you have the
> same issues? I would think not, because the configuration and schema
> NCs are not shared between them, but I'm looking for some confirmation
> on that. Also, since we're talking about two single-domain forests,
> I'm guessing that the 'forest trusts' available in W2K3 FFL don't
> really come into play here, correct? In other words, getting the
> first domain to W2K3 FFL doesn't buy anything with respect to this
> trust?
>
> Thanks,
> Dave
>
> List info : http://www.activedir.org/mail_list.htm
> List FAQ : http://www.activedir.org/list_faq.htm
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
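One way to audit the properties this thread turns on (transitivity, SID filtering, selective authentication) across every trust a domain holds, as an added example that is not from any poster in the thread. It decodes the trustAttributes bit flags documented in MS-ADTS; the sample objects are constructed to stand in for Get-ADTrust output, and the live call in the comment assumes the ActiveDirectory PowerShell module.

```powershell
# Added example (not from the thread). Classifies each trust by its
# trustAttributes bits (MS-ADTS) and reports which protections discussed
# above are missing: SID filtering and selective authentication (SA).
$NON_TRANSITIVE     = 0x01
$QUARANTINED_DOMAIN = 0x04   # SID filtering quarantine on external trusts
$FOREST_TRANSITIVE  = 0x08   # WS2003 FFL forest trust, transitive
$CROSS_ORGANIZATION = 0x10   # selective authentication ("authentication firewall")
$WITHIN_FOREST      = 0x20   # parent/child or tree-root trust inside one forest
$TREAT_AS_EXTERNAL  = 0x40   # relaxes the stricter forest-trust SID filtering

function Get-TrustAudit {
    # Accepts any object with Name, Direction and TrustAttributes (as Get-ADTrust emits).
    param([Parameter(ValueFromPipeline)] $Trust)
    process {
        $a = [int]$Trust.TrustAttributes
        $issues = @()
        if ($a -band $WITHIN_FOREST) {
            # The case Dave worried about: transitive by design, no SID filtering or
            # SA to apply, and Enterprise Admins reach every domain in the forest.
            $kind = 'Intra-forest'
            $issues += 'transitive by design; SID filtering and SA not available'
        } elseif ($a -band $FOREST_TRANSITIVE) {
            $kind = 'Forest trust'
            if ($a -band $TREAT_AS_EXTERNAL) { $issues += 'SID filtering relaxed (TREAT_AS_EXTERNAL)' }
            if (-not ($a -band $CROSS_ORGANIZATION)) { $issues += 'selective authentication off' }
        } else {
            $kind = 'External trust'
            if (-not ($a -band $QUARANTINED_DOMAIN)) { $issues += 'SID filtering (quarantine) off' }
            if (-not ($a -band $CROSS_ORGANIZATION)) { $issues += 'selective authentication off' }
        }
        [pscustomobject]@{
            Name       = $Trust.Name
            Direction  = $Trust.Direction
            Kind       = $kind
            Transitive = [bool](($a -band $WITHIN_FOREST) -or ($a -band $FOREST_TRANSITIVE)) -and -not ($a -band $NON_TRANSITIVE)
            Issues     = if ($issues) { $issues -join '; ' } else { 'none' }
        }
    }
}

# Constructed sample trusts standing in for Get-ADTrust output.
# Live audit (assumes the ActiveDirectory module): Get-ADTrust -Filter * | Get-TrustAudit
$sample = @(
    [pscustomobject]@{ Name = 'child.corp.example'; Direction = 'BiDirectional'; TrustAttributes = 0x20 },
    [pscustomobject]@{ Name = 'partner.example';    Direction = 'BiDirectional'; TrustAttributes = 0x08 },
    [pscustomobject]@{ Name = 'legacy.example';     Direction = 'Outbound';      TrustAttributes = 0x05 },
    [pscustomobject]@{ Name = 'vendor.example';     Direction = 'Inbound';       TrustAttributes = 0x18 }
)
$sample | Get-TrustAudit | Format-Table -AutoSize
```

The output flags partner.example (forest trust without SA) and child.corp.example (intra-forest, nothing to filter), while legacy.example and vendor.example show the external and forest trusts with the protections Sakari describes in place.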
