Andrew, Really interesting problem that you're experiencing here. I can't say that I have seen this, but I would say in my experience I've worked with a few multi-tree and multi-forest scenarios. Both the multi-tree and forest would naturally use a different DNS namespace for each tree or forest.
I don't see this behavior, so it is concerning. You note that this is Windows Server 2003. Is there anything that you can detail about the DNS configuration? Being a Realm 'root', is the DNS on BIND? (Not that it's a bad thing...) How do the clients find the DNS that is authoritative for a given domain (standard forwarding, conditional, stub zones), and where are the glue records for the specific cross-domain resolution (stub zones or secondaries)?

If this was Windows 2000, I'd be more apt to be asking questions about the configuration of the trusts - are they set as transitive for the Realm Trusts? On and on and so forth... 2K3 seems to have resolved much of that issue.

Rick

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andrew Riley
Sent: Wednesday, June 22, 2005 4:06 PM
To: [email protected]
Subject: [ActiveDir] Windows -> MIT Cross-realm auth to domains not in the same dns hierarchy

A few months ago I started a project to allow a Windows domain to trust another Windows domain that trusts an MIT Kerberos Realm for user logons. An example of this setup would be:

SCHOOL.EDU <- our MIT Realm
AD.SCHOOL.EDU <- the Windows domain that trusts the MIT Realm
OTHER.AD.SCHOOL.EDU <- a trusting Windows domain

All of the Windows servers are Windows Server 2003. We have established a forest trust between the two Windows domains/forests, entered a new Domain Suffix in AD.SCHOOL.EDU for SCHOOL.EDU, established a REALM Trust between AD.SCHOOL.EDU and SCHOOL.EDU, and used KSETUP or registry entries to add the references to the KDCs for SCHOOL.EDU on the workstations in OTHER.AD.UPENN.EDU. Additionally, users in AD.SCHOOL.EDU have a name mapping to their MIT Kerberos principal.

In this setup, someone with a user account in AD.SCHOOL.EDU can walk up to a workstation in OTHER.AD.SCHOOL.EDU, enter their MIT Kerberos principal and password, select SCHOOL.EDU (Kerberos Realm) from the "Log on to:" box, and be authenticated as their user account in AD.SCHOOL.EDU.

The preceding solution works great, but I've found that if we establish a trust to a domain such as DOMAIN.SCHOOL.EDU (not in the same DNS hierarchy as AD.SCHOOL.EDU) then user logons fail. I've gone as far as setting up 2 other domains in a different DNS hierarchy and then swapping the trust around between the 4, and it's definitely something to do with how the domains are arranged DNS-wise. None of them are in the same forests, so it seems like some parent DNS suffix fallback that's being applied, but I have no idea where to look.

Any ideas?

thanks
andrew

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
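Andrew's hunch that "some parent DNS suffix fallback" is in play matches how Kerberos chooses a cross-realm path when nothing explicit is configured: RFC 4120 section 1.2 describes walking the realm hierarchy by shared name components. The Python below is an added illustration (not from the thread, and not a Windows or MIT tool) that computes that default path and checks each hop against a constructed set of the direct trusts named in the post. The trust list, the function names and the "no shared suffix means direct" rule are the example's own assumptions.

```python
# Added example (not from the thread): model the default hierarchical
# cross-realm referral path Kerberos uses when no explicit path is configured
# (RFC 4120 section 1.2) and check it against a set of direct trusts.
# Realm names are the ones in Andrew's post; the trust set is a constructed
# model, not a dump of any real configuration.


def hierarchical_path(client_realm, server_realm):
    """Realms a cross-realm TGT request walks through, in order, ending at
    server_realm: up from client_realm to the longest shared DNS suffix, then
    down to server_realm. Returns [] when the two realms are identical."""
    c = client_realm.upper().split(".")
    s = server_realm.upper().split(".")
    # Length of the shared suffix, e.g. 2 for anything under SCHOOL.EDU.
    shared = 0
    while shared < min(len(c), len(s)) and c[-1 - shared] == s[-1 - shared]:
        shared += 1
    if shared == 0:
        # No common suffix, so there is no hierarchy to walk; this model
        # assumes the client's KDC must then hold a direct key for the target.
        return [server_realm.upper()]
    path = []
    # Up: strip one leading label at a time until the shared suffix is reached.
    for k in range(1, len(c) - shared + 1):
        path.append(".".join(c[k:]))
    # Down: from the realm just below the shared suffix to server_realm.
    for j in range(len(s) - shared - 1, -1, -1):
        path.append(".".join(s[j:]))
    return path


def first_missing_hop(client_realm, server_realm, direct_trusts):
    """Return the first (from, to) hop on the hierarchical path that no direct
    trust backs, or None when every hop is covered. Trusts are treated as
    usable in both directions for this model."""
    trusted = {frozenset(pair) for pair in direct_trusts}
    current = client_realm.upper()
    for nxt in hierarchical_path(client_realm, server_realm):
        if frozenset((current, nxt)) not in trusted:
            return (current, nxt)
        current = nxt
    return None


# Constructed model of the trusts described in the thread.
TRUSTS = [
    ("AD.SCHOOL.EDU", "SCHOOL.EDU"),           # realm trust to the MIT realm
    ("OTHER.AD.SCHOOL.EDU", "AD.SCHOOL.EDU"),  # forest trust; logons work
    ("DOMAIN.SCHOOL.EDU", "AD.SCHOOL.EDU"),    # forest trust; logons fail
]

if __name__ == "__main__":
    # A user holding a SCHOOL.EDU TGT needs a ticket in the workstation's
    # domain, so the walk starts at the MIT realm.
    for target in ("OTHER.AD.SCHOOL.EDU", "DOMAIN.SCHOOL.EDU"):
        path = hierarchical_path("SCHOOL.EDU", target)
        gap = first_missing_hop("SCHOOL.EDU", target, TRUSTS)
        print(f"SCHOOL.EDU -> {target}: path {path}; missing hop: {gap}")
```

Under this model the path to OTHER.AD.SCHOOL.EDU rides along the two existing trusts, while DOMAIN.SCHOOL.EDU gets a one-hop path straight from SCHOOL.EDU that no direct trust backs, which is one way a DNS-shaped default path could produce exactly the failures described. On the MIT side, the [capaths] section of krb5.conf is the standard way to override the default path when the trust topology does not follow the DNS hierarchy.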
