Hmm - I wouldn't 100% call the domain the authentication "boundary".
Authentication in a W2k+ Network without any mods not to rely on the GC is done - as you said - via DC of the same domain the account resides plus any GC of the forest - not necessarily that a GC which resides in the same domain is available but the logon will work.

Ulf "I also don't agree with the general 'Forest is the security boundary'-statement" B. Simon-Weidner

|-----Original Message-----
|From: [EMAIL PROTECTED]
|[mailto:[EMAIL PROTECTED] On Behalf Of
|Almeida Pinto, Jorge de
|Sent: Monday, October 17, 2005 6:47 PM
|To: [email protected]; [email protected]
|Subject: RE: [ActiveDir] Global Catalog
|
|Yes you are correct. The answer is No. A domain within a
|forest is the authentication boundary. So when all DCs of
|domain "other.biz" are unavailable the users from "other.biz"
|will not be able to log on as there is no DC available to
|authenticate the user at logon and create the access token.
|During logon a GC is contacted to check if universal group
|memberships exist for the user account logging on.
|
|Jorge
|
|________________________________
|
|From: [EMAIL PROTECTED] on behalf of Pete
|Sent: Mon 10/17/2005 5:57 PM
|To: [email protected]
|Subject: [ActiveDir] Global Catalog
|
|Hi
|
|Just a quick and easy question to profs:
|
|Can AD domain controller of one domain (one.com) with Global
|Catalog function enabled somehow process logon request of user
|from different domain (other.biz), in case when all domain
|controllers for that other domain (other.biz) are not reachable?
|
|I believe - no.
|Am I right?
|
|Thanks,
|
|Pete
|
|--
|List info : http://www.activedir.org/List.aspx
|List FAQ : http://www.activedir.org/ListFAQ.aspx
|List archive:
|http://www.mail-archive.com/activedir%40mail.activedir.org/
