Well, I call it that way because a user can authenticate with only DCs from its 
domain available (assuming the requirement for a GC is disabled) but cannot 
authenticate without a DC from its domain while having a GC available. You are 
correct that any GC in the forest may be used if the GC requirement is enabled 
(by default) or even use the crappy "universal group caching feature". So you 
need a DC from your domain to authenticate and that is why a domain is called 
the authentication boundary (at least for me ;-) )
 
So why don't you agree with the "general - forest is the security boundary - 
statement"?
Jorge
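To make the dependency Jorge and Ulf describe concrete, here is a small Python model of the logon decision (an added example, not part of the thread or of any Microsoft code). It encodes the rules as stated above: a reachable DC from the account's own domain is mandatory, and by default a GC anywhere in the forest must also be reachable for universal group expansion unless that requirement has been switched off or universal group membership caching is in use. The forest layout, host names and the two configuration flags are constructed for illustration.

```python
"""Model of the AD logon dependency discussed in the thread.

Added example, not code from the thread. The forest below is constructed:
two domains (one.com, other.biz); each DC record says whether it holds the
Global Catalog role and whether it is currently reachable.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class DomainController:
    name: str
    domain: str
    is_gc: bool
    reachable: bool


# Constructed forest: other.biz DCs are down, one.com DC (a GC) is up.
FOREST = [
    DomainController("dc1.one.com", "one.com", is_gc=True, reachable=True),
    DomainController("dc1.other.biz", "other.biz", is_gc=False, reachable=False),
    DomainController("dc2.other.biz", "other.biz", is_gc=True, reachable=False),
]


def set_reachable(dcs, name, up):
    """Return a copy of the DC list with one DC marked reachable/unreachable."""
    return [replace(dc, reachable=up) if dc.name == name else dc for dc in dcs]


def evaluate_logon(user_domain, dcs, gc_required=True, ugmc_enabled=False):
    """Decide whether a user from `user_domain` can log on.

    Returns (can_logon, reason). Rules as stated in the thread:
    - a DC of the user's own domain must be reachable; a GC of another
      domain cannot authenticate the user (domain = authentication boundary);
    - with the default GC requirement, a GC somewhere in the forest must be
      reachable to expand universal group memberships, unless the requirement
      is disabled or universal group membership caching (UGMC) is in use.
    `gc_required` and `ugmc_enabled` are hypothetical flags for those settings.
    """
    own_dcs = [dc for dc in dcs if dc.domain == user_domain and dc.reachable]
    if not own_dcs:
        return False, (f"no reachable DC for {user_domain}; a GC in another "
                       "domain cannot stand in for it")
    if gc_required and not ugmc_enabled:
        gcs = [dc for dc in dcs if dc.is_gc and dc.reachable]
        if not gcs:
            return False, ("GC required for universal group expansion but "
                           "none reachable in the forest")
        return True, (f"authenticated by {own_dcs[0].name}; universal groups "
                      f"expanded via GC {gcs[0].name}")
    return True, (f"authenticated by {own_dcs[0].name}; GC lookup skipped "
                  "(requirement disabled or memberships cached)")


if __name__ == "__main__":
    # Pete's scenario: all other.biz DCs down, only a one.com GC available.
    print(evaluate_logon("other.biz", FOREST))
    # Bring one other.biz DC back: logon works, GC comes from one.com.
    up = set_reachable(FOREST, "dc1.other.biz", True)
    print(evaluate_logon("other.biz", up))
    # Own DC up but no GC anywhere: depends on the GC requirement / UGMC.
    no_gc = set_reachable(up, "dc1.one.com", False)
    print(evaluate_logon("other.biz", no_gc))
    print(evaluate_logon("other.biz", no_gc, gc_required=False))
    print(evaluate_logon("other.biz", no_gc, ugmc_enabled=True))
```

Running it walks through the cases in the thread: Pete's question answers "no", restoring a single other.biz DC makes the logon succeed with the one.com GC supplying universal group membership, and losing every GC only matters while the GC requirement is in force and no membership cache is available.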

________________________________

From: [EMAIL PROTECTED] on behalf of Ulf B. Simon-Weidner
Sent: Mon 10/17/2005 11:24 PM
To: [email protected]
Subject: RE: [ActiveDir] Global Catalog
Hmm - I wouldn't 100% call the domain the authentication "boundary".

Authentication in a W2k+ network, without any mods so as not to rely on the GC, is
done - as you said - via a DC of the same domain the account resides in plus any
GC in the forest. It is not necessary that a GC residing in the same
domain is available; the logon will still work.

Ulf "I also don't agree with the general 'Forest is the security
boundary'-statement" B. Simon-Weidner

|-----Original Message-----
|From: [EMAIL PROTECTED]
|[mailto:[EMAIL PROTECTED] On Behalf Of
|Almeida Pinto, Jorge de
|Sent: Monday, October 17, 2005 6:47 PM
|To: [email protected]; [email protected]
|Subject: RE: [ActiveDir] Global Catalog
|
|Yes you are correct. The answer is No. A domain within a
|forest is the authentication boundary. So when all DCs of
|domain "other.biz" are unavailable the users from "other.biz"
|will not be able to log on as there is no DC available to
|authenticate the user at logon and create the access token.
|During logon a GC is contacted to check if universal group
|memberships exist for the user account logging on.
|
|Jorge
|
|________________________________
|
|From: [EMAIL PROTECTED] on behalf of Pete
|Sent: Mon 10/17/2005 5:57 PM
|To: [email protected]
|Subject: [ActiveDir] Global Catalog
|
|Hi
|
|Just a quick and easy question to profs:
|
|Can an AD domain controller of one domain (one.com) with the Global
|Catalog function enabled somehow process the logon request of a user
|from a different domain (other.biz), in the case when all domain
|controllers for that other domain (other.biz) are not reachable?
|
|I believe - no.
|Am I right?
|
|Thanks,
|
|Pete
|
|
|List info   : http://www.activedir.org/List.aspx
|List FAQ    : http://www.activedir.org/ListFAQ.aspx
|List archive:
|http://www.mail-archive.com/activedir%40mail.activedir.org/