|So why don't you agree with the "general - forest is the
|security boundary - statement"?

Because IMHO the domain is a security boundary against accidental
security issues, the forest against malicious/criminal ones. Companies
usually trust their admins of different domains but might want to
protect them against accidental mistakes or gaining rights easily. A
different domain would be sufficient then. However, if you want to
protect yourself against admins with criminal energy (and I consider
manipulating SID-History on purpose as criminal energy) the forest is
the security boundary. So I agree a plain vanilla statement "the domain
is the security boundary" is wrong; however, I don't like the same plain
vanilla statement of the forest - it should be more clearly pointed out
whether we are talking about criminal intentions or accidental intentions
(which includes "let's try quickly if we are able to ..." - does not
include hacking).

Ulf

|-----Original Message-----
|From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
|Almeida Pinto, Jorge de
|Sent: Monday, October 17, 2005 11:59 PM
|To: [email protected]; [email protected]
|Subject: RE: [ActiveDir] Global Catalog
|
|Well, I call it that way because a user can authenticate with only DCs
|from its domain available (assuming the requirement for a GC is
|disabled) but cannot authenticate without a DC from its domain while
|having a GC available. You are correct that any GC in the forest may be
|used if the GC requirement is enabled (by default) or even use the
|crappy "universal group caching feature". So you need a DC from your
|domain to authenticate and that is why a domain is called the
|authentication boundary (at least for me ;-) )
|
|So why don't you agree with the "general - forest is the security
|boundary - statement"?
|
|Jorge
|
|________________________________
|
|From: [EMAIL PROTECTED] on behalf of Ulf B. Simon-Weidner
|Sent: Mon 10/17/2005 11:24 PM
|To: [email protected]
|Subject: RE: [ActiveDir] Global Catalog
|
|Hmm - I wouldn't 100% call the domain the authentication "boundary".
|
|Authentication in a W2k+ network without any mods not to rely on the GC
|is done - as you said - via a DC of the same domain the account resides
|in plus any GC of the forest - it is not necessary that a GC which
|resides in the same domain is available, but the logon will work.
|
|Ulf "I also don't agree with the general 'Forest is the security
|boundary' statement" B. Simon-Weidner
|
||-----Original Message-----
||From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
||Almeida Pinto, Jorge de
||Sent: Monday, October 17, 2005 6:47 PM
||To: [email protected]; [email protected]
||Subject: RE: [ActiveDir] Global Catalog
||
||Yes, you are correct. The answer is no. A domain within a forest is the
||authentication boundary. So when all DCs of domain "other.biz" are
||unavailable, the users from "other.biz" will not be able to log on, as
||there is no DC available to authenticate the user at logon and create
||the access token.
||During logon a GC is contacted to check if universal group memberships
||exist for the user account logging on.
||
||Jorge
||
||________________________________
||
||From: [EMAIL PROTECTED] on behalf of Pete
||Sent: Mon 10/17/2005 5:57 PM
||To: [email protected]
||Subject: [ActiveDir] Global Catalog
||
||Hi
||
||Just a quick and easy question to the pros:
||
||Can an AD domain controller of one domain (one.com) with the Global
||Catalog function enabled somehow process the logon request of a user
||from a different domain (other.biz), in case all domain controllers for
||that other domain (other.biz) are not reachable?
||
||I believe - no.
||Am I right?
||
||Thanks,
||
||Pete
||
||List info : http://www.activedir.org/List.aspx
||List FAQ : http://www.activedir.org/ListFAQ.aspx
||List archive:
||http://www.mail-archive.com/activedir%40mail.activedir.org/
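Ulf's point that deliberately manipulated SID-History is what makes the forest, not the domain, the boundary that holds against a hostile admin suggests a periodic audit. The PowerShell below is an added example, not code from any poster on this thread: it lists every object in the forest that carries sIDHistory, attributes each historical SID to a forest domain, and flags entries that resolve to a privileged well-known RID. It assumes the RSAT ActiveDirectory module and read access to each domain; the RID table and output field names are the example's own.

```powershell
# Added example: forest-wide sIDHistory inventory with privileged-RID flagging.
# Assumes the RSAT ActiveDirectory module and read access to every domain.
Import-Module ActiveDirectory

# Well-known RIDs whose presence in a historical SID deserves review first.
$PrivilegedRids = @{ 500 = 'Administrator'; 512 = 'Domain Admins'
                     518 = 'Schema Admins';  519 = 'Enterprise Admins' }

# Map each domain SID in the forest to its DNS name so a SID can be attributed.
$domainBySid = @{}
foreach ($name in (Get-ADForest).Domains) {
    $d = Get-ADDomain -Identity $name
    $domainBySid[$d.DomainSID.Value] = $d.DNSRoot
}

$findings = foreach ($name in @($domainBySid.Values)) {
    # -Server accepts a domain DNS name; the module locates a DC of that domain.
    $objects = Get-ADObject -Server $name -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory
    foreach ($obj in $objects) {
        foreach ($sid in $obj.sIDHistory) {
            $rid       = [int]$sid.Value.Split('-')[-1]
            $sourceSid = if ($sid.AccountDomainSid) { $sid.AccountDomainSid.Value } else { '' }
            $source    = if ($domainBySid.ContainsKey($sourceSid)) { $domainBySid[$sourceSid] }
                         else { 'outside forest / unknown' }
            [pscustomobject]@{
                Domain        = $name
                Object        = $obj.DistinguishedName
                HistorySid    = $sid.Value
                SourceDomain  = $source
                PrivilegedRid = if ($PrivilegedRids.ContainsKey($rid)) { $PrivilegedRids[$rid] } else { '' }
            }
        }
    }
}

# A privileged RID borrowed from another domain of the same forest is exactly the
# case Ulf describes: SID filtering does not apply inside a forest, so list those first.
$findings | Sort-Object PrivilegedRid -Descending | Format-Table -AutoSize
```

Run it from an account that can read every domain; a non-empty PrivilegedRid column on an object whose SourceDomain is another forest domain is the entry to investigate first.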
