Title: Message
If you're not going to add other domains to any of the forests, you'll basically have the same "reach" for both versions of the trust => in any case, you'll just have a single domain trusting another single domain. So no security differences with respect to the trust's "reach" (if you had multiple domains in any of the forests, the forest trust would be transitive and any of the domains in the forest is trusted).
 
However, there's one important difference between the two trust types: the forest trust would allow you to use the Kerberos protocol, while an external trust only allows NTLM. Kerberos is a more secure protocol (I won't list the reasons now, but there are quite a few).
 
Also, usability with a forest trust might be better for your users, since a forest trust supports UPN-style logon (your user doesn't need to know which domain/forest his or her account is in). With NTLM, you'll have to use the drop-down list for domains to log on to the correct one...
 
/Guido


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wyatt, David
Sent: Monday, 27 February 2006 14:09
To: [email protected]
Subject: [ActiveDir] External vs Forest Trust

Scenario
You have 2 separate Windows 2003 forests (FFL) and each forest has a single domain (Windows 2003 domain functional level).
 
Question
You want to create a trust relationship.  What is the difference in functionality/security if you create an external trust between the 2 domains in each forest, or you create a forest trust between the 2 forests?
 
 
Thanks
David

