Domain – Single forest with multiple domains – authentication

Tags: active-directory, authentication, domain, domain-controller

I have a single forest with 2 domains in it.

Remote sites have a mix of users from both domains.

All of my domain controllers are global catalogs and trusts are set up.

Do I need to have a domain controller for both domains on each remote site to authenticate users, or can a single global catalog server that is in one domain authenticate users in the other domain?

I'm trying to avoid WAN traffic if possible and avoid having multiple domain controllers at each site.

Best Answer

Do I need to have a domain controller for both domains on each remote site to authenticate users, or can a single global catalog server that is in one domain authenticate users in the other domain?

A DC in one domain, whether a GC or not, cannot authenticate users from another domain, whether trusted or not.

So no, you won't be able to have a single DC for domain "BOB" and be able to authenticate users from domain "MARY" via that GC DC. The DC in "BOB" will have to pass MARY\joe off to a DC in the MARY domain for actual authentication. So if you don't want to traverse the WAN link back to a DC in the MARY domain, you'll need one DC for the BOB domain and one DC for the MARY domain at each location.

But auth traffic for a user across a WAN is actually pretty minuscule overall. If your links aren't saturated or prone to going down, you're likely just fine traversing the WAN.

More info: How Domain and Forest Trusts Work

Kerberos V5 Referral Processing

If the client uses Kerberos V5 for authentication, it requests a ticket to the server in the target domain from a domain controller in its account domain. The Kerberos Key Distribution Center (KDC) acts as a trusted intermediary between the client and server; it provides a session key that enables the two parties to authenticate each other. If the target domain is different from the current domain, the KDC follows a logical process to determine whether an authentication request can be referred:

Is the current domain trusted directly by the domain of the server that is being requested?

    If yes, send the client a referral to the requested domain.

    If no, go to the next step.

Does a transitive trust relationship exist between the current domain and the next domain on the trust path?

    If yes, send the client a referral to the next domain on the trust path.

    If no, send the client a logon-denied message.
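The two behaviours the answer describes, as an added illustration that is not part of the original answer or of the Microsoft article it quotes: (1) the initial logon (AS-REQ) can only be served by a KDC of the user's own account domain, so a site with only a BOB DC sends MARY\joe's logon across the WAN, and (2) once a user holds a TGT, a cross-domain service request is routed by the referral steps quoted above. The forest layout (root corp.example with children bob.corp.example and mary.corp.example), the site and DC names, the constructed non-transitive trust to partner.example, and the "fall back to the hub site" rule standing in for the real DC locator are all assumptions made for this model.

```python
"""Constructed model of cross-domain logon and Kerberos referral routing in one forest.

Illustration written for this page; not Active Directory code. All domain, site and
DC names below are assumptions.
"""
from collections import deque

# Trust map: domain -> {trusted_domain: is_transitive}. Parent/child trusts inside a
# forest are two-way and transitive. The trust from bob to partner.example is a
# constructed one-way, non-transitive external trust, added to show a denied case.
FOREST_TRUSTS = {
    "corp.example": {"bob.corp.example": True, "mary.corp.example": True},
    "bob.corp.example": {"corp.example": True, "partner.example": False},
    "mary.corp.example": {"corp.example": True},
}

# Which domain has a DC in which site (assumed). HQ has a DC for every domain; the
# branch only has a BOB DC, which is the situation the question describes.
DCS_BY_SITE = {
    "HQ": {
        "corp.example": "dc1.corp.example",
        "bob.corp.example": "bobdc1.bob.corp.example",
        "mary.corp.example": "marydc1.mary.corp.example",
    },
    "Branch": {"bob.corp.example": "bobdc2.bob.corp.example"},
}
HUB_SITE = "HQ"  # simplification: no site coverage or site-link costs modelled


def locate_dc(domain, site, dcs_by_site=DCS_BY_SITE):
    """DC locator in miniature: prefer a DC of *domain* in the client's own site,
    otherwise use one in the hub site, i.e. across the WAN.
    Returns (dc_name, crosses_wan)."""
    local = dcs_by_site.get(site, {}).get(domain)
    if local:
        return local, False
    remote = dcs_by_site[HUB_SITE].get(domain)
    if remote is None:
        raise LookupError(f"no DC for {domain} anywhere")
    return remote, True


def initial_logon(user_domain, site):
    """AS-REQ: only a KDC of the user's own account domain can issue the TGT.
    A GC that belongs to another domain cannot stand in for it, so whether the
    logon crosses the WAN depends purely on which domains have a DC in the site."""
    return locate_dc(user_domain, site)


def trust_path(start, target, trusts=FOREST_TRUSTS):
    """Shortest chain of domains from start to target using only transitive trusts.
    A non-transitive trust is never usable as part of a multi-hop path."""
    queue = deque([[start]])
    seen = {start}
    while queue:
        path = queue.popleft()
        for nxt, transitive in trusts.get(path[-1], {}).items():
            if nxt in seen or not transitive:
                continue
            if nxt == target:
                return path + [nxt]
            seen.add(nxt)
            queue.append(path + [nxt])
    return None


def referral_chain(account_domain, target_domain, trusts=FOREST_TRUSTS):
    """The KDC decision steps quoted from "How Domain and Forest Trusts Work".
    Returns the ordered list of domains the client is referred to, ending at
    target_domain, or None where the KDC would answer logon-denied."""
    if account_domain == target_domain:
        return []  # same realm: the TGS-REQ is answered locally, no referral
    # Step 1: is the target domain trusted directly by the account domain?
    if target_domain in trusts.get(account_domain, {}):
        return [target_domain]
    # Step 2: is there a transitive trust to the next domain on the trust path?
    # Each KDC along the way refers the client one hop further.
    path = trust_path(account_domain, target_domain, trusts)
    if path is None:
        return None  # logon denied
    return path[1:]


if __name__ == "__main__":
    for user_domain in ("bob.corp.example", "mary.corp.example"):
        dc, wan = initial_logon(user_domain, "Branch")
        print(f"{user_domain:18} logon at Branch -> {dc} (WAN: {wan})")
    print("bob user -> mary service:", referral_chain("bob.corp.example", "mary.corp.example"))
    print("mary user -> partner   :", referral_chain("mary.corp.example", "partner.example"))
```

Running the script shows the branch-site logon for a bob.corp.example user staying local while the mary.corp.example user's logon goes to the HQ DC, and a bob user reaching a mary service via a referral through the forest root; the mary user's request for partner.example is denied because the only trust to that domain is non-transitive and belongs to bob.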