I have 3 full trust domains (2 child and one root). I need to use LDAP to allow authntication for domain users. The trick is that I need the application to use an AD server for the child domain BUT proxy the LDAP query and authentication for the root domain. I see that it maty be possible with AD LDS and some trusts and synching, but it looks pretty hairy and overly complicated.
The short of it is:
- 3 domains (Parent, ChildA, ChildB)
- My 3rd party app will need to use ChildA domain servers to authenticate either:
a. a user in the parent domain or
b. a user in the ChildB domain - I already have full trusts between all domains, and regular NTLM authentication works fine (unless you are trying to authenticate with LDAP)
Best Answer
Well, this link may explain it: http://blogs.msdn.com/anthonw/archive/2006/08/02/686041.aspx
Basically, the connecting computer (workstation) needs to be able to see the AD DC server on all the domains it plans to connect to; but the connected computer (server) does not need to be able to see the other AD DC server for the computers which connect to it.
So in practice, it may require you to think of where users (or applications) are connecting from and make those domains on a "higher privilege" to see those DC servers.
However, if you use ONLY NTLM type authentication, then only the DCs need to see each other and authentication will work fine. Though to my knowledge, LDAP queries should suffice if it connects to a Global Catalog server.