Cross Forest Authentication

  • Tuesday, November 03, 2009 2:38 PM  Having_a_mare
    Hi,

    I hope this is posted in the correct forum...

    We are in the process of 2 interforest migrations. The end result will be all User accounts in Forest C and some resources in Forest B. Both are Windows 2003 Native with a 2-way trust in place. Due to restrictions on the migration process we have had to create duplicate user accounts in Forest B and apply these to the permissions of the filestores in Forest B (and not use SidHistory). Shame, but no way around this...

    So, when Users log onto Forest A they will then have to re-authenticate with a Forest B User account to access a share.

    The question is, what is the path of authentication for these users? We have about 800 users on 2 sites that do not have any Forest B DCs local to them. There are Forest A DCs at these sites. All the Forest B DCs are on the same site as the resources (Fileshares for this example) and the sites are connected over a WAN link. When these users with no local Forest B DCs authenticate to the shares, is this going to cause performance issues over WAN links etc., or is all the work between the resource servers and local DCs? Do we really need to install Forest B DCs at the remote sites?

    Not sure if I've explained this very well but let me know if so and I'll try another way!

    Thanks!


Answers

  • Tuesday, November 03, 2009 10:19 PM  Ondrej Sevecek (MVP)
     Answer

    I may not understand you properly, but because you will be using a different user account to access the F-B resources from F-C computers, there will be only an NTLM authentication, which is completely inband to the file sharing protocol used. So once the users from F-C establish a channel (SMB/CIFS TCP 445) to the F-B, they will be required to send NTLM credentials through the established channel to the F-B file server. The F-B file server will then forward the credentials for validation to its own F-B DC.

    It will take about several hundred bytes to authenticate the users in addition to normal file sharing traffic, so I wouldn't be afraid of running it.

    Also there is no need to have F-B DCs local to users because they will be used only by their respective F-B file servers and never touched from the F-C computers directly.

    ondrej.

  • Tuesday, November 03, 2009 10:28 PM  Gunner999
     Answer

    I made a few assumptions about your post, but you should be able to get the general idea about authentication. It's more than just the user; workstation/server domain membership plays a big role. Also, you say "Forest" a lot, so I assume a single domain in each Forest.

    User1 Member of Forest/DomainA
    1) User1 logs into workstation member of Forest/DomainA
    -To speed authentication here a DC from Forest/DomainA needs to be close to User1
    -Why? The workstation will send the authentication request to its local DC to authenticate the user. If the workstation is actually a member of Forest/DomainB, then the Forest/DomainB DC will communicate with a DC from Forest/DomainA to authenticate the user. In this case both DCs need to be local to the user.


    User1 Member of Forest/DomainA
    FileServer member of Forest/DomainB
    2) User1 from Forest/DomainA accesses share on FileServer member of Forest/DomainB as User1 of Forest/DomainB.
    -To speed authentication here a DC from Forest/DomainB needs to be close to FILESERVER and the Forest/DomainB\User1 login attempt.
    -Why? The FileServer will authenticate Forest/DomainB\User1 with the nearest Forest/DomainB DC.
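Both answers above come down to a claim that can be verified on the Forest B file server itself: the cross-forest share access arrives as NTLM inside the SMB session (network logon, type 3), and the file server validates it against whichever Forest B DC its secure channel points at. The following PowerShell is an added example, not code from either poster; `DomainB` is a placeholder for the Forest B domain name, and it assumes it is run elevated on the file server with access to the Security log.

```powershell
# Added example: confirm how share logons reach this Forest B file server.
# Step 1: which Forest B DC holds this server's secure channel? That DC is the one
# that receives the NTLM pass-through validation requests described in the thread.
nltest /sc_query:DomainB   # DomainB = placeholder for the Forest B domain name

# Step 2: summarise recent network logons (Event 4624, LogonType 3) by the
# authentication package that actually validated them.
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since }

$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    # Flatten the <Data Name="..."> elements of the event into a name/value table
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    # LogonType 3 = network logon, which is what an SMB share access produces
    if ($d.LogonType -eq '3') {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            User        = "$($d.TargetDomainName)\$($d.TargetUserName)"
            AuthPackage = $d.AuthenticationPackageName   # 'NTLM' or 'Kerberos'
            LmPackage   = $d.LmPackageName                # e.g. 'NTLM V2' for NTLM logons
            Workstation = $d.WorkstationName
            SourceIP    = $d.IpAddress
        }
    }
}

# Users arriving with their duplicate Forest B accounts from Forest A/C workstations
# should show AuthPackage = NTLM. Kerberos rows for those accounts would mean the
# client obtained a ticket from a Forest B DC directly, which the thread says
# does not happen in this setup.
$rows | Group-Object User, AuthPackage | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

The grouped output also shows which workstations and source addresses the NTLM logons come from, which is useful when checking that remote-site users are really only talking to the file server and not to a Forest B DC over the WAN.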

All Replies

  • Thursday, November 19, 2009 2:03 PM  Having_a_mare
    Hi, many thanks for the reply!