2012 r2 Forest Level trusts, one way, transitive, multiple Forest.

    Question

  • We are attempting to establish a multi forest directional trust that goes one way and is transitive. So Forest A is trusted by Forest B and Forest B is trusted by Forest C. So when I test with credentials from forest A to B it is good, A to C is not. Forest B to C credentials work. So it does not look like the credentials are fully transitive. The idea was for it to work like this: C trusts B and B trusts A. Is a Forest trust only good for 1 "level", or is there another possible issue? Thank you in advance for your help. All Forests are 2012 R2.
    • Edited by dprefa Monday, April 17, 2017 10:20 PM
    Monday, April 17, 2017 9:36 PM

Answers

  • Transitivity is a bit different from what you think.

    Here is how it works

    Suppose the following example...

    You have 3 forests: Forest-A, Forest-B and Forest-C

    Forest-A has a 2-way transitive trust with Forest-B and Forest-B has a two-way transitive trust with Forest-C

    This means that:

    - Users in Forest-A can access resources in Forest-B (and vice-versa)

    - Users in Forest-B can access resources in Forest-C (and vice-versa)

    Transitivity is for domains under the forest.  So all domains under:

    - Forest-A can access resources in Forest-B (and vice-versa)

    - Forest-B can access resources in Forest-C (and vice-versa)

    If you want to allow users (or other child domain) in Forest-A to access resources in Forest-C, you must create a trust between Forest-A and Forest-C

    You can find more information here...

    https://technet.microsoft.com/en-us/library/cc773178(v=ws.10).aspx

    hth


    This posting is provided AS IS without warranty of any kind

    • Marked as answer by dprefa Tuesday, April 18, 2017 4:28 PM
    Monday, April 17, 2017 10:53 PM
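
The scope rule in the answer above, as an added example that is not part of the original thread: a small Python model in which a forest trust covers every domain in the two forests it joins but is not chained through to a third forest. Forest names follow the thread; the domain names, the data layout and the function names are assumptions made for the illustration.

```python
# Added illustration (not from the thread): a model of forest-trust scope.
# Forest names follow the thread; domain and function names are hypothetical.
from itertools import product

# Constructed sample: which forest each domain belongs to.
DOMAIN_FOREST = {
    "a.example": "Forest-A", "child.a.example": "Forest-A",
    "b.example": "Forest-B",
    "c.example": "Forest-C", "child.c.example": "Forest-C",
}

def direct_access(trusts):
    """trusts holds (trusting_forest, trusted_forest) pairs.
    Returns (account_forest, resource_forest) pairs that can authenticate."""
    return {(trusted, trusting) for trusting, trusted in trusts}

def can_authenticate(trusts, account_domain, resource_domain):
    """A forest trust covers every domain inside the two forests it joins,
    but is never extended through a second forest trust to a third forest."""
    src = DOMAIN_FOREST[account_domain]
    dst = DOMAIN_FOREST[resource_domain]
    return src == dst or (src, dst) in direct_access(trusts)

def chained_expectation(trusts):
    """Access that would exist if forest trusts chained (they do not)."""
    reach = set(direct_access(trusts))
    while True:
        new = {(a, d) for (a, b), (c, d) in product(reach, reach)
               if b == c and a != d} - reach
        if not new:
            return reach
        reach |= new

def missing_direct_trusts(trusts):
    """(trusting, trusted) forest trusts to create so the expectation holds."""
    gap = chained_expectation(trusts) - direct_access(trusts)
    return sorted((resource, account) for account, resource in gap)

# The question's layout: Forest-C trusts Forest-B, Forest-B trusts Forest-A.
ONE_WAY = {("Forest-C", "Forest-B"), ("Forest-B", "Forest-A")}
# The answer's layout: two-way trusts between A and B and between B and C.
TWO_WAY = ONE_WAY | {("Forest-B", "Forest-C"), ("Forest-A", "Forest-B")}

if __name__ == "__main__":
    print(can_authenticate(ONE_WAY, "child.a.example", "b.example"))
    print(can_authenticate(ONE_WAY, "child.a.example", "child.c.example"))
    print(missing_direct_trusts(ONE_WAY))
```

The model ignores selective authentication and SID filtering, which can further restrict access across a trust that does exist.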

All replies

  • Hi

    As mentioned, you should configure a trust between each of the forests, like:

    A>B

    B>C

    A>C


    This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards Burak Uğur

    Tuesday, April 18, 2017 9:27 AM
  • Cthivierge, thank you for the quick response. I did read the article and this was helpful in confirming forest level is a 1 to 1 relationship, and this will help in my efforts going forward. I thought this might be the case since all examples for Forests were reflected that way and child domains below them. Thank you again!
    Tuesday, April 18, 2017 4:28 PM
  • Thank you for confirmation.
    Tuesday, April 18, 2017 4:29 PM