A couple of questions about cross Forest/Realm

    Question

  • Hello


    Can someone please help me clarify the following, thanks :)

    Question 1)

    I am reading some information about trusts and one such article suggested (I say suggested as it was not 100% clear)

    if you have a Forest Trust between two Forests then the AD site name in each forest (which contains the bridgehead DCs creating the forest trust) needs to be the same.

    In other words, if Forest-A has a site called Site-A then Forest-B should also have a site called Site-A and a DC in each used to create the forest trust. It suggests this is necessary to achieve efficient flow of traffic/queries between forests (as the traffic will go to the other servers in the other forest which are perceived to be in the same site). Is this correct?

    Question 2)

    If the above is correct, how does this relate to non-Microsoft trusts (as these do not have the concept of sites, as far as I am aware)?

    Question 3)

    We have a UNIX Kerberos Realm which at present is separate altogether from our AD (2012 R2) realm. The UNIX realm supports the creation of a PAC (privileged access certificate) within the Kerberos tickets, and they are therefore the same (or very close) to AD Kerberos tickets. Therefore, if the other Realm supports PACs, does this mean we can create a Forest rather than a Realm trust?

    Question 4)

    When creating a trust between AD and UNIX where the AD forest is the trusting domain, is the KeyTab file created on the Unix end (e.g. in the trusted domain)?

    Thanks very much

    __AAnotherUser



    AAnotherUser__

    Wednesday, March 15, 2017 5:25 PM

Answers

  • As you said, if the UNIX version supports the PAC, then AD should allow that. But I've never tried this before :-))

    So maybe you should simulate it on your lab...


    This posting is provided AS IS with no warranties or guarantees,and confers no rights. Best regards Burak Uğur

    • Marked as answer by AAnotherUser Thursday, March 16, 2017 3:30 PM
    Thursday, March 16, 2017 11:02 AM

All replies

  • if you have a Forest Trust between two Forests then the AD site name in each forest (which contains the bridgehead DCs creating the forest trust) needs to be the same. >>>>

    I think that's just a suggestion, not a requirement. So you can configure a forest trust with different site names.

    We have a UNIX Kerberos Realm which at present is separate altogether from our AD (2012 R2) realm. The UNIX realm supports the creation of a PAC (privileged access certificate) within the Kerberos tickets, and they are therefore the same (or very close) to AD Kerberos tickets. Therefore, if the other Realm supports PACs, does this mean we can create a Forest rather than a Realm trust? >>>

    AFAIK, AD uses PACs when configuring a trust with MIM (identity management). So you should configure a realm trust. The concept of domains is not unique to Windows networks. Other network operating systems include similar structures; they just call them something different. The UNIX equivalent to a domain is a realm. If a UNIX realm is designed to use Kerberos authentication, then it is possible to create a realm trust between a Windows domain and a UNIX realm.

    is the KeyTab file created on the Unix >>>

    I think yes, you should create it on UNIX; also check this:

    https://support.quest.com/technical-documents/authentication-services/4.0.3/administrators-guide/8#TOPIC-78822


    Wednesday, March 15, 2017 8:18 PM
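The realm-trust direction discussed above (AD forest trusting a UNIX Kerberos realm), as an added example that is not from this thread or from any of its posters. The realm, KDC host and account names are assumed placeholders; the commands run on a writable domain controller as a Domain Admin with the ActiveDirectory module available.

```powershell
# Added example: one-way, non-transitive realm trust in which the AD forest
# AD.EXAMPLE.COM (trusting side) trusts the MIT Kerberos realm UNIX.EXAMPLE.COM
# (trusted side). All names below are assumed placeholders.

$AdDomain  = 'AD.EXAMPLE.COM'
$UnixRealm = 'UNIX.EXAMPLE.COM'
$UnixKdc   = 'kdc1.unix.example.com'

# Read the shared trust secret without echoing it; netdom needs it in clear text.
$Secure = Read-Host -AsSecureString 'Cross-realm trust password'
$Bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
$TrustPw = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($Bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($Bstr)

# 1. Tell Windows which KDC serves the foreign realm (stored per realm by ksetup).
ksetup /addkdc $UnixRealm $UnixKdc

# 2. Create the realm trust. The password becomes the key of the cross-realm
#    principal krbtgt/AD.EXAMPLE.COM@UNIX.EXAMPLE.COM, which the UNIX KDC issues
#    to its users; the MIT side must hold the same key, created there with e.g.
#      kadmin.local -q "addprinc -pw <same password> krbtgt/AD.EXAMPLE.COM@UNIX.EXAMPLE.COM"
#    No keytab is involved in the trust itself; keytabs belong to service hosts.
netdom trust $AdDomain /Domain:$UnixRealm /add /realm /PasswordT:$TrustPw

# 3. Use AES for the cross-realm key rather than the RC4 default.
ksetup /SetEncTypeAttr $UnixRealm AES256-CTS-HMAC-SHA1-96

# 4. A ticket without a PAC carries no AD group SIDs, so each foreign principal
#    that should reach AD resources is mapped to an AD account; ACLs then
#    reference that account, not the foreign principal.
Set-ADUser -Identity 'svc-unix-alice' `
    -Add @{ altSecurityIdentities = "Kerberos:alice@$UnixRealm" }

# 5. Verify the trust object: Direction should be Inbound and TrustType should
#    identify a Kerberos realm (MIT) trust, not a forest trust.
Get-ADTrust -Filter "Name -eq '$UnixRealm'" |
    Select-Object Name, Direction, TrustType, TrustAttributes
```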
  • Thanks for taking the time to reply Burak

    When it comes to Root domain to Root domain (as it were) trusts I believe there are two types:

    Forest or Realm, Realm being the normal one if your other Realm is not Microsoft AD (e.g. UNIX). As far as I can see the reason for this is because previously Unix Kerberos realms did not use a PAC inside their Kerberos tickets and therefore you had to do things like creating foreign security principals in the AD forest in order to map the incoming Kerberos tickets to, in order to give a Unix entity (e.g. a user with a Kerberos ticket) access via ACL to a resource in Windows. Whereas if the incoming Kerberos ticket already contains a PAC this mapping can be done by browsing the other domain and adding groups etc. to the ACL in your domain. In this sense it is acting much more like a traditional AD realm and therefore perhaps the trust now becomes a Forest trust as opposed to a Realm trust.

    This is the key point I would like to understand please.

    Thanks All

    __AAnotherUser 


    Thursday, March 16, 2017 8:22 AM
  • OK Thanks Burak

    I will give it a go

    Thanks

    __AAnotheruser


    Thursday, March 16, 2017 3:30 PM