Design/Authenticating questions to a multi-forest environment

    Question

  • Dear all,

    I have only a couple of very specific questions, which makes it necessary to describe the initial situation at the beginning.

    Imagine you have a company with a multi-forest environment.

    There is one forest on holding level, an additional forest on division level which is new, and there are many forests on sub-division level.

    Imagine that these three forests each have one domain:

    a) Holding Forest:  abc.com

    b) Division Forest: 123.com

    c) Subdivision Forest: xyz.com

    The forest on holding level is also an account forest which is connected/coupled via ADFS to the cloud.

    Each employee has two AD accounts: one in the Holding forest and another one on sub-division level.

    It means: firstname.lastname@abc.com AND firstname.lastname@xyz.com

    firstname.lastname@abc.com will be synchronized to the cloud.

    Currently, they are going to establish a transitive trust between XYZ.com and 123.com AND there is no trust between 123.com and ABC.com.

    I hope it is conceivable how I described the initial situation.

    So the challenge is to allow the user firstname.lastname@xyz.com to log on to the same device with firstname.lastname@abc.com.

    A transitive trust can be established between 123.com AND abc.com.

    So the question is: if there is a transitive trust established between 123.com and abc.com on the one side AND between 123.com and xyz.com on the other side, do abc.com and xyz.com trust each other implicitly as well?

    Would it be possible to log on from a device in xyz.com with firstname.lastname@abc.com? To make it happen, I learned from the link below that it is necessary to add abc.com as an additional UPN suffix in Active Directory:

    http://www.rebeladmin.com/2015/01/how-to-configure-multiple-user-principal-name-upn-suffixes/

    But this article refers only to a scenario consisting of two domains and forests. How would that work with three domains/forests?

    The number of forests can currently not be consolidated. It is a constraint.

    Best regards,

    Armin


    • Edited by biteco Thursday, February 9, 2017 4:44 PM
    Thursday, February 9, 2017 3:35 PM

All replies

  • > i have only a couple of very specific questions
     
    I might have a couple of very specific answers, but...
     
    > thanks for your help/contribution in advance.
     
    ...you did not ask any question. So I provide no answer, and I'm glad that in doing so I have answered all your questions :-)
     
    Thursday, February 9, 2017 4:01 PM
  • Hi Armin,

    >> log on from a device in xyz.com with firstname.lastanme@abc.com

    Although there are 3 forests in your question, the question is only related to 2 forests.

    Based on my understanding of configuring multiple UPN suffixes, it does not matter how many forests are in your environment; the trust between the forests is what matters.

    Best regards,

    Wendy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, February 13, 2017 3:20 AM
    Moderator
  • > i have only a couple of very specific questions
     
    I might have a couple of very specific answers, but...
     
    > thanks for your help/contribution in advance.
     
    ...you did not ask any question. So I provide no answer, and I'm glad that in doing so I have answered all your questions :-)
     

    Shame on me for this post - my newsreader showed a totally different initial post... Sorry!


    Greetings, Martin - https://mvp.microsoft.com/en-us/PublicProfile/5000017 Want to read a good book about GPOs? - http://www.amazon.de/Windows-Server-2012--8-Gruppenrichtlinien/dp/3866456956 Good or bad GPOs? My blog - http://evilgpo.blogspot.com And if IT bothers me? Coke bottle design refreshment - http://sdrv.ms/14t35cq

    Monday, February 13, 2017 3:33 PM
  • >>> log on from a device in xyz.com with firstname.lastanme@abc.com
     
    This question needs more information... Obviously, after establishing a trust we cannot add the trusted domain's UPN to the trusting domain. This would break UPN suffix routing.
     
    So we have 2 users (abc.com and 123.com), and given that privileges or user rights do not prevent logon, then yes, due to the trust, the user fn.ln@abc.com will be able to log on to a device in xyz.com.
     
     
    Monday, February 13, 2017 3:39 PM
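To make the trust question from the original post and Martin's remark about UPN suffix routing concrete, here is an added example (not from the thread or from any Microsoft tooling): a small Python model of the abc.com / 123.com / xyz.com topology that applies two documented AD rules, namely that a forest trust reaches only the directly trusted forest (it is not chained through a third forest), and that a UPN suffix owned by a trusted forest cannot also be added locally without colliding with name-suffix routing. All trusts are assumed two-way, and the forest/domain layout is the constructed one from the question.

```python
# Added example, not from the thread: model of AD forest-trust reachability and
# UPN-suffix routing conflicts for the abc.com / 123.com / xyz.com scenario.
# Rules modelled (simplified): trusts within one forest are transitive; a forest
# trust covers every domain of the directly trusted forest but is NOT chained to
# a third forest; all trusts here are assumed two-way.
from collections import defaultdict

# Constructed topology: one domain per forest, as in the question.
FORESTS = {"abc.com": {"abc.com"}, "123.com": {"123.com"}, "xyz.com": {"xyz.com"}}


def forest_of(domain):
    """Return the forest that owns `domain`."""
    return next(f for f, doms in FORESTS.items() if domain in doms)


def two_way(trusts, a, b):
    """Record a two-way forest trust between forests a and b."""
    trusts[a].add(b)
    trusts[b].add(a)


def can_logon(account_domain, device_domain, trusts):
    """True if an account from account_domain can authenticate on a device
    joined to device_domain, considering trust paths only (no user rights)."""
    src, dst = forest_of(account_domain), forest_of(device_domain)
    if src == dst:
        return True                     # intra-forest: always reachable
    return src in trusts.get(dst, set())  # only a DIRECT forest trust counts


def upn_suffix_conflicts(forest, suffix, trusts):
    """True if `suffix` is already routed to a trusted forest, so adding it as a
    local UPN suffix in `forest` would break name-suffix routing."""
    routed = {d for f in trusts.get(forest, set()) for d in FORESTS[f]}
    return suffix in routed


def scenario_from_question():
    """Trusts as described: xyz<->123 planned, 123<->abc possible, no abc<->xyz."""
    trusts = defaultdict(set)
    two_way(trusts, "xyz.com", "123.com")
    two_way(trusts, "123.com", "abc.com")
    return trusts


if __name__ == "__main__":
    t = scenario_from_question()
    print(can_logon("abc.com", "xyz.com", t))            # False: not chained via 123.com
    two_way(t, "xyz.com", "abc.com")                     # add a direct forest trust
    print(can_logon("abc.com", "xyz.com", t))            # True
    print(upn_suffix_conflicts("xyz.com", "abc.com", t))  # True: abc.com is now routed
```

Running the block shows that the two planned trusts alone do not let an abc.com account log on in xyz.com, that a direct abc.com/xyz.com forest trust does, and that once abc.com is a trusted suffix it must not also be added as a local UPN suffix in xyz.com.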
  • Hi,

    I am checking how the issue is going; if you still have any questions, please feel free to contact us.

    And if the replies above are helpful, we would appreciate it if you marked them as answers, and if you resolved it using your own solution, please share your experience and solution here. It will be greatly helpful to others who have the same question.

    We appreciate your feedback.

    Best regards,

    Wendy



    Friday, February 17, 2017 9:20 AM
    Moderator