AD consolidation and authentication

  • Question

  • Hello,

    I have a single-forest, multiple-domain AD infrastructure. I am consolidating all domains into one and have a question about the authentication process.

    I have a site A with users and DCs that belong to the child.parent.com domain. All my parent.com domain DCs are in site B. If I migrate all my users from the child.parent.com domain to the parent.com domain, how does user authentication from site A work until I promote a parent DC in site A? I have a couple of domains to migrate and I plan to introduce a parent DC in site A only after some time. Since the users in site A (after the migration) belong to the parent.com domain, will they travel all the way across the WAN to get authenticated from site B (which has the parent DCs)? Consider that all site entries still point to the old child.parent domain.

    Or is it that users will first contact the old DCs (child.parent.com), and those DCs will contact the parent DCs and get the authentication, since they have a two-way parent-child trust? My AD fundas are confused.

     

    Thursday, June 4, 2015 7:55 AM

Answers

  • Hi AD-guy,

    The logon requests for your migrated users in Site A will traverse the WAN and be served by domain controllers for the forest root domain in Site B unless you have a domain controller for the root domain in Site A.

    Have a read of this TechNet global catalog placement article as it provides pointers for other important considerations such as application performance (the relationship Outlook has with the global catalog function would be one of the more common examples of this; universal group memberships might be another).

    Cheers,
    Lain

    Thursday, June 4, 2015 8:59 AM
  • It's the domain controllers for the parent domain (in site A) that will handle authentication of users moved from child. Child domain controllers (site B) will be contacted when users try to access resources that reside in the child domain.

    Gleb.

    Thursday, June 4, 2015 9:04 AM
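
To see which domain controller a client in Site A would actually be handed for parent.com, the site-specific DC locator records and the locator result can be checked from a domain-joined machine. This is an added example, not part of the posts above; the function name and the site name `SiteA` are assumptions, and it assumes `nltest.exe` and the `Resolve-DnsName` cmdlet are available on the client.

```powershell
# Added example: reports which DC the locator returns for a domain/site pair
# and whether that DC sits in a different AD site (logon traffic leaves the site).
function Get-DcLocatorPath {
    param(
        [Parameter(Mandatory)] [string] $Domain,  # e.g. parent.com (from the question)
        [Parameter(Mandatory)] [string] $Site     # e.g. SiteA (hypothetical site name)
    )

    # 1. Site-specific SRV records, which the DC locator queries first.
    #    DCs from another site may register here (automatic site coverage),
    #    so the presence of a record does not prove a local DC exists.
    $srvName = "_ldap._tcp.${Site}._sites.dc._msdcs.${Domain}"
    $siteTargets = @(
        Resolve-DnsName -Name $srvName -Type SRV -ErrorAction SilentlyContinue |
            Where-Object { $_.NameTarget } |
            Select-Object -ExpandProperty NameTarget
    )

    # 2. Ask the locator itself which DC it would pick for this site.
    $raw = & nltest.exe "/dsgetdc:$Domain" "/site:$Site" 2>&1

    # Pull the "DC:" and "Dc Site Name:" fields out of the nltest output.
    $info = @{}
    foreach ($line in $raw) {
        if ("$line" -match '^\s*(DC|Dc Site Name):\s*(.+?)\s*$') {
            $info[$Matches[1]] = $Matches[2]
        }
    }
    $dcSite = $info['Dc Site Name']

    [pscustomobject]@{
        Domain           = $Domain
        ClientSite       = $Site
        SiteSrvRecord    = $srvName
        SiteSrvTargets   = $siteTargets   # empty: nothing registered for this site
        LocatedDc        = $info['DC']
        LocatedDcSite    = $dcSite
        # True when the chosen DC is in another site; $null when no DC was found.
        AuthCrossesSites = if ($dcSite) { $dcSite -ne $Site } else { $null }
    }
}

# Usage, run from a client in the site being checked:
Get-DcLocatorPath -Domain 'parent.com' -Site 'SiteA' | Format-List
```

Running it before and after a parent.com DC is promoted in the site shows `LocatedDcSite` and `AuthCrossesSites` change once a local DC is available.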
