sslists | Posts:51 | 07/21/2009 4:03 AM
Here it goes. I have a 'resource' forest running w2k8 with a combo of w2k3/w2k8 member servers. We have a 1-way trust to a users forest that the resource forest trusts; the 'users' forest is w2k3 native mode. We are locking down the w2k8 environment so only necessary communication is needed. What I understood is that when people use their creds from the 'users' forest to log into 'resource' forest machines, the authentication path hits the 'resource' forest DC, the DC resolves the request over the 1-way trust and goes back to the member server. Here is an odd thing.
When we had this locked down so only DC's in the resource forest could talk to the DC's in the user forest, we could use the 'users' login creds to log into 'resource' w2k8 machines. When we tried logging into w2k3 member servers in the 'resource' forest with 'users' creds, we received the error "No Logon Servers are available". Once we granted w2k3 member servers access to the 'users' DC's, we could log in with creds from the 'users' forest on 'resource' member servers.
I'm trying to understand: is there a change in w2k8 that allows authentication in a 1-way trust setup like this to have the 'users' DC's blocked and all communication go through the 'resource' DC?
We are using conditional forwarders.
Hope that makes sense.
Steve
scharique | Posts:0 | 07/21/2009 5:32 PM
Sorry, this is not an answer to your question, but your design of User Forest and Resource Forest gives me a flashback of NT/2000 days.
May I ask why you have chosen this model with 08? Why do you not have your resources and users in the same domain?
TG | Posts:298 | 07/21/2009 5:59 PM
I am not sure how your 2008 boxes are doing it, but if Kerberos is used, the server that you are logging in to will need to talk directly to the Domain Controllers in the other forest.
As far as differences, run Wireshark on each server, trace the logon (via an RDP session or similar) and take a look; if you need help, post the traces back here.
Thank you, Tony.
Tony Gordon, Windows 2003 & 2000 MCSE, Windows 2003 MCSA, PMP, ITS Infrastructure Engineering, Tel 847.295.5000 x37892 | Fax 847.883.7892, tony dot gordon at hewitt dot tld | www.hewitt.com
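As an added check (an editor's example, not code from the thread or from any poster), the PowerShell script below, run on a resource-forest member server, shows the three things Tony's answer depends on: whether the DC locator can find a DC for the trusted forest (the "No Logon Servers are available" symptom), whether the conditional forwarder resolves that forest's DC SRV records, and whether the Kerberos/LDAP/SMB ports to those DCs are open from this host. The forest name 'users.example', the port list, and the "Kerberos-capable" summary rule are assumptions; Resolve-DnsName and Test-NetConnection need Windows 8 / Server 2012 or later.

```powershell
# Editor's added example, not from the thread. Run on a member server in the
# 'resource' forest to see what it can reach in the trusted ('users') forest.
# Assumptions: 'users.example' is a placeholder forest DNS name; Windows 8 /
# Server 2012+ for Resolve-DnsName and Test-NetConnection; run as an admin.
param(
    [string]$TrustedForest = 'users.example',   # placeholder: the trusted forest's DNS name
    [int[]]$Ports = @(88, 389, 445, 135, 464)    # Kerberos, LDAP, SMB, RPC endpoint mapper, kpasswd
)

# 1. DC locator. "No Logon Servers are available" is what a logon shows when the
#    member server cannot locate a DC for the user's domain; nltest exercises
#    exactly that path and prints the DC it found or the locator error.
Write-Host "== DC locator for $TrustedForest =="
nltest "/dsgetdc:$TrustedForest" /force 2>&1 | ForEach-Object { Write-Host "   $_" }

# 2. DNS. Without the conditional forwarder these SRV records never resolve, so
#    neither Kerberos nor LDAP to the other forest can even start.
Write-Host "== DC SRV records for $TrustedForest =="
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$TrustedForest" -Type SRV -ErrorAction Stop |
       Where-Object { $_.NameTarget }          # keep only the SRV answers, not glue A records
if (-not $srv) { throw "No DC SRV records for $TrustedForest; check the conditional forwarder." }
$srv | Select-Object NameTarget, Port, Priority, Weight | Format-Table -AutoSize

# 3. Port reachability from THIS host to each DC. With Kerberos the member server
#    itself talks to the trusted forest's KDC (88) and uses LDAP (389) for the
#    locator, so a firewall that only lets resource DCs through blocks this step.
#    Caveat: the locator's CLDAP ping is UDP 389, which a TCP probe cannot verify.
$results = foreach ($dc in ($srv | Select-Object -ExpandProperty NameTarget -Unique)) {
    foreach ($p in $Ports) {
        $t = Test-NetConnection -ComputerName $dc -Port $p -WarningAction SilentlyContinue
        [pscustomobject]@{ DC = $dc; Port = $p; Open = $t.TcpTestSucceeded }
    }
}
Write-Host "== TCP reachability =="
$results | Format-Table -AutoSize

# Summary per DC. The rule (88 and 389 open) is the editor's assumption of the
# minimum a Kerberos logon path needs; it is not a statement from the thread.
$results | Group-Object DC | ForEach-Object {
    $open = @($_.Group | Where-Object Open | Select-Object -ExpandProperty Port)
    $kerb = (88 -in $open) -and (389 -in $open)
    "{0}: Kerberos-capable={1}, open TCP ports={2}" -f $_.Name, $kerb, ($open -join ',')
}
```

Save it as a .ps1 and run it once with the firewall rules in the locked-down state and once after opening the member server to the trusted forest's DCs; the difference in the locator output and the port table is what a Wireshark trace of the logon would show you.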
scharique | Posts:0 | 07/22/2009 3:05 PM
Ah hah, so it's not truly a forest where all your resources (servers) reside; rather it's a DMZ forest where all edge resources live. I took the name Resource Forest as in users live in one forest and servers in the other.
Thanks,
On Tue, Jul 21, 2009 at 4:56 PM, Steve Schofield <steve@iislogs.com> wrote:
> Resource forest is in a DMZ and there is a one-way trust to the internal forest. I didn't design it; it's the "way it was".
> SS
sslists | Posts:51 | 07/23/2009 5:32 AM
Yeah. Maybe I used the wrong terms. The DMZ forest has all the servers and users live internally. I don't mind 'cause I like to deal on the edge and leave the corporate user management to others.
SS
barkills | Posts:201 | 07/23/2009 5:03 PM
I'm not sure why it matters that you have a user forest/resource forest model.
I'd disagree with any sentiment which held that:
a) you can only arrive at such a model by choice/design
b) there aren't many good reasons to have such a model
With respect to both sentiments, many organizations evolve their technology implementations over time. One implementation might have rules which restrict some desired use, and so another implementation is brought up. Politics and local control are frequently drivers for this kind of thing. Other common drivers include lack of a single IT authority (as is overwhelmingly common in Higher Education environments), and fear/lack of delegation features around shared use of Microsoft applications which have a domain or forest boundary.
We've got a user forest/resource forest model here. Go ahead and throw stones at me. In fact, we've got a user forest with 30+ resource forests here. And a multi-domain forest that at one point had 42 domains in it, and now has a dozen. And probably 40+ single-domain forests unto themselves.
Of course, I'm pushing things toward a single-domain, single forest model, 'cuz I believe that's for the best, but I don't believe we'll ever fully get there. For one thing, collapsing domains is costly--even if you know what you are doing. For another, convincing the various stakeholders involved to let go of some control is hard and sometimes impossible. And then there's the additional overhead of processes that need to change, such as not being able to rely on domain users to mean just your department any longer. And of figuring out how to delegate control for AD and all the other MS applications with very little in the way of good delegation documentation to go on. And there's an increased chance of naming collisions which means you've got to get folks to agree to naming policies. And so on.
And perhaps that's the point of my post. What's good in theory is one thing, and what happens in the real world is another. We can guide folks toward an ideal, but the reality is that in many situations it is very hard to get anywhere near that ideal.
So Steve, I'm right there with you. 
scharique | Posts:0 | 07/23/2009 10:58 PM
Brian, you are right, it is absolutely unrelated to Steve's question, as I had offered my apologies prior to wondering about his AD model.
Yet I am confused by your response. You make a case, put forth points and convince one that one model should not fit all, vis-à-vis a single domain model would not fit your case, but then you say you are moving things toward single-domain because you think it's the best. If your existing model is pain-free, then why move and consolidate?
lovesouthafrica | Posts:75 | 07/29/2009 4:15 PM
I've seen a fair number of these as legacy implementations of multidomain models from NT 4 days that then got migrated to W2K and have resisted being changed, for reasons including the ones that Brian mentioned.
gabriel/tfi | Posts:425 | 09/17/2009 11:19 PM
The World of Ideas vs. The World of Sensible Things.
- Gabriele.
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Steve Schofield
Sent: Wednesday, July 22, 2009 9:28 PM
To: activedir@mail.activedir.org
Subject: Re: [ActiveDir] member server authentication to 1-way trust
Yeah. Maybe I used the wrong terms. The DMZ forest has all the servers, and the users live internally. I don't mind, 'cause I like to deal on the edge and leave the corporate user management to others.
SS
----- Original Message -----
From: Rick S. <mailto:getshq@gmail.com>
To: activedir@mail.activedir.org
Sent: Wednesday, July 22, 2009 10:03 AM
Subject: Re: [ActiveDir] member server authentication to 1-way trust
Ah hah, so it's not truly a forest where all your resources (servers) reside; rather it's a DMZ forest where all edge resources live. I took the name Resource Forest as in users live in one forest and servers in the other.
Thanks,
On Tue, Jul 21, 2009 at 4:56 PM, Steve Schofield <steve@iislogs.com> wrote:
Resource forest is in a DMZ and there is a one-way trust to the internal forest. I didn't design it; it's the "way it was".
SS
----- Original Message -----
From: Rick S. <mailto:getshq@gmail.com>
To: activedir@mail.activedir.org
Sent: Tuesday, July 21, 2009 12:30 PM
Subject: Re: [ActiveDir] member server authentication to 1-way trust
Sorry, this is not an answer to your question, but your design of User Forest and Resource Forest gives me a flashback of NT/2000 days.
May I ask why you have chosen this model with 08? Why do you not have your resources and users in the same domain?
On Mon, Jul 20, 2009 at 9:57 PM, Steve Schofield <steve@iislogs.com> wrote:
Here it goes. I have a 'resource' forest running w2k8 with a combo of w2k3/w2k8 member servers. We have a 1-way trust to a users forest that the resource forest trusts; the 'users' forest is w2k3 native mode. We are locking down the w2k8 environment so only necessary communication is allowed. What I understood is that when people use their creds from the 'users' forest to log into 'resource' forest machines, the authentication path hits the 'resource' forest DC, the DC resolves the request over the 1-way trust and goes back to the member server. Here is an odd thing.
When we had this locked down so only DCs in the resource forest could talk to the DCs in the users forest, we could use the 'users' login creds to log into 'resource' w2k8 machines. When we tried logging into w2k3 member servers in the 'resource' forest with 'users' creds, we received the error "No Logon Servers are available". Once we granted w2k3 member servers access to the 'users' DCs, we could log in with creds from the 'users' forest on 'resource' member servers.
I'm trying to understand whether there is a change in w2k8 that allows authentication in a 1-way trust setup like this to have the 'users' DCs blocked and all communication go through the 'resource' DC.
We are using conditional forwarders.
Hope that makes sense.
Steve