Trust traffic flow

  • Last Post 10 May 2016
Techman06 posted this 09 May 2016

All,
I need another brain check...
We have several two-way transitive trusts between forests. There is a need for users in Trust B to log in at a site defined in Trust A, and right now this process takes a long time. If we place a domain controller from Trust B at the remote site as defined in Trust A, will it aid in logins and authentications for the Trust B users? Does the Trust B domain controller need to be in the same site subnet as the DC from the site in Trust A? What DNS considerations should we look for?
There have been concerns from some that all trust traffic flows between the PDCs, which I do not believe to be true, but I have been wrong before.
Thanks, in advance, for your input!
Gary G. Gray
g3@xxxxxxxxxxxxxxxx
Forum info: http://www.activedir.org Problems unsubscribing? Email admin@xxxxxxxxxxxxxxxx

Techman06 posted this 10 May 2016

Thanks.  Makes perfect sense and was largely what I was thinking.  What I did not realize was that both Sites and Services need to be identical for the sites affected.  That fact alone would have caused many hours of troubleshooting had we missed it.

Many thanks for taking the time to respond.

ZJORZ posted this 09 May 2016

Between AD forests the optimization is achieved when both forests have the same AD site names. The reason for this is that the AD client will request a DC from the user domain but for the same AD site as the client. If that AD site exists in the user domain, then the DCs in that AD site will be used. If the AD site does not exist, the AD client will contact any DC in the user domain that has registered the domain SRV records (by default that's all DCs, therefore this must be tweaked, especially in a hub and spoke environment!). The responding DC will then try to match the IP address of the AD client to one of the AD subnets in the user domain. If an AD subnet exists and it is linked to an AD site, the AD client will be assigned that AD site in the user domain to request a DC from it.

If that also fails, then any DC that has registered the domain SRV records (by default that's all DCs, therefore this must be tweaked, especially in a hub and spoke environment!) will service the AD client to authenticate the user. In that case the AD site in the user domain for the AD client is NULL, and that means authentication is not optimal, and in the worst case it will be very bad. The same will also apply when accessing a random referral, which can be even worse.

What to do:
  • Make sure AD site names are the same between AD forests (best optimization)
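The three-step site matching described in the post, written out as a small model so the fallback order and the NULL-site case can be seen on constructed data. This is an added example, not code from the thread or from Microsoft; the forest layout, site names, subnets and hostnames are all constructed, and site names are compared exactly as given.

```python
"""Model of cross-forest DC locator site matching (constructed example)."""
import ipaddress
from dataclasses import dataclass


@dataclass
class ForestSites:
    sites: dict        # site name -> DCs registered for that site
    subnets: dict      # subnet prefix -> site name (Sites and Services in this forest)
    generic_srv_dcs: list  # DCs that register the site-less domain SRV records (default: all DCs)


def locate_dc(client_site, client_ip, user_forest):
    """Return (site_used, candidate_dcs); site_used is None when no site could be matched."""
    # Step 1: the client asks the user domain for a DC in its *own* site name.
    if client_site in user_forest.sites:
        return client_site, user_forest.sites[client_site]
    # Step 2: a DC with generic SRV records answers and maps the client IP to a subnet
    # in the user forest; the most specific (longest) prefix wins.
    ip = ipaddress.ip_address(client_ip)
    best = None
    for prefix, site in user_forest.subnets.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    if best is not None and best[1] in user_forest.sites:
        return best[1], user_forest.sites[best[1]]
    # Step 3: no site could be matched (site NULL); any generic-SRV DC may serve the client,
    # which is the slow, cross-WAN case the post warns about.
    return None, user_forest.generic_srv_dcs


# Constructed user forest (Trust B) with a hub site and one remote site.
FOREST_B = ForestSites(
    sites={"HQ": ["dc1.b.example"], "PARIS-B": ["dc2.b.example"]},
    subnets={"10.0.0.0/8": "HQ", "10.20.0.0/16": "PARIS-B"},
    generic_srv_dcs=["dc1.b.example", "dc2.b.example"],
)

if __name__ == "__main__":
    # Same site name in both forests: step 1 succeeds.
    print(locate_dc("PARIS-B", "10.20.5.7", FOREST_B))
    # Different site name, but a matching subnet exists: step 2 rescues it.
    print(locate_dc("Paris", "10.20.5.7", FOREST_B))
    # Neither site name nor subnet known in the user forest: site NULL.
    print(locate_dc("Paris", "192.168.1.5", FOREST_B))
```

Trimming `generic_srv_dcs` to hub DCs only is the "tweak" the post mentions for hub and spoke environments; the model shows that step 3 then lands on the hub rather than on an arbitrary spoke DC.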
