djhawthorn
Technical User
Hello,
I have a complex AD environment involving many domains/forests and firewalls everywhere.
For the sake of this question, let's say I have 20 DCs in one forest and 10 in the other, and have a two-way forest trust between them. All DCs are behind different firewalls, so without rules in place, no single DC can talk to another.
Question - which DCs need to talk to enable the trust to function?
I understand that for authentication it is the client that will talk to the DC/GC in the local forest before being redirected to talk directly to the DC/GC in the foreign forest, before it can access foreign resources - but for this client-to-DC authentication to work, do I only need a single (e.g. the PDC-E) DC in both forests to be able to establish and maintain the trust, or do the DCs the client is talking to for authentication (client-to-DC flows) also need to talk to each other (DC-to-DC) to enable that trust to work for the client?
Appreciate guidance as I can never find anything definitive on this question.
Thanks in advance.