
  • authentication

    Theoretical situation:

    * All 2003 servers
    * 1 forest, 1 domain, with 5 subdomains (A-B-C-D-E)
    * All domains are connected through a permanent WAN

    If a user from subdomain_A travels to subdomain_B he will be able to log in to his domain.
    But will he authenticate to his own DC (subdomain_A) over the WAN connection
    or with the DC at subdomain_B over the LAN?

    Thank you !

  • #2
    Hi hlauwers,

    When a user logs on to the domain, the client computer sends the logon request to the closest domain controller for "that" domain, which is a domain controller either in the local site or in a site that is connected to the local site through a site link with the lowest cost.

    The user must be issued an access token, which contains the list of all groups to which the user belongs. In a multi-domain forest, which is your case, universal group membership is maintained only in the global catalog. Therefore, the domain controller that authenticates the logon request must query the global catalog in order to determine the universal groups to which the user belongs. If the global catalog is not available, the domain controller will not authenticate the logon request and the user might be able to log on only by using the credentials that have been cached on the client computer after a previous successful logon attempt (1).

    What if cached credentials are disabled? In a Windows 2000 domain those users won't be able to log on at all. But Windows 2003 has fixed the problem by introducing universal group membership caching. Here's how it works: the DC that processes a logon request will connect to a GC server in another site, cache the universal group membership from that GC server and refresh it periodically. I hope this will help you a bit.

    If you need further information please let me know. I'll try my best.

    (1) I deal with a school environment and mandatory user profiles, so logging on with cached credentials is not really an issue. But for a corporate environment it should be disabled through GPO:

    Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> Interactive logon


    (2) To enable universal group membership caching: Link
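    The DC locator and universal group membership caching (UGMC) behaviour described in the reply above can be checked from the client itself. The script below is an added example and is not code from the original thread; it assumes a domain-joined Windows host with the RSAT ActiveDirectory module installed, and the domain name `A.corp.example` and site name `SiteB` are hypothetical placeholders for the poster's subdomain_A and subdomain_B. The UGMC flag is bit 0x20 of the `options` attribute on each site's NTDS Site Settings object, and the cached-logon policy is the `CachedLogonsCount` value under Winlogon.

    ```powershell
    # Added example: verify which DC and site handled this logon, whether that DC is a GC,
    # which DC a client in a given site would be sent to for another domain in the forest,
    # whether each site has universal group membership caching enabled, and whether
    # cached-credential logon is allowed on this client.
    # Assumes RSAT ActiveDirectory module; domain/site names below are hypothetical.
    Import-Module ActiveDirectory

    # 1. The DC that processed this interactive logon, and the AD site this client is in.
    $logonServer = $env:LOGONSERVER.TrimStart('\')
    $clientSite  = (nltest /dsgetsite 2>$null | Select-Object -First 1).Trim()
    $dc          = Get-ADDomainController -Identity $logonServer
    "Logon DC {0} is in site {1}; IsGlobalCatalog={2}; client site is {3}" -f `
        $dc.HostName, $dc.Site, $dc.IsGlobalCatalog, $clientSite

    # 2. DC locator answer for the thread's scenario: a user from domain A logging on
    #    from site B. The locator returns a DC for the *user's* domain, preferring one
    #    in the client's site, then the next closest site by site-link cost.
    $userDomain = 'A.corp.example'   # hypothetical: subdomain_A
    $travelSite = 'SiteB'            # hypothetical: site of subdomain_B
    $located = Get-ADDomainController -Discover -DomainName $userDomain `
                   -SiteName $travelSite -NextClosestSite -ForceDiscover
    "A client in {0} logging on to {1} is sent to {2} (site {3})" -f `
        $travelSite, $userDomain, $located.HostName, $located.Site

    # 3. Per-site universal group membership caching: bit 0x20 of 'options' on the
    #    NTDS Site Settings object; msDS-Preferred-GC-Site names the site whose GC
    #    refreshes the cache (empty means the nearest GC by site-link cost).
    $UGMC_ENABLED = 0x20
    $sitesDn = 'CN=Sites,' + (Get-ADRootDSE).configurationNamingContext
    Get-ADObject -SearchBase $sitesDn -LDAPFilter '(objectClass=nTDSSiteSettings)' `
                 -Properties options, 'msDS-Preferred-GC-Site' |
      ForEach-Object {
        # DN is CN=NTDS Site Settings,CN=<site>,CN=Sites,...; the site RDN is element 1.
        $siteName = ($_.DistinguishedName -split ',')[1] -replace '^CN='
        [pscustomobject]@{
          Site            = $siteName
          UGMCEnabled     = (([int]$_.options) -band $UGMC_ENABLED) -ne 0
          PreferredGCSite = $_.'msDS-Preferred-GC-Site'
        }
      } | Format-Table -AutoSize

    # 4. Whether this client will accept a cached-credential logon when no DC/GC answers
    #    ("Interactive logon: Number of previous logons to cache"; 0 disables it).
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount).CachedLogonsCount
    "CachedLogonsCount = $cached (0 = cached logon disabled)"

    # 5. Confirm a GC is reachable from here for the forest; a failure here is the
    #    condition under which a non-UGMC site cannot build the user's token.
    nltest "/dsgetdc:$env:USERDNSDOMAIN" /gc
    ```

    Run it in an elevated PowerShell on the client after the roaming user logs on: step 1 shows whether `LOGONSERVER` is the local site's DC or one reached over the WAN, step 3 shows whether that site depends on a remote GC for every logon or serves universal group membership from its cache, and step 4 shows what happens to that user when neither is reachable.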