User Logins from Child Domains..

  • User Logins from Child Domains..

    All -

    This is going to sound silly, but here goes:

    Could a user, who belongs to a child domain, authenticate/login to a DC in the parent domain?

    In other words, if User A logs into the child domain from a workstation that belongs to a subnet whose site consists of the DCs in the parent domain, this should work, right?

    As long as the DC holding the necessary FSMO roles for that particular domain is up, any DC within the same forest should be able to authenticate this request?

  • #2
    Re: User Logins from Child Domains..

    Wow, you made a Mish-Mash out of all the terms you used.

    Originally posted by hboogz:
    "Could a user, who belongs to a child domain, authenticate/login to a DC in the parent domain?"
    Theoretically yes, as long as the user in the child has permissions on the root domain.

    Originally posted by hboogz:
    "In other words, if User A logs into the child domain from a workstation that belongs to a subnet whose site consists of the DCs in the parent domain, this should work, right?"
    Subnet has nothing to do with "on which domain you can log onto", only on what Domain Controller you would log onto by default, regardless of what domain it belongs to (of course the DC has to be able to authenticate that User, hence in the same domain).

    Originally posted by hboogz:
    "As long as the DC holding the necessary FSMO roles for that particular domain is up, any DC within the same forest should be able to authenticate this request?"
    FSMO roles have nothing to do with it, keep them out of it.
    Last edited by Akila; 26th September 2008, 21:43.



    • #3
      Re: User Logins from Child Domains..

      My apologies Akila, this particular scenario was a hard one for me to explain.

      What exactly do you mean by this?

      "Theoretically yes, as long as the user in the child has permissions on the root domain."
      I'll try this again a different way.

      192.168.1.x/24 = Hosts forest root DCs. harry.local

      192.168.31.x/24 = Hosts child domain DCs. child.harry.local.

      Site:

      Main office = Parent.DC1 & Parent.DC2

      Branch = Child.DC1 & Child.DC2


      If userA, who belongs to child.harry.local, logs into the network from a computer that has an IP 192.168.1.28 -- theoretically the DC that will authenticate this request is a DC that is in the "Main Office" site -- correct?



      • #4
        Re: User Logins from Child Domains..

        Originally posted by hboogz:
        "If userA, who belongs to child.harry.local, logs into the network from a computer that has an IP 192.168.1.28 -- theoretically the DC that will authenticate this request is a DC that is in the "Main Office" site -- correct?"
        It all depends: if User A is trying to log on to the root domain, then the DC in the main office would take the request.
        If User A tries to log on to the child domain, then the DC on the remote site would take that request, since there is no DC of the child domain in the main office site, so all that is left is the remote site DC to take that login request.
        And so is the opposite: if User B from a branch/remote office workstation tries to log on to the root domain, it would be authenticated by the Domain Controller from the main office, since there is no "Root/Parent domain" DC in the branch office to take that logon request.

        I see where you are getting all mixed up.
        As a golden rule, a Parent Domain does not authenticate users that belong to the child domain, since it is a user in the child domain and the parent doesn't even have that User object in its database.
        Every domain is responsible for its own Users/Password/Groups/Computers, etc. (Domain Data Partition).
        The only thing that is cross forest is the Schema Settings, Global Catalog (which btw has partial info about the users cross forest, but not enough for authentication), Forest DNS settings/Zones and Sites/Site-links/Subnets, etc. (Configuration partition).
        Last edited by Akila; 26th September 2008, 21:24.



        • #5
          Re: User Logins from Child Domains..

          Exactly what I was looking for..

          So technically, if I were to run the nltest command to see which DC is authenticating which user -- I will never see userA, who is logging into a child domain, authenticated by a "parent/root DC".

          If a user attempts to log on to the child domain, from anywhere on the network - the DCs holding that child domain's AD database will always have to authenticate them.

          So technically, you don't want a user in Hong Kong attempting to log on to a root domain whose domain controllers are physically located in London?



          • #6
            Re: User Logins from Child Domains..

            Originally posted by hboogz:
            "If a user attempts to log on to the child domain, from anywhere on the network - the DCs holding that child domain's AD database will always have to authenticate them."
            Yes, the DC of the child domain that is on the same subnet/Site configuration of the Workstation would take that call; if there are none, then it would randomly pick one from any site (most likely based on an alphabetical order of the DCs' names).

            Originally posted by hboogz:
            "So technically, you don't want a user in Hong Kong attempting to log on to a root domain whose domain controllers are physically located in London?"
            That is why you would consider locating a DC of the root domain in Hong Kong if you have many users that would log on to that domain.
            Last edited by Akila; 26th September 2008, 21:39.
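
The lookup discussed in posts #4 and #6, as an added example that is not part of any post in this thread: a small Python model of how a client's subnet selects a site, and how the DC locator then asks DNS for a DC of the logon domain in that site before falling back to the domain-wide SRV name. The hyphenated site names, the DC host names and the SRV table are constructed assumptions based on the layout in post #3; automatic site coverage and the ordering among the returned DCs are not modelled.

```python
import ipaddress

# Constructed from the thread's layout. Site names with a hyphen and the DC
# host names are assumptions; the posts only say "Main office" and "Branch".
SUBNET_TO_SITE = {
    "192.168.1.0/24": "Main-Office",   # forest root DCs, harry.local
    "192.168.31.0/24": "Branch",       # child DCs, child.harry.local
}
PARENT_DCS = ["parent-dc1.harry.local", "parent-dc2.harry.local"]
CHILD_DCS = ["child-dc1.child.harry.local", "child-dc2.child.harry.local"]

# Constructed SRV table: each DC registers a domain-wide name and a name for
# its own site (automatic site coverage is not modelled).
SRV_RECORDS = {
    "_ldap._tcp.dc._msdcs.harry.local": PARENT_DCS,
    "_ldap._tcp.Main-Office._sites.dc._msdcs.harry.local": PARENT_DCS,
    "_ldap._tcp.dc._msdcs.child.harry.local": CHILD_DCS,
    "_ldap._tcp.Branch._sites.dc._msdcs.child.harry.local": CHILD_DCS,
}

def site_for(client_ip):
    """Map a client address to its AD site by longest matching subnet."""
    addr = ipaddress.ip_address(client_ip)
    hits = []
    for cidr, site in SUBNET_TO_SITE.items():
        net = ipaddress.ip_network(cidr)
        if addr in net:
            hits.append((net.prefixlen, site))
    return max(hits)[1] if hits else None

def locate_dcs(client_ip, logon_domain):
    """Return (SRV name that answered, candidate DCs) for the logon domain.

    The site-specific name is tried first, then the domain-wide name. Only
    DCs of logon_domain are ever returned: the client's site narrows the
    choice but never substitutes a DC from another domain.
    """
    site = site_for(client_ip)
    names = []
    if site:
        names.append(f"_ldap._tcp.{site}._sites.dc._msdcs.{logon_domain}")
    names.append(f"_ldap._tcp.dc._msdcs.{logon_domain}")
    for name in names:
        if name in SRV_RECORDS:
            return name, list(SRV_RECORDS[name])
    return None, []

if __name__ == "__main__":
    print(locate_dcs("192.168.1.28", "child.harry.local"))
```

On a real workstation, `echo %LOGONSERVER%` shows which DC handled the current logon, for comparison with what the model returns.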
