Last post Aug 05, 2010 03:58 AM by Deleo
Aug 03, 2010 11:24 AM|djkast|LINK
I have 3 Domain controllers. One Root DC and two Subdomain DCs.
I want users added to the Root DC to be able to log in to servers attached to the Subdomain controllers.
I understand a one-way trust has to be set up. But how do I get users from the Root DC to be able to log in to the servers attached to the Subdomains?
I've tried both adding the subdomains to the existing forest with a 2-way trust, and adding them to their own forest and making a one-way trust, but no luck.
It recognized the user, but doesn't allow the login.
Aug 05, 2010 03:58 AM|Deleo|LINK
I am new to AD, but in my experience I have come across some Kerberos difficulties. You say that your DC recognizes the user, but login fails. Can you verify that the protocol is Kerberos and that you have Kerberos tickets?
There are numerous tools that allow you to see Kerberos tickets and handshakes; use one or more to get information about them :)
You might have to set up delegation amongst your DCs, because a user who enters the subdomain needs to be verified by the Root DC and the subdomain needs to delegate the authentication to the Root DC :)
Delegation is a good recipe for trouble, so download the user manual and read about Kerberos delegation :)
Delegation can make your domain less secure unless you know how to stop it :)
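Added example, not part of either post: one way to do the ticket check suggested above is to parse the output of the built-in `klist` command and see which realm issued each ticket and which tickets carry delegation-related flags. `Get-KerberosTicket` is a hypothetical helper name, and the account, host and domain names in the sample are constructed.

```powershell
# Hypothetical helper (not a built-in cmdlet): turn klist text into objects.
function Get-KerberosTicket {
    param([string[]]$KlistOutput = (klist))   # default: live output of klist.exe
    $t = $null
    foreach ($line in $KlistOutput) {
        if ($line -match 'Client:\s*(\S+)\s*@\s*(\S+)') {
            $t = [ordered]@{ Client = $Matches[1]; ClientRealm = $Matches[2] }
        } elseif ($t -and $line -match 'Server:\s*(\S+)\s*@\s*(\S+)') {
            $t.Server = $Matches[1]; $t.ServerRealm = $Matches[2]
        } elseif ($t -and $line -match 'Ticket Flags\s+\S+\s*->\s*(.*)$') {
            $t.Flags = @($Matches[1].Trim() -split '\s+')
            [pscustomobject]$t                 # emit one object per ticket
            $t = $null
        }
    }
}

# Constructed sample of klist output for a root-domain user on a subdomain server.
$sample = @'
Cached Tickets: (3)

#0>     Client: alice @ CORP.EXAMPLE
        Server: krbtgt/CORP.EXAMPLE @ CORP.EXAMPLE
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize

#1>     Client: alice @ CORP.EXAMPLE
        Server: krbtgt/SUB1.CORP.EXAMPLE @ CORP.EXAMPLE
        Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize

#2>     Client: alice @ CORP.EXAMPLE
        Server: host/srv01.sub1.corp.example @ SUB1.CORP.EXAMPLE
        Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
'@ -split "`r?`n"

Get-KerberosTicket -KlistOutput $sample | ForEach-Object {
    $isTgt = $_.Server -like 'krbtgt/*'
    [pscustomobject]@{
        Server       = $_.Server
        IssuedBy     = $_.ServerRealm
        IsTgt        = $isTgt
        # A krbtgt ticket for a realm other than the issuer is a cross-realm referral.
        CrossRealm   = $isTgt -and ($_.Server -notlike "krbtgt/$($_.ServerRealm)")
        Forwardable  = $_.Flags -contains 'forwardable'
        OkAsDelegate = $_.Flags -contains 'ok_as_delegate'
    }
} | Format-Table -AutoSize
```

Calling `Get-KerberosTicket` with no argument in the affected user's session parses the live `klist` output; an empty result means that session holds no Kerberos tickets. The `Forwardable` and `OkAsDelegate` columns show which tickets are eligible for delegation, which is the exposure the last post warns about.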