Active Directory Trusts

Revision as of 09:52, 22 November 2016 by Slowfranklin

Support for Active Directory Trusts

External trusts between individual domains work in both directions (inbound and outbound). The same applies to root domains of a forest trust.

Transitive routing into the other forest is fully functional for Kerberos, but not yet supported for NTLMSSP. FIXME: what does this mean from a functional perspective?

While a lot of things are working fine, there are currently a few limitations:

  • Both sides of the trust need to fully trust each other!
  • No SID filtering rules are applied at all!
      • This means DCs of domain A can grant domain admin rights in domain B.
  • It's not possible to add users/groups of a trusted domain into domain groups.
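
To make the SID filtering limitation concrete, the following added example (not Samba code, and not part of the original page) models what a trusting domain B would do with the SID list asserted by a DC of trusted domain A, with and without filtering. It assumes a simplified rule in which the trusted domain may only assert SIDs from its own domain SID namespace; the full rule set used by real implementations has more cases, and all SIDs and function names here are constructed for illustration.

```python
# Simplified model of SID filtering on an inbound trust (constructed example).
# Assumed rule: a trusted domain may only assert SIDs that live under its own
# domain SID. Everything else in the incoming list is discarded.

DOMAIN_A = "S-1-5-21-1111111111-2222222222-3333333333"  # trusted domain (constructed)
DOMAIN_B = "S-1-5-21-4444444444-5555555555-6666666666"  # trusting domain (constructed)

# SID list as asserted by a DC of domain A for one of its users (constructed).
INCOMING = [
    DOMAIN_A + "-1105",  # the user account in A
    DOMAIN_A + "-513",   # Domain Users of A
    DOMAIN_B + "-512",   # Domain Admins of B, asserted by A
    "S-1-5-32-544",      # BUILTIN\Administrators
]


def domain_of(sid):
    """Return the domain SID of a domain-relative SID, or '' for any other SID."""
    parts = sid.split("-")
    # Domain-relative SIDs look like S-1-5-21-X-Y-Z-RID (8 fields).
    if len(parts) == 8 and parts[:4] == ["S", "1", "5", "21"]:
        return "-".join(parts[:7])
    return ""


def filter_sids(sids, trusted_domain_sid):
    """Split sids into (kept, dropped) under the simplified namespace rule."""
    kept, dropped = [], []
    for sid in sids:
        target = kept if domain_of(sid) == trusted_domain_sid else dropped
        target.append(sid)
    return kept, dropped


def effective_sids(sids, trusted_domain_sid, filtering):
    """SIDs the trusting domain would honour for authorization decisions."""
    if not filtering:
        return list(sids)  # the situation described in the limitations above
    return filter_sids(sids, trusted_domain_sid)[0]


if __name__ == "__main__":
    print("without filtering:", effective_sids(INCOMING, DOMAIN_A, False))
    print("with filtering:   ", effective_sids(INCOMING, DOMAIN_A, True))
    print("dropped:          ", filter_sids(INCOMING, DOMAIN_A)[1])
```

Without filtering, the Domain Admins SID of domain B asserted by domain A is honoured as-is, which is why both sides of the trust currently need to fully trust each other.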