is truly granted the access to authenticate in his
domain (e.g. if he doesn't also manage the trusted domain).
/Guido
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Monday, January 10, 2005 5:15 PM
To: Send - AD mailing
domain (e.g. if he doesn't also manage the trusted
domain).
/Guido
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Monday, January 10, 2005 5:15 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Forest trusts vs trusts within f
nt one organization and
additional validity checks are not necessary
Hope this proves useful ... that's my post quota for '05 ;-)
--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com
-----Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED
MAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Monday, January 10, 2005 7:59 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests
Actually Dean, would like to hear that explanation as to why if it's
not too much trouble. It often helps to make
veDir@mail.activedir.org
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests
that's also my understanding Dean and that's how I've tested it that it
works - but I certainly wouldn't mind the lengthy version of the
explanation...
I do have to say, that the statement
hould they occur.
Could just be me though.
Al
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday, January 10, 2005 5:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests
that
http://msetechnology.com
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg,
David A
Sent: Friday, January 07, 2005 5:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests
Al - that was basically the first
2005 12:30 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests
Without disagreeing with any
of the points you made, don't you think multi-forest deployment is an "overkill"
for what he's trying to achieve?
Let's
2005 5:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests
I'd say JFK jr. answered it between the lines ;-) Happy New Year John and
all!
A domain in a separate forest with a trust to another forest will be less
risky than a domain within the same
Ummm, yeah - I do.
-rtk
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, January 07, 2005 5:22 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests
Does nobody but me like or even prefer
mailto:[EMAIL PROTECTED] On Behalf Of
> Grillenmeier, Guido
> Sent: Friday, January 07, 2005 5:24 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Forest trusts vs trusts within forests
>
> I'd say JFK jr. answered it between the lines ;-) Happy New
> Ye
ectory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
From: Dean Wells
Sent: Fri 1/7/2005 3:21 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests
Does nobody but me like or e
Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
From: Grillenmeier, Guido
Sent: Fri 1/7/2005 2:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Forest trusts vs trusts within f
: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests
I'd say JFK jr. answered it between the lines ;-) Happy New Year John and
all!
A domain in a separate forest with a trust to another forest will be less
risky than a domain within the same forest - esp. unde
ssage-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg, David A
Sent: Friday, January 07, 2005 5:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests
Al - that was basically the first question, and I did get the confirmatio
Sent: Friday, January 07, 2005 3:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests
Thanks John. To answer your questions:
1) the topology is hub/spoke. I would put a couple DCs for the new
forest in the hub location.
2) Regarding replication
uary 07, 2005 3:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests
Thanks John. To answer your questions:
1) the topology is hub/spoke. I would put a couple DCs for the new
forest in the hub location.
2) Regarding replication, most of these sites ha
@mail.activedir.org
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests
Thanks John. To answer your questions:
1) the topology is hub/spoke. I would put a couple DCs for the new forest
in the hub location.
2) Regarding replication, most of these sites have few to no Exchange users
- those
ave
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of John Reijnders
Sent: Friday, January 07, 2005 10:36 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests
Hi David,
Take 2 ;-)
Reijnders
Sent: Friday, January 07, 2005 1:42 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests
Happy New Year to you as
well!
In order to make a good decision for yourself whether
or not you can and need to protect yoursel
the path I should push for regarding #3 - your comments are
welcome!
Duh ... No further comments your honour! I rest my case ...
Cheers!
John Reijnders
-Original Message-
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Reijnders
Sent: Friday, January 07,
nders
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Fugleberg, David A
Sent: vrijdag 7 januari 2005 16:51
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Forest
trusts vs trusts within forests
First, thanks to all of you for the many well-reasoned
replies to my
ent: Friday, January 07, 2005 1:42 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests
Happy New Year to you as
well!
In order to make a good decision for yourself whether
or not you can and need to protect yourself against
Happy New Year to you as well!
In order to make a good decision for yourself whether or not you can
and need to protect yourself against clever Domain Admins, Service Admins and/or
people with physical access to your DC's some extra info:
Ways to bypass standard security:
-
Hear, hear!
-gil
From: [EMAIL PROTECTED] on behalf of Deji Akomolafe
Sent: Thu 1/6/2005 8:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests
>>> by using selective authentication (SA).
Which,
ay? -anon
From: Sakari Kouti
Sent: Thu 1/6/2005 1:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests
Hi David,
In addition to SID filtering, you can protect a trust between domains in two forests (either a forest trust or an external trust) b
FWIW, White papers of relevance if you haven't seen them already.
The first one will probably answer your questions. What's the
underlying motivation for two forests?? Reading between the lines, it
sounds like the trust issue may not be the real issue compared to some
other service autonomy or d
is available in external trusts.
Phil
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Sakari Kouti
Sent: Thursday, January 06, 2005 4:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests
Hi David,
In
Hi David,
In addition to SID filtering, you can protect a trust between domains in two
forests (either a forest trust or an external trust) by using selective
authentication (SA). SA is sometimes called authentication firewall, and the
idea is that only listed users can access only listed serve
Separate forests should be well protected from each other, with the
possible exception of the SID History exploit, which is prevented by
enabling SID filtering, which I think is on by default now.
-gil
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fugl
In real life, you would also want to make use of SID filtering.
http://www.microsoft.com/windows2000/techinfo/administration/security/sidfilter.asp
While multiple forests will give you security advantages, it will also
cause additional administrative overhead.
-Original Message-
From: [E