Cross Domain Authentication Issue


G

Guest

Kinda complicated question for those who would like to show off their chops...

Background:
4 Domains of Windows 2003 DCs in a forest running in Windows 2000 native.
All domains are running Windows 2000 native. 1 root domain, 1 child domain
and 2 grandchild domains. There is an application making LDAP queries of
each domain in the context of an account I'll call LDAPAcct that lives in the
child domain without using the fully qualified name of the account. The
application will not accept the FQDN of the account when making the LDAP
query.

Issue:
When the application runs the LDAP query against either grandchild domain
the grandchild DC doesn't find the account in the local domain DB, so it
prepends another domain name to the username in the request and sends it to
that domain for authentication. The issue is that one grandchild domain
prepends the root domain name (rootdomain\LDAPAcct) and the other grandchild
domain prepends the correct child domain name (childdomain\LDAPAcct). Since
the account lives in the child domain, when the root domain is prepended the
query fails.

Question:
Is there anyone who understands the mechanism that a DC will use in a
situation like this when referring an unqualified account name to another
domain for authentication? If so can you give me some guidance?

Thanks for any insight
Mark
 
Ad

Advertisements

G

Guest

Mark

Split your zones over dns servers. i.e have secondary zones on the child
domain dns server for your grand child domains, update your suffixes to
include the grandchild zones. that will do the trick:)
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top