ADDS Forest Trust question

KINGJULIAN 1 Reputation point
2020-10-01T11:22:51.697+00:00

I have a query about ADDS domain trusts as I cannot wrap my head around it. Allow me to build a quick scenario.

2 forests, ForestA and ForestB. They are able to resolve each other via DNS and are single-domain environments on Server 2016.

Trust - 1-way transitive

ForestA - incoming trust

ForestB - outgoing trust

Question: this means ForestA is trusted and ForestB is trusting. Correct?

What I do not understand is this:

If I have 2 DCs, we will say DCa and DCb: DCa is a domain controller within ForestA and DCb is a domain controller within ForestB.

When ForestA\administrator is logged into DCa, I can open ADUC and browse ForestB's domain, however I cannot write to it.

When ForestB\administrator is logged into DCb, I can write to ForestA's ADDS, such as creating a new user.

How is this correct, unless I have the whole trusted/trusting mixed up?

However, the permissions are the opposite, and what you would expect: ForestA cannot assign permissions like NTFS to groups from ForestB, however it works in reverse, so ForestB can assign permissions to groups in ForestA.

It seems the administration side is working against the grain of the trust relationship.


1 answer

  1. Fan Fan 15,326 Reputation points Microsoft Vendor
    2020-10-02T00:14:21.427+00:00

    Hi,
    Here is my test with two single-domain forests: pki.com and fan.local
    Trust - 1-way transitive

    fan.local - incoming trust
    pki.com - outgoing trust

    When fan.local\administrator is logged into DC1.fan.local, I can open ADUC and browse the pki.com domain, however I cannot write to it; the access was denied. It is an expected behavior.
    When pki.com\administrator is logged into DC1.pki.com, I can't even browse the pki.com domain; the error is:
    [screenshot of the error]

    In your situation, I would recommend you confirm the trust again and check whether the permission is delegated.
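To do the re-check the answer suggests from the local forest, the following PowerShell (an added example, not code from the question or the answer) lists each trust object and restates its Direction in the trusted/trusting wording the question uses, alongside the hardening flags worth confirming; it assumes the RSAT ActiveDirectory module, and the function name Get-TrustSummary is my own.

```powershell
# Added example: summarise this forest's trusts from the local side.
# Assumes the RSAT ActiveDirectory module and read access to the trust objects.
Import-Module ActiveDirectory

function Get-TrustSummary {
    param([string]$Local = $env:USERDNSDOMAIN)   # DNS name of the local forest root

    foreach ($t in Get-ADTrust -Filter * -Server $Local) {
        $partner = $t.Target

        # Direction is reported relative to the local forest:
        #   Outbound      = local trusts the partner (local is trusting, partner is
        #                   trusted): partner accounts can be granted access to local
        #                   resources (ACLs, NTFS permissions, group membership).
        #   Inbound       = partner trusts local (local is trusted): local accounts can
        #                   authenticate to the partner; partner accounts cannot here.
        #   BiDirectional = both of the above.
        $meaning = switch ("$($t.Direction)") {
            'Outbound'      { "$Local trusts $partner ($Local trusting, $partner trusted)" }
            'Inbound'       { "$partner trusts $Local ($Local trusted, $partner trusting)" }
            'BiDirectional' { "$Local and $partner trust each other" }
            default         { 'trust disabled' }
        }

        [pscustomobject]@{
            Partner                 = $partner
            Direction               = $t.Direction
            Meaning                 = $meaning
            TrustType               = $t.TrustType
            ForestTransitive        = $t.ForestTransitive
            # Security-relevant settings on a forest trust: SID filtering should be
            # enabled, and selective authentication limits which hosts partner
            # accounts may authenticate to.
            SIDFilteringForestAware = $t.SIDFilteringForestAware
            SelectiveAuthentication = $t.SelectiveAuthentication
        }
    }
}

Get-TrustSummary | Format-List

# To verify the trust's secure channel itself (trusting domain first):
#   netdom trust <TrustingDomain> /domain:<TrustedDomain> /verify
```

Run it on a DC in each forest: the same trust should appear as Outbound on the trusting side and Inbound on the trusted side, which is the check the answer recommends before looking at delegated permissions.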

