Cross Forrest Trusts in Win2k3

[Guest]

Couple of questions about cross forrrest trusts and functionality in both
Windows 2000 and 2003.

1. Is Kerberos delegation of authentication supported in a cross forrest
trust?
1a. Does it have to be 2 way?
2. Is this supported in a Windows 2000 environment?
3. Does the domain have to be at a certain functional level?

 

[Laura E. Hunter [MVP]]

Creating a cross-forest trust requires both sides of the forest to be at the
Windows Server 2003 forest functionality level; if you have Windows 2000 DCs
in the mix, the best you can do is to create an external trust with the 2000
domain. Forest trusts use Kerberos authentication, and can be either
one-way incoming, one-way outgoing, or two-way.

HTH

 

[Guest]

Is Kerberos Delegation of authentication supported in W2K3 forrests if it is
at the correct level of functionality?

 

[Paul Williams [MVP]]

Yes, by default (and in 2000). If both forests are 2003 functional it is
also supported across the [forest] trust. Although constrained delegation
is specific to a domain.