quote:
Can a client be validated by a DC in the trusted domain ?
Yes, that is how the NT4 Master Domain Model and Complete Trust Domain Models function. In W2K all domains in a forest have transitive trusts. That means more or less every domain trusts every other domain. To be specific, a client in this context is a user account and password.
Given Dom1, Dom2 and that Dom2 trusts Dom1, a user on a computer that is a member of Dom2 can log on using an account Dom1\User1. This demonstrates that a client can be authenticated by a DC in the "trusted" domain.
quote:
Can validation by an AD server in a NT domain cause group confusion in KiX ?
I do not think so. When Dom1\User1 logs on, a security token is created and the SIDs for all the "global groups" in Dom1 of which User1 is a member are attached to the token. Please note that it is impossible for Dom1\User1 to be a member of any Global Group in any domain other than Dom1. Up to now I have not played with "Universal" groups in W2K native mode and do not know how the KiXtart group functions work relative to these groups.
quote:
Will domain-sync be across trusted domains ?
No. A domain synchronization is between all DCs within a single domain.
quote:
How do security tokens travel between trusted domains ?
It doesn't really. The user (client) attempts to access a resource in some domain. In order to gain access the client offers its credentials, the security token which consists of the (user account and the hashed password) along with the SIDs of global groups, and any SID History (yuk!). The resource server accepts the (password and hash) then uses the trust ("secure channel") to communicate with the trusted domain in order to validate that the credentials are authentic by having the trusted DC compare the user account and password hash to that which is stored in the trusted DC's SAM database.
quote:
Could this have anything to do with the difference of the two trusted domains ?
I do not quite understand what you intended when asking this question. The user can only be a member of one of the domains, so I do not see how this matters.
These discussions are based on NTLM. Kerberos adds some different twists to the story.
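As an added example that is not part of the original post, the following Python model walks through the pass-through validation described above: a resource server in Dom2 challenges a Dom1 user, hands the response to its own DC, and that DC forwards it over the trust to a Dom1 DC, which checks it against its SAM and returns the user's SID plus the SIDs of the Dom1 global groups, and only those, for the token. It also shows the two checks a practitioner would want: a one-way trust does not work in reverse, and a global group cannot hold an account from another domain. Everything in it (domain names DOM1/DOM2, users, groups, SIDs, passwords, and the challenge-response proof used in place of sending the password hash itself) is constructed for the example; the fallback from MD4 to SHA-256 is a stand-in for builds without MD4, not real NTLM.

```python
"""Constructed model of NTLM pass-through validation across a one-way trust.
All domains, users, groups, SIDs and passwords below are invented."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE password). Falls back to SHA-256 where the
    OpenSSL build has no MD4 (a stand-in for the example, not real NTLM)."""
    data = password.encode("utf-16le")
    try:
        return hashlib.new("md4", data).digest()
    except ValueError:
        return hashlib.sha256(data).digest()


def ntlm_response(nthash: bytes, domain: str, user: str, challenge: bytes) -> bytes:
    """Client proof: HMAC-MD5 keyed with the NT hash over the DC challenge and
    identity (simplified NTLMv2 shape; the hash itself never leaves the client)."""
    msg = challenge + (user.upper() + domain.upper()).encode("utf-16le")
    return hmac.new(nthash, msg, hashlib.md5).digest()


@dataclass
class DomainController:
    domain: str
    domain_sid: str
    accounts: dict = field(default_factory=dict)       # user -> NT hash (the SAM)
    rids: dict = field(default_factory=dict)           # user -> RID
    global_groups: dict = field(default_factory=dict)  # group -> (RID, members)
    trusts: dict = field(default_factory=dict)         # trusted domain -> its DC

    def add_user(self, user, password, rid):
        self.accounts[user] = nt_hash(password)
        self.rids[user] = rid

    def add_global_group(self, group, rid, members):
        # Global groups may only contain accounts of this domain.
        unknown = set(members) - set(self.accounts)
        if unknown:
            raise ValueError(f"{self.domain}: global group {group} cannot hold {unknown}")
        self.global_groups[group] = (rid, set(members))

    def validate(self, domain, user, challenge, response):
        """Local accounts are checked against the SAM; accounts of a trusted
        domain are passed through over the secure channel to that domain's DC.
        Returns the token SIDs (user SID + global group SIDs) or None."""
        if domain.upper() == self.domain.upper():
            nthash = self.accounts.get(user)
            if nthash is None:
                return None
            expected = ntlm_response(nthash, domain, user, challenge)
            if not hmac.compare_digest(expected, response):
                return None
            sids = [f"{self.domain_sid}-{self.rids[user]}"]
            sids += [f"{self.domain_sid}-{rid}"
                     for rid, members in self.global_groups.values() if user in members]
            return sids
        trusted_dc = self.trusts.get(domain.upper())
        if trusted_dc is None:
            return None  # no trust in this direction: nobody can vouch for the account
        return trusted_dc.validate(domain, user, challenge, response)


@dataclass
class ResourceServer:
    dc: DomainController  # the DC of the domain this server is a member of

    def logon(self, domain, user, password):
        challenge = os.urandom(8)
        response = ntlm_response(nt_hash(password), domain, user, challenge)
        return self.dc.validate(domain, user, challenge, response)


def build_lab():
    dom1 = DomainController("DOM1", "S-1-5-21-111")
    dom2 = DomainController("DOM2", "S-1-5-21-222")
    dom1.add_user("User1", "Pa55-example", 1001)
    dom1.add_global_group("Sales", 2001, {"User1"})
    dom2.add_user("User2", "Other-example", 1002)
    dom2.trusts["DOM1"] = dom1  # DOM2 trusts DOM1 (one-way)
    return dom1, dom2


def demo():
    dom1, dom2 = build_lab()
    server_in_dom2, server_in_dom1 = ResourceServer(dom2), ResourceServer(dom1)
    try:
        dom2.add_global_group("Staff", 2002, {"User1"})  # DOM1 account in a DOM2 global group
        cross = "allowed"
    except ValueError:
        cross = "rejected"
    return {
        "dom1_user_at_dom2": server_in_dom2.logon("DOM1", "User1", "Pa55-example"),
        "bad_password": server_in_dom2.logon("DOM1", "User1", "wrong"),
        "dom2_user_at_dom1": server_in_dom1.logon("DOM2", "User2", "Other-example"),
        "cross_domain_global_group": cross,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The token built for Dom1\User1 at the Dom2 server carries only SIDs from Dom1's SID space, which is why a KiXtart group check on that session sees Dom1 global groups and nothing from Dom2; the reverse logon fails because Dom1 has no trust over which to validate a Dom2 account.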