http://blogs.technet.com/b/askds/archive/2008/09/24/domain-locator-across-a-forest-trust.aspxRob and Mike here. We're asked, many times, why a user does not authenticate against a local domain controller in the same site when logging on across a forest. We've setup the most common scenario to help explain how domain locator works for user logonsen-USTelligent Evolution Platform Developer Build (Build: 5.6.50428.7875)http://blogs.technet.com/b/askds/archive/2008/09/24/domain-locator-across-a-forest-trust.aspx#3315084Wed, 24 Feb 2010 16:57:22 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3315084NedPyle [MSFT]<p>You're out of them.</p> <div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3315084" width="1" height="1">http://blogs.technet.com/b/askds/archive/2008/09/24/domain-locator-across-a-forest-trust.aspx#3315075Wed, 24 Feb 2010 16:21:52 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3315075ibabeu<p>Ok, so if you can't match the site names, it's an external trust, and are using DNS forwarding (so you can't simply put up a stub domain) what are your options?</p> <div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3315075" width="1" height="1">http://blogs.technet.com/b/askds/archive/2008/09/24/domain-locator-across-a-forest-trust.aspx#3244711Fri, 22 May 2009 23:10:29 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3244711timmay<p>This article does a great job of explaining authentication between domains using a forest trust.</p> <p>I'm trying to fix slowdowns when the trust is between domains with no forest trust, i.e. External. &nbsp;</p> <p>We see the same behaviour as above in our traces but the trusted domain controllers are not accessible to members of the resource domain. &nbsp;DNS is available because the trusting domain DCs are forwarding the requests through. &nbsp;In the end the devices in the trusting domain spend a good deal of time, ~20 sec, trying to contact DCs in the external trusted domain for Kerberos authentication. &nbsp;Only when they fail entirely will go to their own DC.</p> <div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3244711" width="1" height="1">http://blogs.technet.com/b/askds/archive/2008/09/24/domain-locator-across-a-forest-trust.aspx#3133469Tue, 07 Oct 2008 15:58:51 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3133469Michael Hildebrand - MSFT<p>Great info on a real-world issue - 'how to effectively use multiple forests?' &nbsp;Great work, bloggers!</p> <div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3133469" width="1" height="1">http://blogs.technet.com/b/askds/archive/2008/09/24/domain-locator-across-a-forest-trust.aspx#3129901Mon, 29 Sep 2008 15:54:22 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3129901NedPyle [MSFT]<p>Great catch bday! That has been fixed.</p> <p>- Ned</p> <div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3129901" width="1" height="1">http://blogs.technet.com/b/askds/archive/2008/09/24/domain-locator-across-a-forest-trust.aspx#3128695Fri, 26 Sep 2008 06:52:22 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3128695Brian Day [MSFT]<p>Great post, it really makes it nice and clear to understand and fix. </p> <p>One quick comment though on this paragraph;</p> <p>BEGIN_SNIP</p> <p>The DNS server's response to the above request includes a resource record for every domain controller in the user's domain. Since the client receives the list of domain controllers in no particular order this result is usually the cause as to why the domain controller locator does use the closest domain controller for authentication.</p> <p>END_SNIP</p> <p>...shouldn't it say &quot;does not use&quot; in the second sentence?</p> <div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3128695" width="1" height="1">http://blogs.technet.com/b/askds/archive/2008/09/24/domain-locator-across-a-forest-trust.aspx#3128222Thu, 25 Sep 2008 13:28:53 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3128222Domain Locator Across a Forest Trust<p>PingBack from <a rel="nofollow" target="_new" href="http://www.ditii.com/2008/09/25/domain-locator-across-a-forest-trust/">http://www.ditii.com/2008/09/25/domain-locator-across-a-forest-trust/</a></p> <img src="http://blogs.technet.com/aggbug.aspx?PostID=3128222" width="1" height="1">