External referrals between trusted forests

pachopok 20 Reputation points
2024-11-08T15:53:09.2933333+00:00

Hello all,

In a migration scenario, I have the following situation. I have a forest with a single domain A containing users and a forest with a single domain B containing groups. The two forests have a bidirectional trust set up. I would like to assign users of A to groups of B, so that LDAP applications can perform authorisation for users of A based on their memberOf attributes.

1/ My idea is to use referrals (crossRef objects) in order to make users of domain A available in domain B, so that users of A can become members of these groups in B. Is this possible? This scenario resembles assignment of users to remote security groups in Kerberos; here I am referring to LDAP though, where remote assignment of groups is not natively supported.

2/ Regarding partitions and crossRef objects: all crossRef (referral) objects are associated with domainDNS (partition) objects within the same domain. Is a crossRef object referencing an external forest object supposed to have some kind of partition?

Let me know if you have any further questions. Any help is appreciated.

Thank you


Accepted answer
Yanhong Liu 13,110 Reputation points Microsoft Vendor
2024-11-12T06:31:20.0833333+00:00

Your scenario involves the complexities of cross-forest authentication and authorization mechanisms. Here's a detailed overview of your questions:

1. Use of Referrals (crossRef objects) for Cross-Domain Group Membership:
  • While it's feasible to set up cross-forest trusts and allow users from one forest (Forest A) to access resources and potentially be added to groups in another forest (Forest B), the direct use of referrals (crossRef objects) for the purpose you're describing is not typically how this is achieved in an Active Directory (AD) environment.
  • Normally, cross-forest group membership is managed by creating shadow groups or by using Universal Groups if both forests are in the same Active Directory environment and have a trust relationship. However, these solutions don't natively support the 'memberOf' LDAP attribute required for LDAP applications.
  • For traditional cross-forest group assignment, you might consider the following approaches:
    • Group Scope and Group Nesting: Utilize Universal Groups or Domain Local Groups and add users from Forest A to these groups in Forest B. Ensure that the Forest Trust is correctly configured.
    • Shadow Groups: Mirror the group memberships manually or through scripts/automations to maintain consistency across forests.
    • Directory Synchronization Tools: Tools like Microsoft Identity Manager (MIM) or third-party solutions can assist in synchronizing group memberships across forests.
2. Partitions and crossRef Objects:
  • crossRef objects (cross-reference objects) in Active Directory are typically used by the Global Catalog and refer to naming contexts or partitions within a forest.
  • When dealing with cross-forest scenarios, these crossRef objects do not directly refer to external forest objects. Instead, the trust relationship and associated mechanisms handle cross-forest referrals and forest-wide resources.
  • You won't usually create crossRef objects manually for external forests. Instead, you should rely on the trust relationship mechanism that is already in place.
  • The 'Partitions' container in Active Directory holds information about all naming contexts in the forest. This includes domain, configuration, and schema partitions but not external forest objects directly.

In summary, while direct usage of crossRef objects for cross-domain group memberships is not a supported method, you should leverage cross-forest trusts, group scopes, and potential directory synchronization tools to achieve your goal. Consider using Universal Groups for cross-forest memberships and ensure that your LDAP applications are aware of the group membership data appropriately.

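As an added example that is neither part of the question nor of the accepted answer, the following PowerShell (ActiveDirectory module) walks the "group scope plus forest trust" path the answer recommends and shows where the memberOf back-link actually ends up, which is the part an LDAP application has to get right. It also lists the crossRef objects under the Partitions container to illustrate the answer to question 2. The forest names (a.example, b.example), DC hostnames, the user jdoe and the group App-Readers are placeholders I made up; that Add-ADGroupMember resolves a SID string through the trust and creates the foreign security principal (FSP) is an assumption about the module, not something the answer states. The script uses a Domain Local group because that is the scope that accepts foreign security principals.

```powershell
# Added example, not from the question or the accepted answer.
# All names below are placeholders (constructed), not values from the page.
Import-Module ActiveDirectory

$ForestA_DC = 'dc1.a.example'   # DC in the forest holding the users (domain A)
$ForestB_DC = 'dc1.b.example'   # DC in the forest holding the groups (domain B)
$UserSam    = 'jdoe'            # hypothetical user in domain A
$GroupName  = 'App-Readers'     # hypothetical Domain Local group in domain B

# 1. Confirm the trust from B towards A exists before touching any membership.
$trust = Get-ADTrust -Server $ForestB_DC -Filter "Name -eq 'a.example'"
if (-not $trust) { throw "No trust to a.example found on $ForestB_DC" }
"Trust: $($trust.Name) direction=$($trust.Direction) forestTransitive=$($trust.ForestTransitive)"

# 2. Resolve the user in forest A; its SID is the only thing forest B will store.
$userA = Get-ADUser -Server $ForestA_DC -Identity $UserSam
$sid   = $userA.SID.Value

# 3. Only Domain Local groups accept foreign security principals; refuse other scopes
#    instead of letting the add fail with an opaque LDAP error.
$groupB = Get-ADGroup -Server $ForestB_DC -Identity $GroupName
if ($groupB.GroupScope -ne 'DomainLocal') {
    throw "$GroupName has scope $($groupB.GroupScope); a cross-forest member needs a Domain Local group"
}

# 4. Add the user by SID (assumption: the module resolves it across the trust).
#    Forest B creates or reuses an FSP object under CN=ForeignSecurityPrincipals,<domain B>
#    and links that object, not the user in A, into the group.
Add-ADGroupMember -Server $ForestB_DC -Identity $groupB -Members $sid

# 5. The memberOf back-link lives on the FSP in forest B. An LDAP application bound to
#    forest B must look the FSP up by SID to see the membership.
$fsp = Get-ADObject -Server $ForestB_DC `
    -LDAPFilter "(&(objectClass=foreignSecurityPrincipal)(objectSid=$sid))" `
    -Properties memberOf
"FSP: $($fsp.DistinguishedName)"
$fsp.memberOf | ForEach-Object { "  memberOf: $_" }

# The same user read from forest A carries no memberOf entry for the group in B,
# because back-links are never computed across forest boundaries.
"memberOf as seen in forest A:"
(Get-ADUser -Server $ForestA_DC -Identity $UserSam -Properties memberOf).memberOf

# 6. Question 2: crossRef objects under the Partitions container only name this forest's
#    own naming contexts (domain, configuration, schema, application partitions).
$partitions = 'CN=Partitions,' + (Get-ADRootDSE -Server $ForestB_DC).configurationNamingContext
Get-ADObject -Server $ForestB_DC -SearchBase $partitions `
    -LDAPFilter '(objectClass=crossRef)' -Properties nCName, dnsRoot |
    Select-Object Name, nCName, dnsRoot
```

Run it from a host with the RSAT ActiveDirectory module as an account that can read both forests and modify the group in B. The practical consequence for the question's LDAP applications is in step 5: an application that authenticates a user from A and then reads memberOf from the user's own object in A will see nothing, so it either has to query forest B for the FSP that carries the user's SID, or the memberships have to be mirrored into forest A by a shadow-group or synchronization process as the answer suggests.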
