
Any "gotchas" with having both a forest trust and external trust in place?

Hi everyone,

We have 2 AD forests. The first forest - Forest A - has 3 domains with an "empty" root domain (yeah - we go back a long way) and 2 child domains. The second forest - Forest B - has a single domain.

There is currently a two way forest trust between Forest A and Forest B - no problems there.

Now we have a member server in one of the child domains in Forest A, that hosts the Cisco ACS 4.2 software. We use this server to authenticate wireless users in the child domains in Forest A using EAP-TLS.

To cut to the chase, we are having problems extending the Cisco ACS software to cover users in the single domain in Forest B. The root cause is that the Cisco ACS software does not "see" Forest B's domain in its "available domains" list. I get similar behaviour with the "NLTEST /server: <server name> /trusted_domains" command. If I run this command targeted at either the Cisco ACS member server or a domain controller within its child domain in Forest A, I do not see Forest B's domain in the list of trusts. However, if I run the command targeted at a domain controller in the root domain of Forest A, then I get the full list of trusts including the forest trust. I guess this is expected as there is no direct trust relationship between the child domains in Forest A and the root of Forest B.

By my reckoning I have to choose between relocating the Cisco ACS server to the root domain of Forest A or creating an external trust between the child domain hosting the Cisco ACS server in Forest A and the root of Forest B.

Now, creating an external trust in addition to the existing forest trust certainly appears possible. Can anyone advise whether I'm likely to come across any problems with doing this?

I am currently loath to move the ACS member server to the root domain due to its limited number of users with logon privileges. I would hate to have to open this up to a much larger community to support the ACS server.

Opinions as to the coexistence of a forest and external trust in my situation would be appreciated.
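An added diagnostic (not part of the original post) that reproduces the poster's nltest comparison with the ActiveDirectory module: it queries the trust objects held by a root-domain DC and by a child-domain DC, reports whether Forest B's domain has a direct trust object on each, and lists the transitivity, SID filtering and selective authentication settings of every trust so they can be reviewed before a second trust is added. All DC and domain names are hypothetical placeholders.

```powershell
# Added diagnostic: enumerate the trusts each DC knows about and report
# whether Forest B's domain is visible from it. Assumes the ActiveDirectory
# module (RSAT) and the hypothetical DC / domain names below.
Import-Module ActiveDirectory

$ForestBDomain = 'forestb.example'                # hypothetical name of Forest B's single domain
$DcsToCheck = @(
    'dc1.root.foresta.example',                   # hypothetical DC in Forest A's root domain
    'dc1.child1.root.foresta.example'             # hypothetical DC in the child domain hosting ACS
)

foreach ($dc in $DcsToCheck) {
    # Get-ADTrust -Server reads the trustedDomain objects of the domain that $dc
    # serves, which is what "nltest /server:<dc> /trusted_domains" summarises.
    try {
        $trusts = Get-ADTrust -Filter * -Server $dc -ErrorAction Stop
    } catch {
        Write-Warning "Could not query $dc : $($_.Exception.Message)"
        continue
    }

    # A forest trust is stored only in the forest root domain, so a child-domain
    # DC is expected to show no direct object for Forest B's domain.
    $direct = $trusts | Where-Object { $_.Name -eq $ForestBDomain }
    $status = if ($direct) {
        'DIRECT trust object present'
    } else {
        'no direct trust object (reachable only via the forest trust through the root)'
    }
    Write-Host "$dc -> $ForestBDomain : $status"

    # Settings worth reviewing on every trust before adding another one:
    # transitivity, SID filtering (quarantine) and selective authentication.
    $trusts |
        Select-Object Name, Direction, TrustType, ForestTransitive,
                      SIDFilteringQuarantined, SelectiveAuthentication |
        Format-Table -AutoSize
}
```

Run it from a workstation with RSAT against a DC of each domain in turn; an external trust created later should appear on the child-domain DC with SIDFilteringQuarantined set, which is the default for external trusts.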

