Can someone please assist with the following question?
I read a very good blog post here: https://blogs.msmvps.com/acefekay/2016/09/21/kerberos-authentication-sequence-across-trusts/
However, I am unsure about a couple of things.
1) Does the TDO (trusted domain object) that is stored in the GC (copied from the System container in the domain partition) contain the 'inter-domain key' (e.g. shared secret) for the inter-forest trust, which is required to encrypt a TGT for the other forest's KDC?
For example, item 3 in the post above states the following:
3. The KDC in the marketing.trimagna.com then issues the workstation a TGT for the contoso.com domain. This is known as a referral ticket
Therefore I am thinking that, as the child domain referred to in item 3 ('marketing') is not the forest root domain, it does not host the forest root trust. So in order for the KDC in the marketing domain to create a TGT for the foreign forest's KDC (the 'contoso.com' domain), it would have to encrypt the TGT with the shared secret (inter-domain key) of the forest trust, and the only place I can think of that a child domain would get this inter-domain key for the inter-forest trust is the GC (global catalogue).
Can someone please verify whether my logic is correct? If not, where am I going wrong?
Thanks
CXMelga
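One way to check the premise behind question 1 directly, rather than reasoning about it: read the trustedDomain object for the partner forest once from the forest root's domain partition (LDAP, port 389) and once from the Global Catalog (port 3268), and compare which attributes come back in each copy. The trust secrets are held in the trustAuthIncoming and trustAuthOutgoing attributes of that object, so whether those two names appear in the GC copy answers the question for your own forest. This is an added example and not code from the original post or the linked blog; the DC, domain and trust partner names are assumptions taken from the blog's scenario.

```powershell
# Added example, not part of the original post or the linked blog.
# Compares the attribute set of a trustedDomain object as read from the
# writable domain partition (port 389) with the copy held by the Global
# Catalog (port 3268), so you can see which attributes replicate to the GC.
# Server, domain and trust partner names below are assumptions.
Import-Module ActiveDirectory

$ForestRootDc = 'dc01.trimagna.com'      # assumed: a DC in the forest root that is also a GC
$ForestRootDn = 'DC=trimagna,DC=com'     # assumed: forest root domain DN
$TrustPartner = 'contoso.com'            # assumed: name of the trusted forest

function Get-TdoAttributeNames {
    param(
        [string]$Server,
        [string]$SearchBase
    )
    # Ask for every attribute; only those that came back with a value are returned
    $tdo = Get-ADObject -Server $Server `
        -SearchBase $SearchBase `
        -LDAPFilter "(&(objectClass=trustedDomain)(name=$TrustPartner))" `
        -Properties *
    if (-not $tdo) { throw "No trustedDomain object for $TrustPartner found via $Server" }
    $tdo.PSObject.Properties |
        Where-Object { $null -ne $_.Value -and $_.Value -ne '' } |
        Select-Object -ExpandProperty Name
}

# Full object from the domain partition: TDOs live under CN=System
$fromDomain = Get-TdoAttributeNames -Server "${ForestRootDc}:389" -SearchBase "CN=System,$ForestRootDn"
# Partial-attribute-set copy from the Global Catalog
$fromGc     = Get-TdoAttributeNames -Server "${ForestRootDc}:3268" -SearchBase $ForestRootDn

$onlyInDomain = Compare-Object -ReferenceObject $fromDomain -DifferenceObject $fromGc |
    Where-Object SideIndicator -eq '<=' |
    Select-Object -ExpandProperty InputObject

'Attributes present in the domain partition but absent from the GC copy:'
$onlyInDomain | Sort-Object

# The trust secrets are stored in these two attributes; report whether the GC copy has them
foreach ($attr in 'trustAuthIncoming', 'trustAuthOutgoing') {
    '{0,-20} in GC copy: {1}' -f $attr, ($fromGc -contains $attr)
}
```

Run this as a member of Domain Admins in the forest root: the trustAuth* attributes are access-controlled, and an unprivileged read omits them from both results, which would make the comparison meaningless. The function queries by the trusted forest's name, so point $TrustPartner at the forest on the other side of your own trust.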