Thursday, November 24, 2011

Active Directory Forest Design Testing

While running some tests with Active Directory trusts I came across some really interesting results. I don't know whether they were caused by a faulty configuration or whether this is really the way it works under these conditions, so any insight into these findings would be greatly appreciated.

The lab test started while I was studying for my 70-647 Windows Server 2008 Enterprise Administrator exam. I wanted to find out more about the different types of Active Directory forest design, more specifically the "resource forest". In this design all of the enterprise's resources are stored in a forest separate from the one that holds the user accounts. Doing this creates separation between the two forests' Global Catalogs, schemas, configuration partitions, and SIDs. (I placed SIDs here because a SID is relative to the domain in which it was created, and each domain issues SIDs from its own RID pool under its own RID master FSMO role.)

I created two separate forests, one with a single domain (test.local) and the other with a root domain and a child domain (dim.internal and test.dim.internal). I created a forest trust between the two and configured it for selective authentication. The test.local forest held the resources for the organization and dim.internal held the user accounts. I configured a couple of users that were allowed to access resources across the trust.

One thing I noticed was that when the file server in test.local was addressed by its NetBIOS name, access to the resource was allowed even though there was no SACL for it, unless the default Administrator account explicitly entered its credentials in User Principal Name form to authenticate. My thought was that because the default Administrator account has no UPN configured by default, NTLM would be used as the authentication mechanism rather than Kerberos. I will update this with more results in the coming weeks.
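As an added example (not part of the original post), the following PowerShell gathers the evidence the observations above turn on: whether the trust really is set to selective authentication, whether the built-in Administrator has a UPN, who holds "Allowed to Authenticate" on the file server's computer object, and which authentication package (Kerberos or NTLM) each network logon on the file server actually used. It assumes the RSAT ActiveDirectory module on an admin host in test.local, a file server named FS01 (a hypothetical name), and that you have credentials for dim.internal if querying across the trust prompts for them.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module,
# an admin host in the resource forest test.local, and a file server FS01
# (hypothetical name). Adjust -Credential if the cross-forest query needs it.

Import-Module ActiveDirectory

# 1. Confirm the trust to dim.internal is a forest trust with selective authentication.
Get-ADTrust -Filter { Target -eq "dim.internal" } |
    Select-Object Name, Direction, ForestTransitive, SelectiveAuthentication

# 2. The built-in Administrator has no UPN by default; an empty UserPrincipalName here
#    means a logon typed as Administrator@dim.internal is not matching a stored UPN.
Get-ADUser -Identity Administrator -Server dim.internal -Properties UserPrincipalName |
    Select-Object SamAccountName, UserPrincipalName

# 3. Under selective authentication, access from the trusted forest is gated by the
#    "Allowed to Authenticate" extended right on the resource computer object, in
#    addition to whatever the share and NTFS permissions say. List who holds it.
$allowedToAuth = [Guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'   # Allowed-To-Authenticate right
$fs = Get-ADComputer -Identity FS01
(Get-Acl -Path "AD:\$($fs.DistinguishedName)").Access |
    Where-Object { $_.ObjectType -eq $allowedToAuth -and
                   $_.ActiveDirectoryRights -match 'ExtendedRight' } |
    Select-Object IdentityReference, AccessControlType, IsInherited

# 4. On the file server, read Security event 4624 and show which package
#    authenticated each network logon (LogonType 3). A short NetBIOS name cannot be
#    routed by Kerberos name-suffix routing across a forest trust, so those logons
#    tend to show NTLM; an FQDN or UPN-form logon that works shows Kerberos.
Get-WinEvent -ComputerName FS01 -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 200 |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = "$($d.TargetDomainName)\$($d.TargetUserName)"
            LogonType   = $d.LogonType
            AuthPackage = $d.AuthenticationPackageName
            Workstation = $d.WorkstationName
        }
    } |
    Where-Object { $_.LogonType -eq '3' } |
    Format-Table -AutoSize
```

Run step 4 once after connecting to \\FS01\share and once after connecting to \\FS01.test.local\share with the same account; the AuthPackage column for the two sessions is the direct test of the NTLM-versus-Kerberos hypothesis, and step 3 shows whether the account that got in was actually granted the extended right or got in some other way.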



http://technet.microsoft.com/en-us/library/cc772808%28WS.10%29.aspx 
