Skip navigation
Menu
Kerberos and Separate Active Directory Forests
End-User Platforms>Active Directory

Kerberos and Separate Active Directory Forests

Q: Can Kerberos work across separate Active Directory forests?

A: Yes. If a forest root trust is created between the separate Active Directory (AD) forests, then Kerberos authentication is possible between any domain in any forest because of the transitive nature of the forest root trust. It is very important that services such as DNS are also correctly configured for cross-forest authentication to correctly function. The forest level of both forests must be at least Windows Server 2003. See this Microsoft article for some key details.

Hide comments

More information about text formats

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish
Recommended Reading
How Windows Server 2012 Eases the Pain of Kerberos Constrained Delegation, Part 2
How Windows Server 2012 Eases the Pain of Kerberos Constrained Delegation, Part 2
Mar 19, 2013
How Windows Server 2012 Eases the Pain of Kerberos Constrained Delegation, Part 1
How Windows Server 2012 Eases the Pain of Kerberos Constrained Delegation, Part 1
Feb 22, 2013
computer password entry box overlaying a keyboard
How To Use PowerShell for Active Directory Password Help
Mar 18, 2024
Microsoft CEO Satya Nadella on stage at Microsoft Ignite 2023
Top 10 Stories About Microsoft in 2023
Dec 22, 2023