3.4 Interoperability Between Active Directory and eDirectory

Trust relationships are key to managing Domain Services for Windows (DSfW). To facilitate communication between Windows and Linux environments, you can create a trust to access resources from another domain. When a domain is installed, a trust is automatically established with its parent domain.

To assist you in doing this, DSfW supports the following: installing into a new eDirectory tree, an existing eDirectory tree, or an existing forest; creating multiple DSfW domains; and setting up multiple DSfW domain controllers within the same domain.

Figure 3-4 illustrates a typical deployment scenario in a mixed Novell/Microsoft environment.

Figure 3-4 Cross-Forest Trust between Active Directory and DSfW

The diagram shows an Active Directory forest and a DSfW forest. Within the DSfW forest are two DSfW servers, an eDirectory SP2 server, and an eDirectory 8.8 SPx server, configured in the same replica ring. Novell administrators can manage the domain by using iManager connected to any of these servers, and a Microsoft administrator can use MMC connected to one of the DSfW servers. The same set of users can access resources in the Active Directory forest through a cross-forest trust, which is a two-way, Kerberos-based, transitive trust between the two forests.

Within the authentication/authorization boundary (realm) established by DSfW, eDirectory replication can be used to expand the scope of users and groups that can access resources in a cross-domain and cross-forest scenario. In the example scenario shown above, users created in eDirectory 8.8 SP2 and above are replicated into the DSfW domain and can therefore access servers in the Active Directory forest.

For more information on creating a cross-forest trust, see Section 18.0, Managing Trust Relationships in Domain Services for Windows.