MicrosoftI'm trying to wrap my head around how to implement an Authentication Policy in a "Red Forest" scenario, where the administrators user accounts are in a different forest than the production ones and with a one-way trust between these forests.
It's not possible to add computers from PROD forest to the conditions of an Authentication Policy created in the RED forest, and it's also not possible to add users from "RED" forest to the Accounts of an Authentication Policy created in PROD forest.
Any advice for this scenario?
Thanks :)
Edit : I continued scrolling through the comments and found those from henrymoehsel and KiliMuc stating that this is not doable.
Given that the Red Forest is till an useful in some scenarios, especially disconnected ones; how would you adress this? By relying on Selective Authentication to prevent Admins from different tiers to logging onto servers where they shouldn't? Or go back to the "old" GPO mechanisms?
MicrosoftCurrently today the Red forest has been deprecated and moved to a harden forest. This Red forest was a great solution, but expensive to deploy and most organizations have a hard time adhering to the thought of it being an appliance vrs a domain. As to the old way of GPO, that has never gone away and is still relevant when working with the production forest. Domain admins should not be allowed to logon any devices except in Tier 0, Tier 1 admins should not be able to log onto any devices except their designated Tier 1 devices.....
Read over: Rapidly modernize your security infrastructure - Privileged access | Microsoft Learn
Call it whatever you like, it was pretty clear from my post I was talking about "a distinct forest containing administrators user accounts and with a one-way trust to multiple production forests" and that's what should matter.
Authentication Policies are a better solution to prevent lower-tier logons compared to GPOs, hence my question.
RAMP is not very relevant in my disconnected scenario.