Installation manual

Preparing for CIFS Authentication
Adding an Active-Directory Forest (Kerberos)
CLI Storage-Management Guide 3-19
From gbl mode, use the active-directory forest-trust command to identify a trust
relationship between two AD forests:
active-directory forest-trust forest-a forest-b
where forest-a and forest-b (1-256 characters each) identify the AD forests with
the trust relationship. These forests must be pre-configured on the ARX with the
active-directory-forest command (recall “Adding an Active-Directory Forest
(Kerberos)” on page 3-10), and they must both have all Windows 2003 servers
assigned as their forest-roots (see “Identifying the Forest Root” on page 3-10).
This records a two-way trust between the forests. The trust is direct, not transitive;
that is, clients in forest-a can access CIFS services in forest-b, but cannot access any
services in forest-c unless you establish another trust between forest-a and forest-c.
This is consistent with the implementation in Windows.
For example, this command establishes a two-way trust between the ‘ny.com’ forest
and the ‘vt.com’ forest:
bstnA6k(gbl)# active-directory forest-trust ny.com vt.com
bstnA6k(gbl)# . . .
Dissolving a Forest-to-Forest Trust
For a forest trust that no longer exists in your network, you can use the
no active-directory forest-trust command:
no active-directory forest-trust forest-a forest-b
where forest-a and forest-b (1-256 characters each) are the forests where a trust
relationship no longer exists.
For example, this command removes an existing two-way trust between the ‘ny.com’
and ‘ma.com’ forests:
bstnA6k(gbl)# no active-directory forest-trust ny.com ma.com
bstnA6k(gbl)# . . .
Showing All Active-Directory Forests
Use the show active-directory command to show all AD forests and forest trusts on
this switch.
show active-directory