I'm planning out a joinder between two domains, as would take place with contracting companies. Forests A and B exist in distant sites, and there is to be a one-way forest trust so that domain users in Forest A can be authenticated on machines in Forest B.
In order to facilitate this, each forest's domain controllers must be able to contact each other in order to set up & confirm the trust, but my question is what underlying networking magic must take place beneath it.
So far the prevailing approach has been to maintain a VPN connection between the two sites, but the TechNet documentation seems to indicate that DNS forwarding may be the way to go. Is this the case?
Furthermore, if DNS will suffice, does that mean that there must be a server running DNS on boundary servers in each domain so that they can be reached from across the internet? How must they be configured?
Thanks!
See this TechNet article for the list of ports required and where. Routing hints for authentication referrals are kept in the TDO. You do need to be able to forward requests to the proper DNS server for name resolution (or replicate the DNS zone). Cross-forest trusts are not simply DNS forwards. You might also consider ADFS.
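A defender-side check for the name-resolution and port-reachability points in the answer above, as an added example that is not from the original thread: run on a DNS server in Forest B, it creates a conditional forwarder for Forest A's namespace, confirms the SRV records a trust setup depends on resolve, and tests the DC ports over the VPN/WAN link. The forest name, DNS server addresses and the port list are placeholders and assumptions; the authoritative port list is in the TechNet article the answer links.

```powershell
# Added example, not from the thread. Requires the DnsServer module (DNS role) on a Forest B server.
# All names and addresses are placeholders for the two forests described in the question.
$RemoteForestDns  = 'foresta.example'               # DNS name of Forest A's forest root domain (placeholder)
$RemoteDnsServers = @('192.0.2.10', '192.0.2.11')   # Forest A DNS servers reachable over the link (placeholder)

# 1. Conditional forwarder: queries for Forest A's namespace go to Forest A's DNS servers
#    (the answer's "forward requests to the proper DNS server"; replicating the zone is the alternative).
if (-not (Get-DnsServerZone -Name $RemoteForestDns -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $RemoteForestDns -MasterServers $RemoteDnsServers
}

# 2. The trust wizard locates DCs through these SRV records; if they do not resolve, the trust cannot be created.
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$RemoteForestDns",
    "_kerberos._tcp.dc._msdcs.$RemoteForestDns",
    "_gc._tcp.$RemoteForestDns"
)
$dcHosts = foreach ($srv in $srvNames) {
    $r = Resolve-DnsName -Name $srv -Type SRV -ErrorAction SilentlyContinue
    if (-not $r) { Write-Warning "SRV lookup failed: $srv" } else { $r.NameTarget }
}
$dcHosts = $dcHosts | Sort-Object -Unique

# 3. Port reachability from this side to each Forest A DC. The list is an assumed minimal set
#    (DNS, Kerberos, RPC endpoint mapper, LDAP, SMB, kpasswd, LDAPS, global catalog); RPC dynamic
#    ports are also needed. Build firewall/VPN rules from the full list in the linked article.
$ports = 53, 88, 135, 389, 445, 464, 636, 3268
$results = foreach ($dc in $dcHosts) {
    foreach ($p in $ports) {
        $t = Test-NetConnection -ComputerName $dc -Port $p -WarningAction SilentlyContinue
        [pscustomobject]@{ DC = $dc; Port = $p; Open = $t.TcpTestSucceeded }
    }
}
$blocked = $results | Where-Object { -not $_.Open }
if ($blocked) { $blocked | Format-Table -AutoSize }
else { 'All assumed trust ports reachable on every Forest A DC found via SRV.' }
```

Run the same script from Forest A against Forest B's namespace as well, since the answer notes the trust needs referrals resolved in both directions even when the trust itself is one-way.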