The system supports traversing external (or forest) trusts between domains in different forests.

This includes:

  • Assignment/entitlement of users/groups in one forest to resources in a different forest.

  • Support for one-way trusts.

For this functionality to work, you must do the following.

  • Register all domains from all forests that contain accounts and desktops you wish to use.

  • Register forest root domains from both sides of a forest trust. This is required to allow the tenant to connect to the forest roots and decode the relevant TDO. This requirement holds even if there are no DaaS desktops or users in the forest root domains.

  • Enable global catalog for at least one of the registered domains in each forest. For optimal performance all registered domains should have global catalog enabled.

  • To entitle groups from different forests to a desktop, register at least one universal group from each forest. Entitlement/assignment using domain local groups is not supported. As a result, the system filters out FSPs from 'member' attribute DNs and tokenGroups.

  • Follow a hierarchical structure with regard to DNS name and root naming context for forest domains. For example, if the parent domain is called example.edu, a child domain could be called vpc.example.edu but not vpc.com.

  • Avoid having a domain from an externally trusted forest with a clashing NETBIOS name, as such domains will be excluded. The registered NETBIOS name will always take precedence over a clashing NETBIOS name found during enumeration of a trusted forest's domains.