How a client computer or member server finds the logon Domain Controller across forests in an Active Directory environment, or how the secure channel determines the Domain Controller in a cross-forest trust
If you have worked on troubleshooting authentication issues between forests, you have probably used the NLTEST tool to check the secure channel Domain Controller. Did you ever look into how the Domain Controller in one forest selects the Domain Controller in the other forest?
In the local domain, the member server to Domain Controller secure channel is determined by the site link and the corresponding DNS SRV records. In the same way, the Domain Controller to trusted domain secure channel is determined by the site link and the corresponding DNS SRV records, provided you have enabled site synchronization.
Site synchronization
To locate the closest Domain Controller in the trusted domain, your domain must have knowledge of the trusted domain's sites and site links, so you have to define the subnet of the DC in the trusted domain's site.
In effect you add the same subnet in both forests, associated with the corresponding site, so that user authentication is matched to the nearest DC.
To check how the client determined the logon server from the trusted forest, first check the currently authenticated Domain Controller from the client, then check the current secure channel (authenticated) Domain Controller from that DC.
The command below finds the currently authenticated DC for a domain:
Nltest /dsgetdc:<DomainName>
The command below finds the current secure channel Domain Controller for a domain:
Nltest /SC_QUERY:<DomainName>
The command below resets the secure channel so that a different Domain Controller is selected from the corresponding domain or forest:
Nltest /SC_RESET:<DomainName>
This selects the Domain Controller according to the site design.
If you want to reset the secure channel to a specific Domain Controller in the corresponding domain or forest:
Nltest /SC_RESET:<DomainName>\<DcName>
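As an added illustration (not part of the original post), the PowerShell script below parses constructed sample output of the two nltest query commands above and reports whether the secure channel is bound to the DC the locator currently considers closest, suggesting the reset step from the text only when it applies. The domain, DC names, site names and function names are hypothetical.

```powershell
# Constructed sample of "nltest /dsgetdc:fabrikam.example" output (not a real capture).
$dsGetDcSample = @"
           DC: \\DC01.fabrikam.example
      Address: \\10.20.0.5
     Dom Name: fabrikam.example
  Forest Name: fabrikam.example
 Dc Site Name: Branch-Lon
Our Site Name: Branch-Lon
        Flags: GC DS LDAP KDC TIMESERV WRITABLE CLOSE_SITE
The command completed successfully
"@
# Constructed sample of "nltest /sc_query:fabrikam.example" output on the same host.
$scQuerySample = @"
Flags: 30 HAS_IP  HAS_TIMESERV
Trusted DC Name \\DC02.fabrikam.example
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully
"@

function ConvertFrom-NltestDsGetDc {
    # Parse the "Key: value" lines of /dsgetdc output into a hashtable.
    param([string]$Text)
    $info = @{}
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^\s*([A-Za-z ]+?):\s*(.+)$') { $info[$Matches[1].Trim()] = $Matches[2].Trim() }
    }
    $info['CloseSite'] = (($info['Flags'] -split '\s+') -contains 'CLOSE_SITE')
    return $info
}
function Test-TrustSecureChannel {
    # Compare what the locator answers now with the DC the secure channel is bound to.
    param([string]$DsGetDcText, [string]$ScQueryText, [string]$TrustedDomain)
    $loc = ConvertFrom-NltestDsGetDc -Text $DsGetDcText
    $scDc = $null; $scOk = $false
    foreach ($line in ($ScQueryText -split "`r?`n")) {
        if ($line -match '^Trusted DC Name\s+\\\\(\S+)') { $scDc = $Matches[1] }
        if ($line -match 'NERR_Success') { $scOk = $true }
    }
    $locDc  = $loc['DC'].TrimStart('\')
    $action = if (-not $scOk) { 'secure channel is down: check trust and connectivity before any reset' }
              elseif (-not $loc['CloseSite']) { "locator DC is not in a close site: define this subnet in the trusted forest's site, then nltest /sc_reset:$TrustedDomain" }
              elseif ($scDc -ine $locDc) { "secure channel is on $scDc but locator prefers $locDc: nltest /sc_reset:$TrustedDomain" }
              else { 'none: secure channel already uses the closest DC' }
    [pscustomobject]@{
        TrustedDomain = $TrustedDomain; LocatorDc = $locDc; LocatorDcSite = $loc['Dc Site Name']
        OurSite = $loc['Our Site Name']; SecureChannelDc = $scDc; SecureChannelUp = $scOk; Action = $action
    }
}
Test-TrustSecureChannel -DsGetDcText $dsGetDcSample -ScQueryText $scQuerySample -TrustedDomain 'fabrikam.example' | Format-List
```

On a real host, replace the two sample strings with the captured output of nltest /dsgetdc:<DomainName> and nltest /SC_QUERY:<DomainName>.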
It seems simple, and this is how the secure channel determines the Domain Controller in a cross-forest trust.