3. Add a CNAME entry using Active Directory DNS Manager and follow the steps below for each storage account in the domain that the storage account is joined to.
+
3. Add a CNAME entry using Active Directory DNS Manager and follow the steps below for each storage account in the domain that the storage account is joined to. If you're using a private endpoint, add the CNAME entry to map to the private endpoint name.
1. Open Active Directory DNS Manager.
1. Go to your domain (for example, **onpremad1.com**).
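Review bot: the added sentence "add the CNAME entry to map to the private endpoint name" leaves the target record ambiguous; say which name the CNAME should point at (the private endpoint's DNS name rather than the public `file.core.windows.net` name) and, if the docs already have a page on private endpoint DNS for Azure Files, link it here, since the numbered steps that follow only cover the public-endpoint case.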
@@ -149,8 +149,8 @@ Now, from domain-joined clients, you should be able to use storage accounts join
If you've already modified the storage account name suffix and added a CNAME record as described in the previous section, you can skip this step. If you'd rather not make DNS changes or modify the storage account name suffix, you can configure a suffix routing rule from **Forest 1** to **Forest 2** for a custom suffix of **file.core.windows.net**.
-
> [!IMPORTANT]
-
> This method will only work in environments with two forests. If you have more than two forests, use the [Modify storage account name suffix and add CNAME record](#modify-storage-account-name-suffix-and-add-cname-record) method instead.
+
> [!NOTE]
+
> Configuring name suffix routing doesn't affect the ability to access resources in the local domain. It's only required to allow the client to forward the request to the domain matching the suffix when the resource isn't found in its own domain.
First, add a new custom suffix on **Forest 2**. Make sure you have the appropriate administrative permissions to change the configuration and that you've [established trust](#establish-and-configure-trust) between the two forests. Then follow these steps:
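Review bot: dropping the `[!IMPORTANT]` two-forest limitation from this section removes a constraint the remaining text still implies ("a suffix routing rule from **Forest 1** to **Forest 2**"); the same callout reappears later in this commit under the alternative UPN suffix method, so confirm the limitation really belongs to UPN suffixes and not to name suffix routing before it is removed here. The `[!NOTE]` moved up from the end of the procedure reads fine as an intro, but it now says "Configuring name suffix routing doesn't affect..." before the reader has seen any steps; consider placing it after "Then follow these steps:" or rewording it as a lead-in.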
@@ -170,9 +170,6 @@ Next, add the suffix routing rule on **Forest 1**, so that it redirects to **For
1. Check if the "*.file.core.windows.net" suffix shows up. If not, select **Refresh**.
1. Select "*.file.core.windows.net", then select **Enable** and **Apply**.
-
> [!NOTE]
-
> Configuring name suffix routing doesn't affect the ability to access resources in the local domain. It's only required to allow the client to forward the request to the domain matching the suffix when the resource isn't found in its own domain.
-
## Validate that the trust is working
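Review bot: style point on the two context steps above: the suffix appears as `"*.file.core.windows.net"` in straight double quotes, while the section intro formats the same suffix in bold (**file.core.windows.net**); pick one convention for the suffix across the section. The removal of the trailing `[!NOTE]` and its blank line is otherwise clean, since the blank context line at 172 still separates the list from the `## Validate that the trust is working` heading.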
Now we'll validate that the trust is working by running the **klist** command to display the contents of the Kerberos credentials cache and key table.
1. Log on to a machine or VM that's joined to a domain in **Forest 2** and open a Windows command prompt.
-
1. Run the following command to display the credentials cache for the domain-joined storage account in **Forest 1**: `klist get cifs/onprem2sa.file.core.windows.net`**[Is this correct, or should it be onprem1sa?]**
+
1. Run the following command to display the credentials cache for the domain-joined storage account in **Forest 1**: `klist get cifs/onprem1sa.file.core.windows.net`
1. You should see output similar to the following:
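Review bot: resolving the leftover editorial query by changing the SPN to `cifs/onprem1sa.file.core.windows.net` is consistent with the step text ("storage account in **Forest 1**"), but the step is run from a machine joined to **Forest 2**, so it only works if the Forest 1 storage account is actually named `onprem1sa` and its suffix resolves via the CNAME or suffix routing configured earlier; please confirm the account name matches the example used in the earlier sections, and consider stating what a successful `klist` result looks like in the "output similar to the following" block so readers can tell a cross-forest ticket from a failure.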
If you see the above output, you're done. If you don't, follow these steps to provide alternative UPN suffixes to make multi-forest authentication work.
+
> [!IMPORTANT]
+
> This method will only work in environments with two forests. If you have more than two forests, use one of the other methods to configure domain suffixes.
+
First, add a new custom suffix on **Forest 1**.
1. Log on to a machine or VM that's joined to a domain in **Forest 1**.
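Review bot: the `[!IMPORTANT]` callout added here is the one removed from the suffix routing section earlier in this commit, but its fallback has been weakened from a direct link ("use the [Modify storage account name suffix and add CNAME record](#modify-storage-account-name-suffix-and-add-cname-record) method instead") to the vaguer "use one of the other methods to configure domain suffixes"; restore the link, or name the methods, so a reader with more than two forests knows where to go.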