Overview - Administering a Multicell Environment
Previous topics in this guide described the DCE administration tasks that are performed within individual cells. The administration of a multicell environment, which is one in which principals from foreign cells access objects in the local cell, has additional tasks and considerations that arise from the interaction of principals across different cells.
In fact, you can have two types of system administrators: one for local cell administration and one for intercell administration of the multicell environment. If you set up groups for the two types of administrators, you can set the ACL for the krbtgt directory, which contains cell principals, in the registry database to allow updating only by the group of intercell administrators. Be sure, however, to allow all other users read access to the krbtgt directory or intercell access will be denied to those users. Note that, if you protect the krbtgt directory in this way, ensure that all directories below the krbtgt directory also have the proper ACLs. The easiest way to accomplish this is to change the Object ACL and the Initial Creation ACLs on the krbtgt directory after the registry is created.
This topic describes the trust relationships between cells that allow principals from foreign cells access to objects in your cell and vice versa.