Policy

Use forest search order

Windows 11 25H2

Back to categoryOpen picker

Policy overview

Key metadata and intent for this policy.

ClassComputer
CategorySystem > KDC
Supported onAt least Windows Server 2008 R2 or Windows 7

Supported OS tags: Windows10, Windows10RT, Windows11, Windows7, Windows8, Windows81, WindowsRT, WindowsRT81, WindowsServer2008, WindowsServer2012, WindowsServer2012R2, WindowsServer2016

This policy setting defines the list of trusting forests that the Key Distribution Center (KDC) searches when attempting to resolve two-part service principal names (SPNs). If you enable this policy setting, the KDC will search the forests in this list if it is unable to resolve a two-part SPN in the local forest. The forest search is performed by using a global catalog or name suffix hints. If a match is found, the KDC will return a referral ticket to the client for the appropriate domain. If you disable or do not configure this policy setting, the KDC will not search the listed forests to resolve the SPN. If the KDC is unable to resolve the SPN because the name is not found, NTLM authentication might be used. To ensure consistent behavior, this policy setting must be supported and set identically on all domain controllers in the domain.

Internal name
ForestSearch
Policy ID
0228689d8837
Elements
1

Registry values

How enabled and disabled states update the registry.

Registry locationTypeEnabled valueDisabled value
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters\UseForestSearchREG_DWORD
1
0

Policy elements

Inputs and configuration options exposed by this policy.

ElementTypeRegistry mappingConstraints & behavior
Forests to Search
ID ForestSearchList
text
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters\ForestSearchList
Type REG_SZ
None

Other policies in this category

Explore related policies at the same level.