This policy setting defines the list of trusting forests that the Kerberos client searches when attempting to resolve two-part service principal names (SPNs).
If you enable this policy setting, the Kerberos client searches the forests in this list, if it is unable to resolve a two-part SPN. If a match is found, the Kerberos client requests a referral ticket to the appropriate domain.
If you disable or do not configure this policy setting, the Kerberos client does not search the listed forests to resolve the SPN. If the Kerberos client is unable to resolve the SPN because the name is not found, NTLM authentication might be used.
Enter the list of forests to be searched when this policy is enabled.
Use the Fully Qualified Domain Name (FQDN) naming format.
Separate multiple search entries with a semi-colon ";".
The current forest need not be listed because Forest Search Order uses the global catalog first then searches in the order listed.
You do not need to separately list all the domains in the forest.
If a trusting forest is listed, all the domains in that forest will be searched.
For best performance, list the forests in probability of success order.