AD cross domain authentication, GC server
I have 3 domains in my forest. For purposes of discussion, I will use domain.dom as the root domain. Under this domain I have one.domain.dom and two.domain.dom. In one of my sites I have a domain controller on one.domain.dom that is a global catalog server. In this site I have a number of computers and users in two.domain.dom.

The questions I have all pertain to when connectivity from this site to the other sites is unavailable. So a domain controller in two.domain.dom is not available, and none of the FSMO role holders in domain.dom are available. Users on two.domain.dom can log into machines on two.domain.dom and can access resources on other computers in two.domain.dom. However, users in two.domain.dom that have never previously logged onto the machines in two.domain.dom cannot log into these computers when the site does not have connectivity to the rest of the forest. I assume that this is because the authentication is cached, despite some MS documentation indicating that network resources cannot be accessed using cached credentials. I have tested shutting down the computers and servers in two.domain.dom while the links were down. I have been able to restart the computers and continue to access the resources.

My question is: is this occurring because of cached credentials, or because the global catalog server on one.domain.dom is capable of authenticating these users, despite the availability of a DC in two.domain.dom? Can I rely on this to continue to work over 5-6 days of extended outage of connectivity to the rest of the forest? Will cross domain access to resources (network shares) continue to work with access only to the GC in one.domain.dom? I ask all of these because I understand the theoretical Kerberos process that is required for a KDC within their domain, how a TGT is valid for the local domain, and how that is supposed to work across domains.

However, even when the domain is not available, I am seeing this function in a limited form -- even when I shut down the machines and restart them with the cached credentials. Perhaps they are just continuing to use the cached tickets... any information on how the theoretical process meets applied reality would be appreciated.
April 26th, 2011 2:29am
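The question above turns on whether logons in the cut-off site are being served from the local credential cache or by a DC/GC that is still reachable. The following PowerShell is an added example, not code from the original post, that collects the evidence a practitioner would check on one of the affected two.domain.dom workstations to tell the two apart: the cached-logon limit, the logon server of the current session, whether the DC locator can find a DC for the user's domain right now, the Kerberos tickets still held, and recent interactive logons split by logon type (type 11 is CachedInteractive, i.e. no DC was contacted). The domain name two.domain.dom is taken from the question; everything else uses standard Windows tools and registry locations. Run it in an elevated prompt on the client being investigated.

```powershell
# Added example (not from the original post): checks on a domain-joined
# Windows client in the isolated site that help separate "cached logon"
# from "authenticated by a reachable DC/GC". Run elevated.
# Assumed name: two.domain.dom is the user's domain, as in the question.

$UserDomain = 'two.domain.dom'

# 1. How many distinct users can still log on from cache when no DC answers.
#    Winlogon 'CachedLogonsCount' is stored as a string; default is 10.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
"CachedLogonsCount : $(if ($cached) { $cached } else { '10 (default, value not set)' })"

# 2. Which DC, if any, the current session was authenticated against.
"LOGONSERVER       : $env:LOGONSERVER"

# 3. Can the DC locator find a DC for the user's domain right now?
#    /force bypasses the locator cache so a stale answer is not reported.
nltest "/dsgetdc:$UserDomain" /force 2>&1

# 4. State of this machine's secure channel to its own domain.
nltest "/sc_query:$UserDomain" 2>&1

# 5. Kerberos tickets held by the current session. A TGT for the user's
#    domain with a future end time explains continued share access while
#    no DC for that domain is reachable; once it expires, renewal needs a KDC.
klist

# 6. Recent interactive logons by type: 11 = CachedInteractive (no DC reached),
#    2 = Interactive, 10 = RemoteInteractive. Needs the Security log to be readable.
$since = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = "$($d.TargetDomainName)\$($d.TargetUserName)"
            LogonType = [int]$d.LogonType
            Cached    = ([int]$d.LogonType -eq 11)
        }
    } |
    Where-Object { $_.LogonType -in 2, 10, 11 } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize
```

Reading the output: if the 4624 events for the affected users show logon type 11 and `nltest /dsgetdc` fails for two.domain.dom, the logons are cached and the continued share access is riding on Kerberos tickets issued before the link dropped; those tickets have a finite lifetime and cannot be renewed or reissued without a reachable KDC for that domain. A GC in one.domain.dom can answer lookups, but it is not a KDC for two.domain.dom. If instead the locator does return a DC and the logons are type 2 or 10, a DC for the user's domain is still reachable and the outage is narrower than assumed.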