Solved

Active Directory trust setup

Posted on 2006-11-07
1,964 Views
Last Modified: 2012-05-05
I have two separate networks (Office network, web farm network). Both are Windows 2003 server. I currently have an active directory domain in the office network. I want to create a domain for the web farm but have it separate from the office domain. I want there to be a one way trust where objects in the office can access objects in the web farm, but the web farm cannot access objects in the office.

Can someone explain what I need to do for the web farm? Do I need a Domain In A New Forest? Child domain in an existing domain tree? Or domain tree in an existing forest?

Thanks in advance
Question by:periker

Author Comment

by:periker
ID: 17892117
I'm going with a separate forest & domain so I can do a one way trust. I'm open for any suggestions though.
0
 
LVL 48

Accepted Solution

by:
Jay_Jay70 earned 63 total points
ID: 17893665
Morning,

You do either/or really; if you create forests then you will need a forest trust, which is a little more segmenting than a single forest with two domains. For your scenario I would have created a new domain in a separate domain tree in an existing forest.

Can I ask why you would like to keep them separate? I mean, if it's for business reasons then fair call, but if not then you might find it much easier to have a single domain. Just a thought.

http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/maintain/opsguide/part1/adogd05.mspx
0
 

Author Comment

by:periker
ID: 17893681
For security purposes. If my remote site gets broken into, it does not have access to my home office.
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 17893798
Fair enough, you can secure it down pretty heavily with a single AD, but I can understand your concern as well.
0
 
LVL 9

Assisted Solution

by:vsg375
vsg375 earned 62 total points
ID: 18092506
Hi,

If you add a new domain to an existing forest, 2 way transitive trusts will automatically be generated, which means potential trouble.

Creating a new forest is OK, BUT:

1. It will generate much more administrative overhead.
2. Cross-forest trusts ONLY work at full native 2003 forest functional level. In ALL other cases, there is no way to establish a full forest trust, even one way. You would have to do it the old way, on a per-domain basis.

Conclusion:

If you don't mind the administrative overhead, and have only one domain in your home office, create a new forest for your web farm, make sure the functional level is not raised to full native 2003, and establish a one-way trust between the home domain and the web farm domain. Security shouldn't be compromised that way.

HTH
Cheers
0
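The one-way, per-domain trust both answers describe (web farm trusts office, never the reverse), as an added PowerShell example. It is not a script either expert posted and not something from the thread; the ActiveDirectory module ships Get-ADTrust for inspection but no cmdlet that creates a trust, so it calls the .NET System.DirectoryServices.ActiveDirectory API directly. It assumes two placeholder domain names, office.example and webfarm.example, that it is run on a machine joined to the web-farm domain by a web-farm domain admin, and that the credential prompted for has admin rights in the office domain. Because this is an external domain-to-domain trust rather than a forest trust, it does not depend on the 2003 forest functional level vsg375 mentions. The trust direction is the part people get backwards, so the script checks it from both sides and fails if the office domain ends up trusting the web farm.

```powershell
# Added example, not from the thread. Placeholder domain names; replace with your own.
$officeDomainName  = 'office.example'   # existing office domain: the TRUSTED side
$webFarmDomainName = 'webfarm.example'  # new web-farm domain: the TRUSTING side

Add-Type -AssemblyName System.DirectoryServices

# Bind to the office domain with an office admin credential (the web-farm account has no
# rights there yet; that is the whole point of the one-way trust).
$cred = Get-Credential -Message 'Office domain admin account'
$ctxType   = [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Domain
$officeCtx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext -ArgumentList $ctxType, $officeDomainName, $cred.UserName, $cred.GetNetworkCredential().Password
$office  = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($officeCtx)
$webFarm = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

# TrustDirection is relative to the domain the method is called on ($webFarm here):
#   Inbound  = this domain trusts the other one; the other domain's accounts can be granted
#              access to resources here, but not the reverse.
#   Outbound = the other domain trusts this one (office users could NOT be used here).
# The office side will see the same trust as Outbound.
$direction = [System.DirectoryServices.ActiveDirectory.TrustDirection]::Inbound
$webFarm.CreateTrustRelationship($office, $direction)

# Confirms the secure channel actually works in the requested direction; throws otherwise.
$webFarm.VerifyTrustRelationship($office, $direction)

function Get-TrustSummary {
    # Lists every trust a domain knows about as "source -> target: direction (type)".
    param([System.DirectoryServices.ActiveDirectory.Domain]$Domain)
    foreach ($t in $Domain.GetAllTrustRelationships()) {
        '{0} -> {1}: {2} ({3})' -f $t.SourceName, $t.TargetName, $t.TrustDirection, $t.TrustType
    }
}

Get-TrustSummary $webFarm   # expected: webfarm.example -> office.example: Inbound (External)
Get-TrustSummary $office    # expected: office.example -> webfarm.example: Outbound (External)

# Isolation guard: anything in the office domain that trusts the web farm (Inbound or
# Bidirectional from the office's point of view) defeats the asker's goal, so stop hard.
$leak = $office.GetAllTrustRelationships() |
    Where-Object { $_.TargetName -eq $webFarmDomainName -and $_.TrustDirection -ne 'Outbound' }
if ($leak) {
    throw "Office domain trusts the web farm ($($leak.TrustDirection)); remove that trust, the web farm must only be the trusting side."
}
```

On the 2003-era tooling of the thread the same trust is created with netdom, where the first argument is the trusting domain and /d: names the trusted domain: `netdom trust webfarm.example /d:office.example /add`. One caveat the trust direction does not cover: any office account that logs on to a web-farm server leaves its credentials on that server, so resources in the web farm should be granted to dedicated low-privilege office accounts or groups, not to office domain admins.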
