?
Solved

Active Directory trust setup

Posted on 2006-11-07
7
Medium Priority
?
1,967 Views
Last Modified: 2012-05-05
I have two seperate networks (Office network, web farm network). Both are Windows 2003 server. I currently have an active directory domain in the office network. I want to create a domain for the web farm but have it seperate from the office domain. I want there to be a one way trust to where object in the office can access object in the web farm, but the web farm cannot access object in the office.

Can someone explain what I need to do for the web farm? Do I need a Domain In A New Forest? Child domain in an existing domain tree? Or domain tree in an existing forest?

Thanks in advance
0
Comment
Question by:periker
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
7 Comments
 

Author Comment

by:periker
ID: 17892117
I'm going with a seperate forest & domain so I can do a one way trust. I'm open for any suggestions though.
0
 
LVL 48

Accepted Solution

by:
Jay_Jay70 earned 252 total points
ID: 17893665
Morning,

you do either/or really, if you create forests then you will need a forest trust, which is a little more segmenting than a single forest with two domains. For your scenario i would have created a new domain in a separate domain in an existing forest.

Can i ask why you would like to keep them separate, i mean, if its for business reasons then fair call, but if not then you might find it much easier to have a single domain, just a thought

http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/maintain/opsguide/part1/adogd05.mspx
0
 

Author Comment

by:periker
ID: 17893681
For security purposes. If my remote site gets broken into, it does not have access to my home office.
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 17893798
fair enough, you can secure it down pretty heavily with a single AD but I can understand your concern as well
0
 
LVL 9

Assisted Solution

by:vsg375
vsg375 earned 248 total points
ID: 18092506
Hi,

If you add a new domain to an existing forest, 2 way transitive trusts will automatically be generated, which means potential trouble.

Creating a new forest is OK, BUT :

1. It will generate much more administrative overhead
2. Cross-forest trusts ONLY work @ full native 2003 forest functional level. In ALL other cases, there is no way to establish a full forest trust, even one way. You would have to do it the old way, on a per domain basis.

Conclusion :

If you don't mind the administrative overhead, and have only one domain in your home office, create a new forest for your web farm, make sure the functional level is not raised to full native 2003, and establish a one way trust between home domain and web farm domain. Security shouldn't be compromised that way.

HTH
Cheers
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

On July 14th 2015, Windows Server 2003 will become End of Support, leaving hundreds of thousands of servers around the world that still run this 12 year old operating system vulnerable and potentially out of compliance in many organisations around t…
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
Do you want to know how to make a graph with Microsoft Access? First, create a query with the data for the chart. Then make a blank form and add a chart control. This video also shows how to change what data is displayed on the graph as well as form…
In this video you will find out how to export Office 365 mailboxes using the built in eDiscovery tool. Bear in mind that although this method might be useful in some cases, using PST files as Office 365 backup is troublesome in a long run (more on t…
Suggested Courses

800 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question