• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1969

Active Directory trust setup

I have two separate networks (office network, web farm network). Both are Windows 2003 Server. I currently have an Active Directory domain in the office network. I want to create a domain for the web farm but have it separate from the office domain. I want there to be a one-way trust where objects in the office can access objects in the web farm, but the web farm cannot access objects in the office.

Can someone explain what I need to do for the web farm? Do I need a Domain In A New Forest? Child domain in an existing domain tree? Or domain tree in an existing forest?

Thanks in advance
Asked by: periker
2 Solutions
 
periker (Author) commented:
I'm going with a separate forest & domain so I can do a one-way trust. I'm open for any suggestions though.
 
Jay_Jay70 commented:
Morning,

You do either/or really. If you create forests then you will need a forest trust, which is a little more segmenting than a single forest with two domains. For your scenario I would have created a new domain in a separate domain tree in an existing forest.

Can I ask why you would like to keep them separate? I mean, if it's for business reasons then fair call, but if not then you might find it much easier to have a single domain. Just a thought.

http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/maintain/opsguide/part1/adogd05.mspx
 
periker (Author) commented:
For security purposes. If my remote site gets broken into, it does not have access to my home office.
 
Jay_Jay70 commented:
Fair enough. You can secure it down pretty heavily with a single AD, but I can understand your concern as well.
 
vsg375 commented:
Hi,

If you add a new domain to an existing forest, two-way transitive trusts will automatically be generated, which means potential trouble.

Creating a new forest is OK, BUT :

1. It will generate much more administrative overhead
2. Cross-forest trusts ONLY work at full native 2003 forest functional level. In ALL other cases, there is no way to establish a full forest trust, even one-way. You would have to do it the old way, on a per-domain basis.

Conclusion :

If you don't mind the administrative overhead, and have only one domain in your home office, create a new forest for your web farm, make sure the functional level is not raised to full native 2003, and establish a one-way trust between the home domain and the web farm domain. Security shouldn't be compromised that way.

HTH
Cheers
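The per-domain (external) one-way trust that the thread converges on, as an added example that is not part of any post above. It assumes hypothetical domain names office.local (office forest) and webfarm.local (web farm forest), that netdom.exe from the Windows Server 2003 Support Tools is on the PATH, and that it is run on a webfarm.local domain controller by a webfarm.local Domain Admin who also holds office.local admin credentials. The direction matters: the web farm domain is the trusting side (it honours office accounts), the office domain is the trusted side, so office principals can be granted access to web farm resources while nothing in the web farm can authenticate into the office.

```powershell
# Added example, not from the thread. Domain names, account names and tool availability are assumptions.
$TrustingDomain = 'webfarm.local'   # resources live here; this domain honours accounts from $TrustedDomain
$TrustedDomain  = 'office.local'    # accounts from here are accepted in $TrustingDomain; it trusts nobody

# 1. Create the one-way external trust. No /TwoWay, so only webfarm.local -> office.local is created.
#    Omitting /OneSide creates both halves (outgoing TDO here, incoming TDO in office.local) in one step.
#    Password prompts (*) avoid putting credentials on the command line or in history.
netdom trust $TrustingDomain /Domain:$TrustedDomain /Add `
    /UserD:"office\Administrator"  /PasswordD:* `
    /UserO:"webfarm\Administrator" /PasswordO:*

# 2. Keep SID filtering (quarantine) on. It is the default for a 2003 external trust, but set it
#    explicitly so a SIDHistory injected on the trusted side is never honoured by the web farm DCs.
netdom trust $TrustingDomain /Domain:$TrustedDomain /Quarantine:Yes `
    /UserO:"webfarm\Administrator" /PasswordO:*

# 3. Optional but recommended for a DMZ: selective authentication. Office principals then get onto a
#    web farm server only where they hold "Allowed to Authenticate" on that computer object.
netdom trust $TrustingDomain /Domain:$TrustedDomain /SelectiveAuth:Yes `
    /UserO:"webfarm\Administrator" /PasswordO:*

# 4. Verify the trust secret and the direction. On this web farm DC, office.local must show up as
#    an outbound trust only; on an office DC the same command must list webfarm.local as inbound only.
netdom trust $TrustingDomain /Domain:$TrustedDomain /Verify `
    /UserD:"office\Administrator"  /PasswordD:* `
    /UserO:"webfarm\Administrator" /PasswordO:*
nltest /domain_trusts /v
```

The check in step 4 is the one to repeat after any change: if `nltest /domain_trusts` on an office domain controller ever reports webfarm.local as a direct outbound trust, the isolation the asker wants is gone, because office DCs would then accept authentication from the web farm's DCs.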