Solved

Block Trust between Child Domains Windows 2003

Posted on 2008-10-28
366 Views
Last Modified: 2009-03-01
We currently have a single forest. We have a top-level domain and a child domain. We acquired another company but do not want any resources shared between both child domains. My understanding with Windows Server 2003 Active Directory is that all trusts are implied and transitive. Is there a way to force the two child domains to "never" be able to share resources or see each other's AD objects? Is there a knowledge base article to verify this is possible? Child domains can see resources in the parent domain but should not see the other child.
0
Question by: Shenook
4 Comments
 
LVL 30

Accepted Solution

by: LauraEHunterMVP (earned 500 total points)
ID: 22826873
Nope. Forests are the security boundary. If you want to isolate the new company's environment, leave them as a separate forest and create an external trust relationship between their forest and the root domain of your existing forest.
0
 
LVL 14

Expert Comment

by: dfxdeimos
ID: 22826982
If you have DOMAIN.LOCAL and you create CHILD1.DOMAIN.LOCAL and CHILD2.DOMAIN.LOCAL there is NOT a trust relationship between CHILD1.DOMAIN.LOCAL and CHILD2.DOMAIN.LOCAL unless you create it.
0
 
LVL 30

Expert Comment

by: LauraEHunterMVP
ID: 22827056
If all 3 domains are in the same forest, then that statement is 100% false. There is a two-way transitive trust relationship between all domains within a single AD forest.
0
 
LVL 14

Expert Comment

by: dfxdeimos
ID: 22827286
I stand corrected. Transitive trusts do extend to all domains within the same forest.
0
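The two points made above (the accepted solution: a forest, not a domain, is the security boundary, so isolation needs a separate forest joined by an explicit external or forest trust; and the correction: every domain inside one forest already trusts every other domain in it transitively) can be checked from any domain-joined machine. The script below is an added example written for this page, not code from any of the posters. It uses only the built-in .NET `System.DirectoryServices.ActiveDirectory` types, so it does not need the RSAT `ActiveDirectory` module, and it assumes the account running it can read the trust objects of each domain in the forest.

```powershell
# Added example (not from the thread): list every trust visible from the current
# forest and separate those that stay inside the forest from those that leave it.
# Assumes: run on a domain-joined machine with read access to each domain's trusts.

$forest        = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$forestDomains = @($forest.Domains | ForEach-Object { $_.Name.ToLower() })

Write-Host ("Forest: {0}" -f $forest.Name)
Write-Host ("Domains in this forest: {0}" -f ($forestDomains -join ', '))

$rows = foreach ($domain in $forest.Domains) {
    # GetAllTrustRelationships() returns only the trusts configured directly on
    # this domain (for a child that is usually just its parent-child trust).
    # Two children of the same parent have no direct trust object between them,
    # yet authentication still flows between them via the transitive path
    # CHILD1 -> parent -> CHILD2, which is the point made in the thread.
    foreach ($t in $domain.GetAllTrustRelationships()) {
        [pscustomobject]@{
            Source      = $t.SourceName
            Target      = $t.TargetName
            Direction   = $t.TrustDirection   # Inbound, Outbound or Bidirectional
            Type        = $t.TrustType        # ParentChild, TreeRoot, CrossLink, External, Forest, ...
            IntraForest = ($forestDomains -contains $t.TargetName.ToLower())
        }
    }
}

$rows | Sort-Object Source, Target | Format-Table -AutoSize

# Trusts whose target is not a member of this forest are the only ones an
# administrator had to create on purpose, and the only ones on which scope
# controls (SID filtering, selective authentication) can be applied.
$leaving = @($rows | Where-Object { -not $_.IntraForest })
if ($leaving.Count -gt 0) {
    Write-Host "`nTrusts that cross the forest boundary (explicitly created, review their scope):"
    $leaving | Format-Table Source, Target, Direction, Type -AutoSize
} else {
    Write-Host "`nNo trusts leave the forest: every domain listed shares one security boundary."
}
```

Run it once in the existing forest to confirm that both child domains appear under "Domains in this forest" with nothing but parent-child trusts, which is exactly the situation the question wants to avoid; run it again after the acquired company is stood up as its own forest and only the deliberately created external or forest trust should show in the "cross the forest boundary" list.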
