Block Trust between Child Domains Windows 2003

Posted on 2008-10-28
Last Modified: 2009-03-01
We currently have a single forest.  We have a top level domain and a child domain.  We acquired another company but do not want any resources shared between both child domains.  My understanding with Windows server 2003 Active Directory, all trusts are implied and Transitive.  Is there a way to force the two child domains to "never" be able to share resources or see each other's AD objects?  Is there a knowledgebase article to verify this is possible?  Child domains can see resources in the parent domain but should not see the other child.
Question by:Shenook
  • 2
  • 2
LVL 30

Accepted Solution

LauraEHunterMVP earned 500 total points
ID: 22826873
Nope. Forests are the security boundary. If you want to isolate the new company's environment, leave them as a separate forest and create an external trust relationship between their forest and the root domain of your existing forest.
LVL 14

Expert Comment

ID: 22826982
If you have DOMAIN.LOCAL and you create CHILD1.DOMAIN.LOCAL and CHILD2.DOMAIN.LOCAL there is NOT a trust relationship between CHILD1.DOMAIN.LOCAL and CHILD2.DOMAIN.LOCAL unless you create it.
LVL 30

Expert Comment

ID: 22827056
If all 3 domains are in the same forest, then that statement is 100% false.  There is a two-way transitive trust relationship between all domains within a single AD forest.
LVL 14

Expert Comment

ID: 22827286
I stand corrected. Transitive trusts do extend to all domains within the same forest.

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

[b]Ok so now I will show you how to add a user name to the description at login. [/b] First connect to your DC (Domain Controller / Active Directory Server) SET PERMISSIONS FOR SCRIPT TO UPDATE COMPUTER DESCRIPTION TO USERNAME 1. Open Active …
A quick step-by-step overview of installing and configuring Carbonite Server Backup.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

27 Experts available now in Live!

Get 1:1 Help Now