We help IT Professionals succeed at work.

domain and forest trusts

Medium Priority
451 Views
Last Modified: 2012-05-06
In forest A, parent domain A has child domain A1 and child domain A2.
In forest B, parent domain B exists.
child domain A1 and parent domain B have a two-way trust.
Can parent domain B access child domain A2?
Comment
Watch Question

Commented:
I believe the answer is no, that the trusts between forests are not transitive.

Commented:
It is correct, trust between separate forest is not transitive, regardless the type of trust you have established.
CERTIFIED EXPERT
Top Expert 2013
Commented:
In the current setup you would need a trust between parent domain B and child domain A2
 
To the others, just  some discussion about the forest trust scenario
http://technet.microsoft.com/en-us/library/cc755700.aspx
"In a Windows Server 2003 forest, you can link two disjoined Windows Server 2003 forests together to form a one-way or two-way, transitive trust relationships. A two-way, forest trust is used to form a transitive trust relationship between every domain in both forests."
 

Not the solution you were looking for? Getting a personalized solution is easy.

Ask the Experts

Author

Commented:
i believe the answer you guys gave is right provided the trusts used are external domain trusts between child domain A1 and parent domain B.  however, I believe forest trusts are transitive.  so if parent domain A and parent domain B had two way forest trusts instead, then child domain A1 and parent domain B would be accessible to each other.  see article and let me know if i am giving incorrect info:
http://technet.microsoft.com/en-us/library/cc773178.aspx
CERTIFIED EXPERT
Top Expert 2013

Commented:
Yeah that is why I asked my quesiton.  I don't think it was clear that you had a forest trust in place.
Commented:
Mike, thanks for the correction.
I guess a part of my memory got lost some how.
I must be thinking the the type of authentication(selective or domain-wide) etc in our enviornment which is mostly external trust.

So, in this case, the answer is no, if you have external trust. If you use forest trust, then yes, your domain in forest B will be able to access domain in A2 assuming that you have forest trust at the root.

I guess it would be a decision whether you can change the type of trust security wise.
Just keep in mind that Forest trust is open transitively for new child domain added in the future and if domain-wide authentication is used, ti would be wide open by default that anyone can access any share resources that is opened to "authenticated users" or "everyone" group.
Access more of Experts Exchange with a free account
Thanks for using Experts Exchange.

Create a free account to continue.

Limited access with a free account allows you to:

  • View three pieces of content (articles, solutions, posts, and videos)
  • Ask the experts questions (counted toward content limit)
  • Customize your dashboard and profile

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.