domain and forest trusts

In forest A, parent domain A has child domain A1 and child domain A2.
In forest B, parent domain B exists.
Child domain A1 and parent domain B have a two-way trust.
Can parent domain B access child domain A2?
2 Solutions
I believe the answer is no, that the trusts between forests are not transitive.
It is correct, trust between separate forests is not transitive, regardless of the type of trust you have established.
Mike Kline Commented:
In the current setup you would need a trust between parent domain B and child domain A2
To the others, just some discussion about the forest trust scenario
"In a Windows Server 2003 forest, you can link two disjoined Windows Server 2003 forests together to form a one-way or two-way, transitive trust relationships. A two-way, forest trust is used to form a transitive trust relationship between every domain in both forests."
ENTPF Author Commented:
I believe the answer you guys gave is right provided the trusts used are external domain trusts between child domain A1 and parent domain B. However, I believe forest trusts are transitive. So if parent domain A and parent domain B had two-way forest trusts instead, then child domain A1 and parent domain B would be accessible to each other. See article and let me know if I am giving incorrect info:
Mike Kline Commented:
Yeah, that is why I asked my question. I don't think it was clear that you had a forest trust in place.
Mike, thanks for the correction.
I guess a part of my memory got lost somehow.
I must be thinking of the type of authentication (selective or domain-wide) etc. in our environment, which is mostly external trust.

So, in this case, the answer is no, if you have an external trust. If you use a forest trust, then yes, your domain in forest B will be able to access domain A2, assuming that you have the forest trust at the root.

I guess it would be a decision whether you can change the type of trust security-wise.
Just keep in mind that a forest trust is open transitively for new child domains added in the future, and if domain-wide authentication is used, it would be wide open by default, so that anyone can access any share resources that are opened to the "authenticated users" or "everyone" group.
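
The two cases discussed in this thread, as an added example that is not part of the original posts: a simplified model of trust-path evaluation for the question's topology. The `Trust` class, the function names and the domain labels are constructed for illustration, and the model covers authentication reachability only, not resource permissions or selective authentication.

```python
from dataclasses import dataclass

# Constructed topology from the question: forest A = {A, A1, A2}, forest B = {B}.
FORESTS = {"A": {"A", "A1", "A2"}, "B": {"B"}}
FOREST_ROOT = {"A": "A", "B": "B"}

@dataclass(frozen=True)
class Trust:
    trusting: str  # domain holding the resources
    trusted: str   # domain whose accounts are accepted
    kind: str      # "external" or "forest"

def forest_of(domain):
    for forest, members in FORESTS.items():
        if domain in members:
            return forest
    raise ValueError(f"unknown domain: {domain}")

def can_authenticate(account_domain, resource_domain, trusts):
    """True if accounts in account_domain can authenticate to resource_domain.
    Models the trust path only; ACLs and selective authentication still apply."""
    src, dst = forest_of(account_domain), forest_of(resource_domain)
    if src == dst:
        return True  # domains in one forest trust each other transitively
    for t in trusts:
        if t.kind == "external":
            # Non-transitive: covers only the two domains named in the trust.
            if (t.trusting, t.trusted) == (resource_domain, account_domain):
                return True
        elif t.kind == "forest":
            # Root-to-root: covers every domain in both forests.
            if (t.trusting, t.trusted) == (FOREST_ROOT[dst], FOREST_ROOT[src]):
                return True
    return False

def two_way(a, b, kind):
    return [Trust(a, b, kind), Trust(b, a, kind)]

EXTERNAL = two_way("A1", "B", "external")  # the setup in the question
FOREST = two_way("A", "B", "forest")       # the alternative discussed in the replies

if __name__ == "__main__":
    for label, trusts in (("external A1<->B", EXTERNAL), ("forest A<->B", FOREST)):
        for target in ("A1", "A2"):
            print(f"{label}: B -> {target}: {can_authenticate('B', target, trusts)}")
```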
