Domain trusts

I am trying to understand what a domain trust will achieve under Win2k3. I have 4 independent domains in 4 different physical locations currently running with VPN links between these sites (all branch offices are linked to HO). If domain trusts are established, would an admin in a branch office be able to view the Active Directory setup of the HO? What does a domain trust actually achieve? I want to understand this in detail before I implement it in any form.

I would also like to know how to establish domain trusts under Win2k3 if the above satisfies my query.



Scenarios, just an example:
How to create trust:
Note: you can start either on Domain1 or Domain2, the order of creation for the trust doesn't matter.
Domain-1         New Trust-->DNS or NetBIOS name of other domain-->External Trust-->Two-Way-->This Domain only-->Selective Authentication-->Trust Password-->No Need to confirm any trust at the moment

Domain-2         New Trust-->DNS or NetBIOS name of other domain-->Two-Way-->This Domain only-->Selective Authentication-->Trust Password-->No Need to confirm any trust at the moment

Note: Selective authentication above is just an example; you can also use domain-wide authentication.
If you want to create a trust but do not wish to open all your servers and workstations to users in the other domain by default, configure it with Selective authentication.
If you want to create a trust and wish to allow users from the other domain to access any resources opened to the "Everyone" or "Authenticated Users" group by default, configure it with Domain-wide authentication.


BTW, if you create the trust with Domain-wide authentication, by default any domain user account can view AD objects and most of the configuration via ADUC.
To manage one domain from another domain, the user account or the Domain Admins group must be added to the Domain Local Administrators group of the other domain. Without being a member of the Domain Local Administrators group, you cannot manage the AD of another trusted domain.
This means that if Domain1 Admins want to manage Domain2, the Domain1 Admins group needs to be a member of the Domain2 Local Administrators group. However, this does not mean that Domain1 Admins can manage all servers/workstations by default. In order to manage all resources in Domain2 AD, you need to add the Domain1 Admins group to the local Administrators group of all servers and workstations, or use another account that is a member of the Domain Admins group of Domain2.
The primary reason for a domain trust is to allow users to access or manage resources in another domain without having to use an additional account. Another reason is to allow admins to migrate resources from one domain to another.
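The same trust the wizard steps above create, driven from the command line instead. This is an added example and not part of the original answer; it uses netdom (from the Windows Server 2003 Support Tools), nltest, net and dsacls, which all exist on a 2003-era domain controller. The domain names, account names, server name and OU path are placeholders, and the "HO" domain plays the part of Domain-1 while "BRANCH1" plays Domain-2.

```powershell
# Added example: build, check and scope an external trust from the command line.
# Run on a domain controller of the branch domain (Domain-2). All names below
# are placeholders for this example.
$HoDomain     = 'ho.example.com'        # head-office domain (Domain-1), DNS name
$BranchDomain = 'branch1.example.com'   # branch domain (Domain-2), DNS name
$HoAdmin      = 'HO\Administrator'      # account with rights in the HO domain
$BranchAdmin  = 'BRANCH1\Administrator' # account with rights in the branch domain

# 1. Create the two-way external trust. The first name is the trusting domain,
#    /d: is the trusted domain; /twoway creates both directions at once, so this
#    replaces running the New Trust wizard in each domain. /pd:* and /po:* prompt
#    for the passwords of the trusted-side and trusting-side admin accounts, and
#    /passwordt:* prompts for the shared trust password.
netdom trust $BranchDomain /d:$HoDomain /add /twoway `
    /ud:$HoAdmin /pd:* /uo:$BranchAdmin /po:* /passwordt:*

# 2. Switch from domain-wide to selective authentication. The setting lives on
#    the trusting side of each direction, so for a two-way trust it is applied
#    once per direction: first "branch trusts HO" (HO users must be explicitly
#    allowed to authenticate to branch computers), then the reverse.
netdom trust $BranchDomain /d:$HoDomain /SelectiveAUTH:Yes `
    /ud:$HoAdmin /pd:* /uo:$BranchAdmin /po:*
netdom trust $HoDomain /d:$BranchDomain /SelectiveAUTH:Yes `
    /ud:$BranchAdmin /pd:* /uo:$HoAdmin /po:*

# 3. Check the result. /verify confirms the secure channel works; /quarantine
#    with no value only displays whether SID filtering is on, which is what you
#    want on an external trust so SIDHistory from the other domain is ignored.
netdom trust $BranchDomain /d:$HoDomain /verify /ud:$HoAdmin /pd:* /uo:$BranchAdmin /po:*
netdom trust $BranchDomain /d:$HoDomain /quarantine  /ud:$HoAdmin /pd:* /uo:$BranchAdmin /po:*
nltest /domain_trusts /v                 # lists every trust this DC knows about

# 4. Let HO's Domain Admins manage the branch domain's AD (the Domain Local
#    Administrators membership the answer describes). Run on a branch DC; with
#    /domain, net localgroup targets the domain's Builtin Administrators group.
net localgroup Administrators "HO\Domain Admins" /add /domain

# 5. With selective authentication, membership alone is not enough: each
#    branch computer that HO admins should reach also needs the
#    "Allowed to Authenticate" control access right for them on its computer
#    object. Granting it on one file server (placeholder DN) looks like this;
#    repeat per server, or grant it on an OU with inheritance if you want
#    every server below it opened up.
$ServerDn = 'CN=FS01,OU=Servers,DC=branch1,DC=example,DC=com'
dsacls $ServerDn /G "HO\Domain Admins:CA;Allowed to Authenticate"
```

Steps 1 to 3 are what the wizard does; steps 4 and 5 are the two separate grants the answer distinguishes, rights over the directory versus rights to log on to individual machines. Leaving out step 5 is the common mistake with selective authentication: the trust verifies fine, but HO accounts get "logon failure" on branch servers until the right is granted.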