AD Trust direction question

kam_uk
Hi

I'm trying to figure out the directions of AD trusts.

There are two domains, in two separate forests, that exist.

Domain 1 is London.
Domain 2 is Canada.

There is a VPN link between them, so networking and comms are not a problem.

Users in London need to access resources (e.g. a file share) in Canada. There is no reason for resources in Canada to access resources in London.

In which direction does the trust need to be? I just can't get my head round it :(
A trust link determines who trusts whom, not who accesses whom.  So your resource domain needs to trust your user domain.  The domain with the resources that people are trying to access needs to trust the domain that holds those users.
So in your case, Canada needs to trust London.  I hope it's making sense now.
Most Valuable Expert 2018
Distinguished Expert 2018
Commented:
It's actually not that difficult.
In a trust, you always have a "resource" domain (the domain in which the resources are hosted) and an "account" domain (in which the users are authenticated).
That obviously means that the "resource" domain has to "trust" the "account" domain, because it has to allow accounts the resource domain actually doesn't know to access its resources.
In other words: the "resource" domain is always the "trusting" domain, the account domain the "trusted" domain.
The trust is always "going out" from the trusting, resource, domain (and accordingly "coming in" to the trusted, account, domain).
In your case: Canada is the resource (trusting) domain, London is the account (trusted) domain. That means you need to create an outgoing trust in Canada and an incoming in London.
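The answer above says Canada (resource, trusting) needs an outgoing trust and London (account, trusted) the matching incoming one. The PowerShell below is an added example, not code from this thread or from either expert, showing one way to create that one-way forest trust from the Canada side with the .NET `System.DirectoryServices.ActiveDirectory` classes and then read the direction back with `Get-ADTrust`. The forest names `canada.example` and `london.example` are placeholders, and it assumes it is run on a Canada domain controller (or a Canada-joined host with the ActiveDirectory RSAT module) by an Enterprise Admin of the Canada forest who also holds Enterprise Admin credentials for London.

```powershell
# Added example (not from the original thread): create a one-way forest trust in which
# Canada (resource/trusting) trusts London (account/trusted), then verify the direction.
# Assumptions: "london.example" is a placeholder for the London forest DNS name; run in
# the Canada forest as Enterprise Admin, with Enterprise Admin credentials for London.

$trustedForest = 'london.example'   # placeholder: the account (trusted) forest

# Credentials for the remote (London) forest are prompted for, never hard-coded.
$londonCred = Get-Credential -Message "Enterprise Admin of $trustedForest"

# Bind to the local (Canada) forest and to the remote (London) forest.
$canada = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext(
           [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Forest,
           $trustedForest,
           $londonCred.UserName,
           $londonCred.GetNetworkCredential().Password)
$london = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ctx)

# Outbound from Canada means "Canada trusts London". Because we hold credentials for
# both forests, this single call writes both sides: the Outbound trust object in Canada
# and the corresponding Inbound trust object in London.
$canada.CreateTrustRelationship(
    $london,
    [System.DirectoryServices.ActiveDirectory.TrustDirection]::Outbound)

# Verify from the Canada side. Direction should read "Outbound" here; the same query run
# against a London DC (-Server london.example) should show the mirror object as "Inbound".
Get-ADTrust -Filter "Name -eq '$trustedForest'" |
    Select-Object Name, Direction, ForestTransitive, SelectiveAuthentication
```

The `Direction` column is the concrete form of the "outgoing/incoming" wording in the thread: the trusting (resource) side stores `Outbound`, the trusted (account) side stores `Inbound`, and a two-way trust shows `BiDirectional` on both. `SelectiveAuthentication` is worth checking at the same time: with it enabled, London accounts can only reach Canada computers on which they have explicitly been granted "Allowed to authenticate", which keeps a one-way trust from quietly exposing more than the file server the question is about.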

Author

Commented:
Thanks guys - makes it all clearer.

Just one question:

Why is it referred to as an OUTGOING trust in Canada, and an INCOMING trust in London?

Most Valuable Expert 2018
Distinguished Expert 2018

Commented:
Look at it this way: if you trust someone, then this trust has to "go out" from you; just because someone else says "trust me" doesn't mean you actually do. Something that goes out usually needs to come back in somewhere (like RX/TX signals in a network cable), so a trust is "outgoing" from you, and "incoming" for the person you're trusting.
Canada trusts London to do the user authentication for them, so the trust is "outgoing" from Canada and "incoming" in London.

Author

Commented:
Hi Guys

Thanks...I think I'm getting it.

Ok, so back to the Canada/London example. London users need to access the file share in Canada.

Let's say London\User1 wants to access the file share, Share1.

How does this exactly work? Which DC does User1 authenticate to, and how does that DC know who has rights on Share1?
Most Valuable Expert 2018
Distinguished Expert 2018

Commented:
Once the trust is built, you'll be able to pick users/groups from the London domain when assigning permissions in Canada.
That's where AGDLP (http://en.wikipedia.org/wiki/AGDLP) comes into play: if permissions are currently assigned to domain local groups in Canada, you can just add global groups from London to the necessary DL groups in Canada.
If permissions are currently assigned to global groups, you'll either have to add/replace them with domain local groups, or add the global groups from London to the resource permissions in Canada.
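To make the AGDLP advice above concrete, here is an added PowerShell example (not code from this thread or from the expert) that wires London's global group into a Canada domain local group and grants that domain local group the NTFS permission on Share1. Everything named is a placeholder: `canada.example` and `london.example` for the two domains, `CANADA` for the Canada NetBIOS name, `LON-Finance` for an existing London global group that already contains the users, `DL-Share1-Modify` for the new Canada domain local group, and `C:\Shares\Share1` for the share folder on a Canada file server. It assumes the trust from the earlier answers already exists, the ActiveDirectory RSAT module is installed, and the account running it can create groups in Canada and read groups in London over the trust; adding the London group object directly with `Add-ADGroupMember` relies on AD resolving it to a foreign security principal, which is the assumption the third step makes.

```powershell
# Added example (not from the original thread): AGDLP wiring after the trust exists.
# Accounts (London users) -> Global group (London) -> Domain Local group (Canada) -> Permission.
# All domain, group and path names below are placeholders.

Import-Module ActiveDirectory

$canadaDomain = 'canada.example'        # placeholder: resource (trusting) domain
$londonDomain = 'london.example'        # placeholder: account (trusted) domain
$canadaNetbios = 'CANADA'               # placeholder: NetBIOS name used in the ACL
$dlGroup   = 'DL-Share1-Modify'         # Domain Local group in Canada (the "DL" in AGDLP)
$globalGrp = 'LON-Finance'              # Global group in London (the "G" in AGDLP)
$sharePath = 'C:\Shares\Share1'         # placeholder: folder behind Share1

# 1. Domain local group in the resource domain: the only principal the ACL will name.
if (-not (Get-ADGroup -Filter "Name -eq '$dlGroup'" -Server $canadaDomain)) {
    New-ADGroup -Name $dlGroup -GroupScope DomainLocal -GroupCategory Security `
        -Server $canadaDomain -Description 'Modify on Share1 (AGDLP resource group)'
}

# 2. Grant Modify on the folder (inherited by files and subfolders) to the DL group,
#    never to individual users and never to the foreign global group directly.
$acl  = Get-Acl -Path $sharePath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            "$canadaNetbios\$dlGroup",
            'Modify',
            'ContainerInherit, ObjectInherit',
            'None',
            'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $sharePath -AclObject $acl

# 3. Nest the trusted domain's global group into the trusting domain's domain local group.
#    The member lives in London; Canada stores it as a foreign security principal
#    (CN=<SID>,CN=ForeignSecurityPrincipals,...) because it cannot hold London accounts.
$londonGroup = Get-ADGroup -Identity $globalGrp -Server $londonDomain
Add-ADGroupMember -Identity $dlGroup -Members $londonGroup -Server $canadaDomain

# 4. Verify the nesting from the Canada side by reading the raw member attribute, which
#    works even when Get-ADGroupMember cannot expand the foreign object across the trust.
Get-ADGroup -Identity $dlGroup -Server $canadaDomain -Properties member |
    Select-Object -ExpandProperty member
```

The payoff of this layout is the one the expert describes: when a London team changes, only the London global group's membership changes; the Canada ACL and the domain local group stay untouched, and reviewing "who can modify Share1" means reading one domain local group instead of walking a folder tree of ACEs.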

Author

Commented:
Thanks... and last question: which DC is responsible for the actual authentication? Is it a DC in London and, if so, any particular one (PDC etc.)? And is the authentication Kerberos or NTLM?
Most Valuable Expert 2018
Distinguished Expert 2018

Commented:
A user is always and can only be authenticated by a (any) DC of the domain of which he is a member. It's the usual AD authentication, so Kerberos.
