How to create a domain relationship for 2 different domains

Posted on 2010-01-11
Medium Priority
Last Modified: 2012-05-08
Our company has 2 different sites and each site has a different domain.
Both sites are connected via VPN, so I can reach the servers and workstations from the other site.

But now user A from site A travels to site B. But user A needs to be connected to the DC of site A.
And of course vice versa for user B at site A.

How can I solve this issue?
Question by: Eprs_Admin

Accepted Solution

himvy earned 2000 total points
ID: 26286771

Expert Comment

ID: 26286980
Different AD domains in the same AD forest or different AD forests?
If the first, then DNS should already be set up and you could enhance authentication performance by placing a local DC.
If the latter, then make sure DNS is set up in a way that the user's computer can find DCs for its own AD domain. If you want the user to be able to log on to a computer in AD domain B using the user account from AD domain A, then you need to set up a trust. Depending on the access directions, you need to configure a one-way or two-way trust.
LVL 18

Expert Comment

ID: 26287282
Your existing environment and the security restrictions you are looking at will determine the type of trust (external or forest trust) recommended.
But sharing resources between two separate domains will first require a trust.
If users between domains do not share PCs, they do not have to log on to each other's machines.
If you have a lot of open shares configured on your file or apps server that you do not want any user from any domain to have access to once the trust is created, then you need to either configure an external trust or close all your open shares first. Open shares meaning configured to allow access for the Everyone group or authenticated group.

LVL 18

Expert Comment

ID: 26287374
Correction, the reason for external is because of security concern by default. What was mentioned regarding open shares was a difference between selective authentication rather than external trust, as the authentication method is available in either external or forest trust.

Expert Comment

ID: 26288820

As all others have said, you need a trust between the domains. A trust is nothing but a medium through which a user from another domain can be authenticated in another domain. This happens with the help of TDO objects.
Please refer to this to understand trusts and to know how to create them:



Author Comment

ID: 26290923

Both of these domains are completely separately installed, each with its own ADS.
So I think I have 2 different forests, correct?
LVL 18

Expert Comment

ID: 26293191
Correct, and in general the domain names have nothing to do with each other.
You can also verify whether any trust is set up between these two domains by simply running "Active Directory Domains and Trusts", right-clicking the domain name, selecting Properties, then clicking the Trust tab. Verify on both domains and see if any trust is created. This is where you also set up the trust.
So, if you don't find any trust configuration from either domain, then there's your answer: you need to create a trust before resources can be shared between the two domains.
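
The checks raised in this thread (whether a machine can locate the other domain's DCs through DNS, which trusts already exist and how they are scoped, and which shares are open to Everyone or Authenticated Users), as an added PowerShell example that is not part of any post above. The domain name `siteb.example` is a placeholder, and the script assumes the ActiveDirectory (RSAT) and SmbShare modules are available.

```powershell
# Added example, not from the thread. Run steps 1-2 on a domain-joined admin
# workstation or DC, and step 3 on each file/application server.
Import-Module ActiveDirectory

# Placeholder: DNS name of the domain in the other forest.
$PartnerDomain = 'siteb.example'

# 1. DNS: can this machine locate domain controllers for the partner domain?
#    The DC locator relies on this SRV record; a trust cannot work without it.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$PartnerDomain" -Type SRV `
                       -ErrorAction SilentlyContinue
if ($srv) {
    $srv | Where-Object { $_.Type -eq 'SRV' } | Select-Object NameTarget, Port
} else {
    Write-Warning "No DC locator records for $PartnerDomain. Fix name resolution (for example a conditional forwarder) first."
}

# 2. Trusts: same information as the Trusts tab in
#    "Active Directory Domains and Trusts", plus the scoping flags.
#    Direction               : Inbound, Outbound or BiDirectional
#    ForestTransitive        : True for a forest trust, False for an external trust
#    SelectiveAuthentication : True means trusted users must be granted
#                              "Allowed to authenticate" per resource
Get-ADTrust -Filter * |
    Select-Object Name, Direction, ForestTransitive, IntraForest,
                  SelectiveAuthentication, SIDFilteringQuarantined |
    Format-Table -AutoSize

# 3. Open shares: share-level permissions granted to broad groups. Once a
#    trust without selective authentication exists, users from the trusted
#    domain fall into these groups too. Group names are the English ones;
#    adjust on localized systems. NTFS permissions are not covered here.
$broadGroups = 'Everyone', 'NT AUTHORITY\Authenticated Users'
Get-SmbShare -Special $false |
    Get-SmbShareAccess |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   $_.AccountName -in $broadGroups } |
    Select-Object Name, AccountName, AccessRight
```

An empty result from step 2 on both domains means no trust exists yet; any rows from step 3 are the shares to tighten before one is created.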

Author Comment

ID: 26294785
Hi, I did it now. Thanks for the help.
I used the DNS instruction and the trust instruction.
