Solved

Creating a Trust relationship between two separate domains

Posted on 2011-02-20
Last Modified: 2012-05-11
I am trying to somehow create a trust or "connection" between two different domains. I have a VPN connection between them already.
I want to have location B users be able to access the shared resources on the server at location A. The two locations are actually partnered companies but two separate companies. Both domains are running Windows 2003 DCs. What is the best way to do this?
Question by:raffie613
24 Comments
 
LVL 7

Expert Comment

by:holthd
ID: 34940473
You will have to set up an External trust. In Domain A you initiate the establishment of a one-way trust (from B to A). When you click Add to open the Trusting domain dialog, you enter the FQDN of domain B. Next you share the trust secret/password with a Domain Admin in Domain B and have them establish the trust from their side as well.

More information:
http://technet.microsoft.com/en-us/library/bb727050.aspx
http://technet.microsoft.com/en-us/library/bb727062.aspx#E0RD0AA

-Daniel

Author Comment

by:raffie613
ID: 34940557
Daniel,
From which interface in AD can I initiate the trust?

Will this allow users from Domain B to freely access resources on Domain A, even if they are on site at domain A for the day?
Thanks.
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 34940700
Check if your DCs from both domains are able to ping each other. Then in each domain's DNS server configure Conditional Forwarders for the other domain or create Stub DNS zones. AD is based on DNS and this will be necessary before you can create a trust relationship.

After that, open the Active Directory Domains and Trusts management console and on the "Trusts" tab create a two-way trust. Then you will be able to grant users from domain A rights to the resources in domain B and vice versa.

For that I strongly suggest creating Domain Local groups in each domain and putting global groups from both domains into them for easier management.

How to create DNS Conditional Forwarders or a Stub Zone is described in the attached guides.

If you have any other questions, do not hesitate to contact me.

Regards,
Krzysztof
DNS-conditional-forwarders.pdf
Configuring-Stub-zone.pdf
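The steps above (reachability, DNS, trust, then permissions) scripted end to end, as an added example that is not part of this thread. It assumes the domains are called corp-a.local and corp-b.local, that corp-b.local's DNS servers are 10.2.0.10 and 10.2.0.11, and that admin-a and admin-b are Domain Admin accounts in the respective domains; netdom.exe, dnscmd.exe and nltest.exe are the Windows Server 2003 Support Tools (built into Windows Server 2008 and later), driven here from PowerShell. It also adds the two hardening settings a practitioner would want on a trust between separate companies: SID filtering, which Windows Server 2003 enables by default on new external trusts, and selective authentication.

```powershell
# Added example (not from the thread). Assumed names: this domain is corp-a.local,
# the partner domain is corp-b.local with DNS servers 10.2.0.10 and 10.2.0.11,
# admin-a / admin-b are Domain Admins in the respective domains. Run in an
# elevated PowerShell on a corp-a.local DC with the Support Tools installed.
$ourDomain   = 'corp-a.local'
$theirDomain = 'corp-b.local'
$theirDns    = @('10.2.0.10', '10.2.0.11')
$ourAdmin    = 'admin-a'      # Domain Admin in corp-a.local
$theirAdmin  = 'admin-b'      # Domain Admin in corp-b.local

function Invoke-Tool {
    # Run a native tool and stop on a non-zero exit code instead of carrying on
    # with half of the work done.
    param([string]$Exe, [string[]]$ToolArgs)
    & $Exe @ToolArgs
    if ($LASTEXITCODE -ne 0) {
        throw "$Exe $($ToolArgs -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# 1. Reachability across the VPN: the trust wizard fails with unhelpful errors
#    when the partner DCs cannot be reached at all.
foreach ($ip in $theirDns) {
    if (-not (Test-Connection -ComputerName $ip -Count 2 -Quiet)) {
        throw "Partner DC $ip is not reachable over the VPN"
    }
}

# 2. Conditional forwarder for the partner domain on this DNS server. The same
#    command, with names and addresses swapped, is run on a corp-b.local DC.
#    (Use '/ZoneAdd' $theirDomain '/Stub' ... instead for a stub zone.)
Invoke-Tool 'dnscmd.exe' (@($env:COMPUTERNAME, '/ZoneAdd', $theirDomain, '/Forwarder') + $theirDns)

# Prove the DC locator can now find the partner domain before touching the trust.
Invoke-Tool 'nltest.exe' @("/dsgetdc:$theirDomain", '/force')

# 3. Create both halves of a two-way external trust in one go by supplying
#    credentials for both domains (netdom prompts for each '*' password).
#    Drop /twoway to make only corp-a.local trust corp-b.local, which is all
#    that B's users need to reach A's shares.
Invoke-Tool 'netdom.exe' @('trust', $ourDomain, "/d:$theirDomain", '/add', '/twoway',
    "/UserD:$theirDomain\$theirAdmin", '/PasswordD:*',
    "/UserO:$ourDomain\$ourAdmin",     '/PasswordO:*')

# 4. Hardening. Windows Server 2003 turns SID filtering ("quarantine") on for
#    new external trusts; keep it on unless you are doing a SID-history
#    migration. Selective authentication additionally limits corp-b.local users
#    to the corp-a.local computers on which they are granted
#    "Allowed to Authenticate".
Invoke-Tool 'netdom.exe' @('trust', $ourDomain, "/d:$theirDomain", '/quarantine:yes')
Invoke-Tool 'netdom.exe' @('trust', $ourDomain, "/d:$theirDomain", '/SelectiveAUTH:yes')

# 5. Verify the trust secure channel to the partner and list what we trust now.
Invoke-Tool 'nltest.exe' @("/sc_verify:$theirDomain")
Invoke-Tool 'nltest.exe' @('/domain_trusts')
```

For the resource permissions themselves, follow the group advice above: put corp-b.local global groups into corp-a.local domain local groups and grant those groups on the shares and NTFS ACLs instead of adding foreign user accounts folder by folder. With selective authentication on, corp-b.local users additionally need "Allowed to Authenticate" on the computer object of each corp-a.local server they should reach; without it they get "access denied" even with correct NTFS permissions.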

Author Comment

by:raffie613
ID: 34947106
Isiek,
Will users from Domain B that are physically visiting on location at domain A be able to use their logon credentials for domain B to log in at Domain A?
Thanks.
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 34948986
No, they still have to log on to domain B, but if you grant them NTFS permissions to network resources they will be able to access them. It could take some time for authentication, so you should consider placing one domain controller from the other domain in each domain to shorten authentication time. For example, in domain A put a domain B DC and in domain B put a domain A DC. Configure an appropriate Site and Subnet for that and everything will be fine.

Krzysztof

Author Comment

by:raffie613
ID: 34952191
Iseik:
What do you mean "grant them NTFS permissions to network resources"? Grant them NTFS permissions from where?
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 34953378
When you have folders and files in domainA, you need to add user accounts/group accounts from domainB on the "Security" tab of those folders'/files' properties to allow them access.

Krzysztof

Author Comment

by:raffie613
ID: 34954069
ok,
So It will see the trusted domain in there.
I will try and let you know.
Thanks.

Author Comment

by:raffie613
ID: 34954136
Iseik:
Regarding having users from domain B be able to log onto Domain A while on site at Domain A: if I have a DC from domain B on site at location Domain A, then would the users from domain B be able to log on while at Domain A?

Or is the only way, for me to create user accounts on Domain A for those users when they are on location at Domain A?
Thanks.
LVL 39

Accepted Solution

by:Krzysztof Pytko (earned 500 total points)
ID: 34954152
Or is the only way, for me to create user accounts on Domain A for those users when they are on location at Domain A?

Yup, that's the only way to log on to domainA. You have to have a user in each domain if you want to log on there :)

Krzysztof

Author Comment

by:raffie613
ID: 34967271
Iseik:
But if I take a DC from domain B and put it in the physical location of Domain A, then a user from the physical location (office) of Domain B should be able to log in to domain B while physically being at location Domain A, since there is a Domain B DC on site, no? Won't the Domain B DC be able to authenticate him?
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 34967544
Yes of course :) because it will be part of an existing domain :) This will increase authentication time on site because the authentication query doesn't have to use the WAN link.

Krzysztof

Author Comment

by:raffie613
ID: 34967601
ok,
So for the Domain B DC that will physically be on site at Domain A, what DNS server do I point it to? Or should I make it its own primary DNS server since it will be doing authentication for any Domain B users?
Thanks.
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 34967614
No no, create an additional DC for domainB and make it a DNS server and Global Catalog, to serve all features on site. But during the server setup process point it to one of the DNS servers for domainB. After DC promotion, point the alternate DNS server to 127.0.0.1 (loopback interface).

Krzysztof

Author Comment

by:raffie613
ID: 34967680
What about DHCP? Do I need to have that configured on it once I move it to the Domain A site? Or can the Domain A DHCP server provide addresses even though it is a different domain?

Also, what about the IP address scheme? Do they need to be on different subnets?
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 34967754
You can simply use the DHCP of the other domain. Just configure a GPO for all clients to provide a DNS suffix list for both domains.
Create new sites and subnets for those new DCs. That's all :)

Krzysztof
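The remote-DC pieces from the last few replies (a corp-b.local DC on corp-a.local's LAN, its site and subnet, its DNS client order, and the DNS suffix list the GPO pushes) collected into one added example; it is not from the thread. Assumptions: the site is named Office-A, the LAN is 10.1.0.0/16, the new DC is DCB2 at 10.1.0.20, corp-b.local's existing DNS server is 10.2.0.10, and the adapter is called "Local Area Connection". Sites and subnets are created through ADSI, which works against Windows Server 2003 DCs (the Active Directory PowerShell cmdlets need Windows Server 2008 R2 or later).

```powershell
# Added example (not from the thread). Assumed layout: corp-b.local gets a
# second DC, DCB2 (10.1.0.20), on corp-a.local's office LAN 10.1.0.0/16;
# corp-b.local's existing DNS server is 10.2.0.10. Part 1 runs on an existing
# corp-b.local DC as an Enterprise Admin (sites live in the Configuration
# partition), Part 2 on DCB2 after dcpromo, Part 3 on a client for testing.
$siteName = 'Office-A'
$subnetId = '10.1.0.0/16'

$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = $rootDse.configurationNamingContext.Value
$siteDn   = "CN=$siteName,CN=Sites,$configNc"

# --- Part 1: site, subnet and site-link membership ---
$sites = [ADSI]"LDAP://CN=Sites,$configNc"
$site  = $sites.Create('site', "CN=$siteName")
$site.SetInfo()
# The GUI creates these two containers for you; raw LDAP does not, and a DC
# cannot be placed in the site without them.
$site.Create('nTDSSiteSettings', 'CN=NTDS Site Settings').SetInfo()
$site.Create('serversContainer', 'CN=Servers').SetInfo()

# The subnet is what makes clients (and dcpromo) pick this site: a corp-b.local
# member with a 10.1.x.y address asks for a DC and gets DCB2, not the WAN.
$subnets = [ADSI]"LDAP://CN=Subnets,CN=Sites,$configNc"
$subnet  = $subnets.Create('subnet', "CN=$subnetId")
$subnet.Put('siteObject', $siteDn)
$subnet.Put('description', 'corp-a.local office LAN, served by DCB2')
$subnet.SetInfo()

# Without a site link the new site never replicates; append it to the default one.
$link = [ADSI]"LDAP://CN=DEFAULTIPSITELINK,CN=IP,CN=Inter-Site Transports,CN=Sites,$configNc"
$link.PutEx(3, 'siteList', @($siteDn))   # 3 = ADS_PROPERTY_APPEND
$link.SetInfo()

# --- Part 2: DNS client order on DCB2 once it is a DC, DNS server and GC ---
# Primary = an existing corp-b.local DNS server, alternate = itself. Leaving
# the adapter on corp-a.local's DNS would make DCB2 register its SRV records
# in the wrong domain's zone (or fail to register at all).
$nic = 'Local Area Connection'   # assumed adapter name; see: netsh interface ip show config
& netsh.exe interface ip set dns "name=$nic" source=static addr=10.2.0.10 register=primary
& netsh.exe interface ip add dns "name=$nic" addr=127.0.0.1 index=2

# --- Part 3: the client side of the DNS suffix advice ---
# The policy Computer Configuration > Administrative Templates > Network >
# DNS Client > "DNS Suffix Search List" writes this registry value. Setting it
# by hand on one test client shows the effect: \\fileserver resolves in both
# domains no matter which domain's DHCP server issued the lease.
$pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
New-Item -Path $pol -Force | Out-Null
Set-ItemProperty -Path $pol -Name SearchList -Value 'corp-b.local,corp-a.local'

# Check from a corp-b.local member (e.g. a visiting laptop) on 10.1.0.0/16
# that the site and the local DC are picked up.
& nltest.exe /dsgetsite                    # expect Office-A
& nltest.exe /dsgetdc:corp-b.local /force  # expect DCB2, not a DC across the VPN
```

Create the subnet before running dcpromo on DCB2 so it lands in Office-A automatically; otherwise move its server object in Active Directory Sites and Services afterwards. Part 3 is only for checking one client; in production set the suffix list with the GPO named in the comments, linked at the domain (or at the OU holding the visiting laptops) in each domain, so every client gets it regardless of which DHCP server it uses.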

Author Comment

by:raffie613
ID: 34972351
"Configure only GPO for all clients to provide DNS suffix list for both domains.
Create new sites and subnets for those new DCs"

You lost me there. Create the GPO on which DC? Where in the GPO do I find an option to provide a DNS suffix list?

Where do I create the new sites and subnets for the new DC (domain B on site at location of domain A)?

Thanks.
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 34972529
OK, try with this guide.

Krzysztof
DNS-suffix-list.pdf

Author Comment

by:raffie613
ID: 35011180
OK, but I still do not know at which sites I should create the new sites and subnets for the new DC?


Also, most users wanting to log in at location A while visiting from location B have laptops with XP Pro on them. If I do not want to spend the extra money on a DC to place in each trusted site location for visiting users from other locations to be able to log on, AND I just create them a logon ID at Domain A, how will the XP machine allow them to log into Domain A when the machine is a member of the domain at location B? XP doesn't allow you to log on to two different domains, right?

Thanks.

Author Comment

by:raffie613
ID: 35011486
Would it be easier to just put all these locations under one main domain forest? Is there a way to do that even though they currently exist in separate domains?
Thanks.
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 35024508
Yes of course, that's the simplest way and it's much more convenient to manage :)
When you have a two-way forest trust you can migrate one domain into another using Microsoft ADMT
http://www.microsoft.com/downloads/en/details.aspx?familyid=AE279D01-7DCA-413C-A9D2-B42DFB746059&displaylang=en

and read this good Microsoft guide about that process
http://www.microsoft.com/downloads/en/details.aspx?familyid=6D710919-1BA5-41CA-B2F3-C11BCB4857AF&displaylang=en

User/computer/group SID history will be preserved and nobody will have problems accessing resources.

Krzysztof
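An added check, not from the thread, for the SID-history part of the ADMT advice above: it reads the trust object corp-a.local holds for corp-b.local, decodes its trustAttributes flags, and lists the accounts whose sIDHistory still carries corp-b.local SIDs. Domain names are assumed as in the earlier examples; the flag values (0x4 quarantined, 0x8 forest transitive, 0x10 cross-organization) are the documented TRUST_ATTRIBUTE_* constants. The point it makes is the caveat "SID history will be preserved" leaves out: SID filtering strips exactly those preserved SIDs.

```powershell
# Added example (not from the thread). Assumed names: users were migrated from
# corp-b.local into corp-a.local with ADMT's SID-history option. Run on a
# corp-a.local DC; the partner's domain SID is read from the trust object
# rather than typed in.
$partner  = 'corp-b.local'
$rootDse  = [ADSI]'LDAP://RootDSE'
$domainNc = $rootDse.defaultNamingContext.Value

# Every trust this domain holds is a trustedDomain object under CN=System.
$trust      = [ADSI]"LDAP://CN=$partner,CN=System,$domainNc"
$partnerSid = New-Object Security.Principal.SecurityIdentifier(([byte[]]$trust.securityIdentifier.Value), 0)
$attrs      = [int]$trust.trustAttributes.Value
$direction  = switch ([int]$trust.trustDirection.Value) { 1 {'inbound'} 2 {'outbound'} 3 {'two-way'} default {'disabled'} }
$sidFilteringOn = ($attrs -band 0x4)  -ne 0   # TRUST_ATTRIBUTE_QUARANTINED_DOMAIN
$forestTrust    = ($attrs -band 0x8)  -ne 0   # TRUST_ATTRIBUTE_FOREST_TRANSITIVE
$selectiveAuth  = ($attrs -band 0x10) -ne 0   # TRUST_ATTRIBUTE_CROSS_ORGANIZATION
$summary = 'Trust with {0}: {1}, domain SID {2}, SID filtering={3}, selective auth={4}, forest trust={5}' -f $partner, $direction, $partnerSid.Value, $sidFilteringOn, $selectiveAuth, $forestTrust
Write-Output $summary

# Accounts whose sIDHistory carries SIDs from the partner domain. Resources in
# corp-b.local that still ACL the old SIDs keep working for these users only
# if those SIDs survive in the token presented across the trust.
$searcher = New-Object DirectoryServices.DirectorySearcher([ADSI]"LDAP://$domainNc")
$searcher.Filter   = '(&(objectCategory=person)(objectClass=user)(sIDHistory=*))'
$searcher.PageSize = 500
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'sIDHistory'))

$migrated = foreach ($r in $searcher.FindAll()) {
    foreach ($raw in $r.Properties['sidhistory']) {
        $old = New-Object Security.Principal.SecurityIdentifier(([byte[]]$raw), 0)
        if ($old.AccountDomainSid -and $old.AccountDomainSid.Value -eq $partnerSid.Value) {
            New-Object PSObject -Property @{
                Account = $r.Properties['samaccountname'][0]
                OldSid  = $old.Value
            }
        }
    }
}
$migrated | Format-Table -AutoSize

# SID filtering on a trust removes every SID that does not belong to the
# trusted domain, which is exactly what the migrated accounts' old SIDs are.
# For the migration window it has to be off (netdom trust ... /quarantine:no)
# on the side that still holds the resources, then switched back on, and
# sIDHistory removed once the ACLs are re-stamped: forged sIDHistory values
# are a known privilege-escalation and persistence technique.
if ($sidFilteringOn -and $migrated) {
    $msg = 'SID filtering is on for {0}; the old SIDs of {1} migrated account(s) will not be honoured across this trust.' -f $partner, @($migrated).Count
    Write-Warning $msg
}
```

Run it after the ADMT batch and again after the migration is closed out; the second run should report SID filtering on and no accounts listed.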

Author Comment

by:raffie613
ID: 35029966
ok,
But since they are really separate companies, if we just do full trusts between them all, then what about the issue that most users wanting to log in at location A while visiting from location B have laptops with XP Pro on them? If I do not want to spend the extra money on a DC to place in each trusted site location for visiting users from other locations to be able to log on, AND I just create them a logon ID at Domain A, how will the XP machine allow them to log into Domain A when the machine is a member of the domain at location B? XP doesn't allow you to log on to two different domains, right?
Thanks.


Author Comment

by:raffie613
ID: 35030092
Krzysztof
I found this on the issue of XP logging on to a trusted domain. It says that it CAN be done in a full trust.
It says I should start to see a drop-down menu showing both trusted domains. I thought you said it was not possible to log on to a trusted domain and that I had to place a DC in each location for the visiting user to be able to log on?

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/XP/Q_26424660.html

Author Comment

by:raffie613
ID: 35087872
Krzysztof
Anything on the XP situation?
thanks.