• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 436
  • Last Modified:

What type of domain trust should I use?

Good morning,

I'm looking for advice on creating some trusts. We have several stand alone satellite offices, each with their own Forest/Domain. In the past, there has been no real need for our domain to communicate with theirs. Each office has a virtual server (with a copy of their Active Directory) in our corporate data center where they back up their critical information using DFS over our MPLS network. In the data center, we are setting up a Citrix server environment with many of the applications that these offices use for Disaster Recovery Planning. If a divisional office has some kind of disaster, hardware failure, etc. we can publish these applications to their users. Right now, since the domains are all stand alone we would have to create a login account for each user at that office on the DataCenter domain to allow them to authenticate via Citrix. I'd like to create domain trusts between each office's domain and the data center to avoid this step.

Some of the domains are 2003 and some are 2008. The domain in the data center is 2008.

I'd like it to work something like this if possible:
Office1 and DataCenter trust each other - users from Office1 can authenticate to DataCenter
Office2 and DataCenter trust each other - users from Office2 can authenticate to DataCenter
Office1 and Office2 do not trust each other - users from Office1 cannot authenticate to Office2 and vice-versa

Any advice on which type of trust would accomplish this best?
0
ECSMcLean
Asked:
ECSMcLean
1 Solution
 
NavdeepCommented:
Office1 --External Forest Trust (One way)---DC

Office 2--- External Forest Trust(One Way)--DC

External Forest trusts are non transistive trusts so office 1 and office 2 will not trust each other

Additional as per your setup i don't think you need two way trust between the office1 and dc, although you can create two way trust as well
0
 
binary_1001010Commented:
if  office 1 and office 2 not not under the same domain then you have to create external trust.

when you said office 1 can authenticate to datacenter, do you mean office 1 will access the resources in datacenter? then you need to create 1 way incoming(trusting) on office 1. same goes to office 2, create a 1 way create 1 way incoming(trusting).

if they are under the same domain, you need to perform naming suffux filtering.

see screenshot below.

http://windows-active-directory.net/MS.Press-MCSE.Self-Paced.Train/8403final/images/fig04_29_0.jpg

http://adopenstatic.com/images/resources/blog/Kerberos21.jpg
0
 
ECSMcLeanAuthor Commented:
Thanks! That was exactly what I was looking for.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now