• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 430
  • Last Modified:

What type of domain trust should I use?

Good morning,

I'm looking for advice on creating some trusts. We have several stand alone satellite offices, each with their own Forest/Domain. In the past, there has been no real need for our domain to communicate with theirs. Each office has a virtual server (with a copy of their Active Directory) in our corporate data center where they back up their critical information using DFS over our MPLS network. In the data center, we are setting up a Citrix server environment with many of the applications that these offices use for Disaster Recovery Planning. If a divisional office has some kind of disaster, hardware failure, etc. we can publish these applications to their users. Right now, since the domains are all stand alone we would have to create a login account for each user at that office on the DataCenter domain to allow them to authenticate via Citrix. I'd like to create domain trusts between each office's domain and the data center to avoid this step.

Some of the domains are 2003 and some are 2008. The domain in the data center is 2008.

I'd like it to work something like this if possible:
Office1 and DataCenter trust each other - users from Office1 can authenticate to DataCenter
Office2 and DataCenter trust each other - users from Office2 can authenticate to DataCenter
Office1 and Office2 do not trust each other - users from Office1 cannot authenticate to Office2 and vice-versa

Any advice on which type of trust would accomplish this best?
1 Solution
Office1 --External Forest Trust (One way)---DC

Office 2--- External Forest Trust(One Way)--DC

External Forest trusts are non transistive trusts so office 1 and office 2 will not trust each other

Additional as per your setup i don't think you need two way trust between the office1 and dc, although you can create two way trust as well
if  office 1 and office 2 not not under the same domain then you have to create external trust.

when you said office 1 can authenticate to datacenter, do you mean office 1 will access the resources in datacenter? then you need to create 1 way incoming(trusting) on office 1. same goes to office 2, create a 1 way create 1 way incoming(trusting).

if they are under the same domain, you need to perform naming suffux filtering.

see screenshot below.


ECSMcLeanAuthor Commented:
Thanks! That was exactly what I was looking for.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free tool for managing users' photos in Office 365

Easily upload multiple users’ photos to Office 365. Manage them with an intuitive GUI and use handy built-in cropping and resizing options. Link photos with users based on Azure AD attributes. Free tool!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now