[Last Call] Learn about multicloud storage options and how to improve your company's cloud strategy. Register Now

x
?
Solved

What type of domain trust should I use?

Posted on 2011-03-23
3
Medium Priority
?
425 Views
Last Modified: 2012-05-11
Good morning,

I'm looking for advice on creating some trusts. We have several stand alone satellite offices, each with their own Forest/Domain. In the past, there has been no real need for our domain to communicate with theirs. Each office has a virtual server (with a copy of their Active Directory) in our corporate data center where they back up their critical information using DFS over our MPLS network. In the data center, we are setting up a Citrix server environment with many of the applications that these offices use for Disaster Recovery Planning. If a divisional office has some kind of disaster, hardware failure, etc. we can publish these applications to their users. Right now, since the domains are all stand alone we would have to create a login account for each user at that office on the DataCenter domain to allow them to authenticate via Citrix. I'd like to create domain trusts between each office's domain and the data center to avoid this step.

Some of the domains are 2003 and some are 2008. The domain in the data center is 2008.

I'd like it to work something like this if possible:
Office1 and DataCenter trust each other - users from Office1 can authenticate to DataCenter
Office2 and DataCenter trust each other - users from Office2 can authenticate to DataCenter
Office1 and Office2 do not trust each other - users from Office1 cannot authenticate to Office2 and vice-versa

Any advice on which type of trust would accomplish this best?
0
Comment
Question by:ECSMcLean
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 12

Accepted Solution

by:
Navdeep earned 2000 total points
ID: 35200095
Office1 --External Forest Trust (One way)---DC

Office 2--- External Forest Trust(One Way)--DC

External Forest trusts are non transistive trusts so office 1 and office 2 will not trust each other

Additional as per your setup i don't think you need two way trust between the office1 and dc, although you can create two way trust as well
0
 
LVL 9

Expert Comment

by:binary_1001010
ID: 35200101
if  office 1 and office 2 not not under the same domain then you have to create external trust.

when you said office 1 can authenticate to datacenter, do you mean office 1 will access the resources in datacenter? then you need to create 1 way incoming(trusting) on office 1. same goes to office 2, create a 1 way create 1 way incoming(trusting).

if they are under the same domain, you need to perform naming suffux filtering.

see screenshot below.

http://windows-active-directory.net/MS.Press-MCSE.Self-Paced.Train/8403final/images/fig04_29_0.jpg

http://adopenstatic.com/images/resources/blog/Kerberos21.jpg
0
 

Author Closing Comment

by:ECSMcLean
ID: 35200123
Thanks! That was exactly what I was looking for.
0

Featured Post

Hire Technology Freelancers with Gigs

Work with freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely, and get projects done right.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This process allows computer passwords to be managed and secured without using LAPS. This is an improvement on an existing process, enhanced to store password encrypted, instead of clear-text files within SQL
It’s time for spooky stories and consuming way too much sugar, including the many treats we’ve whipped for you in the world of tech. Check it out!
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…

650 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question