What type of domain trust should I use?
Good morning,
I'm looking for advice on creating some trusts. We have several stand alone satellite offices, each with their own Forest/Domain. In the past, there has been no real need for our domain to communicate with theirs. Each office has a virtual server (with a copy of their Active Directory) in our corporate data center where they back up their critical information using DFS over our MPLS network. In the data center, we are setting up a Citrix server environment with many of the applications that these offices use for Disaster Recovery Planning. If a divisional office has some kind of disaster, hardware failure, etc. we can publish these applications to their users. Right now, since the domains are all stand alone we would have to create a login account for each user at that office on the DataCenter domain to allow them to authenticate via Citrix. I'd like to create domain trusts between each office's domain and the data center to avoid this step.
Some of the domains are 2003 and some are 2008. The domain in the data center is 2008.
I'd like it to work something like this if possible:
Office1 and DataCenter trust each other - users from Office1 can authenticate to DataCenter
Office2 and DataCenter trust each other - users from Office2 can authenticate to DataCenter
Office1 and Office2 do not trust each other - users from Office1 cannot authenticate to Office2 and vice-versa
Any advice on which type of trust would accomplish this best?
I'm looking for advice on creating some trusts. We have several stand alone satellite offices, each with their own Forest/Domain. In the past, there has been no real need for our domain to communicate with theirs. Each office has a virtual server (with a copy of their Active Directory) in our corporate data center where they back up their critical information using DFS over our MPLS network. In the data center, we are setting up a Citrix server environment with many of the applications that these offices use for Disaster Recovery Planning. If a divisional office has some kind of disaster, hardware failure, etc. we can publish these applications to their users. Right now, since the domains are all stand alone we would have to create a login account for each user at that office on the DataCenter domain to allow them to authenticate via Citrix. I'd like to create domain trusts between each office's domain and the data center to avoid this step.
Some of the domains are 2003 and some are 2008. The domain in the data center is 2008.
I'd like it to work something like this if possible:
Office1 and DataCenter trust each other - users from Office1 can authenticate to DataCenter
Office2 and DataCenter trust each other - users from Office2 can authenticate to DataCenter
Office1 and Office2 do not trust each other - users from Office1 cannot authenticate to Office2 and vice-versa
Any advice on which type of trust would accomplish this best?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks! That was exactly what I was looking for.
when you said office 1 can authenticate to datacenter, do you mean office 1 will access the resources in datacenter? then you need to create 1 way incoming(trusting) on office 1. same goes to office 2, create a 1 way create 1 way incoming(trusting).
if they are under the same domain, you need to perform naming suffux filtering.
see screenshot below.
http://windows-active-directory.net/MS.Press-MCSE.Self-Paced.Train/8403final/images/fig04_29_0.jpg
http://adopenstatic.com/images/resources/blog/Kerberos21.jpg