Best A.D design – Child domain or one-way trust?

Posted on 2011-05-12
Last Modified: 2012-05-11
We are designing a new production network for a new web facing customer application.  The network will have quite a few web servers in a DMZ which will need to communicate with various SQL clusters and other application servers on the internal network.  For ease of management all the servers will be part of a domain.  The servers in the DMZ need to do LDAP writes to the DMZ domain controllers so using read-only DCs won’t work.  Our options at this point are to configure two separate domains/forests, one for the DMZ and one for the internal network.  The other option is to configure the DMZ as a child-domain to the internal domain.  Microsoft recommends using the “isolated forest model” which uses two separate forests, one in the DMZ and one in the internal network.  A one-way trust would be established from the internal network to the DMZ.  This seems like it would work for us but my concern is account authentication from the DMZ back into the internal network.  There are specific accounts that the web servers use to connect to the SQL databases as well as to connect to other application servers.
Can accounts be created in a DMZ forest that can authenticate to servers on the internal network forest when there isn’t a two-way trust?  Would we be better suited to use a child-domain in the DMZ instead of two forests even though this isn’t Microsoft’s best practice?  I would like to use two forests and a one-way trust but I need to make sure the servers in the DMZ can still authenticate to internal systems before we start building out the infrastructure.
Any advice would be greatly appreciated – specifically if I can get communication to work from the DMZ to the internal network without a two-way trust.

All the domain controllers are Windows 2008 R2

Question by:steno1122

Expert Comment

ID: 35747963

The one way trust scenario would work.   You would create a one-way outgoing trust to allow security principals to access your resource domain.

Think of it this way:

Your Trusting domain is your internal active directory. The trusted domain is the domain that contains the security principals that need access to your internal domain.

There are security implications to setting this up.  You need to make sure that the firewall is configured to support an external trust, set up the trust on both sides, and secure the trust using SID filter quarantining.

Check out the following articles:


Author Comment

ID: 35748762
Thanks for the reply ActiveDirectoryman

So we should use an external trust instead of a forest level trust?  I thought external trusts were for establishing trusts with Windows 2000 and NT domains.  Would an external trust be the best solution even though both forests are Windows 2008 R2?


Accepted Solution

ActiveDirectoryman earned 2000 total points
ID: 35749036

With Server 2008 and 2008 R2 you can create a one-way or two-way forest trust. You would want to create a one-way forest trust. For security purposes I would set up the trust for selective authentication or forest-wide authentication.  It is up to you whether you want to use selective or forest-wide authentication.

Create a forest trust (Windows Server 2003/2008/R2)


Select the scope of authentication

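The following PowerShell session is an added example, not part of the thread or of any Microsoft documentation quoted in it. It shows the layout the expert comment and the accepted solution describe: the internal forest is the trusting (resource) side, the DMZ forest is the trusted (account) side, and the one-way forest trust is hardened with SID filtering and selective authentication, after which individual internal servers are opened to individual DMZ service accounts. The forest names (corp.internal, dmz.example), server and account names, and the DNS forwarder addresses are constructed placeholders; the netdom and dsacls switches are the standard ones for 2008 R2 but should be checked against netdom trust /? and dsacls /? on the DC before use.

```powershell
# Added example (not from the thread). All names and addresses are constructed placeholders.
#
# Roles, as described in the thread:
#   Trusting (resource) forest : corp.internal  - internal network, SQL clusters, app servers
#   Trusted  (account)  forest : dmz.example    - DMZ web servers and the accounts they run as
# With corp.internal trusting dmz.example (an OUTBOUND trust from the internal side),
# DMZ principals can authenticate to internal servers, but nothing in the DMZ is ever
# asked to vouch for an internal principal. That is the direction the question needs.

$TrustingForest = 'corp.internal'   # internal forest (resource side)
$TrustedForest  = 'dmz.example'     # DMZ forest (account side)
$DmzDnsServers  = '10.10.0.10'      # constructed: DNS server(s) for dmz.example
$IntDnsServers  = '10.0.0.10'       # constructed: DNS server(s) for corp.internal

# --- Prerequisite: each forest must resolve the other's AD namespace ----------------------
# Run on a DNS server in corp.internal (2008 R2, so dnscmd rather than the DnsServer module):
dnscmd . /ZoneAdd $TrustedForest /Forwarder $DmzDnsServers
# ...and the mirror image on a DNS server in dmz.example:
#   dnscmd . /ZoneAdd corp.internal /Forwarder 10.0.0.10
# The firewall between the tiers must permit trust traffic between the two sets of DCs:
# DNS 53, Kerberos 88, LDAP 389/636, SMB 445, RPC endpoint mapper 135 plus the RPC
# dynamic range. Restrict these rules to DC-to-DC pairs rather than whole subnets.

# --- Step 1: create the internal half of the one-way forest trust -------------------------
# Run on a DC in corp.internal. /ForestTRANsitive makes this a forest trust (not the
# NT4-style external trust the asker was worried about); /oneside:trusting creates only
# this forest's half, protected by the shared trust password in /PasswordT.
netdom trust $TrustingForest /d:$TrustedForest /add /ForestTRANsitive /oneside:trusting `
    /PasswordT:* /UserO:"$TrustingForest\Administrator" /PasswordO:*

# --- Step 2: create the DMZ half on a DC in dmz.example ----------------------------------
# Same command, same trust password, but /oneside:trusted because the DMZ is the
# account side of the relationship:
#   netdom trust corp.internal /d:dmz.example /add /ForestTRANsitive /oneside:trusted `
#       /PasswordT:* /UserO:"dmz.example\Administrator" /PasswordO:*

# --- Step 3: harden the trust (run on a DC in corp.internal) ------------------------------
# SID filtering: SIDs in a DMZ ticket that do not belong to dmz.example are discarded,
# so a compromised DMZ DC cannot present internal SIDs in a token.
netdom trust $TrustingForest /d:$TrustedForest /Quarantine:Yes

# Selective authentication: no internal computer accepts DMZ principals until that
# computer's AD object explicitly grants "Allowed to Authenticate" (Step 4).
netdom trust $TrustingForest /d:$TrustedForest /SelectiveAUTH:Yes

# --- Step 4: open only the servers the web tier actually needs ----------------------------
# Grant the DMZ service account the "Allowed to Authenticate" control-access right on
# the computer objects of the SQL and application servers it connects to. Everything
# else in corp.internal stays closed to the DMZ forest.
$WebSqlAccount = "$TrustedForest\svc-websql"           # constructed service account
$AllowedHosts  = @(
    'CN=SQLCLUSTER01,OU=SQL,DC=corp,DC=internal',       # constructed DNs
    'CN=APP01,OU=AppServers,DC=corp,DC=internal'
)
foreach ($dn in $AllowedHosts) {
    dsacls $dn /G "${WebSqlAccount}:CA;Allowed to Authenticate"
}

# --- Step 5: verify the result from the internal side -------------------------------------
# Expected: Direction Outbound, ForestTransitive True, SIDFilteringQuarantined True,
# SelectiveAuthentication True. Anything else means a step above did not take.
Import-Module ActiveDirectory
Get-ADTrust -Filter "Name -eq '$TrustedForest'" |
    Select-Object Name, Direction, ForestTransitive, SIDFilteringQuarantined, SelectiveAuthentication

# Confirm the secure channel for the trust is healthy and the DMZ side sees it too:
netdom trust $TrustingForest /d:$TrustedForest /verify
```

Two practical notes. Selective authentication fails closed: a DMZ account that is not granted "Allowed to Authenticate" on a given computer object gets a logon failure at that host (event ID 4625 with a trust-related status in the host's Security log), which is exactly what you want to see for any internal server that was not listed in Step 4. And because the trust is one-way, the SQL and application servers should be configured to use the DMZ service accounts only as incoming principals; internal accounts never need to exist in, or be known to, the DMZ forest.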
