Best A.D design – Child domain or one-way trust?

Posted on 2011-05-12
Last Modified: 2012-05-11
We are designing a new production network for a new web facing customer application.  The network will have quite a few web servers in a DMZ which will need to communicate with various SQL clusters and other application servers on the internal network.  For ease of management all the servers will be part of a domain.  The servers in the DMZ need to do LDAP writes to the DMZ domain controllers so using read-only DCs won’t work.  Our options at this point are to configure two separate domains/forests, one for the DMZ and one for the internal network.  The other option is to configure the DMZ as a child-domain to the internal domain.  Microsoft recommends using the “isolated forest model” which uses two separate forests, one in the DMZ and one in the internal network.  A one-way trust would be established from the internal network to the DMZ.  This seems like it would work for us but my concern is account authentication from the DMZ back into the internal network.  There are specific accounts that the web servers use to connect to the SQL databases as well as to connect to other application servers.
Can accounts be created in a DMZ forest that can authenticate to servers on the internal network forest when there isn’t a two-way trust?  Would we be better suited to use a child-domain in the DMZ instead of two forests even though this isn’t Microsoft’s best practice?  I would like to use two forests and a one-way trust but I need to make sure the servers in the DMZ can still authenticate to internal systems before we start building out the infrastructure.
Any advice would be greatly appreciated – specifically if I can get communication to work from the DMZ to the internal network without a two-way trust.

All the domain controllers are Windows 2008 R2

Question by:steno1122
    LVL 8

    Expert Comment


    The one-way trust scenario would work.   You would create a one-way outgoing trust to allow security principals to access your resource domain.

    Think of it this way:

    Your Trusting domain is your internal active directory. The trusted domain is the domain that contains the security principals that need access to your internal domain.

    There are security implications to setting this up.  You need to make sure that the firewall is configured to support an external trust, set up the trust on both sides, and secure the trust using SID filter quarantining.

    Check out the following articles:

    Author Comment

    Thanks for the reply ActiveDirectoryman

    So we should use an external trust instead of a forest level trust?  I thought external trusts were for establishing trusts with Windows 2000 and NT domains.  Would an external trust be the best solution even though both forests are Windows 2008 R2?

    LVL 8

    Accepted Solution


    With Server 2008 and 2008 R2 you can create a one-way or two-way forest trust. You would want to create a one-way forest trust. For security purposes I would set up the trust for selective authentication or forest-wide authentication.  It is up to you whether you want to use selective or forest-wide authentication.

    Create a forest trust (Windows Server 2003/2008/R2)

    Select the scope of authentication
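As an added check that is not part of the original thread: a PowerShell script, run from a machine joined to the internal (trusting) forest, that audits the trust to the DMZ forest against the design in the accepted answer (one-way forest trust, SID filtering on, selective authentication on). The DMZ forest name is a placeholder; the .NET System.DirectoryServices.ActiveDirectory classes used are available on Windows Server 2008 R2.

```powershell
# Added example, not from the original thread. Run from the INTERNAL (trusting)
# forest; 'dmz.example.com' is a placeholder for the DMZ forest name.
function Test-DmzForestTrust {
    param([Parameter(Mandatory=$true)][string]$DmzForestName)

    $forest   = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    # Forest trusts are stored as trustedDomain objects in the forest root domain,
    # so enumerating the root domain's trusts also shows an external trust that
    # someone created by mistake instead of a forest trust.
    $trust    = $forest.RootDomain.GetAllTrustRelationships() |
                Where-Object { $_.TargetName -ieq $DmzForestName }
    $findings = New-Object System.Collections.ArrayList

    if (-not $trust) {
        [void]$findings.Add("No trust to $DmzForestName found in $($forest.Name)")
        return $findings
    }
    # Two 2008 R2 forests should use a forest trust, not an external (NT/2000-style) trust.
    if ($trust.TrustType -ne 'Forest') {
        [void]$findings.Add("TrustType is $($trust.TrustType); expected Forest")
        return $findings   # the forest-level checks below do not apply to an external trust
    }
    # Seen from the internal side, the one-way trust is Outbound: internal trusts DMZ,
    # so DMZ principals can reach internal resources but internal accounts never
    # authenticate into the DMZ forest.
    if ($trust.TrustDirection -ne 'Outbound') {
        [void]$findings.Add("TrustDirection is $($trust.TrustDirection); expected Outbound")
    }
    # SID filter quarantining: SIDs presented from the DMZ forest that claim to belong
    # to the internal forest (e.g. via SID history) are discarded, so a compromised
    # DMZ DC cannot mint tokens carrying internal-forest group SIDs.
    if (-not $forest.GetSidFilteringStatus($DmzForestName)) {
        [void]$findings.Add('SID filtering is disabled (netdom trust ... /Quarantine:yes)')
    }
    # Selective authentication: DMZ accounts can only authenticate to internal servers
    # (the SQL clusters and app servers) explicitly granted "Allowed to Authenticate",
    # which limits what a compromised web server can reach.
    if (-not $forest.GetSelectiveAuthenticationStatus($DmzForestName)) {
        [void]$findings.Add('Selective authentication is off (netdom trust ... /SelectiveAUTH:yes)')
    }
    return $findings
}

$result = Test-DmzForestTrust -DmzForestName 'dmz.example.com'
if ($result.Count -eq 0) { 'Trust to the DMZ forest matches the one-way forest trust design' }
else { $result }
```

Each finding names the netdom trust switch that corrects it; with selective authentication on, the web servers' service accounts still need "Allowed to Authenticate" on the specific internal SQL and application servers they connect to.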
