Solved

Domain Trusts

Posted on 2011-10-20
Last Modified: 2013-12-02
I am looking into how AD replication (read/write) and other changes to AD and DCs work and the use of resources in the existing domain by the new domain.
If I created a separate domain and established a trust between my existing domain and the new domain, would objects and AD changes created in the new domain be replicated to the existing domain? Would objects and AD changes created be replicated if the new domain was a child domain of the existing domain?

If the existing domain had a CA, would the new domain be able to utilise this CA? Same question, if the new domain was a child domain?

Also, is it possible (for either a separate domain or a child domain) to use the same internet connection as the existing domain, given that the domains are separated by VLANs or by completely separate network hardware that is connected together?

thanks in advance
Question by:Marius Gunnerud
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36998488
OK, let's start from beginning :)

If you have single forest with many domains then trusts are created automatically during child domain creation by parent domain. This is two-way transitive trust. All resources are available to users in each domain (files/folders, AD database to browse) but objects are not replicated between domains. Each domain has its own AD database and trust allows only to send authentication requests between them. That's all. If you have CA installed in one of them then, yes, you can use root certificate in other domains to grant access to resources secured by certificates from that domain.

When you have two or more forests with domains, then you have to create the trust between forests manually. Depending on your Forest Functional Level, you can create a trust which has some advantages over a lower version. For 2003 and above FFL, you can create two-way transitive trusts. But creating a trust manually, you can also specify it as a one-way incoming/outgoing trust.

Hope it clarifies it a little bit :) If you have more questions, do not hesitate to ask.

Regards,
Krzysztof
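As an added example (not from the thread), the PowerShell script below, run from a domain-joined host with the RSAT ActiveDirectory module, inventories the forest's domains and functional levels, confirms that every domain's DCs carry the same forest-wide schema partition, and lists trusts with their direction and transitivity as described above; it takes its domain and forest names from whatever forest it runs in.

```powershell
# Added example: forest topology, schema scope and trust inventory.
# Requires the RSAT ActiveDirectory module and a domain-joined account
# that can read the directory (no privileged rights are needed).
Import-Module ActiveDirectory

$forest = Get-ADForest
"Forest root: $($forest.RootDomain)   Forest functional level: $($forest.ForestMode)"
"Domains in forest: $($forest.Domains -join ', ')"

# The schema is one naming context shared by the whole forest: a DC in any
# domain returns the same schemaNamingContext and the same objectVersion
# (the version is raised by ADPREP when a newer OS is introduced as a DC).
foreach ($domainName in $forest.Domains) {
    $dom = Get-ADDomain -Identity $domainName
    $dc  = (Get-ADDomainController -DomainName $domainName -Discover).HostName |
           Select-Object -First 1
    $rootDse = Get-ADRootDSE -Server $dc
    $schema  = Get-ADObject -Identity $rootDse.schemaNamingContext -Server $dc `
                            -Properties objectVersion
    "{0,-28} DFL={1,-18} parent={2,-20} schemaNC={3} objectVersion={4}" -f `
        $domainName, $dom.DomainMode, ($dom.ParentDomain ?? '-'), `
        $rootDse.schemaNamingContext, $schema.objectVersion
}

# Trusts as seen from the current domain. Intra-forest trusts (parent/child,
# tree root) are created automatically and are two-way transitive; trusts to
# another forest are created by hand and carry whatever direction was chosen.
Get-ADTrust -Filter * | ForEach-Object {
    [pscustomobject]@{
        Partner          = $_.Name
        Direction        = $_.Direction               # Inbound / Outbound / BiDirectional
        IntraForest      = $_.IntraForest             # $true = automatic, same forest
        ForestTransitive = $_.ForestTransitive        # $true = forest trust (2003+ FFL)
        SelectiveAuth    = $_.SelectiveAuthentication # review for cross-forest trusts
        SIDFiltering     = $_.SIDFilteringQuarantined # review for cross-forest trusts
    }
} | Format-Table -AutoSize
```

The `??` operator needs PowerShell 7; on Windows PowerShell 5.1 replace `($dom.ParentDomain ?? '-')` with `$(if ($dom.ParentDomain) { $dom.ParentDomain } else { '-' })`.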
 
LVL 17

Author Comment

by:Marius Gunnerud
ID: 36998549
Interesting! OK, but let's say that changes are made to group policies? Same thing, that it is not replicated? What about changes to the schema?

Also, do you know if it is possible to set up two domains (be it parent/child or two completely separate domains with a trust relationship) on the same network infrastructure, but completely separated by use of VLANs or a firewall, etc., and that they share the same internet connection?

thank you for your help!!!
 
LVL 39

Accepted Solution

by: Krzysztof Pytko (earned 1000 total points)
ID: 36998601
You're welcome :)
OK, GPOs are replicated between all Domain Controllers WITHIN the same domain. That means you cannot replicate and set up GPOs from one domain in another. Of course it's possible to extract them, modify accordingly to the new domain and then import them to use.

Schema. Depends on scenario :]

1) One forest many domains
Schema is unique for entire forest. That means when you change schema, it's replicated to all DCs within forest and all its features are available in each domain

2) Two forests or more
Each forest has its own schema and those attributes are not replicated between forests' schema. They are applied only to those domains which are members of forest root domain

And the last step. Yes, it's possible, but I've never done this before :) One problem I can see is SMTP (TCP port 25) for mail system redirection between 2 different forests/domains, and TCP 80/443 for WWW when IIS is used.

Krzysztof
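The "extract, modify, import" route for moving a GPO into another domain, as an added example that is not part of the answer above: it backs the GPO up from the source domain, rewrites the domain-specific references with a migration table so the imported copy does not keep pointing at the source domain's groups and paths, and imports it into the target domain. The domain names, GPO name, group name and paths are hypothetical.

```powershell
# Added example: migrate one GPO between domains with the GroupPolicy module.
# GPOs (and their SYSVOL content) replicate only among the DCs of their own
# domain, so a cross-domain copy is a backup + import, not replication.
# Hypothetical values: corp.example (source), lab.example (target).
Import-Module GroupPolicy

$sourceDomain = 'corp.example'
$targetDomain = 'lab.example'
$gpoName      = 'Workstation Hardening'
$backupDir    = 'C:\GPOBackups'
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# 1. Export the GPO from the source domain.
$backup = Backup-GPO -Name $gpoName -Domain $sourceDomain -Path $backupDir `
                     -Comment "Migration to $targetDomain"

# 2. Migration table: map security principals and UNC paths that exist only in
#    the source domain onto their counterparts in the target domain.
$migTable = Join-Path $backupDir 'corp-to-lab.migtable'
@'
<?xml version="1.0" encoding="utf-8"?>
<MigrationTable xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/MigrationTable">
  <Mapping>
    <Type>GlobalGroup</Type>
    <Source>Workstation Admins@corp.example</Source>
    <Destination>Workstation Admins@lab.example</Destination>
  </Mapping>
  <Mapping>
    <Type>UNCPath</Type>
    <Source>\\corp.example\SYSVOL\corp.example\scripts</Source>
    <Destination>\\lab.example\SYSVOL\lab.example\scripts</Destination>
  </Mapping>
</MigrationTable>
'@ | Set-Content -Path $migTable -Encoding UTF8

# 3. Import into the target domain, creating the GPO there if it does not exist.
Import-GPO -BackupId $backup.Id -Path $backupDir -Domain $targetDomain `
           -TargetName $gpoName -MigrationTable $migTable -CreateIfNeeded

# 4. Confirm the copy lives in the target domain; link it to OUs there as needed
#    (a GPO from one domain is never linked directly in another).
Get-GPO -Name $gpoName -Domain $targetDomain |
    Select-Object DisplayName, DomainName, Id, ModificationTime
```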
 
LVL 17

Author Comment

by:Marius Gunnerud
ID: 36998654
Sorry one more post and I think things are clear for me :D

What is included in the Schema?  What would be an example of something that someone would change in the schema...if at all this would happen.
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36998712
The schema contains the definition of each object with its attributes. For example: when you create a new user within ADUC, that DC holds a read-only copy of the schema and uses the user class to create the user.

So, schema modification (the most common scenario) is for advertising new AD objects/features when you run ADPREP for new operating system to be able to use it as Domain Controller.

Another option is to use custom schema attributes for some 3rd party application (i.e. Novell Single Sign-on). It requires a schema modification to populate new objects and attributes to be able to use it.

Hope it's clear enough and I didn't mess that :)

Krzysztof
 
LVL 17

Author Comment

by:Marius Gunnerud
ID: 36998873
Thanks that did clear some of it up.

Been a big help
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36998896
You're welcome :)

Krzysztof
