Active directory Domain trusts relationship question

Posted on 2012-04-02
Medium Priority
Last Modified: 2012-06-16
Hello -
Having a complicated dilemma with the AD environment here. I'm sitting in the US in the company.com corporate domain. I am not managing this internal AD; corporate IT does that.
I am managing three outside customer-facing domains, companyUS.int, companyUK.int and companyDE.int. They are completely separate and are being hosted in outside data centers in the given countries.
I would like to centralize and manage all of them from one company.com domain for the reasons of dual authentication and policies. So users will know only one login, users@company.com, and security is managed from there: change password policies, group policies, etc. Make it more solid and secure.

What's the best way to accomplish that? Technologically and politically? IT won't give me access to their AD, and I don't really want it, and they don't want to manage it either. Can it be segregated to a subdomain per OU or something? Or migrate into one forest? Or what? Currently there is only a one-way trust from .com to the outside .int domains.
Please advise.
Question by:Tiras25
LVL 24

Accepted Solution

Mike Thomas earned 500 total points
ID: 37799816
Each domain is an administrative boundary, so as long as you have multiple domains you will probably be administering them separately, which may satisfy people. Although, in the context of domains in a forest, the forest is the security boundary, so you can make some things easier, but you can still have a definable administrative boundary, which might solve the political issues. But these domains would be subordinate to any root, and who would be looking after that? And would the persons responsible for those child domains be happy being subordinate to the enterprise? Do they even want trusts configured? Would they be OK leaving the schema in the hands of another?

This sort of integration really needs to come from the top (CEO/Director) because they are the ones who can MAKE people do as they are told. This is also usually led by a need for the company to streamline and work better together, so the IT side does not always lead the way but is a consequence of a corporate shake-up.
LVL 26

Assisted Solution

by:Leon Fester
Leon Fester earned 1500 total points
ID: 37801866
I fully agree with MojoTech...
especially the part about CEO buy-in and making informed decisions.

While it may make your life easier by having a trust, you're also exposing all your domains if one of them is compromised.

We have two hosted datacenters running mirrored applications/servers and everything with intersite data replication for redundancy and high availability.
Yet we run each datacenter with its own domains/logins etc. for the exact reason mentioned above.

Your response to this kind of setup is to keep your datacenter design and configuration mirrored so that you can set up a policy/apply a fix to one datacenter... and then do the exact same to the others.

Specific control can be achieved through effective use of your Group Policies which are exportable.

Oh yeah, don't forget to check the contract and other legal requirements for compliance to see if you can administer these domains like this.
The EU countries have some strict rules re: privacy, data retention and cross-border data movements.

Your Company could find itself on the receiving end of a lawsuit if something goes wrong and yourself out of a job.
I've seen this happen before.
This just reinforces what MojoTech said.
LVL 17

Author Comment

ID: 37803034
Thank you both. So if I want them to be in one forest, does that mean the migration needs to be performed from the client-facing .int domains to the .com corporate domain?
Any other way to go around this?
Currently there is a one-way trust from .com to the .int domains.
LVL 26

Assisted Solution

by:Leon Fester
Leon Fester earned 1500 total points
ID: 37804928
You say you're not managing company.com... so how are you going to manage the domains after you've migrated from .int to .com?

The fact that there is a one-way trust already tells me that they don't want to allow access from the remote domains.
Currently, if the .int domain was compromised, then the trust would block remote access to your .com domain.

But to answer your question, yes, you migrate from .int to .com.
Since you don't administer the .com domain, you may wish to create an entirely new forest, with a root domain and then migrate the .int domains as child domains.
You can then achieve centralized administration and user and resource segregation by using your root domain as a user domain and the child domains will then be resource domains with only computer accounts.
LVL 17

Author Comment

ID: 37807206
Thanks again, dvt! You're right, I won't be able to push IT to manage an additional 3 domains for me. They are busy enough with the .com corporate one.

So if I create an entirely new forest, that will be a new root domain and new logins for all the users. That would be a challenge also for all the external users.
Is there another way to segregate this?

Otherwise I will be stuck with exporting/importing group policies as a part of security management. Changing passwords, etc.
LVL 26

Assisted Solution

by:Leon Fester
Leon Fester earned 1500 total points
ID: 37809853
Your biggest challenge will be getting users to manage their new credentials.
While us "techies" are quite used to having multiple accounts and logging into various systems with a million passwords to remember, you'll find the normal users hate that.
And you don't want your users upset, because their bosses will call your bosses and your bosses will call your manager and your manager will... you get the picture.
Long story short... unnecessary.

Here's a high level overview of the actions required.

1. Get hardware for the new forest: at least 1x DC for each domain (root + 3 child = 4). Actually you'd want 2x DCs at the end, but you can start with 1 each.
2. Get new IPs and subnets defined and routed.
3. Get server licences.
4. Build the forest.
5. Set up security and GPOs on the new domain.
6. Set up user accounts.
7. Learn how to use ADMT.
8. Arrange downtime/training/testing with each datacenter.
9. Migrate the old domains using ADMT.
10. Decommission the old domains/reprovision the old hardware.

And that's not even starting with the politics.
What is your technical justification?
Is the amount of work and cost justifiable?
What about ROI?

If you can't answer any of those questions satisfactorily, you'll lose a lot of face to the rest of the IT teams. Management and techies.
Do you still want to go down this route?

You mentioned that you have the one-way trust.
A one-way trust is a unidirectional authentication path created between two domains. In a one-way trust between Domain A and Domain B, users in Domain A can access resources in Domain B. However, users in Domain B cannot access resources in Domain A. Some one-way trusts can be either nontransitive or transitive depending on the type of trust being created.

Confirm the direction of the trust.
If it IS .com to .int, then you should already be able to provide user accounts from .com the necessary permissions to access the .int domain.

Read the following to get an understanding of providing cross-domain permissions.
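An added example, not from the answer above: the direction check it recommends, done from a domain controller or RSAT host in whichever domain you can query (it assumes the ActiveDirectory PowerShell module, Windows Server 2012 or later, and read access to the trust objects). Direction is reported relative to the queried domain, so the same trust reads Inbound on one side and Outbound on the other; the script spells that out and also surfaces the SID filtering and selective authentication settings that limit the "one compromised domain exposes the others" risk mentioned earlier in the thread.

```powershell
# Added example (not the original poster's or answerer's code).
# Assumes: ActiveDirectory module (RSAT / Server 2012+) and read access to the local domain.
Import-Module ActiveDirectory

function Get-TrustReport {
    $local = (Get-ADDomain).DNSRoot

    Get-ADTrust -Filter * | ForEach-Object {
        # Direction is relative to the domain being queried ($local):
        #   Outbound      = $local trusts the target; the target's accounts can be granted access here
        #   Inbound       = the target trusts $local; $local accounts can be granted access there
        #   BiDirectional = both
        $meaning = switch ($_.Direction) {
            'Outbound'      { "$local trusts $($_.Target): $($_.Target) accounts can be granted access in $local" }
            'Inbound'       { "$($_.Target) trusts $local: $local accounts can be granted access in $($_.Target)" }
            'BiDirectional' { "two-way: accounts on either side can be granted access on the other" }
            default         { "unrecognised direction value: $($_.Direction)" }
        }

        [PSCustomObject]@{
            Queried                 = $local
            Target                  = $_.Target
            Direction               = $_.Direction
            Meaning                 = $meaning
            TrustType               = $_.TrustType
            ForestTransitive        = $_.ForestTransitive
            # $true means SID history from the other side is ignored (SID filtering on).
            # $false widens the blast radius if the trusted side is compromised.
            SIDFilteringQuarantined = $_.SIDFilteringQuarantined
            # $true means trusted-side accounts only reach servers explicitly granted
            # "Allowed to Authenticate", instead of every server in the trusting domain.
            SelectiveAuthentication = $_.SelectiveAuthentication
        }
    }
}

Get-TrustReport | Format-Table -AutoSize
```

Run it once in .com and once in an .int domain; the pair of Direction values tells you unambiguously which side is the trusting domain, and any trust showing SIDFilteringQuarantined = False or SelectiveAuthentication = False is worth a second look before granting cross-domain permissions.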
LVL 17

Author Comment

ID: 37867165
Sorry for the delay on this. Still looking into the options for this.
