Active Directory domain trust relationship question

Posted on 2012-04-02
Last Modified: 2012-06-16
Hello -
Having a complicated dilemma with the AD environment here. I'm sitting in the US in the corporate domain. I am not managing this internal AD; corporate IT does that.
I am managing three outside, customer-facing domains, and they are completely separate and hosted in outside data centers in the given countries.
I would like to centralize and manage all of them from one domain for the reasons of dual authentication and policies. So users will know only one login, and I can manage security from there: change password policies, group policies, etc. Make it more solid and secure.

What's the best way to accomplish that? Technologically and politically? IT won't give me access to their AD, and I don't really want that, and they don't want to manage it either. Can it be segregated into a subdomain per OU or something? Or migrate into one forest? Or what? Currently there is only a one-way trust from .com to the outside .int domains.
Please advise.
Question by: Tiras25
LVL 24

Accepted Solution

Mike Thomas earned 125 total points
ID: 37799816
Each domain is an administrative boundary, so as long as you have multiple domains you will probably be administering them separately, which may satisfy people. Although, in the context of domains in a forest, the forest is the security boundary, so you can make some things easier but you can still have a definable administrative boundary, which might solve the political issues. But these domains would be subordinate to a root, and who would be looking after that? Would the persons responsible for those child domains be happy being subordinate to the enterprise? Do they even want trusts configured? Would they be OK leaving the schema in the hands of another?

This sort of integration really needs to come from the top (CEO/Director), because they are the ones who can MAKE people do as they are told. This is also usually led by a need for the company to streamline and work better together, so the IT side does not always lead the way but is a consequence of a corporate shake-up.
LVL 26

Assisted Solution

by:Leon Fester
Leon Fester earned 375 total points
ID: 37801866
I fully agree with MojoTech...
especially the part about CEO buy-in and making informed decisions.

While it may make your life easier to have a trust, you're also exposing all your domains if one of them is compromised.

We have two hosted datacenters running mirrored applications/servers and everything, with intersite data replication for redundancy and high availability.
Yet we run each datacenter with its own domains/logins etc. for the exact reason mentioned above.

Your response to this kind of setup is to keep your datacenter design and configuration mirrored so that you can set up a policy/apply a fix in one datacenter... and then do the exact same in the others.

Specific control can be achieved through effective use of your Group Policies, which are exportable.

Oh yeah, don't forget to check the contract and other legal requirements for compliance to see whether you can administer these domains like this.
The EU countries have some strict rules re: privacy, data retention and cross-border data movements.

Your company could find itself on the receiving end of a lawsuit if something goes wrong, and yourself out of a job.
I've seen this happen before.
This just reinforces what MojoTech said.
LVL 17

Author Comment

ID: 37803034
Thank you both. So if I want them to be in one forest, does that mean the migration needs to be performed from the client-facing .int domains to the .com corporate domain?
Is there any other way to go around this?
Currently there is a one-way trust from .com to the .int domains.
LVL 26

Assisted Solution

by:Leon Fester
Leon Fester earned 375 total points
ID: 37804928
You say you're not managing it; how are you going to manage the domains after you've migrated from .int to .com?

The fact that there is a one-way trust already tells me that they don't want to allow access from the remote domains.
Currently, if the .int domain was compromised, then the trust would block remote access to your .com domain.

But to answer your question: yes, you migrate from .int to .com.
Since you don't administer the .com domain, you may wish to create an entirely new forest with a root domain and then migrate the .int domains in as child domains.
You can then achieve centralized administration and user and resource segregation by using your root domain as a user domain; the child domains will then be resource domains with only computer accounts.
LVL 17

Author Comment

ID: 37807206
Thanks again, dvt! You're right, I won't be able to push IT to manage 3 additional domains for me. They are busy enough with the .com corporate one.

So if I were to create an entirely new forest, that would be a new root domain and new logins for all the users. That would be a challenge for all the external users as well.
Is there another way to segregate this?

Otherwise I will be stuck with exporting/importing group policies as part of security management. Changing passwords, etc.
LVL 26

Assisted Solution

by:Leon Fester
Leon Fester earned 375 total points
ID: 37809853
Your biggest challenge will be getting users to manage their new credentials.
While us "techies" are quite used to having multiple accounts and logging into various systems with a million passwords to remember, you'll find the normal users hate that.
And you don't want your users upset, because their bosses will call your bosses, and your bosses will call your manager, and your manager... you get the picture.
Long story short... unnecessary.

Here's a high level overview of the actions required.

1. Get hardware for the new forest: at least 1x DC for each domain (root + 3 child = 4). Actually you'd want 2x DCs in the end, but you can start with 1 each.
2. Get new IPs and subnets defined and routed.
3. Get server licences.
4. Build the forest.
5. Set up security and GPOs in the new domain.
6. Set up user accounts.
7. Learn how to use ADMT.
8. Arrange downtime/training/testing with each datacenter.
9. Migrate the old domains using ADMT.
10. Decommission the old domains/reprovision the old hardware.

And that's not even starting with the politics.
What is your technical justification?
Is the amount of work and cost justifiable?
What about ROI?

If you can't answer any of those questions satisfactorily, you'll lose a lot of face to the rest of the IT teams. Management and techies.
Do you still want to go down this route?

You mentioned that you have the one-way trust.
A one-way trust is a unidirectional authentication path created between two domains. In a one-way trust between Domain A and Domain B, users in Domain A can access resources in Domain B. However, users in Domain B cannot access resources in Domain A. Some one-way trusts can be either nontransitive or transitive depending on the type of trust being created.

Confirm the direction of the trust.
If it IS .com to .int, then you should already be able to give user accounts from .com the necessary permissions to access the .int domain.

Read the following to get an understanding of providing cross-domain permissions.
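One way to confirm the trust direction from the console, as an added example that is not part of this thread: the script below enumerates the trusts of the domain the host is joined to and spells out, for each one, which side can be granted access to the other. It also reports the selective-authentication and SID-filtering flags, which are the settings that limit how far a compromise of a trusted domain can reach across the trust. It assumes the RSAT ActiveDirectory module is installed and that the account has rights to read trust objects; the `-Server` default is an assumption for convenience.

```powershell
# Added example: summarize every trust of a domain and translate the Direction
# property, which is always relative to the Source domain, into plain language.
# Assumes the RSAT ActiveDirectory module; not code from the original thread.
Import-Module ActiveDirectory

function Get-TrustSummary {
    param(
        # Domain (or DC) to query; defaults to the current user's DNS domain (assumption).
        [string]$Server = $env:USERDNSDOMAIN
    )

    Get-ADTrust -Filter * -Server $Server | ForEach-Object {
        $t     = $_            # keep a handle; $_ is rebound inside 'switch'
        $here  = $t.Source     # the domain the trust object was read from
        $there = $t.Target     # the partner domain named in the trust

        $meaning = switch ("$($t.Direction)") {
            # Outbound: $here trusts $there, so $there's accounts can be granted access here.
            'Outbound'      { "$here trusts $there: accounts from $there can be given permissions in $here" }
            # Inbound: $there trusts $here, so $here's accounts can be granted access there.
            'Inbound'       { "$there trusts $here: accounts from $here can be given permissions in $there" }
            'BiDirectional' { "two-way: accounts from either domain can be given permissions in the other" }
            default         { "unrecognized direction '$($t.Direction)'" }
        }

        [pscustomobject]@{
            Source                  = $here
            Target                  = $there
            Direction               = $t.Direction
            Meaning                 = $meaning
            TrustType               = $t.TrustType
            ForestTransitive        = $t.ForestTransitive
            IntraForest             = $t.IntraForest
            # Defensive settings to confirm on any trust to an externally hosted domain:
            # SelectiveAuthentication restricts which trusted accounts may authenticate here;
            # SIDFilteringQuarantined discards SIDs the trusted side has no right to assert.
            SelectiveAuthentication = $t.SelectiveAuthentication
            SIDFilteringQuarantined = $t.SIDFilteringQuarantined
        }
    }
}

Get-TrustSummary | Format-List
```

Run it from the .int side: an entry with Direction `Outbound` and Target set to the .com domain is the ".com to .int" trust the thread describes, since it lets .com accounts be granted permissions on .int resources.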
LVL 17

Author Comment

ID: 37867165
Sorry for the delay on this. Still looking into the options.
