Solved

Active directory Domain trusts relationship question

Posted on 2012-04-02
623 Views
Last Modified: 2012-06-16
Hello -
Having a complicated dilemma with the AD environment here.   I'm sitting in the US in the company.com corporate domain. I am not managing this internal AD; corporate IT does that.
I am managing three outside customer-facing domains: companyUS.int, companyUK.int and companyDE.int.  They are completely separate and are hosted in outside data centers in the given countries.
I would like to centralize and manage all of them from the one company.com domain for the reasons of dual authentication and policies.  So users will know only one login, users@company.com, and security is managed from there: change password policies, group policies, etc.  Make it more solid and secure.

What's the best way to accomplish that?  Technologically and politically?  IT won't give me access to their AD, and I don't really want to, and they don't want to manage it either. Can it be segregated to a subdomain per OU or something?  Or migrate into one forest? Or what?  Currently there is only a one-way trust from .com to the outside .int domains.
Please advise.
Question by:Tiras25
7 Comments
LVL 24

Accepted Solution

by:
Mike Thomas earned 125 total points
ID: 37799816
Each domain is an administrative boundary, so as long as you have multiple domains you will probably be administering them separately, which may satisfy people. Although in the context of domains in a forest the forest is the security boundary, so you can make some things easier, you can still have a definable administrative boundary, which might solve the political issues. But these domains would be subordinate to any root, and who would be looking after that? Would the persons responsible for those child domains be happy being subordinate to the enterprise? Do they even want trusts configured? Would they be OK leaving the schema in the hands of another?

This sort of integration really needs to come from the top (CEO/Director) because they are the ones who can MAKE people do as they are told. This is also usually led by a need for the company to streamline and work better together, so the IT side does not always lead the way but is a consequence of a corporate shake-up.
LVL 26

Assisted Solution

by:Leon Fester
Leon Fester earned 375 total points
ID: 37801866
I fully agree with MojoTech...
especially the part about CEO buy-in and making informed decisions.

While it may make your life easier by having a trust, you're also exposing all your domains if one of them is compromised.

We have two hosted datacenters running mirrored applications/servers and everything with intersite data replication for redundancy and high availability.
Yet we run each datacenter with their own domains/logins etc. for the exact reason mentioned above.

Your response to this kind of setup is to keep your datacenter design and configuration mirrored so that you can set up a policy/apply a fix to one datacenter....and then do the exact same to the others.

Specific control can be achieved through effective use of your Group Policies which are exportable.

Oh yeah, don't forget to check the contract and other legal requirements for compliance to see whether you can administer these domains like this.
The EU countries have some strict rules re: privacy, data retention and cross-border data movements.

Your Company could find itself on the receiving end of a lawsuit if something goes wrong and yourself out of a job.
I've seen this happen before.
This just reinforces what MojoTech said.
LVL 17

Author Comment

by:Tiras25
ID: 37803034
Thank you both.  So if I want them to be in one forest does that mean the migration needs to be performed from client facing .int domains to .com corporate domain?
Any other way to go around this?
Currently there is a one-way trust from .com to .int domains.
LVL 26

Assisted Solution

by:Leon Fester
Leon Fester earned 375 total points
ID: 37804928
You say you're not managing company.com...so how are you going to manage the domains after you've migrated from .int to .com?

The fact that there is a one-way trust already tells me that they don't want to allow access from the remote domains.
Currently, if the .int domain was compromised, then the trust would block remote access to your .com domain.

But to answer your question, yes, you migrate from .int to .com.
Since you don't administer the .com domain, you may wish to create an entirely new forest, with a root domain and then migrate the .int domains as child domains.
You can then achieve centralized administration and user and resource segregation by using your root domain as a user domain and the child domains will then be resource domains with only computer accounts.
LVL 17

Author Comment

by:Tiras25
ID: 37807206
Thanks again, dvt! You're right, I won't be able to push IT to manage 3 additional domains for me.  They are busy enough with the .com corporate one.

So if I create an entirely new forest, that will be a new root domain and new logins for all the users. That would be a challenge also for all the external users.
Is there another way to segregate this?

Otherwise I will be stuck with exporting/importing group policies as a part of security management.  Changing passwords, etc.
LVL 26

Assisted Solution

by:Leon Fester
Leon Fester earned 375 total points
ID: 37809853
Your biggest challenge will be getting users to manage their new credentials.
While us "techies" are quite used to having multiple accounts and logging into various systems with a million passwords to remember, you'll find the normal users hate that.
And you don't want your users upset, because their bosses will call your bosses and your bosses will call your manager and your manager will...you get the picture.
Long story short....unnecessary.

Here's a high level overview of the actions required.

1. Get hardware for the new forest: at least 1x DC for each domain (root + 3 child = 4). Actually you'd want 2x DCs at the end, but you can start with 1 each.
2. Get new IPs and subnets defined and routed.
3. Get server licences.
4. Build the forest.
5. Set up security and GPOs on the new domain.
TEST! TEST! TEST!
6. Set up user accounts.
7. Learn how to use ADMT.
TEST! TEST! TEST!
8. Arrange downtime/training/testing with each datacenter.
9. Migrate old domains using ADMT.
TEST! TEST! TEST!
10. Decommission old domains/reprovision old hardware.
TEST! TEST! TEST!

And that's not even starting with the politics.
What is your technical justification?
Is the amount of work and cost justifiable?
What about ROI?

If you can't answer any of those questions satisfactorily, you'll lose a lot of face to the rest of the IT teams. Management and techies.
Do you still want to go down this route?

You mentioned that you have the one-way trust.
A one-way trust is a unidirectional authentication path created between two domains. In a one-way trust between Domain A and Domain B, users in Domain A can access resources in Domain B. However, users in Domain B cannot access resources in Domain A. Some one-way trusts can be either nontransitive or transitive depending on the type of trust being created.
http://technet.microsoft.com/en-us/library/cc773178(v=ws.10).aspx

Confirm the direction of the trust.
If it IS .com to .int then you should already be able to give user accounts from .com the necessary permissions to access the .int domain.

Read the following to get an understanding of providing cross-domain permissions.
http://ss64.com/nt/syntax-groups.html
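To check the trust direction before relying on it, as the post above advises, here is an added PowerShell example (not code from the thread or its posters) that lists every trust of the queried domain, translates the Direction property into which way accounts flow, and flags trusts without SID filtering or selective authentication. It assumes the ActiveDirectory RSAT module on a domain-joined host; the Get-TrustSummary function and its -Server parameter are my own names.

```powershell
# Added example, not code from the thread. Assumes the ActiveDirectory RSAT
# module and a domain-joined host in the domain whose trusts are inspected.
Import-Module ActiveDirectory

function Get-TrustSummary {
    param([string]$Server)   # optional domain or DC to query, e.g. 'company.com'
    $query = @{ Filter = '*' }
    if ($Server) { $query['Server'] = $Server }

    Get-ADTrust @query | ForEach-Object {
        $t = $_
        # Direction is relative to the queried (Source) domain:
        #   Outbound      = Source trusts Target: Target accounts can be granted access in Source
        #   Inbound       = Target trusts Source: Source accounts can be granted access in Target
        #   BiDirectional = both (always the case for parent/child trusts inside a forest)
        $flow = switch ($t.Direction) {
            'Outbound'      { "$($t.Target) accounts -> resources in $($t.Source)" }
            'Inbound'       { "$($t.Source) accounts -> resources in $($t.Target)" }
            'BiDirectional' { 'accounts flow both ways' }
            default         { "unknown ($($t.Direction))" }
        }

        $warnings = @()
        # SID filtering (quarantine, or forest-aware filtering on forest trusts)
        # stops SID-history injection from the trusted side; selective
        # authentication limits trusted accounts to servers you explicitly allow.
        if (-not ($t.SIDFilteringQuarantined -or $t.SIDFilteringForestAware)) {
            $warnings += 'SID filtering disabled'
        }
        if (-not $t.SelectiveAuthentication) {
            $warnings += 'domain-wide authentication (selective auth off)'
        }
        if ($t.ForestTransitive) {
            $warnings += 'forest-transitive: reaches every domain in the other forest'
        }

        [pscustomobject]@{
            Source   = $t.Source
            Target   = $t.Target
            Type     = $t.TrustType
            Flow     = $flow
            Warnings = ($warnings -join '; ')
        }
    }
}

Get-TrustSummary | Format-Table -AutoSize
```

Run it once from the .com side and once from each .int side: a trust that shows Inbound on company.com and Outbound on companyUS.int is the ".com to .int" arrangement the thread describes, and any row with a warning is where the one-way trust still exposes the .com domain if an .int domain is compromised.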
LVL 17

Author Comment

by:Tiras25
ID: 37867165
Sorry for the delay on this.  Still looking into the options for this.