Solved

Active directory Domain trusts relationship question

Posted on 2012-04-02
Last Modified: 2012-06-16
Hello -
Having a complicated dilemma with the AD environment here.   I'm sitting in the US in the company.com corporate domain. I am not managing this internal AD, corporate IT does that.
 I am managing three outside customer-facing domains, companyUS.int, companyUK.int and companyDE.int.  They are completely separate and are being hosted in outside data centers in the given countries.
I would like to centralize and manage all of them from the one company.com domain, for the reasons of dual authentication and policies.  So users will know only one login, user@company.com, and security is managed from there: change password policies, group policies, etc.  Make it more solid and secure.

What's the best way to accomplish that?  Technologically and politically?  IT won't give me access to their AD, and I don't really want it, and they don't want to manage it either. Can it be segregated into a subdomain per OU or something?  Or migrate into one forest? Or what?  Currently there is only a one-way trust from .com to the outside .int domains.
Please advise.
Question by: Tiras25

Accepted Solution by: MojoTech (earned 125 total points)
Each domain is an administrative boundary, so as long as you have multiple domains you will probably be administering them separately, which may satisfy people. Although, in the context of domains in a forest, the forest is the security boundary, so you can make some things easier but still have a definable administrative boundary, which might solve the political issues. But these domains would be subordinate to some root, and who would be looking after that? Would the persons responsible for those child domains be happy being subordinate to the enterprise? Do they even want trusts configured? Would they be OK leaving the schema in the hands of another?

This sort of integration really needs to come from the top (CEO/Director), because they are the ones who can MAKE people do as they are told. This is also usually led by a need for the company to streamline and work better together, so the IT side does not always lead the way but is a consequence of a corporate shake-up.

Assisted Solution by: Leon Fester (earned 375 total points)
I fully agree with MojoTech...
especially the part about CEO buy-in and making informed decisions.

While it may make your life easier by having a trust, you're also exposing all your domains if one of them is compromised.

We have two hosted datacenters running mirrored applications/servers and everything, with intersite data replication for redundancy and high availability.
Yet we run each datacenter with its own domains/logins etc. for the exact reason mentioned above.

Your response to this kind of setup is to keep your datacenter design and configuration mirrored, so that you can set up a policy/apply a fix to one datacenter....and then do the exact same to the others.

Specific control can be achieved through effective use of your Group Policies, which are exportable.

Oh yeah, don't forget to check the contract and other legal requirements for compliance, to see if you can administer these domains like this.
The EU countries have some strict rules re: privacy, data retention and cross-border data movements.

Your company could find itself on the receiving end of a lawsuit if something goes wrong, and yourself out of a job.
I've seen this happen before.
This just reinforces what MojoTech said.

Author Comment by: Tiras25
Thank you both.  So if I want them to be in one forest does that mean the migration needs to be performed from client facing .int domains to .com corporate domain?
Any other way to go around this?
Currently there is a one-way trust from .com to .int domains.

Assisted Solution by: Leon Fester (earned 375 total points)
You say you're not managing company.com...so how are you going to manage the domains after you've migrated from .int to .com?

The fact that there is a one-way trust already tells me that they don't want to allow access from the remote domains.
Currently, if the .int domain was compromised, then the trust would block remote access to your .com domain.

But to answer your question, yes, you migrate from .int to .com.
Since you don't administer the .com domain, you may wish to create an entirely new forest, with a root domain and then migrate the .int domains as child domains.
You can then achieve centralized administration and user and resource segregation by using your root domain as a user domain and the child domains will then be resource domains with only computer accounts.
0
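The root-as-account-domain, children-as-resource-domains layout Leon describes, as an added example that is not part of the thread or of Experts Exchange. The names are hypothetical (forest root corp.example with NetBIOS name CORP, child domains us, uk and de); it assumes the ADDSDeployment module from Windows Server 2012 or later and one fresh member server per domain controller.

```powershell
# Added example, not code from the thread. Builds one forest root that holds
# the user and admin accounts plus one child (resource) domain per
# datacenter that holds only computer accounts. All names are hypothetical:
# root corp.example / CORP, children us, uk, de.

Import-Module ADDSDeployment
Import-Module ActiveDirectory

# Directory Services Restore Mode password, prompted once per server build.
$dsrm = Read-Host -AsSecureString 'DSRM password'

# Step "build forest": the first DC of the root (account) domain.
# Run this on the root server only; it reboots when finished.
function New-AccountForest {
    Install-ADDSForest -DomainName 'corp.example' -DomainNetbiosName 'CORP' `
        -ForestMode Win2012 -DomainMode Win2012 -InstallDns `
        -SafeModeAdministratorPassword $dsrm -Force
}

# One child (resource) domain per datacenter. Run once on the first DC of
# each child, after the root is resolvable over DNS. The parent-child trust
# is created automatically, two-way and transitive, and cannot be made
# selective; that is why the forest, not the domain, is the security
# boundary MojoTech refers to.
function New-ResourceDomain {
    param([ValidateSet('us', 'uk', 'de')][string]$Name)
    Install-ADDSDomain -NewDomainName $Name -ParentDomainName 'corp.example' `
        -NewDomainNetbiosName $Name.ToUpper() -DomainType ChildDomain `
        -InstallDns -CreateDnsDelegation `
        -Credential (Get-Credential -Message 'Enterprise Admin' -UserName 'CORP\Administrator') `
        -SafeModeAdministratorPassword $dsrm -Force
}

# Lists the intra-forest trusts that now exist. Treat Domain Admin in any
# child as equivalent to control of the forest (Microsoft documents the
# forest as the security boundary), which is the reason to keep user and
# admin accounts out of the child domains.
function Show-ForestTrusts {
    Get-ADTrust -Filter { IntraForest -eq $true } -Server 'corp.example' |
        Select-Object Source, Target, Direction, ForestTransitive, SIDFilteringQuarantined
}

# Usage, on the respective servers:
#   New-AccountForest            # on the first root DC
#   New-ResourceDomain -Name us  # on the first DC in the US datacenter
#   Show-ForestTrusts            # from any admin host once both are up
```

The functions are run on different machines (Install-ADDSForest on the root server, Install-ADDSDomain on the first server of each child), so they are shown as separate calls rather than a loop. Keeping only computer accounts in the child domains does not change the trust picture; it just limits what a compromised resource domain holds.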

Author Comment by: Tiras25
Thanks again, dvt! You're right, I won't be able to push IT to manage an additional 3 domains for me.  They are busy enough with the .com corporate one.  

So if I create an entirely new forest, that will be a new root domain and new logins for all the users. That would also be a challenge for all the external users.  
Is there another way to segregate this?

Otherwise I will be stuck with exporting/importing group policies as part of security management.  Changing passwords, etc.

Assisted Solution by: Leon Fester (earned 375 total points)
Your biggest challenge will be getting users to manage their new credentials.
While us "techies" are quite used to having multiple accounts and logging into various systems with a million passwords to remember, you'll find the normal users hate that.
And you don't want your users upset, because their bosses will call your bosses and your bosses will call your manager and your manager will...you get the picture.
Long story short....unnecessary.

Here's a high level overview of the actions required.

1. get hardware for the new forest: at least 1x DC for each domain (root + 3 child = 4); actually you'd want 2x DCs at the end, but you can start with 1 each.
2. get new IPs and subnets defined and routed
3. get server licences
4. Build forest
5. Setup security and GPOs on the new domain
TEST!TEST!TEST!
6. Setup user accounts
7. Learn how to use ADMT
TEST!TEST!TEST!
8. Arrange downtime/training/testing with each datacenter
9. Migrate old domains using ADMT
TEST!TEST!TEST!
10. Decommission old domains/reprovision old hardware
TEST!TEST!TEST!

And that's not even starting with the politics.
What is your technical justification?
Is the amount of work and cost justifiable?
What about ROI?

If you can't answer any of those questions satisfactorily, you'll lose a lot of face to the rest of the IT teams. Management and techies.
Do you still want to go down this route?

You mentioned that you have the one-way trust.
A one-way trust is a unidirectional authentication path created between two domains. In a one-way trust between Domain A and Domain B, users in Domain A can access resources in Domain B. However, users in Domain B cannot access resources in Domain A. Some one-way trusts can be either nontransitive or transitive depending on the type of trust being created.
http://technet.microsoft.com/en-us/library/cc773178(v=ws.10).aspx

Confirm the direction of the trust.
If it IS .com to .int then you should already be able to give user accounts from .com the necessary permissions to access the .int domain.

Read the following to get an understanding of providing cross-domain permissions.
http://ss64.com/nt/syntax-groups.html
0
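Confirming the trust direction and then granting .com accounts access to a .int resource through group nesting, as an added example that is not part of the thread or of Experts Exchange. It also reports the two trust settings that matter for the exposure Leon raises in his earlier comments (SID filtering and selective authentication). Hypothetical names: the resource domain is companyUS.int, the trusted corporate domain is company.com, the corporate global group is Sales-Staff, the folder is D:\Shares\Sales; it assumes RSAT's ActiveDirectory module on an admin host joined to companyUS.int.

```powershell
# Added example, not code from the thread. Hypothetical names throughout:
# resource domain companyUS.int, account domain company.com, group
# Sales-Staff, folder D:\Shares\Sales.

Import-Module ActiveDirectory

# What the existing one-way trust permits, seen from the resource domain.
# Direction 'Outbound' here means "companyUS.int trusts company.com":
# company.com accounts can be granted access to companyUS.int resources,
# and nothing flows the other way.
function Get-TrustPosture {
    param([string]$ResourceDomain, [string]$AccountDomain)
    $trust = Get-ADTrust -Filter { Target -eq $AccountDomain } -Server $ResourceDomain
    if (-not $trust) { throw "No trust object for $AccountDomain in $ResourceDomain" }
    [pscustomobject]@{
        Target                  = $trust.Target
        Direction               = $trust.Direction
        CorpUsersCanAccessHere  = $trust.Direction -in 'Outbound', 'BiDirectional'
        # SID filtering (quarantine) discards SIDs that do not belong to the
        # trusted domain, so SIDHistory injected on the company.com side
        # cannot claim companyUS.int group memberships. On by default for
        # external trusts; keep it on.
        SIDFilteringQuarantined = $trust.SIDFilteringQuarantined
        # With selective authentication, trusted accounts also need the
        # 'Allowed to Authenticate' right on each computer object they use,
        # which bounds the damage if the trusted side is compromised.
        # Off by default.
        SelectiveAuthentication = $trust.SelectiveAuthentication
    }
}

# AGDLP across the trust: corporate users are in a Global group in
# company.com, that group is nested in a Domain Local group in the resource
# domain, and only the Domain Local group appears in the ACL.
function Grant-CrossDomainShareAccess {
    param(
        [string]$ResourceDomain,
        [string]$AccountDomain,
        [string]$CorpGlobalGroup,
        [string]$LocalGroupName,
        [string]$Path
    )
    $posture = Get-TrustPosture -ResourceDomain $ResourceDomain -AccountDomain $AccountDomain
    if (-not $posture.CorpUsersCanAccessHere) {
        throw "Trust direction is $($posture.Direction); $AccountDomain accounts cannot authenticate to $ResourceDomain"
    }

    # Domain Local is the only group scope that can hold principals from an
    # external trusted domain.
    $dl = Get-ADGroup -Filter { Name -eq $LocalGroupName } -Server $ResourceDomain
    if (-not $dl) {
        $dl = New-ADGroup -Name $LocalGroupName -GroupScope DomainLocal -GroupCategory Security `
            -Server $ResourceDomain -PassThru
    }

    # Nesting the corporate group creates a foreign security principal for
    # it under CN=ForeignSecurityPrincipals in the resource domain. The
    # member must be passed as the object fetched from the trusted domain,
    # not as a bare name.
    $corp = Get-ADGroup -Identity $CorpGlobalGroup -Server $AccountDomain
    Add-ADGroupMember -Identity $dl -Members $corp -Server $ResourceDomain

    # ACE by SID of the local group: the ACL never names a remote principal,
    # and access is revoked by changing group membership, not by editing ACLs.
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $dl.SID, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Usage
Get-TrustPosture -ResourceDomain 'companyUS.int' -AccountDomain 'company.com'
Grant-CrossDomainShareAccess -ResourceDomain 'companyUS.int' -AccountDomain 'company.com' `
    -CorpGlobalGroup 'Sales-Staff' -LocalGroupName 'ACL-Sales-Modify' -Path 'D:\Shares\Sales'
```

If Get-TrustPosture reports Direction 'Inbound' from the .int side, the trust runs the opposite way to what the thread assumes and .com accounts cannot be granted anything in .int. Enabling selective authentication on the trust is the setting to look at if the concern is a compromised .com reaching every .int server by default.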

Author Comment by: Tiras25
Sorry for the delay on this.  Still looking into the options for this.