Active Directory domain trust relationship question

Hello -
Having a complicated dilemma with the AD environment here. I'm sitting in the US in the corporate domain. I am not managing this internal AD; corporate IT does that.
I am managing three outside customer-facing domains. They are completely separate and are hosted in outside data centers in given countries.
I would like to centralize and manage all from one domain for the reasons of dual authentication and policies. So users will know only one login and I manage security from there: change password policies, group policies, etc. Make it more solid and secure.

What's the best way to accomplish that? Technologically and politically? IT won't give me access to their AD, and I don't really want to, and they don't want to manage it either. Can it be segregated to a subdomain per OU or something? Or migrate into one forest? Or what? Currently there is only a one-way trust from .com to the outside .int domains.
Please advise.

Mike Thomas (Consultant) commented:
Each domain is an administrative boundary, so as long as you have multiple domains you will probably be administering them separately, which may satisfy people. Although in the context of domains in a forest the forest is the security boundary, you can make some things easier but still have a definable administrative boundary, which might solve the political issues. But these domains would be subordinate to a root, and who would be looking after that? Would the persons responsible for those child domains be happy being subordinate to the enterprise? Do they even want trusts configured? Would they be OK leaving the schema in the hands of another?

This sort of integration really needs to come from the top (CEO/Director) because they are the ones who can MAKE people do as they are told. This is also usually led by a need for the company to streamline and work better together, so the IT side does not always lead the way but is a consequence of a corporate shake-up.

Leon Fester (Senior Solutions Architect) commented:
I fully agree with MojoTech, especially the part about CEO buy-in and making informed decisions.

While it may make your life easier to have a trust, you're also exposing all your domains if one of them is compromised.

We have two hosted datacenters running mirrored applications/servers and everything with intersite data replication for redundancy and high availability.
Yet we run each datacenter with its own domains/logins etc. for the exact reason mentioned above.

Your response to this kind of setup is to keep your datacenter design and configuration mirrored so that you can set up a policy/apply a fix to one datacenter... and then do the exact same to the others.

Specific control can be achieved through effective use of your Group Policies, which are exportable.

Oh yeah, don't forget to check the contract and other legal requirements for compliance to see if you can administer these domains like this.
The EU countries have some strict rules re: privacy, data retention and cross-border data movements.

Your company could find itself on the receiving end of a lawsuit if something goes wrong, and yourself out of a job.
I've seen this happen before.
This just reinforces what MojoTech said.
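The "keep the datacenters mirrored and export the Group Policies" approach above, as an added example that is not from the thread or its participants: a script that backs up a named set of GPOs from one independently administered domain and imports them into another, then compares modification times on both sides. It assumes the GroupPolicy RSAT module and Group Policy admin rights in both domains; the domain names, backup path and GPO names are placeholders I constructed.

```powershell
# Added example (not from the thread): mirror GPOs between two separately
# administered domains, so a policy change made in one datacenter can be
# replayed in the others without any trust between them.
Import-Module GroupPolicy

$SourceDomain = 'dc1.example.int'      # placeholder: domain where the change was made
$TargetDomain = 'dc2.example.int'      # placeholder: domain that must match it
$BackupPath   = Join-Path 'C:\GPOBackups' (Get-Date -Format 'yyyyMMdd')
$GpoNames     = @('Password Policy', 'Workstation Hardening')   # constructed GPO names

New-Item -ItemType Directory -Path $BackupPath -Force | Out-Null

foreach ($name in $GpoNames) {
    # Export the GPO (settings, not links) from the source domain.
    Backup-GPO -Name $name -Domain $SourceDomain -Path $BackupPath | Out-Null

    # Import into the target domain, creating the GPO there if it does not exist.
    # If the policy references domain-specific groups or UNC paths, supply a
    # migration table with -MigrationTable so those get remapped to the target domain.
    Import-GPO -BackupGpoName $name -TargetName $name -Domain $TargetDomain `
               -Path $BackupPath -CreateIfNeeded | Out-Null

    # Keep a readable report of what was pushed, for the change record.
    Get-GPOReport -Name $name -Domain $TargetDomain -ReportType Html `
                  -Path (Join-Path $BackupPath "$name-$TargetDomain.html")
}

# Verify both sides now carry the same policy by comparing modification times.
foreach ($name in $GpoNames) {
    $src = Get-GPO -Name $name -Domain $SourceDomain
    $dst = Get-GPO -Name $name -Domain $TargetDomain
    [pscustomobject]@{
        GPO            = $name
        SourceModified = $src.ModificationTime
        TargetModified = $dst.ModificationTime
        TargetGuid     = $dst.Id
    }
}
```

Import-GPO copies settings only; the imported GPO still has to be linked in the target domain (for example with New-GPLink against the matching OU). Password and lockout settings live in the Default Domain Policy, so for those the target name would be 'Default Domain Policy' rather than a custom GPO.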
Tiras25 (Author) commented:
Thank you both. So if I want them to be in one forest, does that mean the migration needs to be performed from the client-facing .int domains to the .com corporate domain?
Any other way to go around this?
Currently there is a one-way trust from .com to .int domains.
Leon Fester (Senior Solutions Architect) commented:
You say you're not managing it; how are you going to manage the domains after you've migrated from .int to .com?

The fact that there is a one-way trust already tells me that they don't want to allow access from the remote domains.
Currently, if the .int domain was compromised, then the trust would block remote access to your .com domain.

But to answer your question: yes, you migrate from .int to .com.
Since you don't administer the .com domain, you may wish to create an entirely new forest with a root domain and then migrate the .int domains as child domains.
You can then achieve centralized administration and user and resource segregation by using your root domain as a user domain; the child domains will then be resource domains with only computer accounts.
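The root-user-domain / child-resource-domain layout described above, as an added example that is not code from the thread or its participants: the ADDSDeployment cmdlets that create the forest root and then add one child domain per datacenter, followed by a check that each child reports the root as its parent and holds no user accounts beyond the built-in ones. It assumes the AD DS role is already installed on each server (Install-WindowsFeature AD-Domain-Services); the domain names, NetBIOS names and credentials are placeholders I constructed.

```powershell
# Added example (not from the thread): build a new forest whose root domain
# holds users and whose child domains are resource domains for each datacenter.
Import-Module ADDSDeployment

$RootDomain  = 'corp-root.example'   # placeholder forest root (not the existing .com)
$RootNetbios = 'CORPROOT'
$DsrmPwd     = Read-Host -AsSecureString 'Directory Services Restore Mode password'

# --- Step 1: first DC of the new forest (run once, on the root server) ---
$forest = @{
    DomainName                    = $RootDomain
    DomainNetbiosName             = $RootNetbios
    SafeModeAdministratorPassword = $DsrmPwd
    InstallDns                    = $true
    Force                         = $true   # no confirmation prompt; the server reboots on completion
}
Install-ADDSForest @forest

# --- Step 2: one child (resource) domain per datacenter ---
# Run this on a server in each datacenter after the root is up, authenticating
# as an Enterprise Admin of the new root. $Site is a placeholder (e.g. 'dc-eu').
$Site            = 'dc-eu'
$EnterpriseAdmin = Get-Credential -Message "$RootNetbios Enterprise Admin"
$child = @{
    NewDomainName                 = $Site                          # becomes dc-eu.corp-root.example
    ParentDomainName              = $RootDomain
    DomainType                    = 'ChildDomain'
    NewDomainNetbiosName          = $Site.ToUpper().Replace('-', '')
    Credential                    = $EnterpriseAdmin
    SafeModeAdministratorPassword = $DsrmPwd
    InstallDns                    = $true
    CreateDnsDelegation           = $true                          # delegate the child zone from the parent DNS
    Force                         = $true
}
Install-ADDSDomain @child

# --- Step 3: verify the shape of the forest once all DCs are back up ---
# Every child should name the root as ParentDomain, and only the root should
# carry user objects other than the built-in Administrator, Guest and krbtgt.
Import-Module ActiveDirectory
$builtin = @('Administrator', 'Guest', 'krbtgt')
foreach ($d in (Get-ADForest -Identity $RootDomain).Domains) {
    $userCount = @(Get-ADUser -Filter * -Server $d |
                   Where-Object { $_.SamAccountName -notin $builtin }).Count
    [pscustomobject]@{
        Domain          = $d
        ParentDomain    = (Get-ADDomain -Identity $d).ParentDomain
        NonBuiltinUsers = $userCount   # expected 0 for every child domain
    }
}
```

The verification in step 3 is the part worth re-running periodically: a child domain that starts accumulating user accounts has stopped being a resource domain, and as Mike noted the forest is the security boundary, so anyone who is Domain Admin in a child can still affect the whole forest.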
Tiras25 (Author) commented:
Thanks again, dvt! You're right, I won't be able to push IT to manage an additional 3 domains for me. They are busy enough with the .com corporate one.

So if I create an entirely new forest, that will be a new root domain and new logins for all the users. That would be a challenge also for all the external users.
Is there another way to segregate this?

Otherwise I will be stuck with exporting/importing group policies as a part of security management. Changing passwords, etc.
Leon Fester (Senior Solutions Architect) commented:
Your biggest challenge will be getting users to manage their new credentials.
While us "techies" are quite used to having multiple accounts and logging into various systems with a million passwords to remember, you'll find the normal users hate that.
And you don't want your users upset, because their bosses will call your bosses and your bosses will call your manager and your manager... you get the picture.
Long story short.... unnecessary.

Here's a high-level overview of the actions required.

1. Get hardware for the new forest: at least 1x DC for each domain (root + 3 child = 4). Actually you'd want 2x DCs at the end, but you can start with 1 each.
2. Get new IPs and subnets defined and routed.
3. Get server licences.
4. Build forest.
5. Set up security and GPOs on the new domain.
6. Set up user accounts.
7. Learn how to use ADMT.
8. Arrange downtime/training/testing with each datacenter.
9. Migrate old domains using ADMT.
10. Decommission old domains/reprovision old hardware.

And that's not even starting with the politics.
What is your technical justification?
Is the amount of work and cost justifiable?
What about ROI?

If you can't answer any of those questions satisfactorily, you'll lose a lot of face with the rest of the IT teams, management and techies.
Do you still want to go down this route?

You mentioned that you have the one-way trust.
A one-way trust is a unidirectional authentication path created between two domains. In a one-way trust between Domain A and Domain B, users in Domain A can access resources in Domain B. However, users in Domain B cannot access resources in Domain A. Some one-way trusts can be either nontransitive or transitive depending on the type of trust being created.

Confirm the direction of the trust.
If it IS .com to .int, then you should already be able to give user accounts from .com the necessary permissions to access the .int domain.

Read the following to get an understanding of providing cross-domain permissions.
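"Confirm the direction of the trust" is the step people get wrong most often, because Get-ADTrust reports direction from the point of view of the domain you query. As an added example that is not from the thread or its participants, here is a script that reads the trust between the corporate domain and one customer domain, spells out who can be granted access to what, and also reports the attributes that limit blast radius if the far side is compromised. It assumes the ActiveDirectory RSAT module and read access to the queried domain; the domain names are placeholders I constructed.

```powershell
# Added example (not from the thread): read the existing one-way trust and
# translate its Direction into plain language, plus the hardening attributes.
Import-Module ActiveDirectory

$Local  = 'corp.example.com'          # placeholder: domain you query (the .com side)
$Remote = 'customer1.example.int'     # placeholder: one of the hosted .int domains

# Direction semantics, from the perspective of $Local:
#   Outbound      = $Local trusts $Remote  -> $Remote accounts can be granted access to $Local resources
#   Inbound       = $Remote trusts $Local  -> $Local accounts can be granted access to $Remote resources
#   BiDirectional = both
function Describe-TrustDirection {
    param([string]$Direction, [string]$Local, [string]$Remote)
    switch ($Direction) {
        'Inbound'       { "accounts from $Local can be granted permissions in $Remote; $Remote accounts cannot reach $Local" }
        'Outbound'      { "accounts from $Remote can be granted permissions in $Local; $Local accounts cannot reach $Remote" }
        'BiDirectional' { "accounts on either side can be granted permissions in the other" }
        default         { "unknown direction '$Direction'" }
    }
}

$trusts = Get-ADTrust -Filter "Target -eq '$Remote'" -Server $Local
if (-not $trusts) {
    Write-Warning "No trust object for $Remote found in $Local; query the other side too, the object exists in both domains."
}

foreach ($t in $trusts) {
    [pscustomobject]@{
        Source                  = $t.Source
        Target                  = $t.Target
        Direction               = $t.Direction
        Meaning                 = Describe-TrustDirection $t.Direction $Local $Remote
        TrustType               = $t.TrustType            # Uplevel = Windows domain/forest trust
        ForestTransitive        = $t.ForestTransitive     # $true only for forest trusts
        IntraForest             = $t.IntraForest          # $false here: separate forests
        SIDFilteringQuarantined = $t.SIDFilteringQuarantined   # $true drops foreign SIDs carried in SIDHistory
        SelectiveAuthentication = $t.SelectiveAuthentication   # $true: only explicitly allowed accounts may authenticate
    }
}
```

Run it from both the .com and the .int side and the two Direction values should be mirror images (Outbound on one, Inbound on the other); if they are not, the trust is broken or misreported. For the "one domain compromised exposes the others" concern raised earlier, SIDFilteringQuarantined and SelectiveAuthentication are the two settings to look at before handing out cross-domain permissions: the first stops a compromised domain from injecting privileged SIDs via SIDHistory, the second means nobody from the other domain can authenticate to a resource unless they have been granted "Allowed to Authenticate" on it.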
Tiras25 (Author) commented:
Sorry for the delay on this.  Still looking into the options for this.