Solved

Creating a trust between two domains

Posted on 2013-05-11
Last Modified: 2013-05-20
I am in the process of setting up a trust between two separate domains. Traffic is already able to flow from domain to domain as I have a direct cable connecting the two core switches. This has been going on for a few months now. A few weeks ago I set up a stub zone in DNS on both sides. Thus far I have not seen any issues. I am about ready to implement the two-way trust between the two. I have never done this and I really do not have anyone I can authoritatively ask questions of. I am not really sure what to expect when I turn the trust on. What should I see? What should I not see? What could go wrong? If something goes wrong, can I turn it off and go back to how it was until whatever issue is fixed?

For a little background, both sides are at a Server 2008 / 2008 R2 level. I do not have any 2003 or later domain controllers. I do have users with accounts on both sides and I am running Exchange 2010 on both sides.

The process itself is simple enough and I do not really anticipate any issues, but not having anyone to talk to about it and doing something like this when it can be potentially problematic is a bit unnerving, especially since it is joining two different live networks that control two businesses.

Thanks in advance for any comments or suggestions.

I am basically following the guide below as well as TechNet and other articles on the subject.

http://www.misdivision.com/blog/how-to-create-a-trust-in-windows-server-2008-r2
Question by:dustaine
Accepted Solution

by:
Carol Chisholm earned 500 total points
ID: 39158475
The trust will not affect your networking at all.

When you set up the trust, the users from one domain will be able to log in to the other and vice versa if a two way trust is set up.

You can set up a one way trust or a two way trust.
You can turn it off at any time in Active Directory Domains and Trusts.

If the Everyone and Authenticated Users groups don't have permissions, and you have clearly defined access rights, then the users from the other domain won't even be able to access files.

What you need to be clear about is forest and domain level access and those dangerous generic groups: Everyone and Authenticated Users.

Authenticated Users becomes anyone authenticated in a trusted domain.
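As an added example (not code from either poster), here is a PowerShell script that lists folders under a share root whose NTFS ACLs grant Allow rights to the two generic principals the answer warns about, matching on their well-known SIDs rather than display names; the share root path is an assumption.

```powershell
# Added example, not from the thread. Lists every folder under $Root whose
# NTFS ACL grants Allow rights to Everyone (S-1-1-0) or Authenticated Users
# (S-1-5-11); once a trust exists, the latter includes users from the trusted domain.
# Assumption: $Root is the share root to audit; run as an account that can
# read ACLs on the whole tree. Written for PowerShell 2.0 (Server 2008 R2).
param([string]$Root = 'D:\Shares')

$generic = @{
    'S-1-1-0'  = 'Everyone'
    'S-1-5-11' = 'Authenticated Users'
}

$sidType = [System.Security.Principal.SecurityIdentifier]

Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue |
  Where-Object { $_.PSIsContainer } |
  ForEach-Object {
    $folder = $_.FullName
    $acl = Get-Acl -LiteralPath $folder -ErrorAction SilentlyContinue
    if ($acl -eq $null) { return }
    foreach ($ace in $acl.Access) {
        # Compare SIDs rather than names so localised or renamed labels still match
        try { $sid = $ace.IdentityReference.Translate($sidType).Value }
        catch { continue }
        if ($ace.AccessControlType -eq 'Allow' -and $generic.ContainsKey($sid)) {
            New-Object PSObject -Property @{
                Path      = $folder
                Principal = $generic[$sid]
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
  } | Sort-Object Path | Format-Table Path, Principal, Rights, Inherited -AutoSize
```

Run it before enabling the trust; any row it prints is a folder that users from the other domain will be able to reach through the generic group rather than through a deliberately granted group.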

Author Comment

by:dustaine
ID: 39158553
I am working towards eliminating "Everyone" and "Authenticated Users". I am setting up groups on each domain and then, once the trust is in place, I will set up groups on one domain to access certain applications or files on the other domain. I also want to lock down Administrator access across domains. Right now I have access on both domains and I have an administrator on the other domain. I assume he will not have administrator access on both domains unless I grant him the permissions or give him the password. I really only want him to be able to reset passwords and nothing more on the one domain.

Expert Comment

by:Carol Chisholm
ID: 39159186
Sounds like you need a one way trust. Your domain does not trust the other domain, but the other domain trusts your domain.
This way groups and users in your domain can access files and apps in the other domain. You can administer both but the other administrator can only administer their own domain.

You can add admins from a trusted domain to the Domain Admins group if you want.
Make sure all your admin accounts are renamed (or disable the administrator account after creating another Administrator account with a different name for yourself).

Expert Comment

by:Carol Chisholm
ID: 39159196

Author Comment

by:dustaine
ID: 39159558
The trust itself can be two-way, but I do not trust the one guy as he screws up a lot of stuff and I do not want him to have the full set of keys to the kingdom. Case in point: the virtual spam firewall had an issue and the first thing he starts doing is trying to make changes in Exchange. When it comes to administrative abilities, all I want to allow him to do is add and modify accounts in Active Directory. I do not want him to be able to do much more than that. The only problem is that I have not found a good guide for limiting admin permissions. This is something I want squared away prior to putting the trust in place. However, I would not think the admin account for domain A could log into the DC of domain B... one would have to know the account password, or the admin account of domain A would have to have permissions on domain B, would they not?

Expert Comment

by:Carol Chisholm
ID: 39159732
There is not a way to practically limit permissions.
What you do is take a powerless user and give them limited permissions to reset passwords and so on.
But you are right: as long as the accounts have different names and the passwords are different, and you don't put the other admin in your Domain Admins, then he should not cause you too much trouble.

Here is an article which shows you how complicated revoking permissions is.

http://social.technet.microsoft.com/wiki/contents/articles/6477.how-to-view-or-delete-active-directory-delegated-permissions.aspx

And how to delegate very limited permissions:
http://community.spiceworks.com/how_to/show/1464-how-to-delegate-password-reset-permissions-for-your-it-staff
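As an added example (not from the linked how-to or either poster), here is the delegation the last comment describes, done with the built-in dsacls tool: a low-privilege group gets only the Reset Password extended right and the two attribute writes needed to force a change at next logon and to unlock an account, scoped to user objects under one OU. The group name and OU distinguished name are placeholders.

```powershell
# Added example, not from the thread. Delegates only password reset and unlock
# to a low-privilege group on one OU; nothing is granted at domain level and the
# group is never added to Domain Admins. Assumptions: CORP\PwdResetOps and the
# OU below are placeholders for your own group and container.
$ou    = 'OU=Staff,DC=corp,DC=example'
$group = 'CORP\PwdResetOps'

# /I:S = inherit to sub-objects only (the user objects), not the OU itself.
# CA = control access right; "Reset Password" is the extended right the helpdesk needs.
dsacls $ou /I:S /G "${group}:CA;Reset Password;user"

# Read/write pwdLastSet lets them tick "User must change password at next logon".
dsacls $ou /I:S /G "${group}:RPWP;pwdLastSet;user"

# Read/write lockoutTime lets them unlock an account without any further rights.
dsacls $ou /I:S /G "${group}:RPWP;lockoutTime;user"

# Review exactly what the OU now grants to that group; everything else is unchanged.
dsacls $ou | Select-String -SimpleMatch $group
```

Put the other domain's helpdesk account into that group (through the trust) rather than into any built-in administrative group; the final dsacls listing is the record to keep, since the TechNet article above shows how awkward it is to reconstruct delegated rights later.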