• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 558
  • Last Modified:

Creating a trust between two domains

I am in the process of setting up a trust between two separate domains.  Traffic is already able to flow from domain to domain as I have a direct cable connecting the two core switches.  This ability has been going on for a few months now.  A few weeks ago I set up a stub zone in DNS on both sides.  Thus far I have not seen any issues.  I am about ready to implement the two way trust between the two.  I have never done this and I really do not have anyone who can authoritatively ask questions of.  I am not really sure what to expect when I turn the trust on. What should I see? What should I not see? What could go wrong? If something goes wrong, can I turn it off and go back to how it was until whatever issue is fixed?

For a little background, both sides are at a server 2008 2008 R2 level.  I do not have any 2003 or later domain controllers.  I do have users with accounts on both sides and I am running Exchange 2010 on both sides.

The process itself is simple enough and I do not really anticipate any issues, but not having anyone to talk to about it and doing something like this when it can be potentially problematic is a bit unnerving especially since it is joining two different live networks that controls two businesses.

Thanks in advance for any comments or suggestions.

I am basically following the following guide as well as technet and other articles on the subject.

http://www.misdivision.com/blog/how-to-create-a-trust-in-windows-server-2008-r2
0
dustaine
Asked:
dustaine
  • 4
  • 2
1 Solution
 
Carol ChisholmCommented:
The trust will not affect your networking at all.

When you set up the trust, the users from one domain will be able to log in to the other and vice versa if a two way trust is set up.

You can set up a one way trust or a two way trust.
You can turn it off at any time in Active Directory Domains and Trusts.

If you don't have the everyone and authenticated users groups having permissions, but you have clearly defined access rights then the users from the other domain won't even be able to access files.

What you need to be clear about is forest and domain level access and those dangerous generic groups: everybody and authenticated users.

Authenticated users becomes anyone authenticated in a trusted domain.
0
 
dustaineAuthor Commented:
I am working towards eliminating "Everyone" and "Authenticated Users".  I am setting up groups on each domain and then once the trust is in place I will set up groups on one domain to access certain applications or files on the other domain.  I also want to lock down Administrator access across domains.  Right now I have access on both domains and I have an administrator on the other domain.  I assume, he will not have administrator access on both domains unless I grant him the permissions or give him the password. I really only want him to be able to reset passwords and nothing more on the one domain
0
 
Carol ChisholmCommented:
Sounds like you need a one way trust. Your domain does not trust the other domain, but the other domain trusts your domain.
This way groups and users in your domain can access files and apps in the other domain. You can administer both but the other administrator can only administer their own domain.

You can add admins from a trusted domain to domain admins group if you want
Make sure all your admin accounts are renamed (or disable the administrator account after creating another Administrator account with a different name for yourself).
0
Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

 
Carol ChisholmCommented:
0
 
dustaineAuthor Commented:
The trust itself can be two way, but I do not trust the one guy as he screws up a lot of stuff and I do not want him to have the full set of keys to the kingdom. Case in point, the virtual spam firewall had an issue and the first thing he starts doing is try to make changes  in Exchange.  When it comes to administrative abilities, All I want to allow him to do is add and modify accounts  in Active directory. I do not want him to be able to do much more than that. The only problem is that I have not found a good guide for limiting admin permissions. This is something I want squared away prior to putting the trust in place. However, I would not think the admin account for domain a could log into the dc of domain b... one would have to know the account password or the admin account of domain a would have to have permissions on domain b would they not?
0
 
Carol ChisholmCommented:
There is not a way to practically limit permissions.
What you do is take a powerless user and give them limited permissions to reset passwords and so on.
But you are right as long as the accounts have different names and the passwords are different and you don't put the other admin in your domain admins then he should not cause your too much trouble.

Here is an article which shows you how complicated revoking permissions is.

http://social.technet.microsoft.com/wiki/contents/articles/6477.how-to-view-or-delete-active-directory-delegated-permissions.aspx

And how to delegate very limited permissions
http://community.spiceworks.com/how_to/show/1464-how-to-delegate-password-reset-permissions-for-your-it-staff
0

Featured Post

New feature and membership benefit!

New feature! Upgrade and increase expert visibility of your issues with Priority Questions.

  • 4
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now