Creating a trust between two domains

Posted on 2013-05-11
Last Modified: 2013-05-20
I am in the process of setting up a trust between two separate domains.  Traffic is already able to flow from domain to domain as I have a direct cable connecting the two core switches.  This has been going on for a few months now.  A few weeks ago I set up a stub zone in DNS on both sides.  Thus far I have not seen any issues.  I am about ready to implement the two-way trust between the two.  I have never done this and I really do not have anyone whom I can authoritatively ask questions of.  I am not really sure what to expect when I turn the trust on. What should I see? What should I not see? What could go wrong? If something goes wrong, can I turn it off and go back to how it was until whatever issue is fixed?

For a little background, both sides are at a Server 2008/2008 R2 level.  I do not have any 2003 or later domain controllers.  I do have users with accounts on both sides and I am running Exchange 2010 on both sides.

The process itself is simple enough and I do not really anticipate any issues, but not having anyone to talk to about it, and doing something like this when it can be potentially problematic, is a bit unnerving, especially since it is joining two different live networks that control two businesses.

Thanks in advance for any comments or suggestions.

I am basically following the following guide as well as technet and other articles on the subject.
Question by: dustaine

Accepted Solution

Carol Chisholm earned 500 total points
ID: 39158475
The trust will not affect your networking at all.

When you set up the trust, the users from one domain will be able to log in to the other and vice versa if a two way trust is set up.

You can set up a one way trust or a two way trust.
You can turn it off at any time in Active Directory Domains and Trusts.

If you don't have the Everyone and Authenticated Users groups holding permissions, but you have clearly defined access rights, then the users from the other domain won't even be able to access files.

What you need to be clear about is forest- and domain-level access and those dangerous generic groups: Everyone and Authenticated Users.

Authenticated Users becomes anyone authenticated in a trusted domain.
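Before creating the trust it is worth finding out exactly where those generic principals are granted rights, since every such ACE is a place where the trust widens access. The script below is an added example (not code from the thread or from its author): it walks a set of folders and reports each NTFS ACE granted to Everyone (SID S-1-1-0) or Authenticated Users (SID S-1-5-11). The share paths are placeholders, and it uses only cmdlets and parameters available in PowerShell 2.0, which is what Server 2008 R2 ships with. Share-level permissions are stored separately and need their own review.

```powershell
# Added example, not from the original thread. Lists every NTFS ACE on the given
# folders (and optionally their subfolders) that is granted to the generic
# principals Everyone (S-1-1-0) or Authenticated Users (S-1-5-11). Once a two-way
# trust exists, both principals also match users from the other domain.
# Paths in the usage line are assumptions; replace them with your own shares.

$GenericSids = @{
    'S-1-1-0'  = 'Everyone'
    'S-1-5-11' = 'Authenticated Users'
}

function Get-GenericPrincipalAce {
    param(
        [Parameter(Mandatory=$true)][string[]]$Path,
        [switch]$Recurse
    )
    foreach ($root in $Path) {
        $targets = @(Get-Item -LiteralPath $root)
        if ($Recurse) {
            # PowerShell 2.0 has no -Directory switch, so filter on PSIsContainer
            $targets += Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue |
                        Where-Object { $_.PSIsContainer }
        }
        foreach ($item in $targets) {
            $acl = Get-Acl -Path $item.FullName
            foreach ($ace in $acl.Access) {
                # Compare on SID rather than display name so the check is
                # independent of the OS language and of "NT AUTHORITY\" prefixes.
                try {
                    $sid = $ace.IdentityReference.Translate(
                        [System.Security.Principal.SecurityIdentifier]).Value
                } catch {
                    continue   # orphaned / unresolvable SIDs are skipped
                }
                if ($GenericSids.ContainsKey($sid)) {
                    New-Object PSObject -Property @{
                        Path      = $item.FullName
                        Principal = $GenericSids[$sid]
                        Rights    = $ace.FileSystemRights
                        Type      = $ace.AccessControlType
                        Inherited = $ace.IsInherited
                    }
                }
            }
        }
    }
}

# Usage (paths are placeholders): every row is an ACE to replace with a
# domain group before the trust is turned on.
Get-GenericPrincipalAce -Path 'D:\Shares\Finance', 'D:\Shares\Apps' -Recurse |
    Sort-Object Path |
    Format-Table Path, Principal, Rights, Type, Inherited -AutoSize
```

Two practitioner notes that go with the answer above: an external trust between domains in separate forests can be created with selective authentication instead of domain-wide authentication, in which case users from the trusted domain can only authenticate to computers where they have been granted the "Allowed to Authenticate" right, which contains the blast radius while the ACL clean-up is still under way; and if the trust has to be backed out, the command-line equivalent of deleting it in Active Directory Domains and Trusts is `netdom trust <TrustingDomain> /d:<TrustedDomain> /remove /UserD:<user> /PasswordD:*`, run on a domain controller of the trusting domain.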

Author Comment

ID: 39158553
I am working towards eliminating "Everyone" and "Authenticated Users".  I am setting up groups on each domain and then, once the trust is in place, I will set up groups on one domain to access certain applications or files on the other domain.  I also want to lock down Administrator access across domains.  Right now I have access on both domains and I have an administrator on the other domain.  I assume he will not have administrator access on both domains unless I grant him the permissions or give him the password. I really only want him to be able to reset passwords and nothing more on the one domain.

Expert Comment

by: Carol Chisholm
ID: 39159186
Sounds like you need a one way trust. Your domain does not trust the other domain, but the other domain trusts your domain.
This way groups and users in your domain can access files and apps in the other domain. You can administer both but the other administrator can only administer their own domain.

You can add admins from a trusted domain to the Domain Admins group if you want.
Make sure all your admin accounts are renamed (or disable the administrator account after creating another Administrator account with a different name for yourself).
Author Comment

ID: 39159558
The trust itself can be two-way, but I do not trust the one guy, as he screws up a lot of stuff and I do not want him to have the full set of keys to the kingdom. Case in point: the virtual spam firewall had an issue and the first thing he starts doing is trying to make changes in Exchange.  When it comes to administrative abilities, all I want to allow him to do is add and modify accounts in Active Directory. I do not want him to be able to do much more than that. The only problem is that I have not found a good guide for limiting admin permissions. This is something I want squared away prior to putting the trust in place. However, I would not think the admin account for domain A could log into the DC of domain B... one would have to know the account password, or the admin account of domain A would have to have permissions on domain B, would they not?

Expert Comment

by: Carol Chisholm
ID: 39159732
There is not a way to practically limit permissions.
What you do is take a powerless user and give them limited permissions to reset passwords and so on.
But you are right: as long as the accounts have different names and the passwords are different, and you don't put the other admin in your Domain Admins, then he should not cause you too much trouble.

Here is an article which shows you how complicated revoking permissions is.

And how to delegate very limited permissions
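The approach above (a powerless account that is given only the password-reset right) can be done without the Delegation of Control wizard. The script below is an added example, not code from the thread or from its author, and the OU, the group name and the extra attributes it delegates are my assumptions: besides the "Reset Password" extended right it grants write access to pwdLastSet (needed for "user must change password at next logon") and lockoutTime (needed to unlock an account), on user objects under the OU only. The GUIDs are read from the schema and the Extended-Rights container at run time rather than hard-coded. It needs the ActiveDirectory module, which is part of RSAT on Server 2008 R2.

```powershell
# Added example, not from the original thread. Delegates password reset (and
# the attribute writes that go with it) for user objects under one OU to a
# group, and nothing else. OU and group names are assumptions.

Import-Module ActiveDirectory

function Get-SchemaGuid {
    # schemaIDGUID of a class or attribute, looked up by lDAPDisplayName
    param([Parameter(Mandatory=$true)][string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    New-Object -TypeName System.Guid -ArgumentList (,[byte[]]$obj.schemaIDGUID)
}

function Get-ExtendedRightGuid {
    # rightsGuid of a control access right, looked up by its displayName
    param([Parameter(Mandatory=$true)][string]$DisplayName)
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    if (-not $obj) { throw "Extended right '$DisplayName' not found" }
    [System.Guid]$obj.rightsGuid
}

function Add-PasswordResetDelegation {
    param(
        [Parameter(Mandatory=$true)][string]$OU,     # e.g. 'OU=Staff,DC=corp,DC=example' (assumed)
        [Parameter(Mandatory=$true)][string]$Group   # e.g. 'HelpDesk-PasswordReset' (assumed)
    )
    $sid        = (Get-ADGroup $Group).SID
    $userClass  = Get-SchemaGuid 'user'          # inherited-object type: user objects only
    $resetPwd   = Get-ExtendedRightGuid 'Reset Password'
    $pwdLastSet = Get-SchemaGuid 'pwdLastSet'    # "must change password at next logon"
    $lockout    = Get-SchemaGuid 'lockoutTime'   # unlock account

    $allow   = [System.Security.AccessControl.AccessControlType]::Allow
    $inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
    $rw      = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
    $ext     = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

    # Each rule is scoped by object type (the right or attribute) and by the
    # inherited object class, so the group gets no other rights on the OU.
    $rules = @(
        (New-Object System.DirectoryServices.ActiveDirectoryAccessRule $sid, $ext, $allow, $resetPwd,   $inherit, $userClass),
        (New-Object System.DirectoryServices.ActiveDirectoryAccessRule $sid, $rw,  $allow, $pwdLastSet, $inherit, $userClass),
        (New-Object System.DirectoryServices.ActiveDirectoryAccessRule $sid, $rw,  $allow, $lockout,    $inherit, $userClass)
    )

    $acl = Get-Acl -Path "AD:\$OU"
    foreach ($r in $rules) { $acl.AddAccessRule($r) }
    Set-Acl -Path "AD:\$OU" -AclObject $acl
}

# Usage (names are placeholders), run as a Domain Admin of the domain being delegated:
Add-PasswordResetDelegation -OU 'OU=Staff,DC=corp,DC=example' -Group 'HelpDesk-PasswordReset'

# Verify with the built-in tool: only the three ACEs above should show up for the group.
dsacls 'OU=Staff,DC=corp,DC=example' | Select-String 'HelpDesk-PasswordReset'
```

The group is a plain domain-local group in the delegating domain. If the account placed in it is the other administrator's ordinary (non-admin) account from his own domain, the delegating domain must trust that domain for the membership to resolve; with the one-way direction suggested earlier that is not the case, so the alternative that fits the advice above is to create him a separate, unprivileged account in this domain and put that account in the group.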
