dustaine asked:
Creating a trust between two domains
I am in the process of setting up a trust between two separate domains. Traffic is already able to flow from domain to domain as I have a direct cable connecting the two core switches. This ability has been going on for a few months now. A few weeks ago I set up a stub zone in DNS on both sides. Thus far I have not seen any issues. I am about ready to implement the two-way trust between the two. I have never done this and I really do not have anyone I can authoritatively ask questions of. I am not really sure what to expect when I turn the trust on. What should I see? What should I not see? What could go wrong? If something goes wrong, can I turn it off and go back to how it was until whatever issue is fixed?
For a little background, both sides are at a Server 2008 / 2008 R2 level. I do not have any 2003 or later domain controllers. I do have users with accounts on both sides and I am running Exchange 2010 on both sides.
The process itself is simple enough and I do not really anticipate any issues, but not having anyone to talk to about it and doing something like this when it can be potentially problematic is a bit unnerving, especially since it is joining two different live networks that control two businesses.
Thanks in advance for any comments or suggestions.
I am basically following the following guide as well as technet and other articles on the subject.
http://www.misdivision.com/blog/how-to-create-a-trust-in-windows-server-2008-r2
ASKER CERTIFIED SOLUTION
Sounds like you need a one way trust. Your domain does not trust the other domain, but the other domain trusts your domain.
This way groups and users in your domain can access files and apps in the other domain. You can administer both but the other administrator can only administer their own domain.
You can add admins from a trusted domain to domain admins group if you want
Make sure all your admin accounts are renamed (or disable the administrator account after creating another Administrator account with a different name for yourself).
Group scopes explained here:
http://technet.microsoft.com/en-us/library/cc755692(WS.10).aspx
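As an added worked example (not part of the thread, and not taken from the linked guide): the pre-flight checks, the one-way trust the answer above recommends, the post-checks that tell you what you should see, and the rollback. Domain names a.local (yours, the trusting side) and b.local (the other business, the trusted side) and the account B\trustadmin are placeholders; it is meant to be run from an elevated prompt on a domain controller of a.local while logged on as a Domain Admin of a.local.

```powershell
# Added example, not from the thread above. Placeholders: a.local (your domain,
# the one that will do the trusting), b.local (the other business) and
# B\trustadmin (an account with Domain Admins rights in b.local).
$Trusting = "a.local"   # resources live here; this domain trusts...
$Trusted  = "b.local"   # ...the accounts from here (one-way, as suggested above)

# 1. Pre-flight. The stub zones only help if DC locator on this side can find
#    a DC of the other domain. Both commands must succeed before you go further.
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$Trusted"
nltest /dsgetdc:$Trusted /force

# 2. Baseline. Whatever GetAllTrustRelationships() returns now is the state you
#    want to be able to get back to; a rollback is complete when the output
#    matches this again.
function Get-TrustState {
    $dom = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $dom.GetAllTrustRelationships() |
        Select-Object SourceName, TargetName, TrustDirection, TrustType
}
$before = Get-TrustState
$before | Format-Table -AutoSize

# 3. Create the trust. No /twoway, so only a.local trusts b.local: the other
#    admin gains nothing in your domain from this step. /ud and /pd are the
#    credentials for the /d (trusted) domain; "*" prompts for the password
#    instead of leaving it in the command history.
netdom trust $Trusting /d:$Trusted /add /ud:"B\trustadmin" /pd:*

# 4. What you should see afterwards: a new trust object pointing at b.local,
#    a clean /verify, SID filtering (quarantine) still on, and the trust
#    listed by nltest. /quarantine with no yes/no value only displays the
#    current setting, so that line changes nothing.
Get-TrustState | Where-Object { $_.TargetName -eq $Trusted } | Format-Table -AutoSize
netdom trust $Trusting /d:$Trusted /verify
netdom trust $Trusting /d:$Trusted /quarantine
nltest /domain_trusts /all_trusts

# 5. Rollback. Removing the trust is the complete undo: netdom touched nothing
#    in DNS or routing, so the two networks go back to "connected but not
#    trusting". Uncomment only when you actually want to back it out.
# netdom trust $Trusting /d:$Trusted /remove /ud:"B\trustadmin" /pd:*
```

Run steps 1 and 2 on their own first and keep the baseline output; the comparison against it is the answer to "what should I not see" (no extra trusts, no change in direction) and the rollback in step 5 is the answer to "can I turn it off". If you later decide on the two-way trust after all, adding /twoway to the /add line (and the /remove line) is the only change.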
ASKER
The trust itself can be two-way, but I do not trust the one guy as he screws up a lot of stuff and I do not want him to have the full set of keys to the kingdom. Case in point, the virtual spam firewall had an issue and the first thing he starts doing is try to make changes in Exchange. When it comes to administrative abilities, all I want to allow him to do is add and modify accounts in Active Directory. I do not want him to be able to do much more than that. The only problem is that I have not found a good guide for limiting admin permissions. This is something I want squared away prior to putting the trust in place. However, I would not think the admin account for domain A could log into the DC of domain B... one would have to know the account password, or the admin account of domain A would have to have permissions on domain B, would they not?
There is not a way to practically limit permissions.
What you do is take a powerless user and give them limited permissions to reset passwords and so on.
But you are right: as long as the accounts have different names and the passwords are different and you don't put the other admin in your Domain Admins, then he should not cause you too much trouble.
Here is an article which shows you how complicated revoking permissions is.
http://social.technet.microsoft.com/wiki/contents/articles/6477.how-to-view-or-delete-active-directory-delegated-permissions.aspx
And how to delegate very limited permissions
http://community.spiceworks.com/how_to/show/1464-how-to-delegate-password-reset-permissions-for-your-it-staff
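As an added worked example (not from the thread or from the linked articles): the "powerless user with limited permissions" approach applied to the asker's case, so that an account from the other domain can create and modify users and reset passwords in one OU of your domain and nothing else. The NetBIOS name A, the OU OU=Staff,DC=a,DC=local, the group name and the SID of the other admin's account are placeholders; the SID is looked up on his side (for example Get-ADUser otheradmin -Server b.local | Select-Object SID) and assumes the trust described earlier in the thread is already in place.

```powershell
# Added example, not from the thread above. Placeholders: A (NetBIOS name of
# your domain), the OU he may manage, the group name, and the SID of his
# account in b.local. Run on a 2008 R2 DC or a box with RSAT installed.
Import-Module ActiveDirectory

$NetBios  = "A"
$OU       = "OU=Staff,DC=a,DC=local"
$Group    = "DL-Staff-AccountAdmins"
$OtherSid = "S-1-5-21-1111111111-2222222222-3333333333-1105"   # placeholder SID

# 1. A Domain Local security group, because that is the one scope that can
#    hold members from a trusted domain (see the group-scopes link above).
#    Nothing but this delegation should ever be granted to it.
New-ADGroup -Name $Group -GroupScope DomainLocal -GroupCategory Security -Path $OU

# 2. Add the foreign account by SID. AD creates the foreignSecurityPrincipal
#    object for you; no account or password is created in your domain, and he
#    still never appears in Domain Admins.
$grp = [ADSI]"LDAP://CN=$Group,$OU"
$grp.Add("LDAP://<SID=$OtherSid>")

# 3. Delegate on that OU only. ${Group} is braced because "$Group:" would be
#    read by PowerShell as a scope qualifier, not as the group name.
$Trustee = "$NetBios\${Group}"
dsacls $OU /G "${Trustee}:CCDC;user"                     # create and delete user objects in the OU
dsacls $OU /I:S /G "${Trustee}:GW;;user"                 # write attributes of user objects beneath it
dsacls $OU /I:S /G "${Trustee}:CA;Reset Password;user"   # extended right: reset password
dsacls $OU /I:S /G "${Trustee}:RPWP;pwdLastSet;user"     # set "must change password at next logon"
dsacls $OU /I:S /G "${Trustee}:RPWP;lockoutTime;user"    # unlock accounts

# 4. Review and undo. dsacls with only the DN prints the ACL, which is the
#    thing to save before and compare after; /R strips every ACE that names
#    the trustee, which is the whole revocation in one line.
dsacls $OU
# dsacls $OU /R $Trustee
```

The point of keeping all rights on a single OU with /I:S is that nothing here inherits to the domain root, Exchange objects or the Domain Controllers OU, which is exactly the "add and modify accounts, nothing more" boundary the asker wants. Save the output of the final dsacls line; the linked TechNet article is about how hard it is to find delegated ACEs afterwards, and a before/after listing from the same command sidesteps that problem.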