Creating a trust between two domains

Posted on 2013-05-11
Last Modified: 2013-05-20
I am in the process of setting up a trust between two separate domains. Traffic is already able to flow from domain to domain as I have a direct cable connecting the two core switches. This has been working for a few months now. A few weeks ago I set up a stub zone in DNS on both sides. Thus far I have not seen any issues. I am about ready to implement the two-way trust between the two. I have never done this and I really do not have anyone whom I can authoritatively ask questions of. I am not really sure what to expect when I turn the trust on. What should I see? What should I not see? What could go wrong? If something goes wrong, can I turn it off and go back to how it was until whatever issue is fixed?

For a little background, both sides are at a Server 2008 / 2008 R2 level. I do not have any 2003 or later domain controllers. I do have users with accounts on both sides and I am running Exchange 2010 on both sides.

The process itself is simple enough and I do not really anticipate any issues, but not having anyone to talk to about it, and doing something like this when it can be potentially problematic, is a bit unnerving, especially since it is joining two different live networks that control two businesses.

Thanks in advance for any comments or suggestions.

I am basically following the following guide as well as technet and other articles on the subject.
Question by: dustaine

Accepted Solution

Carol Chisholm earned 500 total points
ID: 39158475
The trust will not affect your networking at all.

When you set up the trust, the users from one domain will be able to log in to the other and vice versa if a two way trust is set up.

You can set up a one way trust or a two way trust.
You can turn it off at any time in Active Directory Domains and Trusts.

If you don't have the Everyone and Authenticated Users groups holding permissions, but instead have clearly defined access rights, then the users from the other domain won't even be able to access files.

What you need to be clear about is forest and domain level access and those dangerous generic groups: Everyone and Authenticated Users.

Authenticated Users becomes anyone authenticated in a trusted domain.
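The point about Everyone and Authenticated Users can be checked on the file servers before the trust is turned on. This is an added example, not code from the thread; the share root paths are assumed and should be replaced with your own. It matches on well-known SIDs rather than display names so renamed or localized groups are not missed.

```powershell
# Added example: list folders whose NTFS ACL allows access to the generic groups
# that a trust silently widens to the other domain's users.
# $ShareRoots is an assumed list; replace with the share paths on your servers.
$ShareRoots = @('D:\Shares\Finance', 'D:\Shares\Public')

# Well-known SIDs: S-1-1-0 = Everyone, S-1-5-11 = Authenticated Users.
$GenericSids = @('S-1-1-0', 'S-1-5-11')

function Find-GenericGroupAccess {
    param([string[]]$Paths)
    foreach ($root in $Paths) {
        # Include the root folder itself plus every subfolder beneath it.
        $folders = @(Get-Item -LiteralPath $root) +
                   @(Get-ChildItem -LiteralPath $root -Directory -Recurse -ErrorAction SilentlyContinue)
        foreach ($folder in $folders) {
            try {
                $acl = Get-Acl -LiteralPath $folder.FullName
            } catch {
                Write-Warning "Cannot read ACL on $($folder.FullName): $_"
                continue
            }
            foreach ($ace in $acl.Access) {
                # Translate the identity to a SID so the comparison is name-independent.
                $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
                if ($ace.AccessControlType -eq 'Allow' -and $GenericSids -contains $sid) {
                    [pscustomobject]@{
                        Path      = $folder.FullName
                        Identity  = $ace.IdentityReference.Value
                        Rights    = $ace.FileSystemRights
                        Inherited = $ace.IsInherited
                    }
                }
            }
        }
    }
}

# Every row is a folder that users from the trusted domain would be able to reach
# as soon as the trust exists, unless the entry is replaced with a specific group.
Find-GenericGroupAccess -Paths $ShareRoots | Sort-Object Path | Format-Table -AutoSize
```

Entries with Inherited = False are the ones to fix at their source; inherited rows disappear once the parent is corrected.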

Author Comment

ID: 39158553
I am working towards eliminating "Everyone" and "Authenticated Users". I am setting up groups on each domain, and then once the trust is in place I will set up groups on one domain to access certain applications or files on the other domain. I also want to lock down Administrator access across domains. Right now I have access on both domains and I have an administrator on the other domain. I assume he will not have administrator access on both domains unless I grant him the permissions or give him the password. I really only want him to be able to reset passwords and nothing more on the one domain.

Expert Comment

by:Carol Chisholm
ID: 39159186
Sounds like you need a one-way trust. Your domain does not trust the other domain, but the other domain trusts your domain.
This way groups and users in your domain can access files and apps in the other domain. You can administer both, but the other administrator can only administer their own domain.

You can add admins from a trusted domain to the Domain Admins group if you want.
Make sure all your admin accounts are renamed (or disable the Administrator account after creating another administrator account with a different name for yourself).
Author Comment

ID: 39159558
The trust itself can be two-way, but I do not trust the one guy, as he screws up a lot of stuff and I do not want him to have the full set of keys to the kingdom. Case in point: the virtual spam firewall had an issue and the first thing he starts doing is trying to make changes in Exchange. When it comes to administrative abilities, all I want to allow him to do is add and modify accounts in Active Directory. I do not want him to be able to do much more than that. The only problem is that I have not found a good guide for limiting admin permissions. This is something I want squared away prior to putting the trust in place. However, I would not think the admin account for domain A could log into the DC of domain B... one would have to know the account password, or the admin account of domain A would have to have permissions on domain B, would they not?

Expert Comment

by:Carol Chisholm
ID: 39159732
There is not a way to practically limit permissions.
What you do is take a powerless user and give them limited permissions to reset passwords and so on.
But you are right: as long as the accounts have different names and the passwords are different, and you don't put the other admin in your Domain Admins, then he should not cause you too much trouble.

Here is an article which shows you how complicated revoking permissions is.

And how to delegate very limited permissions.
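The "powerless user with limited permissions" approach, written out as an added example that is not from the thread or the linked articles. Assumed names: the OU DN `OU=Staff,DC=corp,DC=example`, the trusted domain `other.example` with its admin account `bob`, and a new domain local group `HelpDesk-PasswordReset` in your own domain; adding the foreign user via the `ActiveDirectory` module object is the assumed way to create the foreign security principal.

```powershell
# Added example: delegate only password reset on one OU to an account from the
# trusted domain, without touching Domain Admins or the other domain's groups.
Import-Module ActiveDirectory

$OU        = 'OU=Staff,DC=corp,DC=example'   # assumed OU holding the user accounts
$GroupName = 'HelpDesk-PasswordReset'        # assumed new group in your own domain
$OtherDom  = 'other.example'                 # assumed trusted domain
$OtherUser = 'bob'                           # assumed account in the trusted domain

# 1. A domain local group in your domain is the only object that references the
#    foreign account; it is the group, not the person, that receives rights (AGDLP).
$group  = New-ADGroup -Name $GroupName -GroupScope DomainLocal -GroupCategory Security `
                      -Path $OU -PassThru
$member = Get-ADUser -Identity $OtherUser -Server $OtherDom   # resolves via the trust
Add-ADGroupMember -Identity $group -Members $member

# 2. Grant only the "Reset Password" extended right plus read/write of pwdLastSet
#    (needed for "user must change password at next logon") on user objects.
#    /I:S applies the entry to child objects only, not to the OU itself.
$principal = "$env:USERDOMAIN\$GroupName"
dsacls $OU /I:S /G "${principal}:CA;Reset Password;user"
dsacls $OU /I:S /G "${principal}:RPWP;pwdLastSet;user"

# 3. Verify: the group should appear only in these two entries and nowhere with
#    GenericAll / Full Control, which is what "keys to the kingdom" looks like in an ACL.
dsacls $OU | Select-String -Pattern $GroupName
```

Because the rights live on the OU ACL and the membership lives in one group, undoing the delegation is removing the group member (or the two ACEs), independent of whether the trust stays up.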
