Solved

Creating a trust between two domains

Posted on 2013-05-11
Last Modified: 2013-05-20
I am in the process of setting up a trust between two separate domains. Traffic is already able to flow from domain to domain as I have a direct cable connecting the two core switches. This ability has been going on for a few months now. A few weeks ago I set up a stub zone in DNS on both sides. Thus far I have not seen any issues. I am about ready to implement the two-way trust between the two. I have never done this and I really do not have anyone whom I can authoritatively ask questions of. I am not really sure what to expect when I turn the trust on. What should I see? What should I not see? What could go wrong? If something goes wrong, can I turn it off and go back to how it was until whatever issue is fixed?

For a little background, both sides are at a Server 2008 / 2008 R2 level. I do not have any 2003 or later domain controllers. I do have users with accounts on both sides and I am running Exchange 2010 on both sides.

The process itself is simple enough and I do not really anticipate any issues, but not having anyone to talk to about it and doing something like this when it can be potentially problematic is a bit unnerving, especially since it is joining two different live networks that control two businesses.

Thanks in advance for any comments or suggestions.

I am basically following the following guide as well as technet and other articles on the subject.

http://www.misdivision.com/blog/how-to-create-a-trust-in-windows-server-2008-r2
Question by:dustaine
Accepted Solution

by:
Carol Chisholm earned 500 total points
ID: 39158475
The trust will not affect your networking at all.

When you set up the trust, the users from one domain will be able to log in to the other and vice versa if a two way trust is set up.

You can set up a one way trust or a two way trust.
You can turn it off at any time in Active Directory Domains and Trusts.

If you don't have the Everyone and Authenticated Users groups having permissions, but you have clearly defined access rights, then the users from the other domain won't even be able to access files.

What you need to be clear about is forest and domain level access and those dangerous generic groups: Everyone and Authenticated Users.

Authenticated Users becomes anyone authenticated in a trusted domain.
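An added example, not part of the accepted answer or the thread: a PowerShell inventory of the NTFS entries granted to the generic principals named above, so they can be replaced with explicit domain groups before the trust widens what "Authenticated Users" means. The share root path is a placeholder; the script assumes it runs on the file server with read access to the ACLs.

```powershell
# Added example (not from the thread). Lists explicit ACEs granted to the
# generic principals that silently start matching trusted-domain users once
# a trust exists. $ShareRoots is a placeholder; replace with your share roots.

$ShareRoots = @('D:\Shares')   # placeholder path, constructed for this example
$GenericPrincipals = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users'             # member servers nest Authenticated Users here by default
)

function Get-GenericAce {
    param([string[]]$Roots, [string[]]$Principals)
    foreach ($root in $Roots) {
        # The root itself plus every folder beneath it (PowerShell 2.0 compatible,
        # so no -Directory switch).
        $folders = @(Get-Item -LiteralPath $root) +
                   @(Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue |
                     Where-Object { $_.PSIsContainer })
        foreach ($folder in $folders) {
            $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { continue }
            foreach ($ace in $acl.Access) {
                # -contains is case-insensitive, matching how Windows shows the names
                if ($Principals -contains $ace.IdentityReference.Value) {
                    New-Object PSObject -Property @{
                        Path      = $folder.FullName
                        Principal = $ace.IdentityReference.Value
                        Rights    = $ace.FileSystemRights
                        Type      = $ace.AccessControlType
                        Inherited = $ace.IsInherited
                    }
                }
            }
        }
    }
}

# Explicit (non-inherited) Allow entries are the ones to replace with domain groups;
# inherited ones are fixed by correcting the parent they come from.
Get-GenericAce -Roots $ShareRoots -Principals $GenericPrincipals |
    Where-Object { $_.Type -eq 'Allow' -and -not $_.Inherited } |
    Sort-Object Path |
    Format-Table Path, Principal, Rights -AutoSize
```

Share-level permissions (which default to Everyone) are a separate layer and are not covered by this NTFS-only check.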
Author Comment

by:dustaine
ID: 39158553
I am working towards eliminating "Everyone" and "Authenticated Users". I am setting up groups on each domain and then, once the trust is in place, I will set up groups on one domain to access certain applications or files on the other domain. I also want to lock down Administrator access across domains. Right now I have access on both domains and I have an administrator on the other domain. I assume he will not have administrator access on both domains unless I grant him the permissions or give him the password. I really only want him to be able to reset passwords and nothing more on the one domain.

Expert Comment

by:Carol Chisholm
ID: 39159186
Sounds like you need a one way trust. Your domain does not trust the other domain, but the other domain trusts your domain.
This way groups and users in your domain can access files and apps in the other domain. You can administer both but the other administrator can only administer their own domain.

You can add admins from a trusted domain to the Domain Admins group if you want.
Make sure all your admin accounts are renamed (or disable the Administrator account after creating another administrator account with a different name for yourself).

Author Comment

by:dustaine
ID: 39159558
The trust itself can be two-way, but I do not trust the one guy as he screws up a lot of stuff and I do not want him to have the full set of keys to the kingdom. Case in point, the virtual spam firewall had an issue and the first thing he starts doing is trying to make changes in Exchange. When it comes to administrative abilities, all I want to allow him to do is add and modify accounts in Active Directory. I do not want him to be able to do much more than that. The only problem is that I have not found a good guide for limiting admin permissions. This is something I want squared away prior to putting the trust in place. However, I would not think the admin account for domain A could log into the DC of domain B... one would have to know the account password, or the admin account of domain A would have to have permissions on domain B, would they not?

Expert Comment

by:Carol Chisholm
ID: 39159732
There is not a way to practically limit permissions.
What you do is take a powerless user and give them limited permissions to reset passwords and so on.
But you are right: as long as the accounts have different names and the passwords are different and you don't put the other admin in your Domain Admins, then he should not cause you too much trouble.

Here is an article which shows you how complicated revoking permissions is.

http://social.technet.microsoft.com/wiki/contents/articles/6477.how-to-view-or-delete-active-directory-delegated-permissions.aspx

And how to delegate very limited permissions:
http://community.spiceworks.com/how_to/show/1464-how-to-delegate-password-reset-permissions-for-your-it-staff
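An added example, not from the thread or the linked articles, showing the "powerless user with limited permissions" approach in PowerShell with the built-in dsacls tool: only the Reset Password extended right (plus the pwdLastSet write needed for "must change password at next logon") is delegated on one OU. The OU distinguished name and group name are placeholders; the group is assumed to be a domain local group in the domain being administered, so a trusted-domain account can be made a member once the trust exists.

```powershell
# Added example (not from the thread). Delegates only password reset on one OU
# to a group, instead of making the other admin a Domain Admin.
# dsacls ships with the AD DS tools on Server 2008 R2; run as a Domain Admin.

$Ou    = 'OU=Users,DC=example,DC=local'   # placeholder OU, constructed for this example
$Group = 'EXAMPLE\HelpdeskPwdReset'       # placeholder domain local group, constructed

# /I:S  inherit to child objects only (the user objects), not the OU itself
# CA    grant a control access (extended) right, here "Reset Password"
# WP    write property on pwdLastSet, so the "must change at next logon" flag can be set
& dsacls $Ou /I:S /G "${Group}:CA;Reset Password;user"
& dsacls $Ou /I:S /G "${Group}:WP;pwdLastSet;user"

# Verify what the group now holds on that OU: the two lines above should be
# the only entries naming it.
function Get-DelegatedAce {
    param([string]$DistinguishedName, [string]$Principal)
    & dsacls $DistinguishedName | Select-String -SimpleMatch $Principal
}
Get-DelegatedAce -DistinguishedName $Ou -Principal $Group
```

Because the right is scoped to the OU, accounts outside it (including anything in the default Users container or privileged groups) stay out of reach of the delegated group.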