Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1498
  • Last Modified:

How to setup active directory trust between two different companies?

Our company has 3 offices located in UK, UAE and India. All 3 locations are using active directory domains but are not connected together and all of them having different namespace. Now we need to integrate/connect these 3 domains together. Having different domain names is acceptable but if there is a way to bring them into a unique domain name would be nice. So, in order to achieve this how these locations should be connected? ..through VPN or any other technology? 2 sites are using 192.168.10.x subnets...Do we need to change these subnets?

Recently we acquired another company that has it's own active directory forest running and is using 192.168.10.x subnet. We need to create a trust relationships with that company too..At this moment, there isn't any connection between these 2 companies.

Please direct me through the steps to achieve this..thanks
0
Jasnan123
Asked:
Jasnan123
  • 2
2 Solutions
 
Brad HeldCommented:
Wow that's a lot to take in,

First the three domains, I am assuming, are in different forests.

http://technet.microsoft.com/en-us/library/cc974335(v=ws.10).aspx
Using the ADMT would be able to do a lot of the tasks that are involved.
Essentially you would be migrating the users from one forest into another forest.

So I would start by designing the way you want Active Directory to look when your done.
So whether there is a top level domain, and 2 child domains or if you decide to have an empty root and 3 child domains, that will be decided at a business level.

For any migration you first have to have network connectivity between the domains, dns resolution, and a trust between the domains. There are some 3rd party tools and companies that can help with the migration, Like Quest tools, Dell or Microsoft Services. When you go through the migration there are a lot of hidden gotchas that the consultants can help you overcome.

It won't just be a migration of users and your done, the network services like Exchange, SharePoint and file services will also need to migrated. Groups and security will also be a concern.

There will also be a coexistence period, where there could be users who have been migrated that needs access back to the original domain for resources so sid history will come into play.

On the subnets, yes one has to change otherwise you won't be able to route between them, and Active Directory sites and services won't be able to direct clients to the closest DC.

I know this is vague, but that is something that really needs to be thought through and understand before the migration starts and I would pick one domain and start there, and not try all three at one time.

Good luck!
0
 
Leon FesterCommented:
Your easiest way to connect these sites are via and MPLS cloud solution.
In terms of your final solution, that is the way to go.
But there is a lot of work required before there.

Firstly the sites that have overlapping IP's needs to be changed as Microsoft does not support domain trusts across double NAT'ed networks.

Remember with the IP change to check your DNS servers settings, DHCP server setting and DNS records for Domain controllers.

That should set you up nicely for the domain trust.
You'd have to trust each domain that you'd like to share resources with as domain trusts are not inheritable.

If the domain trusts are working then you can start your domain migrations.

The easiest option is to setup a new DC for the new domain at each site and then start migrating the 3 domains.

Depending on the number of applications and servers that you have to port, this project could be anything from 3 months to 24 months.

This is just a high-level plan so do some reading to make sure you know what is happening and what you want to achieve.

Your best starting point for planning a domain consolidation project is http://www.microsoft.com/en-us/download/details.aspx?id=19188
0
 
Jasnan123Author Commented:
Thanks for the experts for your valuable comments. Now I have got an overall idea to get started. I have one more doubt..what type of connection we need in between sites? MPLS or VPN connection which would better and cost effective?
0
 
Brad HeldCommented:
You would have to price it out, but MPLS connection over such large distances may be cost prohibitive versus a dedicated VPN device. Buying dedicated VPN devices to link the connections would have the cost up front versus a monthly expense for a provider to create the link.

Again you would have to price it out.
0

Featured Post

Veeam Task Manager for Hyper-V

Task Manager for Hyper-V provides critical information that allows you to monitor Hyper-V performance by displaying real-time views of CPU and memory at the individual VM-level, so you can quickly identify which VMs are using host resources.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now