How to set up an Active Directory trust between two different companies?

Posted on 2013-12-26
Last Modified: 2014-01-08
Our company has 3 offices located in the UK, the UAE and India. All 3 locations are using Active Directory domains, but they are not connected together, and all of them have different namespaces. Now we need to integrate/connect these 3 domains together. Having different domain names is acceptable, but if there is a way to bring them into a single domain name, that would be nice. So, in order to achieve this, how should these locations be connected? Through VPN or some other technology? 2 sites are using 192.168.10.x subnets. Do we need to change these subnets?

Recently we acquired another company that has its own Active Directory forest running and is using the 192.168.10.x subnet. We need to create a trust relationship with that company too. At this moment, there isn't any connection between these 2 companies.

Please direct me through the steps to achieve this. Thanks.
Question by:Jasnan123

Accepted Solution

Brad Held earned 300 total points
ID: 39741135
Wow, that's a lot to take in.

First, the three domains, I am assuming, are in different forests.
ADMT would be able to do a lot of the tasks that are involved.
Essentially you would be migrating the users from one forest into another forest.

So I would start by designing the way you want Active Directory to look when you're done.
Whether there is a top-level domain and 2 child domains, or you decide to have an empty root and 3 child domains, will be decided at a business level.

For any migration you first have to have network connectivity between the domains, DNS resolution, and a trust between the domains. There are some 3rd-party tools and companies that can help with the migration, like Quest tools, Dell, or Microsoft Services. When you go through the migration there are a lot of hidden gotchas that the consultants can help you overcome.

It won't just be a migration of users and you're done; network services like Exchange, SharePoint and file services will also need to be migrated. Groups and security will also be a concern.

There will also be a coexistence period, where there could be users who have been migrated that need access back to the original domain for resources, so SID history will come into play.

On the subnets, yes, one has to change, otherwise you won't be able to route between them, and Active Directory Sites and Services won't be able to direct clients to the closest DC.

I know this is vague, but that is something that really needs to be thought through and understood before the migration starts, and I would pick one domain and start there, and not try all three at one time.

Good luck!
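The prerequisite chain Brad describes (network connectivity, DNS resolution, then the trust) as an added PowerShell walkthrough. This is an editor's example, not code from Brad's answer or from Microsoft; the forest names, the remote DC address, the port list and the credential prompt are assumptions, and it is meant to be run on a domain controller of the local forest with the RSAT ActiveDirectory and DnsServer modules and Enterprise Admin rights in both forests. It also sets the two trust attributes a security engineer would want on a trust to a just-acquired forest whose AD has not yet been audited: selective authentication and SID filtering.

```powershell
# Added example (not from the original answer). Assumed names:
#   local forest   corp.example
#   remote forest  acquired.example, with DC dc1.acquired.example at 10.20.0.10
$RemoteForest = 'acquired.example'
$RemoteDc     = '10.20.0.10'
$LocalForest  = (Get-ADForest).RootDomain

# 1. Connectivity: these TCP ports on the remote DC are needed to build the trust and
#    to authenticate across it (plus the dynamic RPC range 49152-65535 and UDP 53/88).
#    A blocked port shows up later as an opaque RPC or Kerberos error, so test it first.
$ports = @{ 53 = 'DNS'; 88 = 'Kerberos'; 135 = 'RPC endpoint mapper'; 389 = 'LDAP';
            445 = 'SMB'; 464 = 'Kerberos kpasswd'; 636 = 'LDAPS'; 3268 = 'Global Catalog' }
foreach ($p in ($ports.Keys | Sort-Object)) {
    $ok = (Test-NetConnection -ComputerName $RemoteDc -Port $p -WarningAction SilentlyContinue).TcpTestSucceeded
    '{0,5} {1,-22} {2}' -f $p, $ports[$p], $(if ($ok) { 'open' } else { 'BLOCKED' })
}

# 2. DNS: a conditional forwarder for the remote forest, replicated to every DNS server
#    in this forest. Trust creation locates the remote DCs through the _msdcs SRV record,
#    so resolve that before going on. The remote side needs the mirror-image forwarder.
Add-DnsServerConditionalForwarderZone -Name $RemoteForest -MasterServers $RemoteDc -ReplicationScope Forest
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$RemoteForest" -Type SRV | Format-Table Name, NameTarget, Port

# 3. The trust. A forest trust covers every domain in both forests; an external trust
#    would cover one domain on each side only. Bidirectional lets either side grant
#    access to the other's principals; pick Inbound/Outbound if only one side needs it.
Add-Type -AssemblyName System.DirectoryServices
$cred   = Get-Credential -Message "Enterprise Admin in $RemoteForest"
$ctx    = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext(
              'Forest', $RemoteForest, $cred.UserName, $cred.GetNetworkCredential().Password)
$remote = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ctx)
$local  = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$local.CreateTrustRelationship($remote, [System.DirectoryServices.ActiveDirectory.TrustDirection]::Bidirectional)

# 4. Hardening. Selective authentication: no remote user can authenticate to a server in
#    this forest until "Allowed to Authenticate" is granted on that server object, which
#    is the least-privilege default for a forest you do not control yet. SID filtering
#    stays on: it strips SIDs the remote forest is not authoritative for from the user's
#    token, which is what stops a compromised remote admin from injecting this forest's
#    Domain Admins SID via SIDHistory. ADMT's SID-history migration needs it off for the
#    duration of the migration only; switch it back on when coexistence ends.
$local.SetSelectiveAuthenticationStatus($RemoteForest, $true)
$local.SetSidFilteringStatus($RemoteForest, $true)

# 5. Verify from the AD module and with netdom; run the same checks on the remote side.
Get-ADTrust -Filter "Name -eq '$RemoteForest'" |
    Format-List Name, Direction, ForestTransitive, SelectiveAuthentication, SIDFilteringForestAware, SIDFilteringQuarantined
netdom trust $LocalForest /d:$RemoteForest /verify /kerberos
```

When the migration tool later asks for SID filtering to be relaxed, the equivalent netdom switches are `/enablesidhistory:yes` on a forest trust and `/quarantine:no` on an external trust; treat either as a temporary, logged exception rather than a permanent setting, and check `Get-ADTrust` again when the coexistence period is over.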

Assisted Solution

by: Leon Fester
Leon Fester earned 200 total points
ID: 39741383
The easiest way to connect these sites is via an MPLS cloud solution.
In terms of your final solution, that is the way to go.
But there is a lot of work required before there.

Firstly, the sites that have overlapping IPs need to be changed, as Microsoft does not support domain trusts across double-NATed networks.

Remember, with the IP change, to check your DNS server settings, DHCP server settings, and DNS records for domain controllers.

That should set you up nicely for the domain trust.
You'd have to trust each domain that you'd like to share resources with, as domain trusts are not inheritable.

If the domain trusts are working then you can start your domain migrations.

The easiest option is to setup a new DC for the new domain at each site and then start migrating the 3 domains.

Depending on the number of applications and servers that you have to port, this project could be anything from 3 months to 24 months.

This is just a high-level plan so do some reading to make sure you know what is happening and what you want to achieve.

Your best starting point for planning a domain consolidation project is

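Leon's post-renumbering checklist (DNS server settings, DHCP, the DCs' DNS records) together with the overlap check that motivates it, as an added PowerShell example. This is an editor's example, not code from Leon's answer; the domain name, the old and new ranges and the acquired company's ranges are assumptions, and it runs on a DC or management host in this forest with the RSAT ActiveDirectory, DnsServer and DhcpServer modules. Trusts do not chain, so each pair of forests that shares resources needs its own trust and its own run of these checks against that partner's ranges.

```powershell
# Added example (not from the original answer). Assumed names and ranges:
#   this forest      corp.example, renumbered from 192.168.10.0/24 to 10.10.0.0/16
#   acquired company keeps 192.168.10.0/24 and 10.20.0.0/16
$Domain       = 'corp.example'
$OldPrefix    = '192.168.10.'
$RemoteRanges = @('192.168.10.0/24', '10.20.0.0/16')

function ConvertTo-NetworkInfo {
    # Parse "a.b.c.d/len" into a numeric network address plus prefix length.
    param([string]$Cidr)
    $ip, $len = $Cidr -split '/'
    $bytes = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()
    [Array]::Reverse($bytes)                                   # network to host byte order
    $addr = [long][BitConverter]::ToUInt32($bytes, 0)
    $mask = ([long]0xFFFFFFFF -shl (32 - [int]$len)) -band 0xFFFFFFFF
    [pscustomobject]@{ Network = ($addr -band $mask); Length = [int]$len }
}

function Test-SubnetOverlap {
    # Two prefixes overlap exactly when they agree on the bits of the shorter prefix.
    param([string]$CidrA, [string]$CidrB)
    $a = ConvertTo-NetworkInfo $CidrA
    $b = ConvertTo-NetworkInfo $CidrB
    $len  = [Math]::Min($a.Length, $b.Length)
    $mask = ([long]0xFFFFFFFF -shl (32 - $len)) -band 0xFFFFFFFF
    return (($a.Network -band $mask) -eq ($b.Network -band $mask))
}

# 1. AD Sites and Services: a local subnet object that overlaps the other company's
#    ranges will steer their clients to the wrong DC once the forests are connected,
#    so it has to be renumbered or removed before the trust goes live.
foreach ($s in Get-ADReplicationSubnet -Filter *) {
    foreach ($r in $RemoteRanges) {
        if (Test-SubnetOverlap $s.Name $r) {
            "OVERLAP: AD subnet $($s.Name) (site $($s.Site)) vs acquired range $r"
        }
    }
}

# 2. DC records: each DC must have re-registered its A record in the new range, and the
#    zone must hold nothing that still points at the old one. Stale entries here are the
#    usual cause of "RPC server is unavailable" during trust creation.
foreach ($dc in Get-ADDomainController -Filter *) {
    $a = (Resolve-DnsName -Name $dc.HostName -Type A -ErrorAction SilentlyContinue).IPAddress
    $flag = if ($a -like "$OldPrefix*") { 'STALE' } else { 'ok' }
    '{0,-30} A={1} {2}' -f $dc.HostName, ($a -join ','), $flag
}
Get-DnsServerResourceRecord -ZoneName $Domain -RRType A |
    Where-Object { $_.RecordData.IPv4Address.ToString().StartsWith($OldPrefix) } |
    Format-Table HostName, @{ n = 'StaleIP'; e = { $_.RecordData.IPv4Address } }
# To force a DC to re-register after its address changed:  ipconfig /registerdns ; nltest /dsregdns

# 3. DHCP: scopes and the DNS-server option (option 6) handed to clients must carry the
#    new addresses, otherwise every client keeps querying the old DNS server. Option 6
#    may be set at server level instead of per scope; check that level too if this is empty.
foreach ($scope in Get-DhcpServerv4Scope) {
    $dns  = (Get-DhcpServerv4OptionValue -ScopeId $scope.ScopeId -OptionId 6 -ErrorAction SilentlyContinue).Value
    $flag = if ("$($scope.ScopeId)".StartsWith($OldPrefix) -or ($dns -like "$OldPrefix*")) { 'OLD RANGE' } else { 'ok' }
    '{0,-16} {1,-16} DNS={2} {3}' -f $scope.ScopeId, $scope.SubnetMask, ($dns -join ','), $flag
}
```

Run section 1 before the renumbering as well as after it: the AD subnet objects are what decide which DC a client talks to, so an overlap left there survives the IP change on the wire and only shows up as slow logons and wrong-site authentication months later.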
Author Comment

ID: 39743336
Thanks to the experts for your valuable comments. Now I have an overall idea of how to get started. I have one more doubt: what type of connection do we need between sites? MPLS or a VPN connection, which would be better and more cost-effective?

Expert Comment

by: Brad Held
ID: 39766928
You would have to price it out, but an MPLS connection over such large distances may be cost-prohibitive versus a dedicated VPN device. Buying dedicated VPN devices to link the connections would have the cost up front, versus a monthly expense for a provider to create the link.

Again you would have to price it out.
