Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

How to setup active directory trust between two different companies?

Posted on 2013-12-26
4
Medium Priority
?
1,453 Views
Last Modified: 2014-01-08
Our company has 3 offices located in UK, UAE and India. All 3 locations are using active directory domains but are not connected together and all of them having different namespace. Now we need to integrate/connect these 3 domains together. Having different domain names is acceptable but if there is a way to bring them into a unique domain name would be nice. So, in order to achieve this how these locations should be connected? ..through VPN or any other technology? 2 sites are using 192.168.10.x subnets...Do we need to change these subnets?

Recently we acquired another company that has it's own active directory forest running and is using 192.168.10.x subnet. We need to create a trust relationships with that company too..At this moment, there isn't any connection between these 2 companies.

Please direct me through the steps to achieve this..thanks
0
Comment
Question by:Jasnan123
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 6

Accepted Solution

by:
Brad Held earned 900 total points
ID: 39741135
Wow that's a lot to take in,

First the three domains, I am assuming, are in different forests.

http://technet.microsoft.com/en-us/library/cc974335(v=ws.10).aspx
Using the ADMT would be able to do a lot of the tasks that are involved.
Essentially you would be migrating the users from one forest into another forest.

So I would start by designing the way you want Active Directory to look when your done.
So whether there is a top level domain, and 2 child domains or if you decide to have an empty root and 3 child domains, that will be decided at a business level.

For any migration you first have to have network connectivity between the domains, dns resolution, and a trust between the domains. There are some 3rd party tools and companies that can help with the migration, Like Quest tools, Dell or Microsoft Services. When you go through the migration there are a lot of hidden gotchas that the consultants can help you overcome.

It won't just be a migration of users and your done, the network services like Exchange, SharePoint and file services will also need to migrated. Groups and security will also be a concern.

There will also be a coexistence period, where there could be users who have been migrated that needs access back to the original domain for resources so sid history will come into play.

On the subnets, yes one has to change otherwise you won't be able to route between them, and Active Directory sites and services won't be able to direct clients to the closest DC.

I know this is vague, but that is something that really needs to be thought through and understand before the migration starts and I would pick one domain and start there, and not try all three at one time.

Good luck!
0
 
LVL 26

Assisted Solution

by:Leon Fester
Leon Fester earned 600 total points
ID: 39741383
Your easiest way to connect these sites are via and MPLS cloud solution.
In terms of your final solution, that is the way to go.
But there is a lot of work required before there.

Firstly the sites that have overlapping IP's needs to be changed as Microsoft does not support domain trusts across double NAT'ed networks.

Remember with the IP change to check your DNS servers settings, DHCP server setting and DNS records for Domain controllers.

That should set you up nicely for the domain trust.
You'd have to trust each domain that you'd like to share resources with as domain trusts are not inheritable.

If the domain trusts are working then you can start your domain migrations.

The easiest option is to setup a new DC for the new domain at each site and then start migrating the 3 domains.

Depending on the number of applications and servers that you have to port, this project could be anything from 3 months to 24 months.

This is just a high-level plan so do some reading to make sure you know what is happening and what you want to achieve.

Your best starting point for planning a domain consolidation project is http://www.microsoft.com/en-us/download/details.aspx?id=19188
0
 

Author Comment

by:Jasnan123
ID: 39743336
Thanks for the experts for your valuable comments. Now I have got an overall idea to get started. I have one more doubt..what type of connection we need in between sites? MPLS or VPN connection which would better and cost effective?
0
 
LVL 6

Expert Comment

by:Brad Held
ID: 39766928
You would have to price it out, but MPLS connection over such large distances may be cost prohibitive versus a dedicated VPN device. Buying dedicated VPN devices to link the connections would have the cost up front versus a monthly expense for a provider to create the link.

Again you would have to price it out.
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In the absence of a fully-fledged GPO Management product like AGPM, the script in this article will provide you with a simple way to watch the domain (or a select OU) for GPOs changes and automatically take backups when policies are added, removed o…
How to deal with a specific error when using the Enable-RemoteMailbox cmdlet to create a mailbox in the cloud-based service, for an existing user in an on-premises Active Directory.
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

721 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question