How to setup active directory trust between two different companies?

Posted on 2013-12-26
Last Modified: 2014-01-08
Our company has 3 offices located in UK, UAE and India. All 3 locations are using active directory domains but are not connected together and all of them having different namespace. Now we need to integrate/connect these 3 domains together. Having different domain names is acceptable but if there is a way to bring them into a unique domain name would be nice. So, in order to achieve this how these locations should be connected? ..through VPN or any other technology? 2 sites are using 192.168.10.x subnets...Do we need to change these subnets?

Recently we acquired another company that has it's own active directory forest running and is using 192.168.10.x subnet. We need to create a trust relationships with that company too..At this moment, there isn't any connection between these 2 companies.

Please direct me through the steps to achieve this..thanks
Question by:Jasnan123
  • 2

Accepted Solution

Brad Held earned 300 total points
ID: 39741135
Wow that's a lot to take in,

First the three domains, I am assuming, are in different forests.
Using the ADMT would be able to do a lot of the tasks that are involved.
Essentially you would be migrating the users from one forest into another forest.

So I would start by designing the way you want Active Directory to look when your done.
So whether there is a top level domain, and 2 child domains or if you decide to have an empty root and 3 child domains, that will be decided at a business level.

For any migration you first have to have network connectivity between the domains, dns resolution, and a trust between the domains. There are some 3rd party tools and companies that can help with the migration, Like Quest tools, Dell or Microsoft Services. When you go through the migration there are a lot of hidden gotchas that the consultants can help you overcome.

It won't just be a migration of users and your done, the network services like Exchange, SharePoint and file services will also need to migrated. Groups and security will also be a concern.

There will also be a coexistence period, where there could be users who have been migrated that needs access back to the original domain for resources so sid history will come into play.

On the subnets, yes one has to change otherwise you won't be able to route between them, and Active Directory sites and services won't be able to direct clients to the closest DC.

I know this is vague, but that is something that really needs to be thought through and understand before the migration starts and I would pick one domain and start there, and not try all three at one time.

Good luck!
LVL 26

Assisted Solution

by:Leon Fester
Leon Fester earned 200 total points
ID: 39741383
Your easiest way to connect these sites are via and MPLS cloud solution.
In terms of your final solution, that is the way to go.
But there is a lot of work required before there.

Firstly the sites that have overlapping IP's needs to be changed as Microsoft does not support domain trusts across double NAT'ed networks.

Remember with the IP change to check your DNS servers settings, DHCP server setting and DNS records for Domain controllers.

That should set you up nicely for the domain trust.
You'd have to trust each domain that you'd like to share resources with as domain trusts are not inheritable.

If the domain trusts are working then you can start your domain migrations.

The easiest option is to setup a new DC for the new domain at each site and then start migrating the 3 domains.

Depending on the number of applications and servers that you have to port, this project could be anything from 3 months to 24 months.

This is just a high-level plan so do some reading to make sure you know what is happening and what you want to achieve.

Your best starting point for planning a domain consolidation project is

Author Comment

ID: 39743336
Thanks for the experts for your valuable comments. Now I have got an overall idea to get started. I have one more doubt..what type of connection we need in between sites? MPLS or VPN connection which would better and cost effective?

Expert Comment

by:Brad Held
ID: 39766928
You would have to price it out, but MPLS connection over such large distances may be cost prohibitive versus a dedicated VPN device. Buying dedicated VPN devices to link the connections would have the cost up front versus a monthly expense for a provider to create the link.

Again you would have to price it out.

Featured Post

Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Is your Office 365 signature not working the way you want it to? Are signature updates taking up too much of your time? Let's run through the most common problems that an IT administrator can encounter when dealing with Office 365 email signatures.
This article describes my battle tested process for setting up delegation. I use this process anywhere that I need to setup delegation. In the article I will show how it applies to Active Directory
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. Theā€¦
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

861 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question