[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now

x
?
Solved

Active Directory Trust Relationship

Posted on 2015-01-14
3
Medium Priority
?
217 Views
Last Modified: 2015-01-14
We are running an Active Directory with our own forest.  Our sister company in another country is also running their own AD and forest.  The sister company has got some business applications (SharePoint etc) in place which we would like to use as well.  

They are asking to setup a trust between the two domains / forest.  I am worrying that I am going to loose control over my AD.  Am I wrong?
0
Comment
Question by:whenz
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 4

Accepted Solution

by:
Monika Bharti earned 668 total points
ID: 40548592
A two-way, forest trust between two forests allows members from either forest to utilize resources located in the other forest, domains in each respective forest trust domains in the other forest implicitly. For example, when a two-way, forest trust is established between forest A and forest B, members of forest A can access resources located in forest B, and members of forest B can access resources in forest A, using the same trust.

Forest trust:  Forest trust is transitive in nature

Authentication requests follow these trust paths, so accounts from any domain in the forest can be authenticated at any other domain in the forest. With a single logon process, accounts with the proper permissions can access resources in any domain in the forest.
So you might not loose the access as long as you both trust each other and ensure that you trust the administrators of the trusted domain, as well as their security practices.
0
 
LVL 25

Assisted Solution

by:Mohammed Khawaja
Mohammed Khawaja earned 668 total points
ID: 40548595
Creating Trust-Relationship does not mean losing control over your AD, it will provide cross-forest/cross-domain access to resources.  As long as you don't give them domain admin privileges to your domain, you are fine.  I would take this as a learning opportunity to see how they have setup their AD and it might be worth it to migrate to a single domain or forest.
0
 
LVL 7

Assisted Solution

by:DrAtomic
DrAtomic earned 664 total points
ID: 40548617
Each forest will keep it's admins without gaining control of the other forest, you are not joining forests you are gaining or giving access to containers to allow setting rights to resources in the other forest. You could also go the route of setting up a one way trust.

See http://technet.microsoft.com/en-us/library/cc755427(v=ws.10).aspx for a explanation of how trusts work
See http://technet.microsoft.com/en-us/library/cc773010(v=ws.10).aspx for forest trusts
See http://technet.microsoft.com/en-us/library/cc736874(v=ws.10).aspx for all information regarding trusts
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Always backup Domain, SYSVOL etc.using processes according to Microsoft Best Practices. This is meant as a disaster recovery process for small environments that did not implement backup processes and did not run a secondary domain controller that ne…
Active Directory can easily get cluttered with unused service, user and computer accounts. In this article, I will show you the way I like to implement ADCleanup..
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Suggested Courses

656 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question