Solved

Active Directory Trust Relationship

Posted on 2015-01-14
3
209 Views
Last Modified: 2015-01-14
We are running an Active Directory with our own forest.  Our sister company in another country is also running their own AD and forest.  The sister company has got some business applications (SharePoint etc) in place which we would like to use as well.  

They are asking to setup a trust between the two domains / forest.  I am worrying that I am going to loose control over my AD.  Am I wrong?
0
Comment
Question by:whenz
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 4

Accepted Solution

by:
Monika Bharti earned 167 total points
ID: 40548592
A two-way, forest trust between two forests allows members from either forest to utilize resources located in the other forest, domains in each respective forest trust domains in the other forest implicitly. For example, when a two-way, forest trust is established between forest A and forest B, members of forest A can access resources located in forest B, and members of forest B can access resources in forest A, using the same trust.

Forest trust:  Forest trust is transitive in nature

Authentication requests follow these trust paths, so accounts from any domain in the forest can be authenticated at any other domain in the forest. With a single logon process, accounts with the proper permissions can access resources in any domain in the forest.
So you might not loose the access as long as you both trust each other and ensure that you trust the administrators of the trusted domain, as well as their security practices.
0
 
LVL 25

Assisted Solution

by:Mohammed Khawaja
Mohammed Khawaja earned 167 total points
ID: 40548595
Creating Trust-Relationship does not mean losing control over your AD, it will provide cross-forest/cross-domain access to resources.  As long as you don't give them domain admin privileges to your domain, you are fine.  I would take this as a learning opportunity to see how they have setup their AD and it might be worth it to migrate to a single domain or forest.
0
 
LVL 7

Assisted Solution

by:DrAtomic
DrAtomic earned 166 total points
ID: 40548617
Each forest will keep it's admins without gaining control of the other forest, you are not joining forests you are gaining or giving access to containers to allow setting rights to resources in the other forest. You could also go the route of setting up a one way trust.

See http://technet.microsoft.com/en-us/library/cc755427(v=ws.10).aspx for a explanation of how trusts work
See http://technet.microsoft.com/en-us/library/cc773010(v=ws.10).aspx for forest trusts
See http://technet.microsoft.com/en-us/library/cc736874(v=ws.10).aspx for all information regarding trusts
0

Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article demonstrates probably the easiest way to configure domain-wide tier isolation within Active Directory. If you do not know tier isolation read https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/s…
Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

691 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question