  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 220

Active Directory Trust Relationship

We are running an Active Directory with our own forest. Our sister company in another country is also running their own AD and forest. The sister company has got some business applications (SharePoint etc.) in place which we would like to use as well.

They are asking to set up a trust between the two domains / forests. I am worried that I am going to lose control over my AD. Am I wrong?
0
Asked by: whenz
3 Solutions
 
Monika Bharti commented:
A two-way forest trust between two forests allows members from either forest to utilize resources located in the other forest; domains in each respective forest trust domains in the other forest implicitly. For example, when a two-way forest trust is established between forest A and forest B, members of forest A can access resources located in forest B, and members of forest B can access resources in forest A, using the same trust.

Forest trust:  Forest trust is transitive in nature

Authentication requests follow these trust paths, so accounts from any domain in the forest can be authenticated at any other domain in the forest. With a single logon process, accounts with the proper permissions can access resources in any domain in the forest.
So you might not lose the access as long as you both trust each other and ensure that you trust the administrators of the trusted domain, as well as their security practices.
0
 
Mohammed Khawaja commented:
Creating a trust relationship does not mean losing control over your AD; it will provide cross-forest/cross-domain access to resources. As long as you don't give them domain admin privileges to your domain, you are fine. I would take this as a learning opportunity to see how they have set up their AD, and it might be worth it to migrate to a single domain or forest.
0
 
DrAtomic commented:
Each forest will keep its admins without gaining control of the other forest. You are not joining forests; you are gaining or giving access to containers to allow setting rights to resources in the other forest. You could also go the route of setting up a one-way trust.

See http://technet.microsoft.com/en-us/library/cc755427(v=ws.10).aspx for an explanation of how trusts work
See http://technet.microsoft.com/en-us/library/cc773010(v=ws.10).aspx for forest trusts
See http://technet.microsoft.com/en-us/library/cc736874(v=ws.10).aspx for all information regarding trusts
0
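
An added example, not part of the thread or any poster's code: a read-only PowerShell check for the two points raised in the answers above, namely which direction each trust runs and whether any account from another forest holds membership in a privileged group of your domain. It assumes the RSAT ActiveDirectory module; the function names and the group list are illustrative choices.

```powershell
# Added example: read-only audit, run in your own domain.
Import-Module ActiveDirectory

function Get-TrustSummary {
    # One row per trust object defined on the current domain.
    Get-ADTrust -Filter * | ForEach-Object {
        [pscustomobject]@{
            Partner     = $_.Name
            Direction   = $_.Direction         # Inbound, Outbound or BiDirectional
            ForestTrust = $_.ForestTransitive  # True for a forest trust
            IntraForest = $_.IntraForest       # True for trusts inside your own forest
        }
    }
}

function Get-ForeignPrivilegedMember {
    # Domain Admins is a global group and cannot hold accounts from another
    # forest, so cross-forest administrative rights would appear in domain
    # local groups such as the built-in ones below (assumed list; extend it
    # with any domain local groups you have delegated rights to).
    param(
        [string[]]$GroupName = @('Administrators', 'Account Operators',
                                 'Server Operators', 'Backup Operators')
    )
    foreach ($name in $GroupName) {
        $group = Get-ADGroup -Identity $name -Properties member
        foreach ($dn in $group.member) {
            # Accounts from a trusted domain are stored as foreign security
            # principals named after their SID; S-1-5-21-* is a domain SID,
            # which excludes well-known identities like Authenticated Users.
            if ($dn -match '^CN=(S-1-5-21-[\d-]+),CN=ForeignSecurityPrincipals,') {
                [pscustomobject]@{ Group = $name; ForeignSid = $Matches[1] }
            }
        }
    }
}

Get-TrustSummary | Format-Table -AutoSize

$foreign = @(Get-ForeignPrivilegedMember)
if ($foreign.Count -eq 0) {
    'No accounts from other domains are direct members of the checked groups.'
} else {
    $foreign | Format-Table -AutoSize
}
```

Only direct members are inspected; a foreign account nested inside another domain local group that is itself a member of one of these groups will not be reported.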
