Solved

Active Directory Trust Relationship

Posted on 2015-01-14
Last Modified: 2015-01-14
We are running an Active Directory with our own forest.  Our sister company in another country is also running their own AD and forest.  The sister company has got some business applications (SharePoint etc) in place which we would like to use as well.  

They are asking to set up a trust between the two domains / forests.  I am worried that I am going to lose control over my AD.  Am I wrong?
Question by:whenz
3 Comments
 
LVL 4

Accepted Solution

by:
Monika Bharti earned 167 total points
ID: 40548592
A two-way forest trust between two forests allows members from either forest to utilize resources located in the other forest; domains in each respective forest trust domains in the other forest implicitly. For example, when a two-way forest trust is established between forest A and forest B, members of forest A can access resources located in forest B, and members of forest B can access resources in forest A, using the same trust.

Forest trust:  Forest trust is transitive in nature

Authentication requests follow these trust paths, so accounts from any domain in the forest can be authenticated at any other domain in the forest. With a single logon process, accounts with the proper permissions can access resources in any domain in the forest.
So you might not lose the access as long as you both trust each other and ensure that you trust the administrators of the trusted domain, as well as their security practices.
0
 
LVL 25

Assisted Solution

by:Mohammed Khawaja
Mohammed Khawaja earned 167 total points
ID: 40548595
Creating a trust relationship does not mean losing control over your AD; it will provide cross-forest/cross-domain access to resources.  As long as you don't give them domain admin privileges to your domain, you are fine.  I would take this as a learning opportunity to see how they have set up their AD, and it might be worth it to migrate to a single domain or forest.
0
 
LVL 7

Assisted Solution

by:DrAtomic
DrAtomic earned 166 total points
ID: 40548617
Each forest will keep its admins without gaining control of the other forest; you are not joining forests, you are gaining or giving access to containers to allow setting rights to resources in the other forest. You could also go the route of setting up a one-way trust.

See http://technet.microsoft.com/en-us/library/cc755427(v=ws.10).aspx for an explanation of how trusts work
See http://technet.microsoft.com/en-us/library/cc773010(v=ws.10).aspx for forest trusts
See http://technet.microsoft.com/en-us/library/cc736874(v=ws.10).aspx for all information regarding trusts
0
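
Added example, not part of any answer above: a PowerShell check you could run in your own forest once a trust exists, covering the two points raised in the answers (which direction the trust runs, and whether accounts from the other forest have ended up in privileged groups). The function names `Get-TrustSummary` and `Get-ForeignGroupMembership` and the list of groups treated as privileged are assumptions made for this illustration.

```powershell
# Run from a domain-joined management host in your own forest (RSAT ActiveDirectory module).
Import-Module ActiveDirectory

# 1. Trust inventory. Direction is from this domain's point of view:
#    Inbound       = the other side trusts us (our users can be granted access there)
#    Outbound      = we trust the other side (their users can be granted access here)
#    BiDirectional = both
function Get-TrustSummary {
    Get-ADTrust -Filter * |
        Select-Object Name, Direction, ForestTransitive, IntraForest,
                      SelectiveAuthentication, SIDFilteringForestAware, SIDFilteringQuarantined
}

# 2. Where accounts from outside this forest have been added to local groups.
#    Such members appear as foreignSecurityPrincipal objects named after their SID.
function Get-ForeignGroupMembership {
    param(
        # Built-in groups to flag (assumed list); extend with your own delegated admin groups.
        [string[]]$PrivilegedGroup = @('Administrators', 'Account Operators',
                                       'Server Operators', 'Backup Operators')
    )
    Get-ADObject -Filter 'objectClass -eq "foreignSecurityPrincipal"' -Properties memberOf |
        Where-Object { $_.Name -like 'S-1-5-21-*' } |   # skip well-known SIDs such as S-1-5-11
        ForEach-Object {
            $sid = $_.Name
            try {
                $account = ([Security.Principal.SecurityIdentifier]$sid).Translate(
                    [Security.Principal.NTAccount]).Value
            } catch {
                $account = '(unresolved)'   # trust unreachable or account deleted
            }
            foreach ($groupDn in $_.memberOf) {
                $groupName = (Get-ADGroup -Identity $groupDn).Name
                [pscustomobject]@{
                    ForeignSid = $sid
                    Account    = $account
                    Group      = $groupName
                    Privileged = $PrivilegedGroup -contains $groupName
                }
            }
        }
}

Get-TrustSummary | Format-Table -AutoSize
Get-ForeignGroupMembership | Sort-Object Privileged -Descending | Format-Table -AutoSize
```

If the goal is only for your users to reach the sister company's applications, the trust summary should show `Inbound` for their forest, and the second table should have no rows marked `Privileged`.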
