Active Directory Trust Relationship

Posted on 2015-01-14
Medium Priority
Last Modified: 2015-01-14
We are running an Active Directory with our own forest.  Our sister company in another country is also running their own AD and forest.  The sister company has got some business applications (SharePoint etc) in place which we would like to use as well.  

They are asking to setup a trust between the two domains / forest.  I am worrying that I am going to loose control over my AD.  Am I wrong?
Question by:whenz

Accepted Solution

Monika Bharti earned 668 total points
ID: 40548592
A two-way, forest trust between two forests allows members from either forest to utilize resources located in the other forest, domains in each respective forest trust domains in the other forest implicitly. For example, when a two-way, forest trust is established between forest A and forest B, members of forest A can access resources located in forest B, and members of forest B can access resources in forest A, using the same trust.

Forest trust:  Forest trust is transitive in nature

Authentication requests follow these trust paths, so accounts from any domain in the forest can be authenticated at any other domain in the forest. With a single logon process, accounts with the proper permissions can access resources in any domain in the forest.
So you might not loose the access as long as you both trust each other and ensure that you trust the administrators of the trusted domain, as well as their security practices.
LVL 25

Assisted Solution

by:Mohammed Khawaja
Mohammed Khawaja earned 668 total points
ID: 40548595
Creating Trust-Relationship does not mean losing control over your AD, it will provide cross-forest/cross-domain access to resources.  As long as you don't give them domain admin privileges to your domain, you are fine.  I would take this as a learning opportunity to see how they have setup their AD and it might be worth it to migrate to a single domain or forest.

Assisted Solution

DrAtomic earned 664 total points
ID: 40548617
Each forest will keep it's admins without gaining control of the other forest, you are not joining forests you are gaining or giving access to containers to allow setting rights to resources in the other forest. You could also go the route of setting up a one way trust.

See http://technet.microsoft.com/en-us/library/cc755427(v=ws.10).aspx for a explanation of how trusts work
See http://technet.microsoft.com/en-us/library/cc773010(v=ws.10).aspx for forest trusts
See http://technet.microsoft.com/en-us/library/cc736874(v=ws.10).aspx for all information regarding trusts

Featured Post

Easily Design & Build Your Next Website

Squarespace’s all-in-one platform gives you everything you need to express yourself creatively online, whether it is with a domain, website, or online store. Get started with your free trial today, and when ready, take 10% off your first purchase with offer code 'EXPERTS'.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

In the absence of a fully-fledged GPO Management product like AGPM, the script in this article will provide you with a simple way to watch the domain (or a select OU) for GPOs changes and automatically take backups when policies are added, removed o…
The article explains the process to deploy a Self-Service password reset portal I developed a few years ago. Hopefully, it will prove useful to someone.  Any comments, bug reports etc. are welcome...
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Suggested Courses

624 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question