Solved

Risk and caveats when setting up multiple AD domain trusts?

Posted on 2015-02-15
246 Views
Last Modified: 2015-02-26
Hi,

Can anyone please share the caveats or the risks when setting up the AD trust between my current AD domain and approximately 20+ different AD domains in separate site offices?

I need to know before setting up the two-way AD trust through the AD sites and trust console.

Thanks.
7 Comments

Author Comment by: Senior IT System Engineer (LVL 7)
The reason why there are so many AD domains to be joined is that my senior IT management told me to add the site office ADs into the current parent company AD.

Because when a site office is closed or bought by another company, we don't have to spend too much time setting up the AD domain again to make it run again.

So the idea here is to be able to tell the users in each of the site offices to use the PARENTCOMPANY.com\Username account to log in to their workstations.

The Exchange Server access has been provided to the site office users when they access it through the terminal server.

Accepted Solution by: Will Szymkowski (LVL 53), earned 500 total points
If you have a two-way forest trust between domains, this allows users from the opposing forest to use and access resources in the other trusted forest. This is also a transitive trust, which means if you create a two-way forest trust, any child domains in the forest will also inherit this trust.

You can also use Selective Authentication to restrict what users/computers can be accessible from the trusted forest. This would be the best method to ensure that you are locking down your objects and not allowing everyone from the trusted forest to access resources.

Selective Authentication
https://technet.microsoft.com/en-us/library/cc758152(v=ws.10).aspx

Will.
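As an added example (not part of Will's answer or anything on the original page), the following PowerShell script shows the two defensive steps the answer describes: auditing which existing trusts still allow open authentication, and granting one group from the trusted forest the "Allowed to Authenticate" right on a single resource server once selective authentication is on. PARENTCOMPANY.com, siteoffice.local, the group name and the server name are assumed placeholders; it needs the RSAT ActiveDirectory module and runs in the trusting (resource) forest.

```powershell
# Added example, not from the thread. Requires the RSAT ActiveDirectory module and
# runs on a DC or admin host in the trusting (resource) forest, PARENTCOMPANY.com.
# siteoffice.local, the group and the server name below are placeholders.
Import-Module ActiveDirectory

# 1. Audit: a forest-transitive trust without selective authentication lets every
#    user in the trusted forest authenticate to every resource in this forest.
function Get-TrustRisk {
    Get-ADTrust -Filter * | ForEach-Object {
        [pscustomobject]@{
            Trust            = $_.Name
            Direction        = $_.Direction
            ForestTransitive = $_.ForestTransitive
            SelectiveAuth    = $_.SelectiveAuthentication
            Risk             = if (-not $_.SelectiveAuthentication) { 'Open: any trusted-forest user may authenticate' }
                               else { 'OK' }
        }
    }
}

# 2. Switch an existing trust to selective authentication from the trusting side.
#    netdom is the documented tool for this flag (there is no cmdlet for it):
#    netdom trust PARENTCOMPANY.com /d:siteoffice.local /SelectiveAuth:yes

# 3. Under selective authentication nobody from the trusted forest can reach a server
#    until 'Allowed to Authenticate' is granted on that server's computer object.
#    The right's GUID is looked up in the schema rather than hard-coded.
function Grant-AllowedToAuthenticate {
    param(
        [string]$TrustedDomain  = 'siteoffice.local',          # placeholder
        [string]$Group          = 'SiteOffice Terminal Users', # placeholder
        [string]$ResourceServer = 'TS01'                       # placeholder
    )
    $config = (Get-ADRootDSE).ConfigurationNamingContext
    $right  = Get-ADObject -SearchBase "CN=Extended-Rights,$config" `
                -LDAPFilter '(&(objectClass=controlAccessRight)(displayName=Allowed to Authenticate))' `
                -Properties rightsGuid
    $sid = (Get-ADGroup -Identity $Group -Server $TrustedDomain).SID
    $dn  = (Get-ADComputer -Identity $ResourceServer).DistinguishedName
    $acl = Get-Acl -Path "AD:\$dn"
    # One ACE: allow the trusted-forest group the ExtendedRight identified by the GUID.
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, 'ExtendedRight', 'Allow', [guid]$right.rightsGuid)
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$dn" -AclObject $acl
}

Get-TrustRisk | Format-Table -AutoSize
```

Run Get-TrustRisk before and after changing the trust so the change is recorded, and grant the right per server rather than at an OU so the exposure stays as narrow as the answer recommends.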

Author Comment by: Senior IT System Engineer (LVL 7)
Ah cool,

That does make sense. So in this case I just need to allow the users in the site offices to log in using ParentCompanyAD.com\User, so I guess I will have to set up the one-way trust from each of the site office DCs to the parent company AD through the "Active Directory Sites and Services" console.

Is that correct?

In that way the users in the head office shouldn't be confused by too many drop-down entries when selecting the AD domain during the logon process.
Assisted Solution by: Will Szymkowski (LVL 53)
Yes, that is correct. A one-way trust is exactly what it states. Users from the trusted site can log in to the trusting site. This would suffice for what you're trying to accomplish.

Will.

Author Comment by: Senior IT System Engineer (LVL 7)
Thanks Will,

But what happens if the site office AD domain name is the same, or if the same AD domain name already exists?

Do I have to rename the site office AD domain first before establishing the trust with the parent company AD?

Assisted Solution by: Will Szymkowski (LVL 53)
To be completely honest, I have never run into something like this. I would expect that you would not have to rename the domain, because both domains have different unique GUIDs. It just might be confusing for humans when looking at the names in the Trust window; domaina.com having a trust with domaina.com could get confusing.

Will.

Author Closing Comment by: Senior IT System Engineer (LVL 7)
Thanks Will!