Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 337
  • Last Modified:

Risk and caveats when setting up multiple AD domain trust ?

Hi,

Can anyone please share the caveats or the risk when setting up the AD trust between my current AD domain and approximately 20+ different AD domain in separate site office sites ?

I need to know before setting up the two way AD trust through the AD sites and trust console.

Thanks.
0
Senior IT System Engineer
Asked:
Senior IT System Engineer
  • 4
  • 3
3 Solutions
 
Senior IT System EngineerIT ProfessionalAuthor Commented:
The reason why there are so many AD domain to be joined is that because my senior IT management told me to add the site office AD into the current parent company AD.

Because when the site office is closed or bought by another company, we don't have to spend too much time to setup the AD domain again to make it running again.

So the idea here is to be able to tell the user in each of the site office to use the PARENTCOMPANY.com\Username account to login to their workstation.

The Exchange Server access has been provided to the site office user when they access it through the terminal server.
0
 
Will SzymkowskiSenior Solution ArchitectCommented:
If you have a two way forest trust between a domain this allows users from the opposing forest to use and access resources in the other trusted forest. This is also a trasitive trust, which means if you create a 2 way forest trust any child domains in the forest will also inhertie this trust.

You can also use Selective Authentication to restrict what users/computers can be accessible from the trusted forest. This would be the best method to ensure that you are locking down your objects and not allowing everyone from the trusted forest to access resources.

Selective Authentication
https://technet.microsoft.com/en-us/library/cc758152(v=ws.10).aspx

Will.
0
 
Senior IT System EngineerIT ProfessionalAuthor Commented:
Ah cool,

That does make sense. So in this case I just need to allow the user in Site Offices to login using the ParentCompanyAD.com\User so I guess I will have to set the one way trust from each of the site offices DC to the parent company AD through the "Active Directory Sites and Services" console.

is that correct ?

in that way the user in the head office shouldn't be confused by too many drop down to select the AD domain during the logon process.
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
Will SzymkowskiSenior Solution ArchitectCommented:
Yes that is correct. One way trust is exactly what it states. Users for the trusted site can login to the trusting site. This would suffice for what your trying to accomplish.

Will.
0
 
Senior IT System EngineerIT ProfessionalAuthor Commented:
Thanks Will,

But what happened if the Site Office AD domain name is the same or if there is the same AD domain name already exist ?

Do I have to rename the AD domain first before establishing trust from the Site office before trusting it with the parent Company AD ?
0
 
Will SzymkowskiSenior Solution ArchitectCommented:
To be completely honest i have never run into something like this. I would expect that you would not have to rename the domain because both domains have different unique GUID's. It just might be confusing for humans when looking at the names in the Trust window. domaina.com has a trust with domaina.com could get confusing.

Will.
0
 
Senior IT System EngineerIT ProfessionalAuthor Commented:
thanks Will !
0

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

  • 4
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now