Solved

Risks and caveats when setting up multiple AD domain trusts?

Posted on 2015-02-15
Last Modified: 2015-02-26
Hi,

Can anyone please share the caveats or risks when setting up AD trusts between my current AD domain and approximately 20+ different AD domains in separate site offices?

I need to know before setting up the two-way AD trust through the AD Sites and Trusts console.

Thanks.
7 Comments
 
LVL 8

Author Comment

by: Senior IT System Engineer
ID: 40610637
The reason why there are so many AD domains to be joined is that my senior IT management told me to add the site office ADs into the current parent company AD.

That way, when a site office is closed or bought by another company, we don't have to spend too much time setting up the AD domain again to get it running again.

So the idea here is to be able to tell the users in each of the site offices to use the PARENTCOMPANY.com\Username account to log in to their workstations.

Exchange Server access has been provided to the site office users when they access it through the terminal server.
0
 
LVL 53

Accepted Solution

by: Will Szymkowski (earned 500 total points)
ID: 40611001
If you have a two-way forest trust between domains, this allows users from the opposing forest to use and access resources in the other trusted forest. This is also a transitive trust, which means that if you create a two-way forest trust, any child domains in the forest will also inherit this trust.

You can also use Selective Authentication to restrict which users/computers can be accessed from the trusted forest. This would be the best method to ensure that you are locking down your objects and not allowing everyone from the trusted forest to access resources.

Selective Authentication
https://technet.microsoft.com/en-us/library/cc758152(v=ws.10).aspx

Will.
0
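What Selective Authentication means in practice, as an added example that is not part of the original answer: once it is switched on, accounts from the trusted forest can only authenticate to a computer in the trusting forest whose computer object grants them the "Allowed to Authenticate" control access right. The script below grants that right on the site-office workstation objects and checks the result. It is assumed to run on a domain controller (or an RSAT host) in the trusting site-office forest; the OU `OU=Workstations,DC=siteoffice,DC=local` and the group `PARENTCOMPANY\SiteOffice-Users` are assumed names, not taken from the thread.

```powershell
# Added example, not from the original post. Run in the trusting (site-office)
# forest after selective authentication is enabled on the trust to PARENTCOMPANY.
# Assumed names: OU=Workstations,DC=siteoffice,DC=local, PARENTCOMPANY\SiteOffice-Users.
Import-Module ActiveDirectory

$workstationOU = 'OU=Workstations,DC=siteoffice,DC=local'
$trustedGroup  = New-Object -TypeName System.Security.Principal.NTAccount `
                            -ArgumentList 'PARENTCOMPANY', 'SiteOffice-Users'

# rightsGuid of the "Allowed-To-Authenticate" control access right in the AD schema.
# With selective authentication on, a principal from the trusted forest can only
# authenticate to a computer whose object grants it this right.
$AllowedToAuthenticate = [guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'

function Grant-AllowedToAuthenticate {
    param(
        [Parameter(Mandatory)][string]$ComputerDN,
        [Parameter(Mandatory)][System.Security.Principal.IdentityReference]$Identity
    )
    # ExtendedRight + the rightsGuid = an ACE for exactly this control access right
    $rule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
        -ArgumentList $Identity,
                      [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
                      [System.Security.AccessControl.AccessControlType]::Allow,
                      $AllowedToAuthenticate
    $path = "AD:\$ComputerDN"
    $acl  = Get-Acl -Path $path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

function Test-AllowedToAuthenticate {
    param(
        [Parameter(Mandatory)][string]$ComputerDN,
        [Parameter(Mandatory)][System.Security.Principal.IdentityReference]$Identity
    )
    # True when an Allow ACE for Allowed-To-Authenticate exists for this identity
    $acl = Get-Acl -Path "AD:\$ComputerDN"
    [bool]($acl.Access | Where-Object {
        $_.ObjectType -eq $AllowedToAuthenticate -and
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference -eq $Identity
    })
}

# Grant the right on every workstation object in the OU, then verify each one.
# A workstation joined later needs the same grant (or grant it once on the OU
# with inheritance), otherwise PARENTCOMPANY users cannot log on to it at all.
Get-ADComputer -Filter * -SearchBase $workstationOU | ForEach-Object {
    Grant-AllowedToAuthenticate -ComputerDN $_.DistinguishedName -Identity $trustedGroup
    '{0}: AllowedToAuthenticate={1}' -f $_.Name,
        (Test-AllowedToAuthenticate -ComputerDN $_.DistinguishedName -Identity $trustedGroup)
}
```

The same right can be granted on servers (for example the terminal server mentioned in the question) in the same way; anything not explicitly granted stays unreachable from the trusted forest, which is the point of selective authentication.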
 
LVL 8

Author Comment

by: Senior IT System Engineer
ID: 40611330
Ah cool,

That does make sense. So in this case I just need to allow the users in the site offices to log in using ParentCompanyAD.com\User, so I guess I will have to set up the one-way trust from each of the site offices' DCs to the parent company AD through the "Active Directory Sites and Services" console.

Is that correct?

That way, the users in the head office shouldn't be confused by too many drop-down entries to select the AD domain from during the logon process.
0
 
LVL 53

Assisted Solution

by: Will Szymkowski (earned 500 total points)
ID: 40611535
Yes, that is correct. A one-way trust is exactly what it states: users from the trusted site can log in to the trusting site. This would suffice for what you're trying to accomplish.

Will.
0
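The one-way, locked-down trust this answer and the accepted answer describe, as an added example that is not part of the original answers: the script creates the site-office side of a one-way forest trust to the parent forest in the right direction (Outbound, so PARENTCOMPANY.com accounts can log on here and nothing flows back), turns on selective authentication and SID filtering while creating it, and then audits every trust of the forest against those same settings, which is the caveat check the original question asked for. It is assumed to run as an Enterprise Admin on a domain controller (or RSAT host) in the site-office forest; PARENTCOMPANY.com is taken from the question, the `New-OneWayForestTrust` and `Get-TrustReview` function names and the one-time password prompt are the example's own. The parent side completes the trust by running the same script with `-Direction Inbound` and the same password, once per site-office forest. The `System.DirectoryServices.ActiveDirectory.Forest` methods and the trustAttributes bits used below are the documented ones; `netdom trust` is not used because it creates external trusts, not forest trusts.

```powershell
# Added example, not from the original post. Run as Enterprise Admin in the
# site-office forest. PARENTCOMPANY.com is the account forest from the question.
# The parent side runs: New-OneWayForestTrust -TargetForest <site forest> -Direction Inbound
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

$TrustedForest = 'parentcompany.com'
$TrustPassword = Read-Host 'One-time trust password (enter the same value on the parent side)'

function New-OneWayForestTrust {
    param(
        [Parameter(Mandatory)][string]$TargetForest,
        [Parameter(Mandatory)][string]$Password,
        # Outbound: this forest trusts $TargetForest (its accounts log on here).
        # Inbound:  $TargetForest trusts this forest. Bidirectional is deliberately
        # not offered; the thread settles on one-way.
        [ValidateSet('Outbound', 'Inbound')][string]$Direction = 'Outbound'
    )
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $dir    = [System.DirectoryServices.ActiveDirectory.TrustDirection]$Direction
    # Creates only this forest's half of the trust; the partner creates the other half.
    $forest.CreateLocalSideOfTrustRelationship($TargetForest, $dir, $Password)
    if ($Direction -eq 'Outbound') {
        # Both controls are enforced by the trusting (outbound) side:
        # selective authentication: only principals granted Allowed-To-Authenticate on
        # a computer object can use the trust; SID filtering: SID-history SIDs presented
        # across the trust are dropped (default for forest trusts, set explicitly here).
        $forest.SetSelectiveAuthenticationStatus($TargetForest, $true)
        $forest.SetSidFilteringStatus($TargetForest, $true)
    }
}

# trustAttributes bits on the trustedDomain object
$TRUST_ATTRIBUTE_QUARANTINED_DOMAIN = 0x04   # SID filtering on an external trust
$TRUST_ATTRIBUTE_FOREST_TRANSITIVE  = 0x08   # forest trust: partner's child domains are included
$TRUST_ATTRIBUTE_CROSS_ORGANIZATION = 0x10   # selective authentication
$TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL  = 0x40   # forest trust with SID history allowed (filtering relaxed)

function Get-TrustReview {
    # One row per external/forest trust; NeedsReview marks anything wider than a
    # one-way trust with selective authentication and SID filtering.
    Get-ADTrust -Filter * | Where-Object { -not $_.IntraForest } | ForEach-Object {
        $attr      = [int]$_.TrustAttributes
        $isForest  = ($attr -band $TRUST_ATTRIBUTE_FOREST_TRANSITIVE) -ne 0
        $selective = ($attr -band $TRUST_ATTRIBUTE_CROSS_ORGANIZATION) -ne 0
        # Forest trusts filter SIDs unless TREAT_AS_EXTERNAL relaxes it; external
        # trusts filter only when QUARANTINED_DOMAIN is set.
        $sidFiltered = if ($isForest) { ($attr -band $TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL) -eq 0 } else { ($attr -band $TRUST_ATTRIBUTE_QUARANTINED_DOMAIN) -ne 0 }
        [pscustomobject]@{
            Partner       = $_.Name
            Direction     = $_.Direction          # Inbound / Outbound / BiDirectional
            ForestTrust   = $isForest
            SelectiveAuth = $selective
            SidFiltering  = $sidFiltered
            NeedsReview   = ($_.Direction -eq 'BiDirectional') -or (-not $selective) -or (-not $sidFiltered)
        }
    }
}

New-OneWayForestTrust -TargetForest $TrustedForest -Password $TrustPassword -Direction Outbound
Get-TrustReview | Format-Table -AutoSize
```

With 20+ site-office forests the audit matters more than the creation step: on the parent side every one of those trusts is Inbound and carries no settings to enforce, so a trust that was later widened to two-way, or had selective authentication or SID filtering switched off, shows up only when each site-office forest is reviewed with the `NeedsReview` column.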
 
LVL 8

Author Comment

by: Senior IT System Engineer
ID: 40611653
Thanks Will,

But what happens if the site office AD domain name is the same, or if the same AD domain name already exists?

Do I have to rename the site office AD domain first before establishing a trust with the parent company AD?
0
 
LVL 53

Assisted Solution

by: Will Szymkowski (earned 500 total points)
ID: 40614798
To be completely honest, I have never run into something like this. I would expect that you would not have to rename the domain because both domains have different unique GUIDs. It just might be confusing for humans when looking at the names in the Trust window: domaina.com having a trust with domaina.com could get confusing.

Will.
0
 
LVL 8

Author Closing Comment

by: Senior IT System Engineer
ID: 40634574
Thanks Will!
0
