Solved

Risks and caveats when setting up multiple AD domain trusts?

Posted on 2015-02-15
266 Views
Last Modified: 2015-02-26
Hi,

Can anyone please share the caveats or the risks when setting up an AD trust between my current AD domain and approximately 20+ different AD domains in separate site offices?

I need to know before setting up the two-way AD trust through the AD sites and trust console.

Thanks.
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 40610637
The reason there are so many AD domains to be joined is that my senior IT management told me to add the site office AD into the current parent company AD.

Because when the site office is closed or bought by another company, we don't have to spend too much time setting up the AD domain again to make it run again.

So the idea here is to be able to tell the users in each of the site offices to use the PARENTCOMPANY.com\Username account to log in to their workstation.

The Exchange Server access has been provided to the site office users when they access it through the terminal server.
LVL 53

Accepted Solution

by:
Will Szymkowski earned 500 total points
ID: 40611001
If you have a two-way forest trust between domains, this allows users from the opposing forest to use and access resources in the other trusted forest. This is also a transitive trust, which means if you create a two-way forest trust, any child domains in the forest will also inherit this trust.

You can also use Selective Authentication to restrict which users/computers are accessible from the trusted forest. This would be the best method to ensure that you are locking down your objects and not allowing everyone from the trusted forest to access resources.

Selective Authentication
https://technet.microsoft.com/en-us/library/cc758152(v=ws.10).aspx

Will.
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 40611330
Ah cool,

That does make sense. So in this case I just need to allow the users in the site offices to log in using the ParentCompanyAD.com\User account, so I guess I will have to set up a one-way trust from each of the site office DCs to the parent company AD through the "Active Directory Sites and Services" console.

Is that correct?

In that way the users in the head office shouldn't be confused by too many drop-downs to select the AD domain during the logon process.
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 500 total points
ID: 40611535
Yes, that is correct. A one-way trust is exactly what it states: users from the trusted site can log in to the trusting site. This would suffice for what you're trying to accomplish.

Will.
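As an added example (not code from the thread, from Will, or from the Experts Exchange page), the following PowerShell script audits the trusts the parent domain already holds for the properties the two answers above discuss: trust direction (one-way versus two-way), forest transitivity, and whether Selective Authentication and SID filtering are enabled. It assumes the RSAT ActiveDirectory module is installed and that it runs under an account that can read trust objects in the domain it is logged on to; Get-TrustAuditReport is a hypothetical function name chosen for this example.

```powershell
# Added example, not code from the thread or its participants: audit the trusts the
# local domain holds and flag the settings discussed in the answers above before
# adding 20+ site offices.
# Assumptions: the RSAT ActiveDirectory module is installed, and the script runs under
# an account that can read trust objects in the domain it is logged on to.
Import-Module ActiveDirectory

function Get-TrustAuditReport {
    # DNS root of the domain this session is logged on to, used for the name check below.
    $localDomain = (Get-ADDomain).DNSRoot
    $trusts = Get-ADTrust -Filter *

    foreach ($t in $trusts) {
        $findings = @()

        # Direction: Inbound = accounts from $t.Target can log on here (what the site
        # offices want); Outbound = the reverse; BiDirectional = both at once.
        if ($t.Direction -eq 'BiDirectional') {
            $findings += 'two-way: our accounts are also usable in the remote domain'
        }

        # A forest-transitive trust extends to every child domain of the remote forest,
        # so it reaches more principals than the single domain named as Target.
        if ($t.ForestTransitive) {
            $findings += 'forest transitive: child domains of the remote forest are trusted too'
        }

        # Selective Authentication limits remote principals to the resources explicitly
        # granted "Allowed to Authenticate"; without it the trust grants forest-wide
        # authentication. Intra-forest trusts cannot use it, so they are skipped.
        if (-not $t.IntraForest -and -not $t.SelectiveAuthentication) {
            $findings += 'selective authentication OFF (forest-wide authentication)'
        }

        # SID filtering (quarantine) on an external trust discards SIDs that do not
        # belong to the trusted domain; it is on by default and should stay on.
        if (-not $t.IntraForest -and -not $t.ForestTransitive -and -not $t.SIDFilteringQuarantined) {
            $findings += 'SID filtering (quarantine) OFF on external trust'
        }

        # Same-name concern raised later in the thread: a trust target whose DNS name
        # matches this domain deserves a second look, whatever the underlying GUIDs are.
        if ($t.Target -eq $localDomain) {
            $findings += 'trust target has the same DNS name as this domain'
        }

        [pscustomobject]@{
            Target                  = $t.Target
            Direction               = $t.Direction
            ForestTransitive        = $t.ForestTransitive
            SelectiveAuthentication = $t.SelectiveAuthentication
            SIDFilteringQuarantined = $t.SIDFilteringQuarantined
            Findings                = ($findings -join '; ')
        }
    }
}

# Usage: one row per trust; the Findings column lists what to review for that trust.
Get-TrustAuditReport | Format-Table -AutoSize -Wrap
```

Run it before and after each new trust is created. A row with an empty Findings column is a one-way, non-transitive trust with Selective Authentication and SID filtering on, which is the smallest-scope configuration the answers above point toward; any other row names the specific setting that widens the trust.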
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 40611653
Thanks Will,

But what happens if the site office AD domain name is the same, or if the same AD domain name already exists?

Do I have to rename the AD domain first before establishing the trust from the site office to the parent company AD?
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 500 total points
ID: 40614798
To be completely honest I have never run into something like this. I would expect that you would not have to rename the domain because both domains have different unique GUIDs. It just might be confusing for humans when looking at the names in the Trust window; domaina.com having a trust with domaina.com could get confusing.

Will.
LVL 7

Author Closing Comment

by:Senior IT System Engineer
ID: 40634574
Thanks Will!