
Windows 2008 R2 Domain Forest Trust to Windows 2012 R2

Posted on 2016-08-20
Last Modified: 2016-08-24
I am 99% sure I know the answer to this, but I just want to double check.

My domain and forest level is Windows 2008 R2. With this in mind, I should have no problem setting up a trust with another remote domain that is running any forest level version Windows 2003 or greater, correct?

Also, when a trust is set up, this is just the connector between domains and does not grant access to the remote domain resources even if the domain-wide authentication level is used, correct?
Question by:compdigit44
7 Comments
 
LVL 1

Expert Comment

by:saumik belel
ID: 41764119
To create a forest trust, the minimum forest functional level for the forests that are involved in the trust relationship is Windows Server 2003.

You can create a forest trust between two Windows Server 2003 forests, between two Windows Server 2008 forests, between two Windows Server 2008 R2 forests, between a Windows Server 2003 forest and a Windows Server 2008 forest, between a Windows Server 2003 forest and a Windows Server 2008 R2 forest, or between a Windows Server 2008 forest and a Windows Server 2008 R2 forest.

Configuring Selective Authentication Settings

Trusts that are created between Windows Server 2008 forests can use legacy authentication settings (settings that were used in Windows 2000 Server) or selective authentication. Selective authentication is a security setting that can be enabled on external trusts and forest trusts between Windows Server 2003 forests and Windows Server 2008 forests, in any combination. Selective authentication provides Active Directory administrators who manage a trusting forest more control over which groups of users in a trusted forest can access shared resources in the trusting forest. Because creating an external trust or forest trust provides a pathway for all authentication requests between the forests, this increased control is especially important when administrators need to grant access to shared resources in their organization’s forest to a limited set of users in another organization’s forest.


-- Kindly take a look at the below document, hope it helps.

https://technet.microsoft.com/en-us/library/cc816580(v=ws.10).aspx
0
 
LVL 20

Author Comment

by:compdigit44
ID: 41764352
Thank you very much for your feedback... The one item I am still fuzzy on is after the trust is set up, this does not automatically provide authentication, or does it if using domain-wide authentication?
1
 
LVL 1

Expert Comment

by:saumik belel
ID: 41764386
When establishing a domain trust there are two options for defining the way that users from the trusted domain authenticate to the trusting domain.

1. The domain-wide authentication setting permits unrestricted access by any users in the trusted domain to all available shared resources in the trusting domain. This is the default authentication setting for external trusts.
With this method users from the trusted domain are able to access servers, services, shares and files with normal NTFS and share permissions.

2. “Selective authentication” takes a “deny all” approach, explicitly blocking all access at the server level to all users who are not explicitly granted the “Allowed to authenticate” permission.
With this method administrators must grant rights to each system they wish to allow access to in addition to the NTFS and share permissions. It is an extra level of security and may give your domain administrators a little ease when considering the domain trust risks.
0
 
LVL 20

Author Comment

by:compdigit44
ID: 41764399
Thank you very much. I understand the difference between domain-wide and selective authentication, but I am trying to confirm that just setting up a trust does not grant permission, correct? Or does it if using domain-wide?
0
 
LVL 18

Expert Comment

by:Sushil Sonawane
ID: 41764898
Hi

It totally depends on what type of authentication you have set up.

Domain-wide Authentication (trust type: External): Permits unrestricted access by any users. Default authentication setting for external trusts.
Forest-wide Authentication (trust type: Forest): Permits unrestricted access by any users. Default authentication setting for forest trusts.
Selective Authentication (trust type: External and Forest): Restricts access over an external Authentication setting must be manually enabled


For more info refer below links:

https://araihan.wordpress.com/2009/08/05/how-to-create-an-external-trust-between-two-domains/

http://www.tech-faq.com/understanding-trust-relationships.html
0
 
LVL 20

Author Comment

by:compdigit44
ID: 41766090
So if you set up the trust with domain-wide authentication, that access is automatically granted, correct?
0
 
LVL 18

Accepted Solution

by:
Sushil Sonawane earned 2000 total points
ID: 41766421
Yes, if you set up the trust domain-wide then it will automatically grant access to users and computers.
1
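
An added example, not part of the thread or any poster's code: a PowerShell helper that reports which authentication setting (domain-wide, forest-wide or selective) each trust uses and flags outgoing or two-way trusts that are not selective. The function name `Get-TrustAuthScope` and the sample trust objects are constructed for illustration; the property names are those of the objects returned by `Get-ADTrust` in the ActiveDirectory module.

```powershell
# Added example: classify trusts by the authentication scope discussed above.
function Get-TrustAuthScope {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Trust
    )
    process {
        # Trusts inside the same forest do not carry this setting; skip them.
        if ($Trust.IntraForest) { return }

        # The setting controls who may authenticate to THIS domain, so it
        # matters when this domain is the trusting side (outgoing or two-way).
        $direction    = [string]$Trust.Direction
        $exposesLocal = $direction -in 'Outbound', 'BiDirectional'

        if ($Trust.SelectiveAuthentication) {
            $scope = 'Selective'
        } elseif ($Trust.ForestTransitive) {
            $scope = 'Forest-wide'
        } else {
            $scope = 'Domain-wide'
        }

        [pscustomobject]@{
            Trust       = $Trust.Name
            Direction   = $direction
            AuthScope   = $scope
            NeedsReview = ($exposesLocal -and $scope -ne 'Selective')
        }
    }
}

# Constructed sample input standing in for the output of: Get-ADTrust -Filter *
$sampleTrusts = @(
    [pscustomobject]@{ Name = 'partner.example'; Direction = 'BiDirectional'; IntraForest = $false; ForestTransitive = $true;  SelectiveAuthentication = $false }
    [pscustomobject]@{ Name = 'vendor.example';  Direction = 'Outbound';      IntraForest = $false; ForestTransitive = $false; SelectiveAuthentication = $true  }
    [pscustomobject]@{ Name = 'legacy.example';  Direction = 'Inbound';       IntraForest = $false; ForestTransitive = $false; SelectiveAuthentication = $false }
    [pscustomobject]@{ Name = 'child.corp.example'; Direction = 'BiDirectional'; IntraForest = $true; ForestTransitive = $false; SelectiveAuthentication = $false }
)

$sampleTrusts | Get-TrustAuthScope |
    Sort-Object NeedsReview -Descending |
    Format-Table -AutoSize
```

On a domain-joined host with the ActiveDirectory module loaded, replace `$sampleTrusts` with `Get-ADTrust -Filter *` to run the same report against the real trust objects.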
