
Active Directory Design - Best Practice

Joe asked
495 Views
Last Modified: 2017-04-05
My company has acquired other businesses in the last year or so. Currently there is a need to integrate the networks to start looking at group-wide access to certain systems. We have just laid the MPLS links down and need a solution regarding AD/domain integration. There is a need for SSO where possible and some access to shared data; however, one org is a legal firm and the other holds credit card data, so there are compliance/segregation requirements. We cannot merge domains as each entity needs to remain its own brand.

So I guess we are at design/architecture decision point. It seems there are 2 options:

A/ Put trusts between the existing domains/forests (security/domain admin headaches?)
B/ Create a new domain for the holding company and place shared resources there. Then put non-transitive trusts from the existing domains to it to ensure segregation.

Is there a best practice in this scenario? (I.e. when a holding company acquires new companies and needs to add them to the corp network but keep segregation for compliance/legal requirements?)

My first question on here so thanks for your help.

MaheshArchitect
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
I would prefer the 1st option with a bit of variation:
I will build a two-way external trust with selective authentication - this will enable you to control who can access what (selective authentication).
Enable auditing on file shares and explicitly grant access where required for selected resources.

Option 2 does not look feasible, because you need to manage one more AD domain (a 3rd one) and again concerns will be raised about who will access what and how, and who will audit that.
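The controls named above (selective authentication, SID filtering, file-share auditing) can be verified from the trusting side. The following is an added example, not code from this thread; it assumes the RSAT ActiveDirectory module on a domain-joined admin workstation, and the function names (Get-TrustSegregationReport, Enable-FileShareAuditing) are the example's own.

```powershell
# Added example (not from the thread): audit the trusts of a domain for the
# segregation controls discussed above and report anything left open.
# Assumes the RSAT ActiveDirectory module is installed.
Import-Module ActiveDirectory

function Get-TrustSegregationReport {
    param(
        # Domain whose trusts are inspected; defaults to the current domain.
        [string]$Server = $env:USERDNSDOMAIN
    )
    Get-ADTrust -Filter * -Server $Server -Properties * | ForEach-Object {
        $findings = @()
        # Selective authentication is the control recommended above: without
        # it, every user of the trusted domain becomes "Authenticated Users"
        # on every resource of the trusting domain.
        if (-not $_.SelectiveAuthentication) {
            $findings += 'SelectiveAuthentication off (domain-wide authentication)'
        }
        # SID filtering (quarantine) on an external trust stops SID history
        # presented by the other domain from being honoured here.
        if (-not $_.ForestTransitive -and -not $_.SIDFilteringQuarantined) {
            $findings += 'SID filtering (quarantine) disabled on external trust'
        }
        # Kerberos full delegation across the boundary is not needed for SSO
        # to shares and widens the impact of a compromised host.
        if ($_.TGTDelegation) {
            $findings += 'TGTDelegation enabled across trust'
        }
        [pscustomobject]@{
            Partner   = $_.Name
            Direction = $_.Direction
            Forest    = $_.ForestTransitive
            Findings  = if ($findings) { $findings -join '; ' } else { 'OK' }
        }
    }
}

function Enable-FileShareAuditing {
    # Turns on success and failure auditing for the Object Access > File Share
    # subcategory on the local file server (event IDs 5140/5145 in Security).
    auditpol /set /subcategory:"File Share" /success:enable /failure:enable
}

Get-TrustSegregationReport | Format-Table -AutoSize
```

Run the report from a domain controller or RSAT workstation in each of the two existing domains; the file-share auditing function is run once per file server that will host shared data.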
JoePM

Author

Commented:
Thanks for your help/replies guys - much appreciated. It sounds like there is not really a general standard/best practice for this.

I should probably add that there will be new systems being deployed at group level, so, for example, hosting a new platform in one domain may be politically sensitive if the other company is also accessing/administrating that system. This is why we were looking at a potential 3rd group-level domain. Also, they are looking at creating a virtual helpdesk to admin 1st line across all the domains; is this achievable with just forest trusts?

Selective authentication sounds like it may achieve the segregation we need however if I can convince the Win engineers/Compliance teams it is secure...
JoePM

Author

Commented:
Thanks Mahesh, yes you are correct in that we don't want an AD migration/merge project so each will have to remain at forest level. Sounds like selective authentication is definitely the most attractive solution.

However, with non-transitive trusts to a domain solely dedicated to group services (thereby cutting off comms completely to the other organisation's AD), I can't see how that would not add security/segregation, but as you say it would definitely increase complexity/effort.

I will recommend selective authentication but know I will get asked how secure it is!

Thanks for your help once again.
JoePM

Author

Commented:
Thanks for the advice Mahesh, one thought I had is wouldn't the security breach you describe have far greater impact in a domain hosting operational services rather than a group domain for a few non-critical services? If the trusts are 1-way then wouldn't admins from the group domain not be able to access the trusted domains anyway?
MaheshArchitect
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
I am not talking about a one-way trust.

I am talking about the domain (either domain 1 or domain 2 in your case) that creates the new group domain: it would have admin credentials and could entirely control the group domain data.
In that case it can control data from both domains.
If you appoint a 3rd party to control the data, then not domain 1 and 2 but the 3rd party can control the data, whereas your compliance requirement is to protect data between domain 1 and 2 only.
JoePM

Author

Commented:
It would be a new forest for the group domain, not a new domain/sub-domain from an existing forest. So it would be all new admins for the group domain, pooled from each existing service desk, to deal with requests from each org regarding access to the group domain/services. If the trusts are one-way from each existing domain to the new group forest/domain, then group domain admins would not be able to access the trusted domains' data.