Joe asked:

Active Directory Design - Best Practice

My company has acquired another business in the last year or so. Currently there is a need to integrate the networks to start to look at group-wide access to certain systems. We have just laid the MPLS links down and need a solution regarding AD/domain integration. There is a need for SSO where possible and some access to shared data; however, one org is a legal firm and the other holds credit card data, so there are compliance/segregation requirements. We cannot merge domains as each entity needs to remain its own brand.

So I guess we are at design/architecture decision point. It seems there are 2 options:

A/ Put trusts between the existing domains/forests (security/domain admin headaches?)
B/ Create a new domain for the holding company and place shared resources there. Then put non-transitive trusts from the existing domains to it to ensure segregation.

Is there a best practice in this scenario? (I.e. when a holding company acquires new companies and needs to add them to the corp network but keep segregation for compliance/legal requirements?)

My first question on here so thanks for your help.
Topics: Best Practice, Active Directory


8/22/2022 - Mon
Mahesh

I would prefer the 1st option with a bit of variation:
I would build a two-way external trust with selective authentication - this will enable you to control who can access what (selective authentication).
Enable auditing on file shares and explicitly grant access where required for selected resources.

Option 2 does not look feasible, because you need to manage one more AD domain (a 3rd one), and again concerns will be raised over who will access what and how, and who will audit that.
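The configuration Mahesh recommends, written out as an added example rather than anything posted in the thread: it builds the two-way external trust, turns on selective authentication on both sides, grants one group from the other domain "Allowed to Authenticate" on a single file server, and enables share auditing on that server. The domain names corp.example and legal.example, the server FS01 and the group LEGAL\SharedData-Readers are assumptions; run it as a Domain Admin on a DC of corp.example with RSAT-AD-PowerShell installed.

```powershell
# Added example, not from the thread. Names below are assumed placeholders.
Import-Module ActiveDirectory

$LocalDomain  = 'corp.example'     # assumed: domain that hosts the shared resource
$RemoteDomain = 'legal.example'    # assumed: the acquired firm's domain
$RemoteAdmin  = Get-Credential -Message "Domain Admin in $RemoteDomain"

# 1. Two-way *external* trust (non-transitive: only these two domains are in scope).
$ctx    = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext(
              'Domain', $RemoteDomain, $RemoteAdmin.UserName,
              $RemoteAdmin.GetNetworkCredential().Password)
$remote = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx)
$local  = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$local.CreateTrustRelationship($remote,
    [System.DirectoryServices.ActiveDirectory.TrustDirection]::Bidirectional)

# 2. Selective authentication on each side: users from the other domain cannot
#    authenticate to any computer here until explicitly allowed on that computer object.
$local.SetSelectiveAuthenticationStatus($remote, $true)
$remote.SetSelectiveAuthenticationStatus($local, $true)
if (-not $local.GetSelectiveAuthenticationStatus($remote)) {
    throw "Selective authentication was not enabled on $LocalDomain"
}

# 3. Grant "Allowed to Authenticate" to one remote group on one server only.
$AllowedToAuthenticate = [Guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'  # extended-right GUID
$remoteGroupSid = (New-Object System.Security.Principal.NTAccount('LEGAL\SharedData-Readers')
                  ).Translate([System.Security.Principal.SecurityIdentifier])
$serverDn = (Get-ADComputer 'FS01').DistinguishedName   # assumed resource server
$acl  = Get-Acl -Path "AD:\$serverDn"
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $remoteGroupSid,
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
            [System.Security.AccessControl.AccessControlType]::Allow,
            $AllowedToAuthenticate)
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$serverDn" -AclObject $acl

# 4. Log every share access on that server (success and failure) so cross-domain
#    use can be reviewed; NTFS/share ACLs still decide what the group may open.
Invoke-Command -ComputerName 'FS01' -ScriptBlock {
    auditpol --% /set /subcategory:"File Share" /success:enable /failure:enable
    auditpol --% /set /subcategory:"Detailed File Share" /success:enable /failure:enable
}
```

Step 3 has to be repeated per resource computer object; nothing else in the trusting domain becomes reachable, which is the segregation property the thread is after.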
Joe

ASKER
Thanks for your help/replies guys - much appreciated. It sounds like there is not really a general standard/best practice for this.

I should probably add that there will be new systems being deployed at group level, so for example hosting a new platform in one domain may be politically sensitive if the other company is also accessing/administrating that system. This is why we were looking at a potential 3rd group-level domain. Also they are looking at creating a virtual helpdesk to admin 1st line across all the domains; is this achievable with just forest trusts?

Selective authentication sounds like it may achieve the segregation we need; however, if I can convince the Win engineers/Compliance teams it is secure...
Joe

ASKER
Thanks Mahesh, yes you are correct in that we don't want an AD migration/merge project, so each will have to remain at forest level. Sounds like selective authentication is definitely the most attractive solution.

However, with non-transitive trusts to a domain solely dedicated to group services (thereby cutting off comms completely to the other organisation's AD), I can't see how that would not add security/segregation, but as you say it would definitely increase complexity/effort.

I will recommend selective authentication but know I will get asked how secure it is!

Thanks for your help once again.
Joe

ASKER
Thanks for the advice Mahesh, one thought I had is: wouldn't the security breach you describe have far greater impact in a domain hosting operational services rather than a group domain for a few non-critical services? If the trusts are one-way then wouldn't admins from the group domain be unable to access the trusted domains anyway?
Mahesh

I am not talking about a one-way trust.

I am talking about the domain (either domain 1 or domain 2 in your case) that creates the new group domain: it would have admin credentials and could entirely control group domain data.
In that case it can control data from both domains.
If you appoint a 3rd party to control the data, then not domain 1 and 2 but the 3rd party can control the data, whereas your compliance requirement is to protect data between domain 1 and 2 only.
Joe

ASKER
It would be a new forest for the group domain, not a new domain/sub-domain from an existing forest. So there would be all-new admins for the group domain, pooled from each existing service desk, to deal with requests from each org regarding access to the group domain/services. If the trusts are one-way from each existing domain to the new group forest/domain, then group domain admins would not be able to access the trusted domains' data.
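The questions in this thread (one-way vs. two-way, selective authentication, transitivity) all come down to properties of the trust objects themselves, which can be read back rather than argued about. This is an added example, not something posted in the thread; it lists every trust of the domain it runs in and flags the settings that weaken segregation. Requires RSAT-AD-PowerShell.

```powershell
# Added example, not from the thread: summarise the security posture of each trust.
Import-Module ActiveDirectory

function Get-TrustPosture {
    Get-ADTrust -Filter * | ForEach-Object {
        $findings = @()
        # A two-way trust exposes resources on both sides; one-way exposes the trusting side only.
        if ($_.Direction -eq 'BiDirectional') { $findings += 'two-way' }
        # Without selective authentication every user of the other domain is an
        # Authenticated User on every computer here, limited only by NTFS/share ACLs.
        if (-not $_.SelectiveAuthentication)   { $findings += 'no selective authentication' }
        # SID filter quarantining discards SIDs that do not belong to the trusted domain
        # (blocks SID-history based privilege claims coming across the trust).
        if (-not $_.SIDFilteringQuarantined)   { $findings += 'SID filtering off' }
        # A transitive (forest) trust pulls in every domain the other forest trusts.
        if ($_.ForestTransitive)               { $findings += 'transitive' }

        $summary = if ($findings.Count -gt 0) { $findings -join ', ' } else { 'ok' }
        [pscustomobject]@{
            Trust     = $_.Name
            Direction = $_.Direction
            Type      = $_.TrustType
            Findings  = $summary
        }
    }
}

Get-TrustPosture | Format-Table -AutoSize
```

Run it in each of the existing domains (and in the group domain, if one is built): a one-way, non-transitive trust with selective authentication reports 'ok', which is the evidence the compliance team will ask for.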