Asked by Joe:
Active Directory Design - Best Practice

My company has acquired another businesses in the last year or so. Currently there is a need to integrate the networks to start to look at group wide access to certain systems. We have just laid the MPLS links down and need a solution RE AD/Domain integration. There is a need for SSO where possible, some access to shared data, however one org is a legal firm and the other holds credit card data so there are compliance/segregation requirements. We cannot merge domains as each entity needs to remain its own brand.

So I guess we are at design/architecture decision point. It seems there are 2 options:

A/ Put trusts between the existing domains/forests (security/domain admin headaches?)
B/ Create a new domain for the holding company and place shared resources there. Then put non-transitive trusts from the existing domains to it to ensure segregation.

Is there a best practice in this scenario? (Ie - when a holding company acquires new companies and needs to add them to the corp network but keep segregation for compliance/legal requirements?

My first question on here so thanks for your help.
Mahesh:
I would prefer the 1st option with a bit of variation:
I would build a two-way external trust with selective authentication; this will enable you to control who can access what (selective authentication).
Enable auditing on file shares and explicitly grant access where required for selected resources.

Option 2 does not look feasible, because you need to manage one more AD domain (a 3rd one), and again concerns will arise over who will access what and how, and who will audit that.
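As an added example (not from the thread or either poster), the following PowerShell shows one way to implement the setup described above: an external trust created with selective authentication, "Allowed to Authenticate" granted only to one group on one server, and auditing enabled on that server's share. Forest names (LEGALCO.example, CARDCO.example), the file server FS01, the share path D:\Shared and the group CARDCO\Shared-Data-Users are assumed placeholders.

```powershell
# Added example, not the thread's own commands. Assumed names: LEGALCO.example
# (the legal firm's forest), CARDCO.example (the card-data forest), file server
# FS01 in LEGALCO, and the CARDCO group "Shared-Data-Users" that needs the share.
# Steps 1-2 run on a LEGALCO domain controller; steps 3-4 run on FS01 itself.

# 1. Two-way external trust with selective authentication. With selective
#    authentication nothing from CARDCO can authenticate to LEGALCO resources
#    until an "Allowed to Authenticate" ACE is explicitly granted.
netdom trust LEGALCO.example /domain:CARDCO.example /add /twoway `
    /userD:CARDCO\Administrator /passwordD:* `
    /userO:LEGALCO\Administrator /passwordO:* `
    /SelectiveAUTH:yes

# Verify the trust really is non-transitive and selective before going further.
Import-Module ActiveDirectory
Get-ADTrust -Filter { Name -eq "CARDCO.example" } |
    Select-Object Name, Direction, IsTransitive, SelectiveAuthentication

# 2. Grant "Allowed to Authenticate" on FS01's computer object to the one
#    CARDCO group that needs it. 68b1d179-... is the extended-right GUID of
#    Allowed-To-Authenticate in the AD schema.
$fs01Dn   = (Get-ADComputer FS01).DistinguishedName
$acl      = Get-Acl -Path "AD:\$fs01Dn"
$groupSid = ([System.Security.Principal.NTAccount]"CARDCO\Shared-Data-Users").Translate(
                [System.Security.Principal.SecurityIdentifier])
$ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [Guid]"68b1d179-0d15-4d4f-ab71-46152e79a7bc")
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$fs01Dn" -AclObject $acl

# 3. Turn on object-access auditing on the file server so share access by the
#    trusted-forest group lands in the Security log (events 5140/4663).
auditpol /set /subcategory:"File Share" /success:enable /failure:enable
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 4. Put a SACL on the shared folder for that group. -Audit is required so
#    Get-Acl/Set-Acl carry the SACL, not just the DACL.
$shareAcl  = Get-Acl -Path "D:\Shared" -Audit
$auditRule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    "CARDCO\Shared-Data-Users", "ReadData,WriteData,Delete",
    "ContainerInherit,ObjectInherit", "None", "Success,Failure")
$shareAcl.AddAuditRule($auditRule)
Set-Acl -Path "D:\Shared" -AclObject $shareAcl
```

Step 4 needs the "Manage auditing and security log" privilege on FS01; without it Set-Acl will refuse to write the SACL even as a local administrator.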
Joe (asker):
Thanks for your help/replies guys - much appreciated. It sounds like there is not really a general standard/best practice for this.

I should probably add that there will be new systems being deployed at group level, so, for example, hosting a new platform in one domain may be politically sensitive if the other company is also accessing/administrating that system. This is why we were looking at a potential 3rd group-level domain. Also they are looking at creating a virtual helpdesk to admin 1st line across all the domains; is this achievable with just forest trusts?

Selective authentication sounds like it may achieve the segregation we need, however, if I can convince the Win engineers/Compliance teams it is secure...
Joe (asker):
Thanks Mahesh, yes you are correct in that we don't want an AD migration/merge project so each will have to remain at forest level. Sounds like selective authentication is definitely the most attractive solution.

However, with non-transitive trusts to a domain solely dedicated to group services (thereby cutting off comms completely to the other organisation's AD), I can't see how that would not add security/segregation, but as you say it would definitely increase complexity/effort.

I will recommend selective authentication but know I will get asked how secure it is!

Thanks for your help once again.
Joe (asker):
Thanks for the advice, Mahesh. One thought I had is: wouldn't the security breach you describe have far greater impact in a domain hosting operational services rather than a group domain for a few non-critical services? If the trusts are 1-way, then wouldn't admins from the group domain not be able to access the trusted domains anyway?

I am not talking about a one-way trust.

I am talking about the domain (either domain 1 or domain 2 in your case) which creates the new group domain: it would have admin credentials and could entirely control the group domain data.
In that case it can control data from both domains.
If you appoint a 3rd party to control the data, then not domain 1 and 2 but the 3rd party can control the data, whereas your compliance requirement is to protect data between domain 1 and 2 only.
Joe (asker):
It would be a new forest for the group domain, not a new domain/sub-domain from an existing forest. So it would be all new admins for the group domain, pooled from each existing servicedesk, to deal with requests from each org RE accessing the group domain/services. If the trusts are one-way from each existing domain to the new group forest/domain, then group domain admins would not be able to access the trusted domains' data.