Active Directory Design - Best Practice

My company has acquired other businesses in the last year or so. Currently there is a need to integrate the networks to start to look at group-wide access to certain systems. We have just laid the MPLS links down and need a solution regarding AD/domain integration. There is a need for SSO where possible and some access to shared data; however, one org is a legal firm and the other holds credit card data, so there are compliance/segregation requirements. We cannot merge domains as each entity needs to remain its own brand.

So I guess we are at design/architecture decision point. It seems there are 2 options:

A/ Put trusts between the existing domains/forests (security/domain admin headaches?)
B/ Create a new domain for the holding company and place shared resources there. Then put non-transitive trusts from the existing domains to it to ensure segregation.

Is there a best practice in this scenario? (I.e. when a holding company acquires new companies and needs to add them to the corp network but keep segregation for compliance/legal requirements?)

My first question on here so thanks for your help.

I would prefer the 1st option with a bit of variation:
I would build a two-way external trust with selective authentication - this will enable you to control who can access what (selective authentication).
Enable auditing on file shares and explicitly grant access where required for selected resources.

Option 2 does not look feasible, because you need to manage one more AD domain (a 3rd one), and again concerns will arise over who will access what and how, and who will audit that.
Sajid Shaik M (System Admin) commented:
What about creating a 3rd domain as a group domain and creating a 2-way trust relationship...

Then create child domains under your group domain and segregate the 2 orgs (legal and credit card); maybe in future you may need to add some more, and at that time you can structure your org.

all the best
JoePM (Author) commented:
Thanks for your help/replies guys - much appreciated. It sounds like there is not really a general standard/best practice for this.

I should probably add that there will be new systems being deployed at group level, so for example hosting a new platform in one domain may be politically sensitive if the other company is also accessing/administrating that system. This is why we were looking at a potential 3rd group-level domain. Also they are looking at creating a virtual helpdesk to admin 1st line across all the domains; is this achievable with just forest trusts?

Selective authentication sounds like it may achieve the segregation we need, if I can convince the Win engineers/compliance teams it is secure...

Trusts have two types:
forest-wide/domain-wide authentication - where users of either domain can authenticate to either domain,
whereas selective authentication puts restrictions in place so that only selected users can access identified resources where they have been granted permissions - the purpose is to reduce the exposure created by the trust.
In terms of authentication, the method used for auth within one AD is the same one used to authenticate users over a trust (i.e. NTLM or Kerberos).
You should avoid creating multiple domains/forests, as per Microsoft best practices, unless one is absolutely required.
By setting up a 3rd domain, you will again have to set up new trusts between the new domain and both other domains respectively, so you are not increasing security but you are increasing complexity, and you also need to maintain the 3rd domain's identities.

The scenario suggested by Sajid would work, but there is too much work involved in that, and you need to kick off an entire new migration project where both domains will be affected, and after all that you still want to keep a boundary between both domains.
So currently, the best option I can see is to build a trust between both domains with selective authentication, which suffices for your purpose.

There are definitely AD best practices, but the logic should be correct: whatever approach you select, you should avoid creating unnecessary domains unless absolutely required.
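As an added illustration of the approach recommended above (selective authentication plus auditing, as in the first reply), and not code from any participant in this thread: the PowerShell below verifies that a forest trust is in selective-authentication mode, grants a partner-forest group the Allowed-to-Authenticate right on a single resource server rather than forest-wide, and turns on file-share auditing on that server. The forest name, server name and group name are placeholders.

```powershell
# Added example, not from the thread. Run on a domain-joined admin host in the
# resource (trusting) forest with the RSAT ActiveDirectory module installed.
Import-Module ActiveDirectory

$PartnerForest  = 'card.example'                # placeholder: partner forest DNS name
$ResourceServer = 'FS01'                        # placeholder: server hosting shared data
$PartnerGroup   = 'CARD\Shared-Data-Readers'    # placeholder: group in the partner forest

# 1. Confirm the trust uses selective authentication. With forest-wide
#    authentication every partner user would be "Authenticated Users" on every
#    computer in this forest, which defeats the segregation requirement.
$trust = Get-ADTrust -Filter { Name -eq $PartnerForest }
if (-not $trust) { throw "No trust object found for $PartnerForest" }
if (-not $trust.SelectiveAuthentication) {
    Write-Warning "Trust to $PartnerForest is forest-wide, not selective. Fix with:"
    Write-Warning "netdom trust $env:USERDNSDOMAIN /domain:$PartnerForest /SelectiveAuth:Yes"
}

# 2. Grant the partner group the Allowed-To-Authenticate extended right on the
#    resource server's computer object only. The rights GUID is the schema value
#    for Allowed-To-Authenticate; without this grant, a selective-auth trust
#    denies the partner group logon to this server entirely.
$allowedToAuthGuid = [Guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'
$computer = Get-ADComputer -Identity $ResourceServer
$sid = (New-Object System.Security.Principal.NTAccount($PartnerGroup)).Translate(
           [System.Security.Principal.SecurityIdentifier])
$adPath = "AD:\$($computer.DistinguishedName)"
$acl  = Get-Acl -Path $adPath
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $allowedToAuthGuid)
$acl.AddAccessRule($rule)
Set-Acl -Path $adPath -AclObject $acl

# 3. Enable share-access auditing on the server so event 5140 (network share
#    object accessed) records which partner principals touched which shares.
Invoke-Command -ComputerName $ResourceServer -ScriptBlock {
    auditpol /set /subcategory:"File Share" /success:enable /failure:enable
}

# 4. Report every principal holding Allowed-To-Authenticate on this server, so
#    both organisations' compliance teams can review the grant list.
(Get-Acl -Path $adPath).Access |
    Where-Object { $_.ObjectType -eq $allowedToAuthGuid } |
    Select-Object IdentityReference, AccessControlType
```

Share-level NTFS permissions still have to be granted separately; the Allowed-To-Authenticate right only decides whether the partner group may log on to the server at all.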

JoePM (Author) commented:
Thanks Mahesh, yes you are correct in that we don't want an AD migration/merge project so each will have to remain at forest level. Sounds like selective authentication is definitely the most attractive solution.

However, with non-transitive trusts to a domain solely dedicated to group services (thereby cutting off comms completely to the other organisation's AD), I can't see how that would not add security/segregation, but as you say it would definitely increase complexity/effort.

I will recommend selective authentication but know I will get asked how secure it is!

Thanks for your help once again.
The problem with a dedicated group domain is: who will control data in that domain?

If both domains share the group domain for securely sharing data with each other, one domain must be granted administrative permissions on the group domain, and it can then access data from both sides; you can restrict permissions, but as a domain administrator he can take ownership and potentially access all data if he wants to.
This is considered a security breach.
Then you need a dedicated group admin separate from both domains (a 3rd person), and again he must be trusted and accepted by both domains.

Hence the better approach is: shared data at both domains can be made available to either domain's users (selected/authorized) over selective auth; this will enable you to keep track of what is being or should be accessed by whom.
I have already explained pointers for selective auth in my last comment; in addition to that, you may add a 2nd-factor authentication service, which adds an additional layer of security.
For example, you can add Azure Multi-Factor Authentication Server to the on-premises network, which will enforce 2nd-factor auth.

JoePM (Author) commented:
Thanks for the advice Mahesh. One thought I had: wouldn't the security breach you describe have a far greater impact in a domain hosting operational services rather than in a group domain for a few non-critical services? If the trusts are 1-way, then wouldn't admins from the group domain be unable to access the trusted domains anyway?
I am not talking about a one-way trust.

I am talking about the domain (either domain 1 or domain 2 in your case) that creates the new group domain: it would have admin credentials and could entirely control the group domain's data.
In that case it can control data from both domains.
If you appoint a 3rd party to control the data, then not domain 1 and 2 but the 3rd party can control the data, whereas your compliance requirement is to protect data between domain 1 and 2 only.
JoePM (Author) commented:
It would be a new forest for the group domain, not a new domain/sub-domain from an existing forest. So there would be all new admins for the group domain, pooled from each existing service desk, to deal with requests from each org regarding access to the group domain/services. If the trusts are one-way from each existing domain to the new group forest/domain, then group domain admins would not be able to access the trusted domains' data.