Win2003 Trust between domains, same forest is possible?

magoo

Distinguished
May 28, 2004
33
0
18,530
Archived from groups: microsoft.public.win2000.active_directory

I have an important question:
Imagine I want to set up a separate domain to isolate "student" from "staff"
resources and provide a different set of security policies.

On Win2003 AD, is it possible and viable to set up *two* domains with a one-way trust
under the *same* forest?
I have conflicting information from two 'specialists': one says that two
domains configured within the same AD forest will be set up as two-way trusts
(and he implied that such a trust cannot be set up one-way as I wish).

Therefore he tells me that if I determine that two domains with a one-way
trust between them is required, I must set up two separate forests to accommodate
this need. Is this true?
 
Guest

Magoo wrote:
> I have an important question:
> Imagine I want to set up a separate domain to isolate "student" from "staff"
> resources and provide a different set of security policies.
>
> On Win2003 AD, is it possible and viable to set up *two* domains with a one-way trust
> under the *same* forest?
> I have conflicting information from two 'specialists': one says that two
> domains configured within the same AD forest will be set up as two-way trusts
> (and he implied that such a trust cannot be set up one-way as I wish).
>
> Therefore he tells me that if I determine that two domains with a one-way
> trust between them is required, I must set up two separate forests to accommodate
> this need. Is this true?

By default Windows 2000/2003 creates two-way transitive trusts between
domains inside the forest, and IMO it is not recommended to break these
trusts and replace them with a one-way trust.

And you have to remember that in the AD world the domain is no longer the
security boundary; the forest is the boundary at which you should separate
security entities from each other. Using two separate forests you can
have a good level of control over access to resources, including the
selective authentication mechanism.

--
Tomasz Onyszko [MVP]
http://www.w2k.pl
 
Guest

Magoo wrote:
> I have an important question:
> Imagine I want to set up a separate domain to isolate "student" from "staff"
> resources and provide a different set of security policies.
>
> On Win2003 AD, is it possible and viable to set up *two* domains with a one-way trust
> under the *same* forest?
> I have conflicting information from two 'specialists': one says that two
> domains configured within the same AD forest will be set up as two-way trusts
> (and he implied that such a trust cannot be set up one-way as I wish).
>
> Therefore he tells me that if I determine that two domains with a one-way
> trust between them is required, I must set up two separate forests to accommodate
> this need. Is this true?

By default Windows 2000/2003 creates two-way transitive trusts
between the domains in the same forest, and IMO it is not recommended to
break these trusts and replace them with a one-way, manually created trust.

You have to notice also that in AD the domain is no longer the security boundary;
the forest is the boundary on which you can build your security model and
separate two different security domains.
Using trusts between the forests you can have a greater level of control
over the resources which can be accessed (including also the selective
authentication mechanism) and you can implement a separate security
policy for different parts of your organisation.

So IMO two forests will be a good solution for you.

--
Tomasz Onyszko [MVP]
http://www.w2k.pl
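The distinction drawn in the answer above (automatic two-way transitive trusts inside a forest versus forest trusts, with selective authentication, between forests) is visible on every trustedDomain object in AD through its trustDirection and trustAttributes values. The Python below is an added example for this thread, not code from the thread's authors or from Microsoft: it decodes those two attributes and flags the configurations the answer warns about. The flag constants are the documented trustedDomain attribute bits; the sample trusts at the bottom are constructed (the student/staff split in both designs) and describe no real environment, and the audit rules are my own choice of what to check.

```python
"""Decode and audit Active Directory trustedDomain objects.

Added example; not code from the original thread. The constant values are the
documented trustDirection / trustAttributes flags of the trustedDomain schema
class. The sample trusts below are constructed and describe no real environment.
"""
from dataclasses import dataclass

# trustDirection values
TRUST_DIRECTION = {0: "disabled", 1: "inbound", 2: "outbound", 3: "bidirectional"}

# trustAttributes bit flags
NON_TRANSITIVE = 0x01
UPLEVEL_ONLY = 0x02
QUARANTINED_DOMAIN = 0x04  # SID filtering ("quarantine") enforced on the trust
FOREST_TRANSITIVE = 0x08   # forest trust (requires Windows 2003 forest functional level)
CROSS_ORGANIZATION = 0x10  # selective authentication enabled
WITHIN_FOREST = 0x20       # automatic parent/child, tree-root or shortcut trust in one forest
TREAT_AS_EXTERNAL = 0x40


@dataclass(frozen=True)
class Trust:
    """One trustedDomain object reduced to the fields the audit needs."""
    partner: str     # trustPartner: DNS name of the other domain or forest
    direction: int   # trustDirection
    attributes: int  # trustAttributes

    @property
    def scope(self) -> str:
        if self.attributes & WITHIN_FOREST:
            return "intra-forest"
        if self.attributes & FOREST_TRANSITIVE:
            return "forest"
        return "external"

    @property
    def transitive(self) -> bool:
        # Trusts inside a forest are always transitive; otherwise the flag decides.
        return bool(self.attributes & WITHIN_FOREST) or not (self.attributes & NON_TRANSITIVE)

    @property
    def selective_authentication(self) -> bool:
        return bool(self.attributes & CROSS_ORGANIZATION)

    @property
    def sid_filtering(self) -> bool:
        return bool(self.attributes & QUARANTINED_DOMAIN)


def describe(trust: Trust) -> dict:
    """Human-readable decoding of one trust."""
    return {
        "partner": trust.partner,
        "scope": trust.scope,
        "direction": TRUST_DIRECTION.get(trust.direction, f"unknown({trust.direction})"),
        "transitive": trust.transitive,
        "selective_authentication": trust.selective_authentication,
        "sid_filtering": trust.sid_filtering,
    }


def audit(trusts) -> list:
    """Findings relevant to the 'forest is the security boundary' design question."""
    findings = []
    for t in trusts:
        if t.scope == "intra-forest" and t.direction != 3:
            findings.append(f"{t.partner}: intra-forest trust is not two-way; the automatic "
                            "parent/child and tree-root trusts are two-way transitive, so verify "
                            "this is an intended shortcut trust and not a broken default")
        if t.scope in ("forest", "external") and not t.selective_authentication:
            findings.append(f"{t.partner}: {t.scope} trust without selective authentication; "
                            "authentication is forest-wide rather than granted per resource")
        if t.scope == "external" and not t.sid_filtering:
            findings.append(f"{t.partner}: external trust without SID filtering (quarantine)")
    return findings


# Constructed sample: the thread's "student" / "staff" split, in both designs.
SAMPLE_TRUSTS = [
    # Design 1: second domain in the same forest -> automatic two-way transitive trust.
    Trust("students.school.example", 3, WITHIN_FOREST),
    # Design 2: separate forest, outbound-only forest trust with selective authentication.
    Trust("students.example", 2, FOREST_TRANSITIVE | CROSS_ORGANIZATION),
    # A forest trust left at the forest-wide authentication default.
    Trust("partner.example", 3, FOREST_TRANSITIVE),
    # An external (NT-style) trust on which SID filtering has been switched off.
    Trust("legacy.example", 1, NON_TRANSITIVE),
]

if __name__ == "__main__":
    for t in SAMPLE_TRUSTS:
        print(describe(t))
    for line in audit(SAMPLE_TRUSTS):
        print("FINDING:", line)
```

In a real environment the same two integers come from the trustedDomain objects under the domain's CN=System container (any LDAP client can read them), so the constructed list is the only part to swap out. The first sample trust is what the original poster would get by adding a second domain to the existing forest; the second is the two-forest design the answer recommends, with the one-way direction and selective authentication the poster asked for.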
 

magoo


Thanks!

"Tomasz Onyszko [MVP]" <T.Onyszko_nospam_@microsfot.com> wrote in message
news:ejefHuMVFHA.3412@TK2MSFTNGP10.phx.gbl...
> Magoo wrote:
> > I have an important question:
> > Imagine I want to set up a separate domain to isolate "student" from "staff"
> > resources and provide a different set of security policies.
> >
> > On Win2003 AD, is it possible and viable to set up *two* domains with a one-way trust
> > under the *same* forest?
> > I have conflicting information from two 'specialists': one says that two
> > domains configured within the same AD forest will be set up as two-way trusts
> > (and he implied that such a trust cannot be set up one-way as I wish).
> >
> > Therefore he tells me that if I determine that two domains with a one-way
> > trust between them is required, I must set up two separate forests to accommodate
> > this need. Is this true?
>
> By default Windows 2000/2003 creates two-way transitive trusts
> between the domains in the same forest, and IMO it is not recommended to
> break these trusts and replace them with a one-way, manually created trust.
>
> You have to notice also that in AD the domain is no longer the security boundary;
> the forest is the boundary on which you can build your security model and
> separate two different security domains.
> Using trusts between the forests you can have a greater level of control
> over the resources which can be accessed (including also the selective
> authentication mechanism) and you can implement a separate security
> policy for different parts of your organisation.
>
> So IMO two forests will be a good solution for you.
>
> --
> Tomasz Onyszko [MVP]
> http://www.w2k.pl
 
Guest

Tomasz Onyszko [MVP] wrote:

Sorry for the two posts with the same content - it's something with my
reader :(

--
Tomasz Onyszko [MVP]
http://www.w2k.pl