Thanks, that's exactly what I was looking for.  Oddly enough, it's somewhere on MS's site, though my 5-8 queries never came up with it (the wonderful joys of searching on microsoft.com).  Now I can give them 2 options.... separate forest with a 1-way trust or a subdomain (since there really isn't a difference between a separate tree and a subdomain).



On 7/24/06, Steve Linehan <[EMAIL PROTECTED]> wrote:
I believe that the documentation that you are looking for that describes these transitive trusts and the inability to alter them is contained here:

From: http://technet2.microsoft.com/WindowsServer/en/library/f5c70774-25cd-4481-8b7a-3d65c86e69b11033.mspx

Automatic Trusts


By default, two-way transitive trusts are automatically created when a new domain is added to a domain tree or forest root domain by using the Active Directory Installation Wizard. The two default trust types are parent-child trusts and tree-root trusts.


Parent-child trust


A parent-child trust relationship is established whenever a new domain is created in a tree. The Active Directory installation process automatically creates a trust relationship between the new domain and the domain that immediately precedes it in the namespace hierarchy (for example, corp.tailspintoys.com is created as the child of tailspintoys.com). The parent-child trust relationship has the following characteristics:

* It can exist only between two domains in the same tree and namespace.

* The parent domain is always trusted by the child domain.

* It must be transitive and two-way. The bidirectional nature of transitive trust relationships allows the global directory information in Active Directory to replicate throughout the hierarchy.


Tree-root trust


A tree-root trust is established when you add a new domain tree to a forest. The Active Directory installation process automatically creates a trust relationship between the domain you are creating (the new tree root) and the forest root domain. A tree-root trust relationship has the following restrictions:

* It can be established only between the roots of two trees in the same forest.

* It must be transitive and two-way.


Thanks,

-Steve

________________________________

From: [EMAIL PROTECTED] on behalf of Matt Hargraves
Sent: Sun 7/23/2006 10:09 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Domain Trusts.


Basically we're looking at creating a resource domain because the objects that need to go in that domain really do need to get out of our current user environment.

But if you can't move items into a forest without having an automatic 2-way transitive trust, then we might need to just go with a separate forest.  We're looking at other options internally and it's possible that we may not need security isolation for these other domains.  Time will tell.

You've all been very helpful, thank you.  Hopefully MS will state in their documentation at some point in time that these trusts can't be altered so that other people don't have to go "I know it's automatically created when I create the object, but what can I do with the trust" any more :)



On 7/22/06, Grillenmeier, Guido <[EMAIL PROTECTED]> wrote:

        You might want to describe to us what your actual goal is for creating a non-fully trusted domain in your AD forest.  Maybe you can reach a similar goal by using the fairly powerful capabilities in AD to delegate administration of objects within a domain. You can also use these features to hide specific parts of AD from the rest of the organization and thus create "semi-isolated" units within a single AD domain.

        Note that there is no way to fully isolate any objects within a domain or forest from domain or enterprise admins - if you do need full administrative isolation, you have to create multiple forests.

        /Guido

________________________________

        From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Almeida Pinto, Jorge de
        Sent: Saturday, July 22, 2006 12:45 AM


        To: ActiveDir@mail.activedir.org

        Subject: RE: [ActiveDir] Domain Trusts.



        1-yep
        2-yep


        Met vriendelijke groeten / Kind regards,
        Ing. Jorge de Almeida Pinto
        Senior Infrastructure Consultant
        MVP Windows Server - Directory Services

        LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
        Tel    : +31-(0)40-29.57.777
        Mobile : +31-(0)6-26.26.62.80
        E-mail : <see sender address>


________________________________

        From: [EMAIL PROTECTED] on behalf of Matt Hargraves
        Sent: Sat 2006-07-22 00:35
        To: ActiveDir@mail.activedir.org
        Subject: Re: [ActiveDir] Domain Trusts.


        So basically there's no way to have a domain in a forest that doesn't fully trust every other domain in the forest?

        The only way to have a non 2-way trust is to make a separate forest?



List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
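An added example, not from the thread, the list or the Microsoft documentation Steve quotes, that turns the point of the thread into a check you can run: parent-child and tree-root trusts are created automatically, are always two-way and transitive, and cannot be altered, so the only trust whose direction you actually get to choose is one that crosses a forest boundary. That is why "separate forest with a one-way trust" is the option that isolates the resource domain. The script uses Get-ADTrust from the RSAT ActiveDirectory module; the sample trust objects and the names corp.tailspintoys.com and resources.example are constructed here so the classification runs without a domain.

```powershell
# Added example (not the list's or Microsoft's code). Classifies the trusts a
# domain holds and marks which of them can never be made one-way or
# non-transitive. Assumes the ActiveDirectory module (Get-ADTrust) for the
# live run; the sample objects at the bottom are constructed.

function Get-TrustBoundaryReport {
    param(
        # Objects shaped like Get-ADTrust output (Name, IntraForest, Direction,
        # ForestTransitive). Real output or the constructed sample both work.
        [Parameter(Mandatory)] [object[]] $Trusts
    )
    foreach ($t in $Trusts) {
        # IntraForest = parent-child or tree-root trust. The installation
        # wizard creates it, it is always two-way and transitive, and it
        # cannot be edited or removed while the domain stays in the forest.
        # Only an inter-forest trust lets you pick Inbound/Outbound.
        $boundary  = if ($t.IntraForest) { 'none (same forest)' } else { 'forest boundary' }
        $canChange = -not $t.IntraForest
        [pscustomobject]@{
            Target           = $t.Name
            IntraForest      = $t.IntraForest
            Direction        = $t.Direction            # BiDirectional / Inbound / Outbound
            Transitive       = ($t.IntraForest -or $t.ForestTransitive)
            DirectionChoice  = $canChange
            SecurityBoundary = $boundary
        }
    }
}

# Constructed sample mimicking Get-ADTrust output as seen from tailspintoys.com:
# one automatic child-domain trust and one outgoing trust to a separate forest.
$sample = @(
    [pscustomobject]@{ Name = 'corp.tailspintoys.com'; IntraForest = $true;  Direction = 'BiDirectional'; ForestTransitive = $false }
    [pscustomobject]@{ Name = 'resources.example';     IntraForest = $false; Direction = 'Outbound';      ForestTransitive = $true  }
)

Get-TrustBoundaryReport -Trusts $sample | Format-Table -AutoSize

# Live run on a domain-joined host with RSAT installed (uncomment):
# Get-TrustBoundaryReport -Trusts (Get-ADTrust -Filter * -Properties IntraForest, Direction, ForestTransitive) |
#     Format-Table -AutoSize
```

In the sample the child domain shows IntraForest=True, Transitive=True and DirectionChoice=False, which is the situation Matt ran into; the second entry is the shape of the alternative Steve and Guido point at, an inter-forest trust where the resource forest trusts the account forest (Direction=Outbound from the resource side) and nothing trusts back. Direction is always reported from the perspective of the domain you query, so run it in the resource forest to confirm the trust is only outgoing.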
