Hiding domains in a multi domain forest

  • Thread starter Thread starter Mike Honeycutt, MCSE
  • Start date Start date
M

Mike Honeycutt, MCSE

I have a client (prospective) who wants to have multiple domains with in a single AD Forest. They do not want users in domain 1 to know domain 2 exists, and so on. Only at the top level do they want to have downward access or knowledge of the child domains.

Any thoughts on how to best accomplish this?
 
Technically I suppose this would be possible by hacking away at DNS SRV records and changing the registry so that a certain domain never appeared in the dropdown 'log on to' box, maybe UPN logons would help as well. But this is all beside the point as it doesn't sound like a very good idea at all. It's not the correct usage of the domain model which is all about sharing and providing access to information but denying access where necessary. I foresee lots of problems if you go down this route.
I have a client (prospective) who wants to have multiple domains with in a single AD Forest. They do not want users in domain 1 to know domain 2 exists, and so on. Only at the top level do they want to have downward access or knowledge of the child domains.

Any thoughts on how to best accomplish this?
 
That was my thought - However, it seems if they really want to do this it would be in a multi-domain model with trusts established only to the management domain?
 
It's not that easy I don't think. When you create a new domain a trust between the new domain and the forest root domain is automatically created and these trusts are of course transitive so the default behaviour in a three domain forest with the one root and two child domains would be for them all to 'know' about each other, which is of course the intended behaviour. I would tell your customer that what they want is not technically feasible and that the only way to have complete autonomy between domains is to have separate forests.
That was my thought - However, it seems if they really want to do this it would be in a multi-domain model with trusts established only to the management domain?
 
No this is not possible. Trying would be incomplete and merely result in
breaking things. I.E. If someone wanted, they could still find the info because
you can't block everything.

The domain info for the entire forest is maintained in the config container
which lives on every DC in the forest.

joe
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Multi forest and Citrix farm 1
Migration Domain 3
2 Forest in one network. Not able to connect domain 9
Rebuild Forest Root Domain Controller 3
Remove the Root Domain in the Forest 5
join an existing domain to an existing forest 1
upgrading domain/forest function level question 3
Raise Forest Functionality 6

Back
Top