Hiding domains in a multi domain forest

  • Thread starter Mike Honeycutt, MCSE

Mike Honeycutt, MCSE

I have a client (prospective) who wants to have multiple domains within a single AD Forest. They do not want users in domain 1 to know domain 2 exists, and so on. Only at the top level do they want to have downward access or knowledge of the child domains.

Any thoughts on how to best accomplish this?

Simon Geary

Technically I suppose this would be possible by hacking away at DNS SRV records and changing the registry so that a certain domain never appeared in the dropdown 'log on to' box; maybe UPN logons would help as well. But this is all beside the point, as it doesn't sound like a very good idea at all. It's not the correct usage of the domain model, which is all about sharing and providing access to information but denying access where necessary. I foresee lots of problems if you go down this route.

Mike Honeycutt, MCSE

That was my thought. However, it seems if they really want to do this it would be in a multi-domain model with trusts established only to the management domain?

Simon Geary

It's not that easy, I don't think. When you create a new domain, a trust between the new domain and the forest root domain is automatically created, and these trusts are of course transitive, so the default behaviour in a three-domain forest with one root and two child domains would be for them all to 'know' about each other, which is of course the intended behaviour. I would tell your customer that what they want is not technically feasible and that the only way to have complete autonomy between domains is to have separate forests.

Joe Richards [MVP]

No, this is not possible. Trying would be incomplete and merely result in breaking things, i.e. if someone wanted, they could still find the info because you can't block everything.

The domain info for the entire forest is maintained in the config container
which lives on every DC in the forest.

joe
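Joe's point can be checked directly before anything is promised to the client. The PowerShell below is an added example, not code from the thread; it assumes a domain-joined Windows machine that can reach a DC, and uses System.DirectoryServices to read the crossRef objects in the configuration partition's Partitions container, which is replicated to every DC in the forest and readable by any authenticated user in any domain.

```powershell
# Added example (not from the thread): list every domain in the forest by
# reading CN=Partitions in the configuration naming context. Run this as an
# ordinary user from a child domain to see what hiding would have to defeat.

# RootDSE points at the configuration partition (assumption: domain-joined
# host with line of sight to a domain controller).
$rootDse    = [ADSI]"LDAP://RootDSE"
$configNc   = [string]$rootDse.configurationNamingContext
$partitions = [ADSI]"LDAP://CN=Partitions,$configNc"

# crossRef objects whose systemFlags include FLAG_CR_NTDS_DOMAIN (0x2)
# describe domain naming contexts; the bitwise-AND matching rule OID
# 1.2.840.113556.1.4.803 selects them server-side.
$searcher = New-Object System.DirectoryServices.DirectorySearcher($partitions)
$searcher.Filter      = "(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2))"
$searcher.SearchScope = 'OneLevel'
[void]$searcher.PropertiesToLoad.AddRange(@('dnsRoot', 'nETBIOSName', 'nCName'))

$domains = foreach ($result in $searcher.FindAll()) {
    [pscustomobject]@{
        DnsRoot     = [string]$result.Properties['dnsroot'][0]
        NetBIOSName = [string]$result.Properties['netbiosname'][0]
        NamingCtx   = [string]$result.Properties['ncname'][0]
    }
}

# Every domain in the forest appears here regardless of DNS, registry or
# logon-box tweaks, which is why separate forests are the only real answer.
$domains | Sort-Object DnsRoot | Format-Table -AutoSize
```

The same data is also exposed by Get-ADForest and by the trust enumeration every DC performs, so trimming SRV records or the logon dropdown leaves the configuration partition untouched.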