Win2003 trust between domains in the same forest, is it possible?

Magoo

I have an important question:
Imagine I want to set up a separate domain to isolate "student" from "staff"
resources and provide a different set of security policies.

On Win2003 AD, is it possible and viable to set up *two* domains with a one-way trust
under the *same* forest?
I have conflicting information from two 'specialists': one says that two
domains configured within the same AD forest will be set up as two-way trusts
(and he implied that such a trust cannot be set up one way as I wish).

Therefore he tells me that if I determine that two domains with a one-way
trust between them are required, I must set up two separate forests to accommodate
this need. Is this true?

Tomasz Onyszko [MVP]

Magoo said:
I have an important question:
Imagine I want to set up a separate domain to isolate "student" from "staff"
resources and provide a different set of security policies.

On Win2003 AD, is it possible and viable to set up *two* domains with a one-way trust
under the *same* forest?
I have conflicting information from two 'specialists': one says that two
domains configured within the same AD forest will be set up as two-way trusts
(and he implied that such a trust cannot be set up one way as I wish).

Therefore he tells me that if I determine that two domains with a one-way
trust between them are required, I must set up two separate forests to accommodate
this need. Is this true?

By default Windows 2000/2003 inside of the forest creates two-way
transitive trusts between domains, and IMO it is not recommended to break
these trusts and replace them with one-way trusts.

And you have to remember that in the AD world the domain is no longer a security
boundary; the forest is the boundary at which level you should separate
security entities from each other. Using two separate forests you can
have a good level of control on the access to resources, including the
selective authentication mechanism.

Tomasz Onyszko [MVP]

Magoo said:
I have an important question:
Imagine I want to set up a separate domain to isolate "student" from "staff"
resources and provide a different set of security policies.

On Win2003 AD, is it possible and viable to set up *two* domains with a one-way trust
under the *same* forest?
I have conflicting information from two 'specialists': one says that two
domains configured within the same AD forest will be set up as two-way trusts
(and he implied that such a trust cannot be set up one way as I wish).

Therefore he tells me that if I determine that two domains with a one-way
trust between them are required, I must set up two separate forests to accommodate
this need. Is this true?

By default Windows 2000/2003 creates two-way transitive trusts
between the domains in the same forest, and IMO it is not recommended to
break these trusts and replace them with one-way, manually created trusts.

You have to notice also that in AD the domain is no longer a security boundary;
the forest is the boundary on which you can build your security model and
separate two different security domains.
Using trusts between the forests you can have a greater level of control
on the resources which can be accessed (including also the selective
authentication mechanism), and you can implement a separate security
policy for different parts of your organisation.

So IMO two forests will be a good solution for you.
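
The distinction drawn in this answer (automatic two-way transitive trusts inside a forest versus cross-forest trusts that can be one-way and use selective authentication) can be checked against the trust objects a directory actually holds. The following is an added example, not code from the thread; it decodes the trustDirection and trustAttributes values of trustedDomain objects (bit values as defined in MS-ADTS) and flags cross-forest trusts that lack selective authentication. The records are constructed for illustration; in practice they would be read from the System container with an LDAP query.

```python
# Added example: classify AD trust objects the way the thread describes them.
# Flag bits follow the trustAttributes / trustDirection definitions in MS-ADTS.
NON_TRANSITIVE = 0x01       # trust is not transitive
FOREST_TRANSITIVE = 0x08    # trust between two forests (Windows 2003 forest trust)
CROSS_ORGANIZATION = 0x10   # selective authentication enabled on the trust
WITHIN_FOREST = 0x20        # automatic trust between domains of one forest

DIRECTION = {0: "disabled", 1: "inbound", 2: "outbound", 3: "bidirectional"}


def describe_trust(rec):
    """Summarise one trustedDomain record (keys use the LDAP attribute names)."""
    attrs = rec["trustAttributes"]
    return {
        "name": rec["name"],
        "direction": DIRECTION[rec["trustDirection"]],
        "transitive": not (attrs & NON_TRANSITIVE),
        "within_forest": bool(attrs & WITHIN_FOREST),
        "forest_trust": bool(attrs & FOREST_TRANSITIVE),
        "selective_auth": bool(attrs & CROSS_ORGANIZATION),
    }


def audit_trusts(records):
    """Return findings: intra-forest trusts that are not two-way transitive
    (they always should be), and cross-forest trusts without selective auth."""
    findings = []
    for d in map(describe_trust, records):
        if d["within_forest"]:
            if d["direction"] != "bidirectional" or not d["transitive"]:
                findings.append(f"{d['name']}: intra-forest trust is not two-way transitive")
            continue  # nothing to tune inside the forest, as the answer says
        if not d["selective_auth"]:
            findings.append(f"{d['name']}: cross-forest trust without selective authentication")
    return findings


# Constructed sample: the automatic child-domain trust plus two forest trusts.
SAMPLE_TRUSTS = [
    {"name": "students.example.edu", "trustDirection": 3, "trustAttributes": WITHIN_FOREST},
    {"name": "staff.example.edu", "trustDirection": 1,
     "trustAttributes": FOREST_TRANSITIVE | CROSS_ORGANIZATION},
    {"name": "partner.example", "trustDirection": 3, "trustAttributes": FOREST_TRANSITIVE},
]

if __name__ == "__main__":
    for finding in audit_trusts(SAMPLE_TRUSTS):
        print(finding)
```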

Tomasz Onyszko [MVP]

Tomasz Onyszko [MVP] wrote:

Sorry for two posts with the same content; it's something with my
reader :(

Magoo

Thanks !

Tomasz Onyszko said:
By default Windows 2000/2003 creates two-way transitive trusts
between the domains in the same forest, and IMO it is not recommended to
break these trusts and replace them with one-way, manually created trusts.

You have to notice also that in AD the domain is no longer a security boundary;
the forest is the boundary on which you can build your security model and
separate two different security domains.
Using trusts between the forests you can have a greater level of control
on the resources which can be accessed (including also the selective
authentication mechanism), and you can implement a separate security
policy for different parts of your organisation.

So IMO two forests will be a good solution for you.