Discussion in 'Active Directory' started by jmos, Nov 21, 2007.

  1. jmos

    jmos Guest

    We currently have two companies which need to merge but a difference of
    opinion and I could do with another view.

    As a standard practice I want to set up a trust between both forests so that
    resources can be easily accessed from each other's domain without too much
    issue. This buys the IT depts from both sites time to align AD's over a 9
    month period.

    However, their IT dept don't want to do that as 'it's too much work' and
    'more complicated'. Thus their suggestion is that they send us a DC
    configured in their domain and we migrate our AD into a subset OU of theirs.

    Obviously block inheritance would be a must and both sets of Admins would
    have to have access at Domain Level.

    I'm not convinced and want a more stable and staged approach to the merger
    of the two entities.

    Can anyone offer any help or advice on this issue?

    Many Thanks

    jmos, Nov 21, 2007
  2. Hi Jmos,
    The underlying issue is one of trust. Not AD trusts mind :)
    Do you trust the way the partner forest is managed? Looks like, from what
    I'm reading, they don't exactly trust you and want to delegate an OU in
    their forest for you to manage your resources in.

    I would have thought, if you had WS03 domains, that a forest trust would
    have been easier to set up/manage than a migration of your resources into an
    OU in their forest.
    Also, if you do do the migration to an OU in the partner forest, why should
    the migrated Admins be domain Admins? No need really. They can have
    delegated responsibilities at the OU level.

    There are no hard and fast technical reasons that determine which way you
    should go wrt their forest or yours.
    The political decision IMHO should be sorted out then the technical solution
    will follow.


    Austin Osuide, Nov 21, 2007
  3. jmos

    Jorge Silva Guest

    I don't see how it could be less complicated??
    In my opinion the easy way is to do the trust and migrate the objects.

    I hope that the information above helps you.
    Have a Nice day.

    Jorge Silva
    MCSE, MVP Directory Services
    Jorge Silva, Nov 21, 2007
  4. jmos

    jmos Guest

    Hi Austin,

    Firstly many thanks for the reply.

    There is a 'human trust' issue but I think that that is normal in any
    merger. Two IS managers, each trying to suss the other out! However, getting
    beyond that, as we are currently two distinct entities with different methods
    of working and as of yet we do not know what the ultimate network design
    should be, do you think setting AD trusts is a 'safer' option whilst
    business practices align?

    To complicate matters a little both sites will be merging into one.
    Ultimately we will be moving to their location and with their planned
    infrastructure changes I don't want to place all our eggs in the one basket
    as we do not know what interruptions to service might be.

    Your thoughts are greatly appreciated.
    jmos, Nov 22, 2007
  5. jmos

    jmos Guest

    Hi Jorge,

    This was my sentiment exactly.

    When you say migrate the objects I presume you mean into 'one domain'. At
    the moment we are separate forests and I believe that whilst we align our
    business processes over the coming months this will dictate whether or not we
    require a second domain or not.

    I also presume that two domains in the same forest is easier to amalgamate
    into one forest one domain architecture rather than from two distinct
    forests one being ripped apart and joined as a regional OU?

    As you can see we have yet to determine how our networks differ and are
    similar, what our working practices are and how best to meet the needs of
    both sides. Our AD is departmental based with a heavy emphasis on security
    groups per project. This is more of a regulatory requirement. Theirs on the
    other hand is more liberal read access across their LAN.

    Adding a trust at this stage what would (if anything) be able to replicate?
    I know that User A in Domain A could via securities access resources in
    Domain B and vice versa. What about Exchange and the synchronisation of data?

    Your thoughts are greatly appreciated.

    jmos, Nov 22, 2007
  6. Hi Jmos,
    Clearly, you'd want to maintain your structured processes until you can get
    the other IS manager to understand why you do things the way you do.
    If your users require access to resources in the other forest, set up the
    forest trust.
    If and when their Forest has been aligned with yours you can then migrate
    either into your own domain or, if policies allow, into a single domain.
    You can use your regulatory requirements to insist on them having a tighter
    delegation model if you want.
    Main thing is, once the politics is sorted and all parties have a unified
    view of where you want to go and why, the AD design is pretty straight
    forward and follows on from the corporate objectives.


    Austin Osuide, Nov 22, 2007
  7. However, their IT dept don't want to do that as 'it's too much work' and
    come again? looking at the rest of the mail it looks like they do not want
    to put ANY effort into it. What a BS reason!
    To mention a few things:
    * it might give you issues during migration because this looks like a weird
    scenario. Weird scenarios always end up with stupid issues
    * DCs cannot be disconnected from other DCs in the AD forest for more than
    the tombstone lifetime. If it is, then the other guys will/might get a lot
    of headaches because of lingering objects
    * security...if I'm reading this one correctly they are giving one of their
    RWDCs to you guys while you guys will become data admins in some OU and will
    not ever manage the directory service as a service admin
    From your security perspective: accept the offer and by having a RWDC you
    can hack your way into the system because you have physical access
    From their security perspective: kick the a$$ of the security officer and
    fire that guy! why? NEVER, NEVER, NEVER hand out a RWDC to someone that is
    not a trusted service admin (or is not a Domain Admin)

    Either I'm missing something, or someone does not understand the security of
    their AD in common....
    Jorge de Almeida Pinto [MVP - DS], Dec 28, 2007
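
    The tombstone-lifetime point in the last post can be checked before and during any merger work. The following is an added example, not code from any poster in this thread: it reads the forest's tombstone lifetime and reports inbound replication links whose last success is approaching or past it, which is where lingering objects come from. The function names and the 50% warning threshold are assumptions made for illustration.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-TombstoneLifetimeDays {
    # tombstoneLifetime is stored on the Directory Service object in the
    # configuration partition; when it is not set the default is 60 days.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $dsObject = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
        -Properties tombstoneLifetime
    if ($null -ne $dsObject.tombstoneLifetime) { return [int]$dsObject.tombstoneLifetime }
    return 60
}

function Get-ReplicationAgeReport {
    param(
        # Assumed warning threshold: fraction of the tombstone lifetime.
        [double]$WarnFraction = 0.5
    )
    $tslDays = Get-TombstoneLifetimeDays
    $now     = Get-Date
    $forest  = (Get-ADForest).Name

    Get-ADReplicationPartnerMetadata -Target $forest -Scope Forest -PartnerType Inbound |
        ForEach-Object {
            # A link that has never replicated successfully has no usable timestamp.
            $ageDays = if ($_.LastReplicationSuccess) {
                [math]::Round(($now - $_.LastReplicationSuccess).TotalDays, 1)
            } else { $null }

            $status = if ($null -eq $ageDays)                        { 'NEVER' }
                      elseif ($ageDays -ge $tslDays)                 { 'EXCEEDED' }
                      elseif ($ageDays -ge $tslDays * $WarnFraction) { 'WARN' }
                      else                                           { 'OK' }

            [pscustomobject]@{
                Server = $_.Server; Partner = $_.Partner; Partition = $_.Partition
                DaysSinceSuccess = $ageDays; TombstoneLifetimeDays = $tslDays
                ConsecutiveFailures = $_.ConsecutiveReplicationFailures; Status = $status
            }
        }
}

# Show only links that need attention, oldest first.
Get-ReplicationAgeReport | Where-Object Status -ne 'OK' |
    Sort-Object DaysSinceSuccess -Descending | Format-Table -AutoSize
```

    A DC shipped to another site and left without connectivity would show up here as WARN long before it crosses the tombstone lifetime.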
