AD cross forest trust logon workstations

Tags: active-directory, windows-server-2008-r2, windows-server-2012-r2

Our business unit has been bought out by an external entity.

We are running 2008 R2 AD, they are running 2012 AD, the domains are not joined or trusted.

They have servers including domain controllers in their head office data centre (domain A).

We have a domain controller here (domain B). We are now considered overseas from the HQ (domain A).

Both sites are linked via a VPN and all servers can contact one another. In fact, they built a DC to run in our office that is in our network (but it doesn't currently talk to domain B's DC; it syncs to its primary domain A DC over the VPN).

Question – What would we need to do (on workstations and servers) to:

  1. Allow users from domain A HQ to log in to workstations at their new overseas office (domain B joined workstations) with their normal domain A credentials

  2. Still allow the existing domain B users to log in and use their workstations as usual (existing domain B active directory accounts can use domain B workstations as before)?

If using a trust does this need to be single direction or bidirectional? Is it just a case of adding a trust and that's it or does anything need to be configured on workstations or group policy?

Best Answer

Joe's got the right answer (and should have posted it as an answer.)

You'll need at least a one-way trust, with domain B trusting domain A. That way, domain A users can log in to domain B workstations (requirement 1).

A trust will not, in any way, affect how domain B users continue to log in to domain B workstations, so you don't have to do anything for requirement 2.

You should read up on this, and also start talking with the IT department of the company that has bought your business unit to determine immediate and longer-term business requirements. To forestall some potential confusion here's some important related info.

  1. You can't add your domain to their forest.
  2. A two-way trust is required for domain B users to log in to domain A workstations; not a stated requirement, but a likely next question.
  3. You can migrate workstations, servers, and users (and other things, like Exchange, SharePoint, etc.) from your domain into their forest, using ADMT or a third-party tool.

Edit - Joe also makes a good point about what to expect re: GPO behavior. Really, as I said above, you should do some serious research on this. There are all kinds of implications, technical and organizational, especially if you're in a business that falls under any kind of privacy regulations - PCI, HIPAA, SOX, many, many others.
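As an added illustration of the answer above (example code, not part of the original post or anyone's production script), the following PowerShell checks from domain B's side whether a trust with the direction the answer describes exists, and reports the trust hardening attributes an administrator would want to confirm before relying on it. It assumes the ActiveDirectory RSAT module is available on a domain B admin host or DC, and the domain names `b.example.local` (domain B) and `a.example.local` (domain A) are placeholders.

```powershell
# Added example: assess an AD trust from the trusting domain's (domain B's) point of view.
# Placeholder domain names; replace with the real DNS names of the two domains.
$TrustingDomain = 'b.example.local'   # domain B: its workstations must accept domain A logons
$TrustedDomain  = 'a.example.local'   # domain A: the HQ domain whose users need to log in

Import-Module ActiveDirectory

function Get-TrustAssessment {
    param(
        [Parameter(Mandatory)][string]$TrustingDomain,
        [Parameter(Mandatory)][string]$TrustedDomain
    )

    # Trust objects live in the domain that holds them; query domain B's DC directly.
    # The trust's Name is the partner domain's DNS name.
    $trust = Get-ADTrust -Filter "Name -eq '$TrustedDomain'" -Server $TrustingDomain -ErrorAction SilentlyContinue

    if (-not $trust) {
        return [pscustomobject]@{
            TrustFound              = $false
            Direction               = $null
            Requirement1Met         = $false   # domain A users cannot log on to B workstations yet
            Requirement2Affected    = $false   # domain B logons are untouched either way
            SidFilteringQuarantined = $null
            SelectiveAuthentication = $null
            Note                    = "No trust with $TrustedDomain exists in $TrustingDomain."
        }
    }

    # Seen from domain B, 'Outbound' means B trusts A (B accepts A's credentials),
    # 'Inbound' means A trusts B, and 'BiDirectional' is the two-way trust mentioned
    # for the likely follow-up question (B users logging on to A workstations).
    $req1Met = $trust.Direction -in @('Outbound', 'BiDirectional')

    [pscustomobject]@{
        TrustFound              = $true
        Direction               = [string]$trust.Direction
        Requirement1Met         = $req1Met
        Requirement2Affected    = $false
        # Hardening attributes worth confirming on any trust: SID filtering stops
        # SIDs from the trusted domain's SIDHistory being honoured; selective
        # authentication limits which domain B resources domain A users may reach.
        SidFilteringQuarantined = $trust.SIDFilteringQuarantined
        SelectiveAuthentication = $trust.SelectiveAuthentication
        Note                    = if ($req1Met) {
            "Domain A users can log on to domain B workstations; domain B users are unaffected."
        } else {
            "Trust is $($trust.Direction) from $TrustingDomain; B must trust A (Outbound) for requirement 1."
        }
    }
}

Get-TrustAssessment -TrustingDomain $TrustingDomain -TrustedDomain $TrustedDomain | Format-List

# If no trust exists yet, the one-way trust the answer describes (B trusting A) is
# created with netdom on a domain B DC, supplying domain A credentials when prompted:
#   netdom trust b.example.local /d:a.example.local /add /UserD:a.example.local\<admin> /PasswordD:*
# Add /twoway only if the two-way trust for the follow-up scenario is actually required.
```

`Requirement2Affected` is always `$false` because, as the answer states, a trust changes nothing about how domain B accounts authenticate to domain B workstations; the function still reports it so the two requirements appear side by side in the output.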