Using an existing AD domain (company.net), we need to add a child domain (untrusted.company.net) with a one-way trust. Testing in my lab and the Google searching that I have done seem to suggest that this is impossible to achieve, as there is a default, unchangeable two-way trust established when a child domain is created.
Does anyone know of a way to achieve this goal?
I know I could create a separate forest, but that has been nixed by my boss. The management at my company (boo… hiss..) requires this to be an actual child domain.
Details:
Existing domain and forest are 2008 functional level on 2008 R2 SP1 boxes.
Child domain will be on 2008 R2 SP1, and will start at a 2008 functional level.
Best Answer
A cross-forest trust relationship is by definition impossible when the domains aren't in different forests.
You'll need to have a nice chat with the manager making that call and explain that those two requirements conflict, unfortunately.