Security Basics mailing list archives

AD Child Domains


From: Raoul Armfield <armfield () amnh org>
Date: Wed, 23 Apr 2008 14:42:30 -0400

We are in the process of making a modification to our AD structure. For PCI compliance we need to segregate a portion of our users to a separate domain. This set of users do not need/want (and are very vocal about it) to follow the stricter password policy that PCI mandates.

I understand that when you create a child domain it by default creates a two-way transitive trust between the two domains. Is it possible to limit this trust relationship to a one-way trust relationship? If this is possible it seems to me that it may be preferable to creating a new forest just for a couple of hundred users.

Of course it is entirely possible that I am not thinking this through completely and am missing some important factors to consider. Your thoughts would be greatly appreciated.

Raoul

