Security Basics mailing list archives

RE: AD Child Domains


From: "Rob McShinsky (Verizon)" <Rob () mcshinsky com>
Date: Thu, 24 Apr 2008 09:26:45 -0400

If password policies were the only reason they want to move to a separate
domain, Windows Server 2008 will have the ability to set different password
policies for subsets of users. As far as trusts, I would stick with a
transitive trust between the two domains.  If there would be any data
sharing between the 2 domains, i.e. file shares, applications that use AD for
authentication, etc., this could get sticky with just a one-way trust in
one or the other direction.

Rob McShinsky
http://www.virtuallyware.net
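As an added illustration of the per-group password policy Rob refers to (fine-grained password policies, not code from this thread): it uses the ActiveDirectory PowerShell module that shipped with Server 2008 R2, assumes the domain functional level is at least Windows Server 2008, and the PSO and group names are placeholders.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module
# (Windows Server 2008 R2 / RSAT or later) and domain functional level
# Windows Server 2008 or higher. Names below are placeholders.
Import-Module ActiveDirectory

$psoName   = 'PCI-Scope-PasswordPolicy'   # placeholder PSO name
$groupName = 'PCI-Scope-Users'            # placeholder global security group

# Create the Password Settings Object. Values are illustrative of a
# "stricter" policy; take the real numbers from your own PCI assessment.
# Precedence: when a user is covered by several PSOs, the lowest value wins.
New-ADFineGrainedPasswordPolicy -Name $psoName `
    -Precedence 10 `
    -ComplexityEnabled $true `
    -MinPasswordLength 12 `
    -PasswordHistoryCount 24 `
    -MaxPasswordAge (New-TimeSpan -Days 90) `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -LockoutThreshold 6 `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -ReversibleEncryptionEnabled $false `
    -Description 'Stricter policy for in-scope PCI users'

# Link the PSO to the group holding the in-scope users.
# PSOs apply only to user objects and global security groups, never to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $groupName

# Verify: which policy is actually in effect for a member of that group?
# The default domain policy still applies to everyone the PSO does not cover.
$member = Get-ADGroupMember -Identity $groupName | Select-Object -First 1
if ($null -eq $member) {
    Write-Warning "Group '$groupName' has no members yet; nothing to verify."
} else {
    Get-ADUserResultantPasswordPolicy -Identity $member.SamAccountName |
        Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold
}
```

Get-ADUserResultantPasswordPolicy returns nothing for a user covered by no PSO, which is the quick way to spot someone who was left out of the group.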

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Raoul Armfield
Sent: Wednesday, April 23, 2008 2:43 PM
To: security-basics () securityfocus com
Subject: AD Child Domains

We are in the process of making a modification to our AD structure.  For 
PCI compliance we need to segregate a portion of our users to a separate 
domain.  This set of users does not need/want (and is very vocal about 
it) to follow the stricter password policy that PCI mandates.

I understand that when you create a child domain it by default creates a 
two-way transitive trust between the two domains.  Is it possible to 
limit this trust relationship to a one-way trust relationship?  If this 
is possible it seems to me that it may be preferable to creating a new 
forest just for a couple of hundred users.

Of course it is entirely possible that I am not thinking this through 
completely and am missing some important factors to consider.  Your 
thoughts would be greatly appreciated.

Raoul
