Security Basics mailing list archives
RE: AD Child Domains
From: "Rob McShinsky (Verizon)" <Rob () mcshinsky com>
Date: Thu, 24 Apr 2008 09:26:45 -0400
If password policies were the only reason they want to move to a separate domain, Windows Server 2008 will have the ability to set different password policies for subsets of users.

As far as trusts, I would stick with a transitive trust between the two domains. If there would be any data sharing between the 2 domains, i.e. file shares, applications that use AD for authentication, etc., this could get sticky with just a one-way trust in one or the other direction.

Rob McShinsky
http://www.virtuallyware.net

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Raoul Armfield
Sent: Wednesday, April 23, 2008 2:43 PM
To: security-basics () securityfocus com
Subject: AD Child Domains

We are in the process of making a modification to our AD structure. For PCI compliance we need to segregate a portion of our users to a separate domain. This set of users do not need/want (and are very vocal about it) to follow the stricter password policy that PCI mandates.

I understand that when you create a child domain it by default creates a two-way transitive trust between the two domains. Is it possible to limit this trust relationship to a one-way trust relationship? If this is possible it seems to me that it may be preferable to creating a new forest just for a couple of hundred users.

Of course it is entirely possible that I am not thinking this through completely and am missing some important factors to consider. Your thoughts would be greatly appreciated.

Raoul