RE: AD Child Domains
- From: "Rhett Grant" <rgrant@xxxxxxxxxxxxxxxx>
- Date: Wed, 23 Apr 2008 20:08:39 -0400
-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx
[mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of Raoul Armfield
Sent: Wednesday, April 23, 2008 2:43 PM
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: AD Child Domains
We are in the process of making a modification to our AD structure. For PCI compliance we need to segregate a portion of our users to a separate domain. This set of users does not need/want (and is very vocal about it) to follow the stricter password policy that PCI mandates.
I understand that when you create a child domain it by default creates a two-way transitive trust between the two domains. Is it possible to limit this trust relationship to a one-way trust relationship? If this is possible it seems to me that it may be preferable to creating a new forest just for a couple of hundred users.
Of course it is entirely possible that I am not thinking this through
completely and am missing some important factors to consider. Your
thoughts would be greatly appreciated.
Raoul
There is no way (that I know of) to selectively configure the transitive trust established between a parent/child domain. I am not fully understanding what you are trying to accomplish other than using a separate password policy, which a child domain will allow. Only use a separate forest to meet a security need. And again, I would be evaluating if it could be done with a DACL. It becomes much more complicated and time consuming to manage two forests than to manage a parent/child domain.
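As an added example (not part of the thread, and not the poster's own commands), the following PowerShell shows how an administrator would verify the two points discussed above before deciding: what the trust between the parent and child domain actually looks like, and whether each domain in the forest carries its own default domain password policy. It assumes the RSAT ActiveDirectory module and read access to both domains; the domain names in the comments are placeholders.

```powershell
# Added example (not from the thread): inspect the parent/child trust and compare
# the default domain password policy of every domain in the forest.
# Assumes the RSAT ActiveDirectory module and rights to read both domains.
# Domain names in comments (corp.example.com, pci.corp.example.com) are placeholders.
Import-Module ActiveDirectory

$forest = Get-ADForest
Write-Host "Forest root domain: $($forest.RootDomain)"

# 1. Enumerate trusts as seen from the domain you are joined to.
#    For a child domain created under a parent you expect
#    Direction = BiDirectional and IntraForest = True.
Get-ADTrust -Filter * |
    Select-Object Name, Direction, TrustType, IntraForest,
                  ForestTransitive, SelectiveAuthentication |
    Format-Table -AutoSize

# 2. Pull the default domain password policy for each domain in the forest
#    (e.g. corp.example.com as parent, pci.corp.example.com as child) so the
#    two policies can be compared side by side.
$policies = foreach ($domain in $forest.Domains) {
    $p = Get-ADDefaultDomainPasswordPolicy -Identity $domain
    [pscustomobject]@{
        Domain             = $domain
        MinPasswordLength  = $p.MinPasswordLength
        MaxPasswordAgeDays = $p.MaxPasswordAge.Days
        HistoryCount       = $p.PasswordHistoryCount
        ComplexityEnabled  = $p.ComplexityEnabled
        LockoutThreshold   = $p.LockoutThreshold
    }
}
$policies | Format-Table -AutoSize
```

Run it from a domain-joined host with RSAT installed; the first table answers the trust question directly from the directory rather than from assumption, and the second table makes it easy to confirm that the stricter PCI settings are in effect only in the domain intended to carry them.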