| Author | Messages | |
jdmanley
Posts:76
 | | 10/26/2009 6:29 PM |
| Sorry for being off-topic (well at least it's still AD related), but I've been unsuccessful in searching for the benefits of a two-way trust vs. a one-way trust (target retains access to resources in source) vs. no trusts. Is anyone familiar enough with the Quest Migration tools to offer some insight? I've always had two-way trusts in previous migrations, so this is the first time this has come up.
Thanks!
John
| | | |
| laurahcomputing
Posts:148
 | | 10/26/2009 7:12 PM |
| QMM won't work at all without a trust in place, same as ADMT.
As for one-way/two-way requirements? I've only ever done it with 2-way trusts simply from a convenience standpoint, since in most cases you're doing migrations that need to perform operations on both sides of the fence - create the object in new and then disable it in old, for example.
Somebody invoke a Summoning spell on Bob Bobel, or something. :-)
-- ----------------------- Laura E. Hunter Blog: http://www.shutuplaura.com Microsoft MVP, Directory Services ( https://mvp.support.microsoft.com/profile/laura) Author, Active Directory Consultant's Field Guide (http://tinyurl.com/7f8ll) Author, Active Directory Cookbook, Third Edition (http://tinyurl.com/7kp3ct)
| | | |
| RickSheikh
Posts:373
 | | 10/26/2009 7:19 PM |
| Regarding using ADMT, I thought that even when you opt not to disable the object in source domain, the two-way trust is required. ??
| | | |
| Tony
Posts:152
 | | 10/26/2009 7:58 PM |
| Hi John
Have a look at the Best Practices document for QMM 8.4. It has a section on how to perform the migration without trusts. Also look at Appendices 2 and 3.
If you have access to the Quest support site, have a look at SOL14265.
The bottom line is that it is possible. Whenever I've used QMM I've had the luxury of a 2 way trust and this seems to be the strongly recommended approach.
Tony
| | | |
| jdmanley
Posts:76
 | | 10/26/2009 8:20 PM |
| Thanks for the responses. I've looked at those docs already but they don't mention anything about pros/cons of going with any of the routes (2-way, 1-way, or no trust). They simply say it's possible and that they recommend a 2-way, however a recommendation isn't good enough to convince the powers that be. :/
| | | |
| barkills
Posts:214
 | | 10/26/2009 10:08 PM |
| Nope, 2 way trust is NOT required for ADMT; I've done several 1 way trust ADMT migrations.
And with regard to Laura's assertion, just because you are doing operations in two separate domains or forests, doesn't mean you need a 2 way trust. If the account which does the operation is in the target domain, the source domain trusts the target, and the account has the right perms in both domains, then no problem.
Heck, you probably don't even need a trust between the two domains involved--you could have a third domain which both of the two domains trusted, and use an account from that domain to do the migration operations. Of course, I've never tried that myself--just bringing it up to emphasize my point.
I've never used the Quest tools, so I can't say anything about them, besides to say that I'm cheap, and that they should have the same ability.
| | | |
| bdesmond
Posts:996
 | | 10/27/2009 1:55 AM |
| You don't need any form of trust to use ADMT. I've done it a number of times this way. There's some extra setup work involved but it's functionally equivalent.
Thanks, Brian Desmond brian@briandesmond.com
c - 312.731.3132
| | | |
| neil.ruston@credit-suisse.com
Posts:0
 | | 10/27/2009 9:50 AM |
| Is your question:
1. What are the trust requirements of QMM? or
2. What are the benefits and requirements of one-way and two-way trusts?
Or both?
neil
=============================================================================== Please access the attached hyperlink for an important electronic communications disclaimer: http://www.credit-suisse.com/legal/en/disclaimer_email_ib.html ===============================================================================
| | | |
| jdmanley
Posts:76
 | | 10/27/2009 4:19 PM |
| Really I'm looking for the benefits (if any) that a two-way trust offers over a 1-way, so #2. I'm already aware we could skip QMM/ADMT and use a combination of a SID mapping file, subInACL, netdom, and Access to get the same results, but that's not easily managed with 12,000 users. At least not in this environment :-)
Thanks,
John
| | | |
| barkills
Posts:214
 | | 10/27/2009 5:06 PM |
| I've done both 2-way and 1-way trust domain migrations.
The thing that sticks out between the two was that with a 2-way trust migration, you could migrate workstations or servers in whatever order met your purposes (assuming you didn't reACL migrated servers until after all the workstations were migrated). With a 1-way trust migration, you pretty much have to migrate all the workstations, then start on the servers. This assumes that you aren't willing to tell clients to login with the "new" domain user accounts while their workstations are still in the "old" domain. I've never been willing to do that myself, because it is confusing to the clients.
The reason behind the strict ordering for the 1-way trust migration scenario is that if you move servers before all workstations, then either you have to have the clients start using the "new" domain user accounts while their workstations are still in the "old" domain or the users have to know to use both sets of user accounts.
A lot of domain migration is figuring out dependencies, timing, and logistics. And a 1-way trust makes that harder. But a 1-way trust also comes with security benefits if the domain you are migrating away from doesn't have the best management practices. So if you have a choice, you have to weigh those intangibles against each other.
| | | |
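The ordering constraint Brian Arkills describes in the post above, as an added example that is not part of the original thread: a small Python model that checks, after each machine move, whether every user can still authenticate to every server. The domain names, machine names and the rule that each user logs on with an account from their workstation's current domain are assumptions taken from the conditions he states; authorization (ACLs, reACLing) is assumed to be handled separately and is not modelled.

```python
"""Authentication reachability during a domain migration (constructed model).

Not ADMT or QMM behaviour. Two domains, OLD (source) and NEW (target).
Assumption: a user always logs on with an account from the domain their
workstation is currently joined to.
"""
from itertools import permutations

OLD, NEW = "OLD", "NEW"

# A trust is (trusting_domain, trusted_domain): resources in the trusting
# domain accept accounts from the trusted domain.
ONE_WAY = {(OLD, NEW)}               # source trusts target only
TWO_WAY = {(OLD, NEW), (NEW, OLD)}

# Constructed sample environment.
WORKSTATIONS = ("ws1", "ws2")
SERVERS = ("srv1", "srv2")


def can_authenticate(account_domain, resource_domain, trusts):
    """True if an account from account_domain is accepted in resource_domain."""
    return (account_domain == resource_domain
            or (resource_domain, account_domain) in trusts)


def broken_access(ws_domains, srv_domains, trusts):
    """Return sorted (workstation, server) pairs whose user cannot authenticate."""
    return sorted(
        (ws, srv)
        for ws, ws_dom in ws_domains.items()
        for srv, srv_dom in srv_domains.items()
        if not can_authenticate(ws_dom, srv_dom, trusts)
    )


def simulate(order, workstations, servers, trusts):
    """Move machines to NEW one at a time in the given order.

    Returns None if access never breaks, otherwise a tuple
    (step_number, machine_just_moved, broken_pairs) for the first failure.
    """
    ws_domains = dict.fromkeys(workstations, OLD)
    srv_domains = dict.fromkeys(servers, OLD)
    for step, machine in enumerate(order, 1):
        if machine in ws_domains:
            ws_domains[machine] = NEW
        else:
            srv_domains[machine] = NEW
        broken = broken_access(ws_domains, srv_domains, trusts)
        if broken:
            return step, machine, broken
    return None


def safe_orders(workstations, servers, trusts):
    """Every migration order that never leaves a user unable to reach a server."""
    machines = tuple(workstations) + tuple(servers)
    return [
        order for order in permutations(machines)
        if simulate(order, workstations, servers, trusts) is None
    ]


if __name__ == "__main__":
    for name, trusts in (("two-way", TWO_WAY), ("one-way", ONE_WAY)):
        ok = safe_orders(WORKSTATIONS, SERVERS, trusts)
        print(f"{name}: {len(ok)} of 24 orders keep access working")
    # Moving a server first under a one-way trust strands OLD-domain users.
    print(simulate(("srv1", "ws1", "ws2", "srv2"), WORKSTATIONS, SERVERS, ONE_WAY))
```
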
| bdesmond
Posts:996
 | | 10/27/2009 5:14 PM |
| Also you can force the migration along by being selective with your trusts. These migration projects have a way of never ending, and if you make it convenient for them to never end (e.g. convenient trusts), people will take advantage of your generosity and find ways to make the project last a little longer.
Thanks, Brian Desmond brian@briandesmond.com
c - 312.731.3132
| | | |
| GuidoG
Posts:114
 | | 10/27/2009 8:15 PM |
| I find it interesting to see so many answers to your question, with so little input to your migration scenario. There is a reason for when you need the one or the other approach, i.e. one way, two way trust or no trust at all - and something that might be a "pro" to one scenario, might be a "con" for another scenario.
/Guido
| | | |
| LeslieTyson
Posts:15
 | | 10/28/2009 3:46 AM |
| We've done several migrations using the Quest tools, and when the question about trusts comes up, the answer is pretty straightforward. The migrations we've done have always been either to consolidate/collapse a domain, or to move users from a domain that belongs to a company that was acquired by us. In both cases, *all* users will be moved to the target (parent-company), so the matter of trusting the users and administrators is moot; the Domain Admins for the parent company (new domain) will have access to all objects when the process is done, and all users belong to the same company. A two-way trust has always been set up so that during migration the following capabilities are present:
- The migration order does not have to be pre-determined, and may be adjusted for specific pieces (workstation / servers) as is required
- Access can be provided to resources in either domain during the migration, for users in either domain.
The second reason has always been the big business driver - the business is always keen to get people working together ASAP, and isn't always patient enough to wait until the migration is complete. With a two-way trust, we can provide access to resources on either side, at any point.
HTH,
Tyson.
| | | |
| RickSheikh
Posts:373
 | | 10/28/2009 4:16 PM |
| I agree that in a domain consolidation / AD Migration project, trusts streamline the integration of the business lines in respect to the resource access, but as Brian D. alluded to, often times the convenience the trusts bring ends up hurting your adoption of a good access control model in a multi-domain environment such as AGDLP, where precedence has already been set with most access technically permissible across the domain boundary (notwithstanding to the groups nesting restrictions), and also often stands in the way of collapsing domains where the said change is only desired by you as an AD Admin but business does not truly deem it necessary.
| | | |
| barkills
Posts:214
 | | 10/28/2009 4:35 PM |
| Yeah, in the corporate environment, I imagine it is more straightforward--although I'm sure there are scenarios where it isn't. But fortunately, we don't all work in the corporate environment. 
Some of us work in environments where there *isn't* a single point of IT authority, but there may be a central IT department. And from that starting point, you can extrapolate that there often end up being as many Windows domains as there are departments which would like control of their own destiny. Of course, each of these departments has different account practices. And then sometimes those departments change direction and want to collapse domains.
And what I've just described is the environment at any medium to large university.
In such an environment, domain trusts are typically 1 way, where most folks are willing to trust the central IT department, but very few are willing to trust department domains. And for good reason--those department domains generally have a higher rate of domain compromise (i.e. the DCs getting compromised), and not as much deliberation around their account practices.
So in such a scenario, you do want to encourage people to get rid of those department domains, but you don't want to trust those domains any more than you have to. 
Anyhow, I figure that exposing more details about background is generally helpful so folks know that things don't always work the way they've experienced. So no hard feelings intended--I'm just trying to expand our horizons.
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Leslie, Tyson (Calgary)
Sent: Tuesday, October 27, 2009 8:45 PM
To: activedir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] AD migration - trust pros/cons with QMM?
Sensitivity: Confidential
We've done several migrations using the Quest tools, and when the question about trusts comes up, the answer is pretty straight forward. The migrations we've done have always been either to consolidate/collapse a domain, or to move users from a domain that belongs to a company that was acquired by us. In both cases, *all* users will be moved to the target (parent-company), so the matter of trusting the users and administrators is moot; the Domain Admins for the parent company (new domain) will have access to all objects when the process is done, and all users belong to the same company. A two-way trust has always been set up so that during migration the following capabilities are present:
- The migration order does not have to be pre-determined, and may be adjusted for specific pieces (workstation / servers) as is required
- Access can be provided to resources in either domain during the migration, for users in either domain.
The second reason has always been the big business driver - the business is always keen to get people working together ASAP, and isn't always patient enough to wait until the migration is complete. With a two-way trust, we can provide access to resources on either side, at any point.
HTH,
Tyson.
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of John Manley
Sent: October-27-09 10:17 AM
To: activedir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] AD migration - trust pros/cons with QMM?
Sensitivity: Confidential
Really I'm looking for the benefits (if any) that a two-way trust offers over a 1-way, so #2. I'm already aware we could skip QMM/ADMT and use a combination of a SID mapping file, subInACL, netdom, and Access to get the same results, but that's not easily managed with 12,000 users. At least not in this environment :)
Thanks,
John
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Ruston, Neil
Sent: Tuesday, October 27, 2009 2:49 AM
To: activedir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] AD migration - trust pros/cons with QMM?
Sensitivity: Confidential
Is your question:
1. What are the trust requirements of QMM? or
2. What are the benefits and requirements of one-way and two-way trusts?
Or both?
neil
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of John Manley
Sent: 26 October 2009 18:29
To: activedir@mail.activedir.org
Subject: [ActiveDir] [OT] AD migration - trust pros/cons with QMM?
Sensitivity: Confidential
Sorry for being off-topic (well at least it's still AD related), but I've been unsuccessful in searching for the benefits of a two-way trust vs. a one-way trust (target retains access to resources in source) vs. no trusts. Is anyone familiar enough with the Quest Migration tools to offer some insight? I've always had two-way trusts in previous migrations, so this is the first time this has come up.
Thanks!
John
| | | |
|
|