Relationship Trust External NON Transitive Active Directory

  • Last Post 17 August 2017
daniel.oprea posted this 17 August 2017

Hello Experts,
I need your help! I have 2 forests, DomainA.lab and DomainB.lab, with an external, non-transitive Active Directory trust relationship. I recently added a new domain (a child) in the DomainA.lab forest, with the FQDN Child.DomainA.lab, but I have a big problem: Since the DomainB.lab did not arrive, I do not see the Child.DomainA.lab. I have read the article https://technet.microsoft.com/en-us/library/cc754612(v=ws.11).aspx where it explains why I cannot see the Child.DomainA.lab from the DomainB.lab.
I leave you all the data of the relationship that I have between these 3 domains: [Inline image 1]

ZJORZ posted this 17 August 2017

The impact occurs when you delete the current external trust. After that, SIDs from the other domain in groups or permissions will not resolve to pretty names, but those will not disappear. After creating the forest trust, all SIDs will resolve back to pretty names.
Deleting a trust relation does not mean you will delete permissions or memberships for foreign security principals.
To see it yourself, test in a test environment first.




Met vriendelijke groet / Kind regards,
Jorge de Almeida Pinto
MVP Enterprise Mobility and Security (EMS)
E-Mail: jorge@xxxxxxxxxxxxxxxx
Tel.: +31-(0)6-26.26.62.80
(+++Sent from my mobile device +++)
(Apologies for any typos)
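
An added example, not part of the original thread: one way to record the current trust and the foreign security principals (FSPs) with their group memberships before the external trust is deleted, so the same report can be compared after the forest trust is created. It assumes the RSAT ActiveDirectory module and a session in the domain that holds the FSPs; the CSV file names are placeholders.

```powershell
# Added example (not from the thread). Read-only inventory, run before and after the trust change.
Import-Module ActiveDirectory

# 1. Record the trust as it exists now (type, direction, transitivity, SID filtering).
Get-ADTrust -Filter * |
    Select-Object Name, Direction, TrustType, ForestTransitive, IntraForest, SIDFilteringQuarantined |
    Export-Csv -Path .\trusts-snapshot.csv -NoTypeInformation   # placeholder file name

# 2. List every foreign security principal and the local groups it belongs to.
$fsps = Get-ADObject -Filter 'objectClass -eq "foreignSecurityPrincipal"' `
                     -Properties objectSid, memberOf

$report = foreach ($fsp in $fsps) {
    $sid = $fsp.objectSid

    # Well-known principals (for example S-1-5-11) also live in this container; skip them.
    if ($sid.Value -notlike 'S-1-5-21-*') { continue }

    # Try to resolve the SID to a name. While the trust is missing this fails,
    # but the FSP object and its memberships are still there.
    try {
        $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $name = '<unresolved>'
    }

    $groups = @($fsp.memberOf)
    if ($groups.Count -eq 0) { $groups = @('<no group membership>') }

    foreach ($group in $groups) {
        [pscustomobject]@{
            Sid          = $sid.Value
            DomainSid    = $sid.AccountDomainSid.Value
            ResolvedName = $name
            MemberOf     = $group
        }
    }
}

$report | Export-Csv -Path .\fsp-snapshot.csv -NoTypeInformation   # placeholder file name

# 3. Quick summary: how many entries resolve right now, per foreign domain SID.
$report | Group-Object DomainSid, { $_.ResolvedName -ne '<unresolved>' } |
    Select-Object Count, Name
```

The report covers group memberships only; SIDs placed directly in ACLs on files, shares or other resources are not listed by it and need a separate check on those resources.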


daniel.oprea posted this 17 August 2017

Hello Jorge,
If you were thinking about it, create a two-way relationship forest trust. But I have the doubts I have described before:
What implications does it have? Between DomainA.lab and DomainB.lab I have cross-permissions of users and servers... If I delete the existing relationship and re-create another relationship, will I lose the permissions of users, services and servers that I have crossed?
Yours sincerely,
Kind regards,
DANIEL OPREA
http://www.danieloprea.blogspot.com/




ZJORZ posted this 17 August 2017

Why don't you use a FOREST trust?
Delete the external trust and recreate it as a forest trust.
By using a forest trust you will also be able to use Kerberos. With that in mind, also look at your UPN routing configuration if needed.




Met vriendelijke groet / Kind regards,
Jorge de Almeida Pinto
MVP Enterprise Mobility and Security (EMS)
E-Mail: jorge@xxxxxxxxxxxxxxxx
Tel.: +31-(0)6-26.26.62.80
(+++Sent from my mobile device +++)
(Apologies for any typos)
