AD cross forest trust logon workstations
Joe's got the right answer (and should have posted it as an answer.)
You'll need at least a one-way trust, with domain B trusting domain A. That way, domain A users can log in to domain B workstations (requirement 1).
A trust will not, in any way, affect how domain B users continue to login to domain B workstations, so you don't have to do anything for requirement 2.
You should read up on this, and also start talking with the IT department of the company that has bought your business unit to determine immediate and longer-term business requirements. To forestall some potential confusion here's some important related info.
- You can't add your domain to their forest.
- A two-way trust is required for domain B users to log in to domain A workstations; not a stated requirement, but a likely next question.
- You can migrate workstations, servers, and users (and other things, like Exchange, Sharepoint, etc) from your domain into their forest, using ADMT or a 3rd party tool.
Edit - Joe also makes a good point about what to expect re: GPO behavior. Really, as I said above, you should do some serious research on this. There's all kinds of implications, technical and organizational, especially if you're in a business that falls under any kind of privacy regulations - PCI, HIPAA, SOX, many many others.
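As an added example (not part of the original answer), here is what the one-way trust described above looks like when created and checked from a domain B domain controller with PowerShell and the built-in netdom/dnscmd tools. The domain names corp.example (domain A) and branch.local (domain B), the DC IP addresses and the account names are placeholders; the direction comments are the part worth reading, because the trust has to be created with B as the trusting side for requirement 1 to work.

```powershell
# Added example for the answer above; not from the original post. Domain names,
# server IPs and account names are placeholders:
#   corp.example  = domain A (HQ forest, where the users live)
#   branch.local  = domain B (overseas office, where the workstations live)
# Run on a domain B domain controller (2008 R2: PowerShell 2.0 + RSAT-AD-PowerShell).

$TrustingDomain = 'branch.local'   # domain B: its workstations will accept A's users
$TrustedDomain  = 'corp.example'   # domain A: its users are the ones being trusted

# 0. Trust creation and every cross-forest logon need DNS for the other domain to
#    work over the VPN. On B's DNS server add a conditional forwarder for A
#    (A's admins do the reverse for B). IPs are assumed addresses of A's DCs.
dnscmd /ZoneAdd $TrustedDomain /DsForwarder 10.1.0.10 10.1.0.11
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$TrustedDomain"     # must list A's DCs

# 1. Create the one-way trust. netdom's argument order encodes the direction:
#    "netdom trust <trusting> /d:<trusted>", so B is named first and A under /d:.
#    /UserD + /PasswordD are credentials in A, /UserO + /PasswordO in B ("*" prompts).
#    Adding /twoway would instead create the bidirectional trust needed for B's
#    users to log on to A's workstations (the "likely next question" above).
#    netdom creates an external (non-transitive) trust between the two domains;
#    a transitive forest trust is created from Active Directory Domains and Trusts.
netdom trust $TrustingDomain /d:$TrustedDomain /add `
    /userd:"CORP\trust-admin" /passwordd:* /usero:"BRANCH\Administrator" /passwordo:*

# 2. Read the result back from B. Get-ADTrust reports the direction as stored on
#    B's trusted-domain object, i.e. from B's point of view:
#      Outbound      -> B trusts A: A's users can log on to B's workstations (requirement 1)
#      Inbound       -> A trusts B: only B's users gain access to A's resources
#      BiDirectional -> both
function Test-ResourceTrust {
    param([string]$Target)
    $t = Get-ADTrust -Filter { Target -eq $Target }
    if (-not $t) { return "No trust object for $Target in this domain" }
    $dir = [string]$t.Direction
    New-Object PSObject -Property @{
        Target                  = $t.Target
        Direction               = $dir
        ForestTransitive        = $t.ForestTransitive      # $false for the external trust netdom creates
        SelectiveAuthentication = $t.SelectiveAuthentication
        AUsersCanLogOnToB       = (@('Outbound', 'BiDirectional') -contains $dir)
        # If SelectiveAuthentication is $true the trust alone is not enough: each B
        # computer must also grant A's users the "Allowed to Authenticate" right.
    }
}
Test-ResourceTrust -Target $TrustedDomain | Format-List

# 3. Confirm the secure channel over the new trust actually works before asking
#    anyone from HQ to try a logon.
netdom trust $TrustingDomain /d:$TrustedDomain /verify
```

Requirement 2 needs no step here: domain B's own trusted-domain object is untouched, and B's users keep authenticating against B's DCs exactly as before. The one thing that can still block A's users after a correctly directed trust is a "Deny log on locally" or restrictive "Allow log on locally" assignment in a GPO applied to the workstations, which is the case MDMarra raises in the comments.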
morleyc
Updated on September 18, 2022
Comments
-
morleyc almost 2 years
Our business unit has been bought out by an external entity.
We are running 2008 R2 AD, they are running 2012 AD, the domains are not joined or trusted.
They have servers including domain controllers in their head office data centre (domain A).
We have a domain controller here (domain B). We are now considered overseas from the HQ (domain A).
Both sites are linked via a VPN and all servers can contact one another; in fact they built a DC to run in our office that is in our network (but doesn't currently talk to domain B's DC, it syncs to its primary domain A DC over the VPN).
Question - What would we need to do (on workstations and servers) to:
Allow users from domain A HQ to log in to workstations at their new overseas office (domain B joined workstations) with their normal domain A credentials
Still allow the existing domain B users to log in and use their workstations as usual (existing domain B active directory accounts can use domain B workstations as before)?
If using a trust does this need to be single direction or bidirectional? Is it just a case of adding a trust and that's it or does anything need to be configured on workstations or group policy?
-
MDMarra over 9 years: What is your question? You appear to have forgotten to ask one.
-
joeqwerty over 9 years: You'll need a Trust - technet.microsoft.com/en-us/library/cc770299.aspx
-
morleyc over 9 years: Thanks - does this need to be single direction or bidirectional? Is it just a case of adding a trust and that's it, or does anything need to be configured on workstations or group policy?
-
joeqwerty over 9 years: At this point I'd suggest reading up on it at the provided link and coming back with specific implementation questions. Providing an answer for your comment would be doing your work for you. Also, we can't tell you what type of Trust you need that will suit the operational needs and the security paradigm of your organization. Only you can answer that.
-
HopelessN00b over 9 years: Will probably need more than a trust, though. They should also have to set up group(s) so the workstations allow users from the other forest to login.
-
MDMarra over 9 years: @HopelessN00b this works by default unless you've enabled selective authentication on the trust, or are using GPO to deny logon locally to users in the trusted domain.
-
joeqwerty over 9 years: Something to note about Group Policy processing for user objects in a cross forest trust; by default (IIRC) Group Policy settings for the user account/object from the user's home forest will not be applied when logging on to a computer in the other forest. Group Policy user settings in the GPO linked to the computer object will be applied in Loopback Policy Processing: Replace mode. If you need user object Group Policies to be applied from the user's home forest you can control that with a Group Policy setting: Allow Cross-Forest User Policy and Roaming User Profiles.
-
Samuel Harmer over 8 years: Allow Cross-Forest User Policy and Roaming User Profiles can be found in Group Policy Management under Computer configuration → Policies → Administrative Templates → System → Group Policy.
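The Group Policy behaviour described in the last two comments can be checked on a domain B workstation rather than inferred. The following is an added example, not code from anyone in the thread: it reads the two registry values those policy settings write (value names as defined in GroupPolicy.admx), says in plain words what a domain A user will get on that machine, and shows the GPO change that turns home-forest user policy on. The GPO name "Branch Workstations" and the account CORP\alice are placeholders.

```powershell
# Added example for the Group Policy comments above; not from the original thread.
# Run on a domain B workstation after a domain A user has logged on to it.
# Registry value names come from GroupPolicy.admx; GPO name and account are placeholders.

function Get-CrossForestGpoState {
    # Both policy settings land in this key when delivered by a GPO applied to the computer.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $p   = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    # "Configure user Group Policy loopback processing mode": 1 = Merge, 2 = Replace
    $loopback = switch ($p.UserPolicyMode) { 1 { 'Merge' } 2 { 'Replace' } default { 'Not configured' } }
    # "Allow Cross-Forest User Policy and Roaming User Profiles": 1 = Enabled
    $xforest  = ($p.'AllowX-ForestPolicy-and-RUP' -eq 1)

    # What a user from the trusted forest (domain A) gets on this domain B machine
    $effect = if ($xforest) {
        "Home-forest (A) user GPOs are applied; loopback mode '$loopback' decides how this computer's user settings combine with them"
    } else {
        'Home-forest (A) user GPOs are ignored; user settings of the GPOs linked to this computer apply, as in loopback Replace mode'
    }
    New-Object PSObject -Property @{
        LoopbackMode               = $loopback
        AllowCrossForestUserPolicy = $xforest
        EffectForDomainAUser       = $effect
    }
}
Get-CrossForestGpoState | Format-List

# Cross-check with Group Policy's own RSoP data for a specific domain A user who
# has already logged on to this workstation at least once.
gpresult /r /scope:user /user "CORP\alice"

# To let A's user GPOs run on B's workstations, enable the setting in a GPO linked
# to those computers (run on a domain B DC with the GroupPolicy module). Decide
# deliberately: it lets GPO authors in the other forest push scripts and settings
# onto your machines, which is why it is off by default.
Set-GPRegistryValue -Name 'Branch Workstations' `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\System' `
    -ValueName 'AllowX-ForestPolicy-and-RUP' -Type DWord -Value 1
```

Without the setting enabled, a domain A user on a domain B workstation receives only the user-side settings of B's computer-linked GPOs, which is the loopback Replace behaviour joeqwerty describes; roaming profile paths defined in A are ignored as well, so expect local profiles unless the setting is turned on.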