Re: Cross Domain privileges for Domain Admins

Giganews Newsgroups
Subject: Re: Cross Domain privileges for Domain Admins
Posted by:  Paul Bergson [MVP-DS] (pbbergs@no_spammsn.com)
Date: Thu, 11 Jun 2009

By default all domains within a forest have a hierarchical and transitive
trust with one another, so it doesn't matter where the clients and users
reside.  My guess is that whoever helped design this layout is still thinking in
terms of NT4.  If you are doing this for security reasons then this isn't
correct: the security boundary is the forest, not the domain.  Because of this
I would strongly suggest that you reconsider and create a single domain
within your forest.

The forest structure you describe will require a minimum of 6 domain
controllers to be properly protected in the event of any problems; if it
were a single domain, it would then be only 2.

Ulf B Simon-Weidner has a short explanation on security boundaries that you
might want to read over:
http://msmvps.com/blogs/ulfbsimonweidner/archive/2007/08/25/security-boundary-forest-vs-domain.aspx

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup.  This
posting is provided "AS IS" with no warranties, and confers no rights.

"blankmonkey" <blankmonk…@discussions.microsoft.com> wrote in message
news:5E50FE94-78F8-4EC6-A84A-A23F16BD7D…@microsoft.com...
> 2008 native Domain setup (no 2003 or older)
>
>                            /----Domain-Child1 (Users)
> Domain-Parent---
>                            \----Domain-Child2 (Servers, applications, services)
>
> I have complete control over all the domains.
> It has been decided via Policy that all users will reside in Domain-Child1
> What trusts need to be set up, groups set up, members added, etc. so that I
> can use 1 user account, and be a Domain Admin in BOTH Domain-Child1 and
> Domain-Child2?
>
> Remember, POLICY says user MUST reside in Domain-Child1, and I may not be
> an enterprise admin.
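Paul's answer above rests on three forest-level facts: every domain in a forest trusts every other domain transitively, the forest (not the domain) is the security boundary, and each domain needs at least two domain controllers to survive the loss of one. The following audit script is an added example, not code from the thread or from either poster, that reports those properties for every domain in the forest so an administrator can see what the parent/child layout in the question actually costs. It assumes the ActiveDirectory PowerShell module (RSAT) is installed and that the account running it can read each domain; the DC-count threshold of 2 is taken from the answer above, and the WITHIN_FOREST trust attribute bit (0x20) is a documented flag on trustedDomain objects.

```powershell
# Added audit example (not from the original thread). Assumes the
# ActiveDirectory module; Get-ADForest, Get-ADDomain, Get-ADDomainController,
# Get-ADGroupMember and Get-ADObject are all cmdlets of that module.
Import-Module ActiveDirectory

function Get-ForestDomainReport {
    param(
        # Defaults to the forest of the machine running the script
        [string]$ForestName = (Get-ADForest).Name,
        # Minimum DC count per domain before it is flagged (value from the answer above)
        [int]$MinimumDCs = 2
    )

    $forest = Get-ADForest -Identity $ForestName
    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName
        $dcs    = @(Get-ADDomainController -Filter * -Server $domainName)

        # Trusts are stored as trustedDomain objects; bit 0x20 of trustAttributes
        # marks the automatic intra-forest (transitive) trusts the answer refers to.
        $trusts = Get-ADObject -Filter 'objectClass -eq "trustedDomain"' `
                               -Server $domainName `
                               -Properties trustPartner, trustAttributes |
                  ForEach-Object {
                      $inForest = (($_.trustAttributes -band 0x20) -ne 0)
                      if ($inForest) { "$($_.trustPartner) (forest)" }
                      else           { "$($_.trustPartner) (external)" }
                  }

        # Domain Admins of each domain: because the boundary is the forest, every
        # one of these accounts is a forest-wide risk, whichever domain holds it.
        $admins = Get-ADGroupMember -Identity 'Domain Admins' -Server $domainName -Recursive |
                  Select-Object -ExpandProperty SamAccountName

        [pscustomobject]@{
            Domain         = $domain.DNSRoot
            ParentDomain   = if ($domain.ParentDomain) { $domain.ParentDomain } else { '(forest root)' }
            ChildDomains   = ($domain.ChildDomains -join ', ')
            DCCount        = $dcs.Count
            UnderProtected = ($dcs.Count -lt $MinimumDCs)   # single DC = no redundancy
            Trusts         = ($trusts -join '; ')
            DomainAdmins   = ($admins -join ', ')
        }
    }
}

# Usage: one row per domain; in the three-domain layout from the question,
# expect three rows and a combined DCCount of at least 6 if none is UnderProtected.
Get-ForestDomainReport | Format-Table -AutoSize
```

Run it from any domain-joined host with RSAT; for the parent plus two children described in the question, a row flagged UnderProtected shows where a single DC failure would take a domain down, and the DomainAdmins column makes it visible that privileged accounts in Domain-Child2 are just as much a forest-level concern as those in Domain-Child1, which is the point of the single-domain recommendation.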

In response to

Cross Domain privileges for Domain Admins posted by blankmonkey on Wed, 10 Jun 2009