Re: Child Domain Setup Question



The trust created is a bidirectional, implicit, transitive trust between domains
in the same tree.

There are three levels of administration in a Windows 2003 based
forest/domain.
1] Enterprise Admin - has admin privileges to all the domains in the forest.
2] Domain Admin - has admin privileges to a specific domain
3] Administrator - has admin privileges to a specific system (local admin)

By default the domain admin of the first domain in the forest also assumes
the forest admin privileges.
The domain admin of the child domain has admin privileges to the child
domain only & not to any other domain.

Now two things to remember. The difference between a trust relationship &
resource access permission is like the difference between having a passport
& having a visa.
The passport is the trust & the visa is the permission.
Though you may have a passport (i.e. trust), if you don't have a visa (no access
permission) then you cannot access resources in the other domain.





"Kenneth Keeley" wrote:

Thank you for getting back to me.

"Vicky" <Vicky@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:5D250641-6B7D-4F2B-958E-3F300DEA9F5F@xxxxxxxxxxxxxxxx
Well, all that you have planned seems to be fine.

One thing is that you take care of the DNS setup. Each domain should have an
AD integrated DNS server.
Also the trust relation is set automatically. You just need to grant
permissions to users/groups to be able to access resources in other
domains.

What type of trust will be automatically created?

Will the default Domain Administrators for each of the domains be able to
access/administrate all of the domains or only the ones that I want them to
be able to access? If they can access/administrate all domains, what is the
best way to stop them?

And one most imp thing is that if this domain tree structure of yours would
be spanning over multiple IP networks/locations, then you need to create AD
sites & have replication configured.




Thanks for your help.
Kenneth Keeley


