RE: AD Child Domains

["Rhett Grant" <rgrant () nextsequence com>]

> -----Original Message-----
> From: listbounce () securityfocus com
> [mailto:listbounce () securityfocus com] On Behalf Of Raoul Armfield
> Sent: Wednesday, April 23, 2008 2:43 PM
> To: security-basics () securityfocus com
> Subject: AD Child Domains
>
> We are in the process of making a modification to our AD structure.
> For
> PCI compliance we need to segregate a portion of our users to a
> separate
> domain.  This set of users do not need/want (and are very vocal about
> it) to follow the stricter password policy that PCI mandates.
>
> I understand that when you create a child domain it by default creates
> a
> two-way transitive trust between the two domains.  Is it possible to
> limit this trust relationship to a one-way trust relationship?  If this
> is possible it seems to me that it may be preferable to creating a new
> forest just for a couple of hundred users.
>
> Of course it is entirely possible that I am not thinking this through
> completely and am missing some important factors to consider.  Your
> thoughts would be greatly appreciated.
>
> Raoul

There is no way (that I know of) to selectively configure the transitive
trust established between a parent/child domain.  I am not fully
understanding what you are trying to accomplish other than using a separate
password policy which a child domain will allow.  Only use a separate forest
to meet a security need.  And again I would be evaluating if it could be
done with a DACL.  It becomes much more complicated and time consuming to
manage two forests then to manage a parent/child Domain.