Active Directory/Domains

By altolbert ·

Our organization is in the process of implementing a subdomain of our primary domain. We would like to make it to where users of the primary domain can access all resources of the subdomain. Also we would like to make it to where subdomain users cannot access the primary domain. I really can't figure out any good way to do this since the primary domain will always trust the subdomain by default. Any thoughts or suggestions?


Terminology ...

by RagingBull In reply to Active Directory/Domains

OK, I am guessing you are running an Active Directory setup (from the title), but to clarify: the top-level domain is called the root domain and the subdomain is referred to as the child domain.

Can I ask why you want this configuration?

MS used to recommend an empty root domain with all objects in the child domain for additional security, but you really don't need it as long as you admin it properly (minimal Domain Admins).

As a tip, always look to simplify the logical structure as much as possible - a single domain should be fine for most uses - you can delegate OUs if you need to ...

by altolbert In reply to Terminology ...

We basically want the configuration like this as a security measure. Our security folks would like it done this way for some reason. We want it to act like a "barrier" to prohibit our public users (who would be on the child domain) from accessing our root domain's resources which have our administration and staff users authenticating through it. Basically we want the child domain to authenticate our public users and our root domain users to be able to authenticate through our child domain. The key is that we don't want child domain users accessing the root domain. Sort of like a one-way trust. I hope this sort of clarifies the situation.


by bkinsey In reply to Clarification

Maybe I'm missing something in what you're wanting, but the presence of a trust doesn't grant access in and of itself... If your child domain users have no rights in the root domain, they can't access any of its resources, period. The trust merely allows for the granting of access rights across domain boundaries.

It works the other way, too; users in your root domain will not automatically have access to child domain resources (unless they're Enterprise or Forest Admins, of course) just because the domains trust one another. You'll still have to grant access on a resource-by-resource basis, or do some kind of group mapping.


Empty Root-Peer Forest

by BFilmFan In reply to Terminology ...

The number one use for a Peer-Root forest design is if you have a non-contiguous DNS namespace, as well as making attacks on the root domain from the peers more difficult.

In addition, if you have different security requirements such as password length and how often it changes, you will be forced to have separate domains.

Since 70% of security incidents are from insiders, this keeps the users out, so to speak. :)

by altolbert In reply to Active Directory/Domains

On our root domain we have enabled the "Deny logon locally" option for the user accounts of the child domain. Now when the child domain users attempt a logon to the root domain from a workstation, they receive the error message "The local policy of this system does not permit you to log on interactively". Are we on the right track in doing this? Basically this looks like what we want to have happen. Subdomain users are prohibited from logging on to the root domain. Is there a better way to do this?
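An added example, not posted by anyone in this thread, showing one way to confirm that the "Deny log on locally" setting described above has actually been applied on a given workstation: it exports the effective local security policy with secedit and checks whether the child domain's Domain Users group is in the deny list. The NetBIOS name CHILD is an assumption; run it as an administrator on the workstation being checked.

```powershell
# Added example (not from the thread). Verifies that "Deny log on locally"
# as currently applied on this machine includes the child domain's users.
# Requires an elevated session; secedit.exe is built into Windows.

$ChildDomainNetBios = 'CHILD'   # assumption: NetBIOS name of the child domain
$ExpectedPrincipal  = "$ChildDomainNetBios\Domain Users"

# Export the applied local security policy (user rights only) to an INI file.
$cfg = Join-Path $env:TEMP 'secpol.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# SeDenyInteractiveLogonRight is the internal name of "Deny log on locally".
$line = Get-Content $cfg | Where-Object { $_ -match '^SeDenyInteractiveLogonRight\s*=' }
Remove-Item $cfg -ErrorAction SilentlyContinue

if (-not $line) {
    Write-Output 'Deny log on locally is not set on this machine.'
    return
}

# The value is a comma-separated list; SIDs are written with a leading '*'.
$entries = ($line -split '=', 2)[1].Trim() -split ','
$names = foreach ($e in $entries) {
    $e = $e.Trim()
    if ($e.StartsWith('*')) {
        try {
            # Resolve the SID to DOMAIN\Name; needs the trust and DNS to be working.
            (New-Object System.Security.Principal.SecurityIdentifier($e.Substring(1))).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch { $e }   # unresolvable SID: report it raw rather than hide it
    } else { $e }
}

Write-Output 'Deny log on locally currently applies to:'
$names | ForEach-Object { Write-Output "  $_" }

if ($names -contains $ExpectedPrincipal) {
    Write-Output "OK: $ExpectedPrincipal is denied interactive logon on this machine."
} else {
    Write-Output "WARNING: $ExpectedPrincipal is NOT in the deny list; child-domain users can still log on here."
}
```

Because the export reflects the policy as applied (local settings merged with any GPO), a WARNING on a machine that should be covered usually means the GPO has not reached it yet or is scoped elsewhere.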


Skinning Cats

by RagingBull In reply to Follow-Up


You can only manipulate trusts between forests and not domains - transitive trusts exist within a forest, but the admin of having two forests isn't worth the effort - how do your public users log on? Is there a single generic account, or do they each have an account?

You're really not going to achieve much with two domains that you can't achieve with proper GPOs and permissions ...

by altolbert In reply to Skinning Cats

I myself think it would be better to have a single domain. However, our network and security folks don't like the idea of public and internal users authenticating through the same DC. So, we have to go this route. Our public users will have their own individual accounts to log on to the child domain. As I have been saying, we don't want them to be able to log in to the root domain. However, we want the root domain users to be able to log in to the subdomain. Basically we want to set up an authentication scheme that would enable us to do this.


by djameson In reply to Answer

What are your public logons accessing? Is there another way to control their authentication? Your internal network should be for you. If this is like a sublease/tenant arrangement, I would explicitly separate them, not just with child domains: different servers, different forest. You can still authenticate against them; you will just have to have a separate username and password for that box.


by altolbert In reply to

It is all our network. We are the same organization, just a different division of the IT Department. Our network/security folks are the other division. We basically just want users to be able to log on to machines. We want our public users to just be able to log on to a machine. They do not need to access any resources such as shares--just authentication.

by djameson In reply to

Just use an OU structure to isolate them. You would be better off adding another DC to your root domain than building a separate domain. Use the OU structure and Group Policy to isolate the users; you can use the domain security policy to get most of it done. Also, you can use the local security policy on the servers that aren't DCs and explicitly deny access to the groups that you don't want access. If it is a load problem and the other systems are on different subnets, which is a pretty good idea, you can use a separate DNS server and modify the <rootdomain> entry and make sure that the DC you want them to authenticate against is resolved every time.
