FWIW, white papers of relevance if you haven't seen them already. The first one will probably answer your questions. What's the underlying motivation for two forests? Reading between the lines, it sounds like the trust issue may not be the real issue compared to some other service autonomy or data isolation political issue.

Windows 2000/2003: Multiple Forests Considerations White Paper
http://www.microsoft.com/downloads/details.aspx?FamilyID=b717bfcd-6c1c-4af6-8b2c-b604e60067ba&DisplayLang=en

Design Considerations for Delegation of Administration in Active Directory
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/plan/addeladm.mspx

Best Practices for Delegating Active Directory Administration
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/actdid1.mspx

-Stuart Fuller

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg, David A
Sent: Thursday, January 06, 2005 1:32 PM
To: [email protected]
Subject: [ActiveDir] Forest trusts vs trusts within forests

Happy New Year!

I'm having a design discussion with myself about adding a forest vs adding a domain to an existing forest. I understand about the automatic transitive trust between domains in a forest, and how it's possible for a clever domain admin in a subdomain to compromise the entire forest.

What I'm shaky on is this: If you had two single-domain forests, and established trusts in both directions between them, do you have the same issues? I would think not, because the configuration and schema NCs are not shared between them, but I'm looking for some confirmation on that.

Also, since we're talking about two single-domain forests, I'm guessing that the 'forest trusts' available in W2K3 FFL don't really come into play here, correct? In other words, getting the first domain to W2K3 FFL doesn't buy anything with respect to this trust?

Thanks,
Dave

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
