Figueroa, Johnny wrote:
We are a 2003 Forest with an empty root domain and a single child domain. We have a vendor looking to bring in a product that utilizes its own domain and has a one-way trust to our domain. I do not know anything about the product yet but I am almost conceptually opposed to these vendor domains. I am looking for pros and cons... really ammunition to say no.

Hmm, I can't imagine a product which requires a separate domain to work. If they want to deploy it in this way they should have some serious justification, as an additional domain involves additional administrative tasks for you, hardware, etc. I assume your vendor would probably also like to have full domain admin rights there? For me, if that is the case, it should also be considered a security threat.

Before going further in discarding this requirement, try to talk with them and understand why they want to deploy a separate domain - I'm sure that the reason which lies beneath it can be achieved in another way, by delegation etc.

--
Tomasz Onyszko
http://www.w2k.pl/blog/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
