I have a trust relationship/DOMAIN question :-)

[gman10]

Hello all-

Heres the question:

I have Windows 2000 - 2 domains/ 2 forests topology.. Let me explain, there is one distinct domainA in it's own forest and another domainB in another forest. There will be a one way trust relationship running from domainA to domain B, so essentially domainA will be trusted by domainB.. Now for the big question.. there will be occassions where users (in this case, it's teachers and they reside within domainB) who will randomly need access to folder shares and servers on domainA.. How can this be accomplished when I have a one way trust moving in the opposite direction? Obviously, students are the problem here as they may breach security by traversing from domainB to domainA.. Students currently reside on domainB by design and was purposely designed this way so they have no access to domainA which is a separate domain for administrators, faculty and district employees.. Is there a way -without creating a two way -domain to domain trust relationship to allow teachers from domainB to access domainA, without breaking any security measures amongst domains.. Perhaps, this isn't a Microsoft issue and can be handled via access-lists thru Switches and router?? Can anyone provide a direction for this conundrum??

thanks guys!

g

 

[Lightspeed1]

Hey G!
Are the servers in the same physical site? Reside on different subnets? or connected over a WAN? What type of routing switching equipment do you have in place now? Don't flame me too bad folks but aren't all W2K server trust TWO way Transitive by default?
Regards,
Lightspeed1

 

[gman10]

Hi Lightspeed1

Thanks for replying.. No the highschool is sort of the datacenter (server room) and there will be approx 7 servers there.. 1 server will be the primary domain (FSMO)for the Administrative domain and another separate server will be the primary domain (FSMO) for the Instructional domain which will be in 2 forests.. Now, there are 3 other buildings 2 elementary and one kindergarten.. Each building will have also have a Domain controller for Admin and one for Instructional, where all the "admin domain" domain controllers will see the primary domain controller back at the HighSchool as holds the same for the Instructional DC's all pointing to the primary server back at the High School on the Instructional domain.. Soooo, all the domain controllers are in different building connecting thru T1 lines back at the high school.. All admin dc's should see eachother and resolve instructions from the primary FSMO DC at the high school and the same for the Instructional DC's from all sites back to the HS primary DC (FSMO) at the high school.. If you can help me with my first request above .. man, you'd really be pulling me out of the mud.. don't know if it can be done.. perhaps ??

thanks again
G!

 

[Lightspeed1]

The reason I was asking about equipment and the subnet scheme is that what was coming to mind was to set up a site to site VPN (box to box maybe)This would allow you to control access to the second domain. And maybe Dfs...I want to draw myself a picture before I open my mouth much more to make sure there aren't any huge glaring holes in that theory!! Can you post a generic description of your subnet and AD structure?

Regards,
Lightspeed1

 

[gman10]

Yeah, unfortunately there is no equipment specific enough to implement a VPN, also this could be random teachers that may from time to time need this type of access..

Isn't there some way where even though you have a one way trust ie


(trusted domain) | (trusting domain)
|
ADMIN DOMAIN | Instructional Domain
(admins/IT & office staff (teachers & students reside)

----------------> -----> -----------> ----------------->

-allow certain teachers (from time to time) that will need access to the Admin domain gain access even though the trust is moving from Admin to Instructional? If I make a two way trust, then we risk the chance that students would hack into the Admin domains primary server and file structures -crippling the whole schema.. there has to be dome kind of DNS setting or intersite connection made within Active Directory to allow such a thing no?

thanks - any info would be great..
G

 

[Lightspeed1]

alright i'm digging through my library, give me a little while, some of these damn books are bigger than my car!! my "inner geek" is driving me insane to figure out if this can be done ;}
sweet text illustration of what you need by the way!


Regards,
Lightspeed1

 

[gman10]

Thx Lightspeed,

Please let know what you find..

The issue of security is important but this has to be manageable for the district IT department (which are always the least technical people on the planet, but somehow they acquire the techie jobs!it kills me!) anyway, I was thinking about ( at first)creating a parent -child domain admin at the top and instructional as the children domains but the issue of SECURITY came up.. If students are in the same domain as the ADMIN then you never know if the network will be up for grabs by the hacker-students..

sheesh! nothings easy..

g

 

[Lightspeed1]

Hey G!
I have been reading and I have to admit I don't see a way to make this happen on a random basis (random teachers needing access)However, most of my customers are considerably smaller so this may be out of my league. I have passed it along to one of the forum experts (stevehewitt) and asked him to take a look if he gets the chance, just don't want to waste your time doing the same things you have probably done yourself - reading and googling!
There are a TON of very knowledgable people here, perhaps one of you higher level guys has some insight and hands on experience on this? I will continue to flag the posts and offer any help my newbie skill set can.

Regards,
Lightspeed1
AKA Mike