
Limiting access to a sub domain from parent domain...


  • Limiting access to a sub domain from parent domain...

    I work for CompanyA. Our current AD structure is setup like this:

    Both of these are forest roots - and we have trusts setup between these domains so that users in each building can access resources in each domain.

    Because of the way this is setup - some of our users have individual logins on both of the domains - and when we make changes to group policies or anything else - we have to do this on multiple DCs. And when "things" don't go according to plan, someone inevitably asks "Why don't we just have 1 set of logins??"

    I am pretty sure I can combine building1 and building2 into and use different Sites for each building and this will help with the single point of login. (There is a lot that will go into this, but for the purpose of this post - assume I can get there)

    In the near future, I have to implement a new domain for a segment of our network. This segment of our network contains some sensitive material and must adhere to certain standards and regulations - and because of this - the only way users from our Corporate network ( can access this segmented area is through a dual-factor vpn connection.

    Already in place, this segmented area of our network consists of a total of approximately 700 windows xp machines - in multiple locations - with each location being a workgroup. There is no inter-location communication - so each workgroup can only talk to our corporate headquarters - they cannot talk to each other.

    Our plan, is to put our new domain controller, "on the other side" of this dual factor vpn so that it can "talk" to our machines on the trusted side of the network.

    There are about 30 users at our corporate headquarters that require various levels of access to this segmented network. Rather than create this domain in an entirely separate forest - I would like to set this up as a subdomain - e.g.

    My questions are - with it being a sub domain - two way transitive trusts are setup by default - anyone with a login on the domain could then login to (assuming they provided the proper 2 factor authentication to login to the vpn) - is this correct?

    Is there a way, that I can set the structure up like this, where my secure domain is a sub domain of our corp domain - but restrict all access to the secure domain to only members of a certain OU or security group?

    Hope this makes sense

    Thanks in advance,

  • #2
    Re: Limiting access to a sub domain from parent domain...


    You can't change the default behavior of the trust relationship between a domain and its sub domain. However, what you can do for data isolation is user group permissions.
    The concept of data isolation and service isolation is based upon what level of isolation you want to give. It can be achieved using group permissions or by creating a separate forest.
    Thanks & Regards

    MCTS 2008, MCTIP, MCSE 2003, MCSA+Messaging E2K3, MCP, E2K7
    Sr. Wintel Eng. (Investment Bank)
    Independent IT Consultant and Architect

    Show your appreciation for my help by giving reputation points
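As an added illustration of the group-permission approach described in the reply above (example code, not from the original thread or either poster), the following PowerShell script scopes a resource in the child domain to one security group and then verifies that no broader principals such as Authenticated Users or Domain Users remain on it. The domain names, group name, OU path and folder path are placeholders, since the original post's domain names did not survive; the script assumes the RSAT ActiveDirectory module is available and that it runs with rights on the child domain and on the file server.

```powershell
# Added example, not part of the original thread. All names below are placeholders.
Import-Module ActiveDirectory

$childDomain = 'secure.corp.example'                     # hypothetical child domain
$groupName   = 'SecureNet-Access'                        # hypothetical domain-local group
$groupOU     = 'OU=Groups,DC=secure,DC=corp,DC=example'  # hypothetical OU
$resource    = 'D:\SecureData'                           # hypothetical folder on a server in the child domain

# Principals that must never hold an ACE on the resource. Because the parent/child
# trust is two-way and transitive, these groups would otherwise admit every user
# in the forest, which is exactly what the original poster wants to avoid.
$broadPrincipals = @('NT AUTHORITY\Authenticated Users', 'BUILTIN\Users', 'Domain Users', 'Everyone')

function New-ScopedAccessGroup {
    # Create the group in the child domain if it does not exist; parent-domain users
    # who need access are then added as members (cross-domain membership is why the
    # scope is DomainLocal).
    if (-not (Get-ADGroup -Server $childDomain -Filter "Name -eq '$groupName'" -ErrorAction SilentlyContinue)) {
        New-ADGroup -Server $childDomain -Name $groupName -GroupScope DomainLocal -Path $groupOU
    }
}

function Set-ScopedResourceAcl {
    param([string]$Path, [string]$Group)
    $acl = Get-Acl -Path $Path
    # Stop inheriting ACEs from the parent folder and drop the inherited ones,
    # so nothing broader than what we grant below survives.
    $acl.SetAccessRuleProtection($true, $false)
    # Remove any explicit ACE for the broad principals listed above.
    foreach ($ace in @($acl.Access)) {
        if ($broadPrincipals -contains $ace.IdentityReference.Value -or
            $ace.IdentityReference.Value -like '*\Domain Users') {
            [void]$acl.RemoveAccessRule($ace)
        }
    }
    # Grant Modify to the scoped group only; administrators keep Full Control for management.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Group, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $admin = New-Object System.Security.AccessControl.FileSystemAccessRule(
        'BUILTIN\Administrators', 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    $acl.AddAccessRule($admin)
    Set-Acl -Path $Path -AclObject $acl
}

function Test-ResourceIsScoped {
    # Returns $true only when no broad principal holds an ACE on the resource.
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    $offenders = $acl.Access | Where-Object {
        $broadPrincipals -contains $_.IdentityReference.Value -or
        $_.IdentityReference.Value -like '*\Domain Users'
    }
    return (@($offenders).Count -eq 0)
}

New-ScopedAccessGroup
Set-ScopedResourceAcl -Path $resource -Group "SECURE\$groupName"   # 'SECURE' is the placeholder NetBIOS name
if (Test-ResourceIsScoped -Path $resource) { 'Resource is scoped to the access group.' }
else { 'Broad principals still present; review the ACL.' }
```

The verification function is the part worth keeping in a scheduled job: it catches the common drift where someone re-enables inheritance or adds Domain Users back, which silently reopens the resource to every account the transitive trust admits. Note that this scopes access to data on the member servers; it does not stop parent-domain accounts from authenticating to the child domain as such, which is the trust behaviour the reply says cannot be changed short of a separate forest.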