AD One-Way Trust between Child and Parent Domains

active-directory windows-server-2008-r2

Using an existing AD domain (company.net), we need to add a child domain (untrusted.company.net) with a one-way trust. Testing in my lab, and the google searching that I have done seem to suggest that this is impossible to achieve as there is a default unchangeable two-way trust established when a child domain is created.

Does anyone know of a way to achieve this goal?

I know I could create a separate forest, but that has been nixed by my boss. The management at my company (boo... hiss..) requires this to be an actual child domain.

Details: Existing domain and forest are 2008 functional level on 2008 r2 SP1 boxes. Child domain will be on 2008 R2 SP1, and will start at a 2008 functional level.


Solution 1:

A cross forest trust relationship is by definition impossible when the domains aren't in different forests.

You'll need to have a nice chat with the manager making that call and explain that those two requirements conflict, unfortunately.

Solution 2:

Child domain have a built-in two way transitive trust. You cannot modify this behavior. If you need a security boundary, then you need separate forests.

Separate domains create management boundaries. Separate forests create security boundaries.

Related

Is there a Unix-type command to kill all processes with a certain name?
How do I connect 100BASE-T (iDRAC6) hosts into a Nexus 2232PP via SFP+?
Reboot fails on RHEL 6.1 after kernel update on Amazon EC2
Authentication with specific subdomains
How does the Task Scheduler save passwords on Windows 7?
IPv6: Can one use more than 64 bits for the network ID
FreeBSD 9 - default file system?
Physical to Virtual on same hardware?
Loopback interface on Linux catches all loopback traffic
Huge amounts of "multiply-claimed blocks" during fsck
ec2: assign cname to elastic ip
How do I prevent remote acces to MySQL?