AD One-Way Trust between Child and Parent Domains

Using an existing AD domain (company.net), we need to add a child domain (untrusted.company.net) with a one-way trust. Testing in my lab and the Google searching I have done seem to suggest that this is impossible to achieve, as there is a default, unchangeable two-way trust established when a child domain is created.

Does anyone know of a way to achieve this goal?

I know I could create a separate forest, but that has been nixed by my boss. The management at my company (boo... hiss..) requires this to be an actual child domain.

Details: Existing domain and forest are at 2008 functional level on 2008 R2 SP1 boxes. The child domain will be on 2008 R2 SP1 and will start at a 2008 functional level.


Solution 1:

A cross forest trust relationship is by definition impossible when the domains aren't in different forests.

You'll need to have a nice chat with the manager making that call and explain that those two requirements conflict, unfortunately.

Solution 2:

Child domains have a built-in two-way transitive trust. You cannot modify this behavior. If you need a security boundary, then you need separate forests.

Separate domains create management boundaries. Separate forests create security boundaries.
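As an added example (not part of either answer), this PowerShell script lists the trusts of the current domain and forest through System.DirectoryServices.ActiveDirectory, which is available on Windows Server 2008 R2 with PowerShell 2.0, and labels each one the way Solution 2 describes: intra-forest trusts are management boundaries and forest trusts are the security boundary. It assumes it runs on a domain-joined host as a user permitted to read trust information; the output column names are my own.

```powershell
# Added example, not code from the thread. Enumerates domain and forest trusts
# and classifies each as a management or security boundary per Solution 2.
Add-Type -AssemblyName System.DirectoryServices

$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

function Describe-Trust {
    param($Trust, [string]$Scope)
    # TrustType values: ParentChild, CrossLink, External, Forest, Kerberos, Unknown
    $boundary = switch ($Trust.TrustType.ToString()) {
        'ParentChild' { 'management boundary (intra-forest, always two-way transitive)' }
        'CrossLink'   { 'management boundary (intra-forest shortcut trust)' }
        'Forest'      { 'security boundary (cross-forest; direction can be one-way)' }
        'External'    { 'cross-forest, non-transitive; direction can be one-way' }
        default       { 'review manually' }
    }
    New-Object PSObject -Property @{
        Scope     = $Scope
        Source    = $Trust.SourceName
        Target    = $Trust.TargetName
        Type      = $Trust.TrustType.ToString()
        Direction = $Trust.TrustDirection.ToString()   # Inbound, Outbound, Bidirectional
        Boundary  = $boundary
    }
}

$report = @()
foreach ($t in $domain.GetAllTrustRelationships()) { $report += Describe-Trust $t 'domain' }
foreach ($t in $forest.GetAllTrustRelationships()) { $report += Describe-Trust $t 'forest' }

$report | Format-Table Scope, Source, Target, Type, Direction, Boundary -AutoSize

# An intra-forest trust that is not bidirectional would contradict the answer,
# so flag it instead of assuming it cannot occur.
$report | Where-Object { ('ParentChild', 'CrossLink') -contains $_.Type -and $_.Direction -ne 'Bidirectional' } |
    ForEach-Object { Write-Warning "Unexpected direction on $($_.Source) -> $($_.Target): $($_.Direction)" }
```

Running this in the lab from the question should show the parent-child trust to untrusted.company.net reported as ParentChild with Direction Bidirectional, which is the behavior both answers say cannot be changed.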