Cross Forest Trust and Federated Trust opinion

Coopie 101 Reputation points
2021-02-05T16:30:30.95+00:00

Hi community

I am about to propose a body of work to resolve a situation with an old design here at work.

Our Primary Corporate forest, supporting 8000 employees and with about 11 tree-structure domains, has a completely isolated 10-year-old forest alongside it for Secure Data purposes. The isolated forest IS within the corporate network perimeter, but outside the Primary Corporate AD Forest.

It's comprised of just one server currently, with shared data on it; 250 or so people connect to it from time to time from the primary forest using local laptop batch files and mapped drives. The latter is not a good setup.

I was looking at the following, bearing cost, complexity, and reward for effort in mind when considering options:

  1. Create a one-way cross-forest trust, destination trusting source.
  2. All the primary AD ports are already open from source to destination (I just tested them), as is SMB.
  3. Add source accounts into destination security groups, the same groups as the destination accounts the users have been authenticating with.
  4. That should result in the foreign security principals being generated.
  5. In theory, that's it. That should allow us to get away from the batch file stuff, in that the local user should be able to log on to the source domains as per normal, and then when I map drives for them with GPO to the destination forest, in theory no usernames and passwords need change hands.

However, I am certain our security team will need to be involved, and they will ask how secure this is. And if they know anything about auth and separate organizations, they could ask whether a federated trust between the 2 forests is a better idea.

So... opinions. When it comes to determining the longer-term administration, as well as the shorter-term solution design, testing, deployment, ongoing complexity... what scale of difference am I looking at here between option 1 (cross-forest trust and FSPs) and option 2 (federated orgs)?

Any thoughts people?

Coop
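The five steps above, worked from the destination (secure-data) forest's side, as an added PowerShell example that is not part of the original post or its answer. It folds in the checks a security team would ask about before signing off on option 1: that the trust really is one-way and outbound from the destination, that SID filtering is on, whether selective authentication is in use, and which foreign security principals (FSPs) step 4 has produced so stale ones can be spotted. It assumes the RSAT ActiveDirectory module on an admin host in the destination forest; the forest names, group name and user name are placeholders, not values from the post.

```powershell
# Added example, not from the original post. Run in the DESTINATION forest
# with the RSAT ActiveDirectory module. All names below are assumptions.
Import-Module ActiveDirectory

$SourceForest = 'corp.example.com'      # assumed: primary corporate forest (trusted side)
$DestDomain   = 'secure.example.net'    # assumed: isolated secure-data forest (trusting side)
$ShareGroup   = 'SecureData-Share-RW'   # assumed: domain local group on the share/NTFS ACL
$SampleUser   = 'jdoe'                  # assumed: a corporate user who needs the share

# Step 1 check: the trust should exist on the destination side as Outbound only,
# i.e. the secure forest trusts corp, and nothing flows back the other way.
$trust = Get-ADTrust -Filter "Name -eq '$SourceForest'" -Server $DestDomain
if (-not $trust) { throw "No trust to $SourceForest found in $DestDomain" }
$trust | Select-Object Name, Direction, ForestTransitive,
                       SIDFilteringForestAware, SIDFilteringQuarantined,
                       SelectiveAuthentication
if ($trust.Direction -ne 'Outbound') {
    Write-Warning "Trust direction is $($trust.Direction); expected Outbound from the secure forest"
}
# SID filtering keeps SID history carried by corp accounts from being honoured
# in the secure forest. It is on by default for new trusts; if it has been
# turned off, the netdom command that restores it on a forest trust is:
#   netdom trust $DestDomain /domain:$SourceForest /EnableSIDHistory:no
# Selective authentication is OFF by default (forest-wide authentication).
# Turning it on means corp users can only authenticate to destination
# computers where they hold the 'Allowed to Authenticate' right, which is the
# usual answer to "how wide is the door we just opened":
#   netdom trust $DestDomain /domain:$SourceForest /SelectiveAuth:yes
if (-not $trust.SelectiveAuthentication) {
    Write-Warning 'Selective authentication is off: every corp user can authenticate to every secure-forest computer'
}

# Step 3: add the corp user to the destination group. Only domain local groups
# accept members from another forest, so check the scope first.
$grp = Get-ADGroup -Identity $ShareGroup -Server $DestDomain
if ($grp.GroupScope -ne 'DomainLocal') {
    throw "$ShareGroup is $($grp.GroupScope); it must be DomainLocal to hold cross-forest members"
}
$user = Get-ADUser -Identity $SampleUser -Server $SourceForest
Add-ADGroupMember -Identity $grp -Members $user -Server $DestDomain
# If the cmdlet cannot resolve the foreign object directly, the SID form of the
# member DN does the same thing and still triggers FSP creation:
#   Set-ADGroup -Identity $grp -Server $DestDomain -Add @{ member = "<SID=$($user.SID.Value)>" }

# Step 4 check: AD creates the FSP object automatically. List every FSP in the
# destination domain and resolve each SID back to a corp account. A SID that no
# longer resolves is a stale principal (deleted or disabled corp account) and is
# a candidate for removal from the group.
$fspContainer = 'CN=ForeignSecurityPrincipals,' + (Get-ADDomain -Server $DestDomain).DistinguishedName
Get-ADObject -Filter 'ObjectClass -eq "foreignSecurityPrincipal"' `
             -SearchBase $fspContainer -Server $DestDomain |
    ForEach-Object {
        $sid = New-Object System.Security.Principal.SecurityIdentifier $_.Name
        try   { $acct = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $acct = '<unresolved: stale or deleted>' }
        [pscustomobject]@{ SID = $_.Name; Account = $acct }
    } | Format-Table -AutoSize
```

The group-scope check matters because a global group in the destination forest will silently refuse the foreign member. The FSP listing is worth scheduling, not just running once: with a one-way trust the secure forest cannot see corp account lifecycle events, so group membership there only shrinks when somebody prunes the unresolvable SIDs.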


1 answer

Vicky Wang 2,646 Reputation points
2021-02-08T09:33:51.167+00:00

Hi,
Thank you for posting in our forum.
You can try the materials in the link to learn about cross-forest trust and joint trust opinions.
Reference: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/active-directory-trust
Best wishes
Vicky