AD Forests two way trust - Disaster Recovery

Question

AD Forests two way trust - Disaster Recovery

Marcus Wong Theen Nam 1,146

I have 2 AD forest, A and B. Configured two way trust. In forest B there is 2 AD site which is site A and B.

Site A holding the fsmo roles. I'm going to bring down site A for a DR drill test without moving the FSMO to site B.

In this case, will the trust relationship still maintain without any issue?

Accepted answer

1 additional answer

Your answer

Answer 1

Limitless Technology 39,931

Hi @Marcus Wong Theen Nam

Yes the trust relationship will be maintained without any issue.

Trust relationships enable access to resources can be either one-way or two-way. A one-way trust is a unidirectional authentication path created between two domains. In a one-way trust between Domain A and Domain B, users in Domain A can access resources in Domain B.

Some one-way trusts can be either non-transitive or transitive depending on the type of trust being created.

Here is a link as well to understand https://learn.microsoft.com/en-us/azure/active-directory-domain-services/concepts-forest-trust

-----
--If the reply is helpful, please Upvote and Accept it as an answer--

Marcus Wong Theen Nam 1,146 Reputation points

2021-11-29T02:57:03.57+00:00

Even if PDC down?

Answer 2

Gary Reynolds 9,621

Hi @Marcus Wong Theen Nam

This isn't a simple yes or no answer, as there are many factors that could impact resource access across the trust. i.e.

Are there domain controllers for forest A in site B
Are there any dependencies in site A
Do workstations and servers in site B have their client DNS setting include DCs in Site A and Site B

By not moving the FSMO roles and depending on how long Site A is offline, you could face problems with object creation, users will experience a longer timeout for incorrect password.

Gary.

Marcus Wong Theen Nam 1,146 Reputation points

2021-11-29T02:56:40.937+00:00

Yes there are domain controllers in Site B, no dependency I believe as what I'm aware is only the trust relationship. Clients will point to site B DNS records during the DR drill test.
Gary Reynolds 9,621 Reputation points

2021-11-29T03:28:26.87+00:00

Hi,

I think you will need to run your DR and see what works and breaks. May split the DR into two part or phases. First phase, break the link and make sure basic services still function, I.e. Logon, access resources in local and external domain, this phases is completed by I.T. without any end user involvement, maybe out of hours. Then once are confident that the basics are working, then do phase two, break the link again and get the users to do the their DR testing of applications and resource access.

I hope that helps.

Gary
Marcus Wong Theen Nam 1,146 Reputation points

2021-11-29T03:30:31.33+00:00

We have the planning to do it by phases but one thing that I'm concerning is the trust relationship between forest A and forest B will be disconnected. Thus, I have to re-add the trust and validate it again.
Gary Reynolds 9,621 Reputation points

2021-11-29T04:06:49.37+00:00

As long as you have a dc from both forest a and b in site B, and name resolution works between these DCs you should good. There shouldn't be a need to create the trust.

Gary.
Gary Reynolds 9,621 Reputation points

2021-11-29T10:40:39.387+00:00

Thanks, I appreciate the acknowledgement :(
Marcus Wong Theen Nam 1,146 Reputation points

2021-11-29T10:53:11.32+00:00

I was sorry that I can't mark two answer as best answer :( I will mark both of your answer as best if I could. Btw, your replies are very helpful though.

Share via

AD Forests two way trust - Disaster Recovery

1 additional answer

Your answer