Active Directory Domains and Trusts

Overview

Active Directory domains and trusts define how one or more Active Directory (or equivalent) environments interact. Each domain is an instance of Active Directory within a forest. A forest is a collection of domains with an implicit trust between each domain. A trust is a link between two domains that allows authentication performed in the outgoing domain to be accepted by resources in the incoming domain. A trust is referred to as a one-way trust when there is a single outgoing domain and a single incoming domain in the relationship. A two-way trust is a pair of one-way trusts between two domains that permits authentication in either domain to access resources in the other domain.

Policy

The Austin Active Directory does not permit two-way trusts. A one-way, incoming trust from an external domain to the Austin Active Directory may be requested by filing a Security Exception Request with the Information Security Office (ISO). A request for a one-way, incoming trust must include the expected duration for the trust and cannot exceed one year. Approved requests must be forwarded to the Active Directory team to schedule the implementation call.

Requirements

The following requirements must be met to create a trust with the Austin Active Directory:

  • The external domain for an incoming trust must be resolvable via the campus DNS resolvers. This ensures that resources in the external domain can be accessed by devices joined to the Austin Active Directory.

    • Please contact UTNIC for assistance with creating any required DNS domain/zone delegations or conditional forwarders.

  • An EID must be designated as the trust builder. This EID will be added to the Incoming Forest Trust Builders group in the Austin Active Directory during the implementation call with the Active Directory team.

    • The EID must be a person EID with a current employee affiliation. The EID cannot be a guest EID or a service EID.
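The requirements above, together with the no-two-way-trust policy, can be checked from a workstation before and after the implementation call. The PowerShell script below is an added example, not the Active Directory team's own tooling; it assumes the RSAT ActiveDirectory and DnsClient modules are installed, that the account running it can read the forest root domain, and that the resolver address, domain name, EID and the employeeType attribute used for the affiliation check are placeholders or assumptions to be replaced with the environment's own values.

```powershell
# Pre-flight check for a one-way incoming trust request (added example code,
# not the Active Directory team's tooling). Requires the RSAT ActiveDirectory
# and DnsClient modules. Parameter defaults and attribute names are placeholders.
function Test-IncomingTrustRequest {
    param(
        [Parameter(Mandatory)] [string] $ExternalDomain,   # DNS name of the external domain
        [Parameter(Mandatory)] [string] $TrustBuilderEid,  # sAMAccountName of the designated EID
        [string] $CampusResolver = 'campus-resolver.placeholder'  # a campus DNS resolver
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    $checks = [ordered]@{}

    # Requirement 1: the external domain resolves through the campus resolvers.
    # The DC locator SRV record is what a domain-joined device looks up, so
    # resolving it is a stronger test than resolving the bare domain name.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$ExternalDomain" -Type SRV `
                           -Server $CampusResolver -ErrorAction SilentlyContinue
    $checks['ExternalDomainResolvable'] = [bool]$srv

    # Requirement 2: the trust builder is an enabled person account, not a guest
    # or service EID. The attribute that records the employee affiliation is
    # environment-specific; employeeType with the value 'Employee' is assumed here.
    $user = Get-ADUser -Identity $TrustBuilderEid -Properties employeeType -ErrorAction SilentlyContinue
    $checks['TrustBuilderEnabled']    = [bool]($user -and $user.Enabled)
    $checks['TrustBuilderIsEmployee'] = [bool]($user -and $user.employeeType -eq 'Employee')

    # The group lives in the forest root domain and is populated during the
    # implementation call, so before the call this line is informational.
    $builders = Get-ADGroupMember -Identity 'Incoming Forest Trust Builders' -ErrorAction SilentlyContinue
    $checks['InTrustBuildersGroup'] = [bool]($builders | Where-Object SamAccountName -eq $TrustBuilderEid)

    # Policy: no two-way trusts anywhere, and the external trust, once built,
    # must be inbound only.
    $trusts = Get-ADTrust -Filter * -ErrorAction SilentlyContinue
    $checks['NoTwoWayTrusts'] = -not ($trusts | Where-Object Direction -eq 'BiDirectional')
    $external = $trusts | Where-Object Name -eq $ExternalDomain
    $checks['ExternalTrustDirection'] = if ($external) { [string]$external.Direction } else { 'not yet created' }

    [pscustomobject]$checks
}

# Usage with placeholder values:
# Test-IncomingTrustRequest -ExternalDomain 'partner.example' -TrustBuilderEid 'abc123'
```

Run it once before contacting the Active Directory team (expect ExternalDomainResolvable and the trust builder checks to be true) and again after the implementation call (expect InTrustBuildersGroup true, ExternalTrustDirection 'Inbound', and NoTwoWayTrusts true).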

Process

The following steps are required to request a trust with the Austin Active Directory:

  1. Review the Policy section above.

  2. Ensure the external domain meets the Requirements section above.

  3. Contact the Active Directory team to review the initial request.

    • This allows the team to help the department address any concerns prior to contacting the ISO.

  4. File and complete the Security Exception Request with the ISO.

  5. Forward the approved request to the Active Directory team.

  6. Coordinate the implementation call with the Active Directory team.