Implementing a Forest Trust to Production Directory CAMPUS.gla.ac.uk

One-way, non-transitive trusts into the campus.gla.ac.uk production Active Directory forest are permitted so that central domain-based resources can be used. To implement a trust, please contact Peter Mitchell in IT Services in the first instance to discuss your requirement.

Peter.Mitchell@glasgow.ac.uk , x4854.

IT Services only supports one-way, non-transitive trusts (i.e. you trust us), and we reserve the right to remove these in the event we believe the trust to be the source of issues with core service provision.

We make no commitment to maintaining the current domain functional level or schema and reserve the right to change these as we see fit, although as a matter of normal system maintenance we would discuss any major changes with all stakeholders. While we do envisage discussing any proposed change that may affect service with all service partners before making it, the agreement to trust an external domain places no restrictions or prerequisites of any kind on the ongoing configuration or support of the CAMPUS Active Directory.

Specifics – what we need

This section assumes you already have delegated DNS control for the proposed trusting (service, college or school) domain.

IT Services will need the following information about your domain.

1) Your registered domain name (in the .gla.ac.uk space).
2) IP addresses of the DCs in the proposed trusting domain; you must then commit to the DCs remaining on these addresses thereafter.
3) OS version of the DCs and the domain functional level of the proposed trusting domain.
4) Local firewalls configured to permit all comms (UDP and TCP) to the Campus DCs:

(a) lancaster.campus.gla.ac.uk
(b) spitfire.campus.gla.ac.uk
(c) wellington.campus.gla.ac.uk
(d) hurricane.campus.gla.ac.uk

5) A Domain Admin (Forest Admin) account which will persist in the domain to allow us to configure the trust and debug any issues. This admin account should have RDP access to the DCs to allow us to debug trust issues from our side. Should this RDP access be on a non-standard port, we need to agree it prior to configuration and open it in local firewalls. We will typically try to alert the representative from the trusting domain that we need to use this facility before using it, but in the event of a serious problem we reserve the right to do so even if we can’t contact the representative from the trusting domain. (Please note the account needs to stay open even after the trust is configured.)
6) A nominated contact for the ongoing maintenance of the trust and notification of any changes.
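
A pre-flight check for items 1 to 4, run on a DC in the proposed trusting domain before contacting IT Services. This is an added example, not an IT Services script. It assumes the ActiveDirectory module and Windows Server 2012 R2 or later (for Resolve-DnsName and Test-NetConnection), and the TCP port list is an assumption of this example; the requirement above is for all UDP and TCP traffic.

```powershell
# Added example: run on a DC in the proposed trusting domain.
# Requires the ActiveDirectory module (installed with the AD DS role tools).
Import-Module ActiveDirectory

# Campus DCs exactly as listed in item 4 of this page.
$campusDCs = 'lancaster.campus.gla.ac.uk', 'spitfire.campus.gla.ac.uk',
             'wellington.campus.gla.ac.uk', 'hurricane.campus.gla.ac.uk'

# Assumption: a representative subset of the TCP ports AD uses (DNS, Kerberos,
# RPC endpoint mapper, LDAP, SMB, LDAPS, Global Catalog). The page requires ALL
# UDP and TCP traffic to be permitted, so a pass here is necessary, not sufficient.
$tcpPorts = 53, 88, 135, 389, 445, 636, 3268

# Items 1 and 3: registered domain name and domain functional level.
$domain = Get-ADDomain
[pscustomobject]@{
    DomainName            = $domain.DNSRoot
    DomainFunctionalLevel = $domain.DomainMode
} | Format-List

# Items 2 and 3: IP address and OS version of every DC in the trusting domain.
Get-ADDomainController -Filter * |
    Select-Object HostName, IPv4Address, OperatingSystem, OperatingSystemVersion |
    Format-Table -AutoSize

# Item 4: confirm each Campus DC resolves and is reachable through local firewalls.
$results = foreach ($dc in $campusDCs) {
    $resolved = [bool](Resolve-DnsName -Name $dc -ErrorAction SilentlyContinue)
    foreach ($port in $tcpPorts) {
        $open = $false
        if ($resolved) {
            $open = (Test-NetConnection -ComputerName $dc -Port $port `
                        -WarningAction SilentlyContinue).TcpTestSucceeded
        }
        [pscustomobject]@{
            CampusDC = $dc; Resolves = $resolved; TcpPort = $port; Reachable = $open
        }
    }
}
$results | Format-Table -AutoSize

# Summarise failures so they can be fixed before the trust is requested.
$blocked = @($results | Where-Object { -not $_.Reachable })
if ($blocked.Count -gt 0) {
    Write-Warning "$($blocked.Count) check(s) failed; review DNS and local firewall rules."
}
```

The output of the first two sections is the information requested in items 1 to 3; UDP reachability is not tested and still needs to be confirmed in the firewall rule set itself.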

Pete Mitchell, Monday, 14 February 2011 - Peter.Mitchell@glasgow.ac.uk , x4854.