Two domain forests, Accounts in one, Resources in the other one
Hello all, This may be a noob question, or a subject that has been talked about a million times. But it's been a few years, and AD has changed and I believe has different options now.

First let me tell you about the environment we currently have. Our corp.com domain has both 2003 and 2008 DCs at 2003 domain functional level. This corp.com domain owns all the accounts for all users. It connects over its own network. A separate new network runs our operations and contains a new AD domain, operations.com. The reason for two different domains is regulatory. Now we are lucky in that two of our sites have corp.com DCs and have a physical network presence on both networks (corp and operations). Currently the two networks do not touch. We are thinking about a NAT connection at the two sites right now. We are waiting to see what solution we can come up with for this.

Now here is the problem or main question at hand. For the life of the project, both domains were going to be autonomous. But now we need to be able to pull accounts or authenticate accounts from the corp.com domain into the operations.com domain. So the question is: what are the options available to do this? One secondary objective is to see if we "can" stay away from forest trusts. But trusts can be made if needed. Again, what options should we look at? Thanks, Wes
June 27th, 2012 9:08pm

You'll need at least a one-way trust for authentication between forests. If you decide to move objects between the two (using ADMT) you will also need at least a one-way trust.

Tony www.activedir.org blog: www.open-a-socket.com
June 27th, 2012 9:31pm

That is the only option? Trusts? Would anything like Forefront Identity Manager, Active Directory Federation Services, AD LDS, or anything else work? Is there a way to pull accounts from one domain into another without a trust? Single Sign On would be needed. Thanks for your quick reply. But I'm looking for all options available.
June 27th, 2012 9:59pm

It depends on your requirement. You could use tools like FIM and Quest One Quick Connect to synchronise objects between domains (without trust). That would create new objects that look like the original objects, but would have a different security context. I believe you can migrate users between domains without using trusts with Quest Migration Manager for AD. From memory, there are some limitations, including the fact that you won't be able to migrate with SIDHistory.

Tony www.activedir.org blog: www.open-a-socket.com
June 27th, 2012 10:12pm
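If a one-way trust ends up being created as Tony describes, the resource forest (operations.com) should verify that the trust is outbound-only toward the account forest, SID-filtered, and using selective authentication. The following audit script is an added example, not from the thread or from any of the tools named in it; it assumes the ActiveDirectory PowerShell module (Get-ADTrust, shipped with the Windows Server 2012 RSAT) and uses corp.com as a placeholder for the expected partner.

```powershell
# Added example: audit the trusts of the forest this session is joined to.
# Assumes the ActiveDirectory module (Get-ADTrust); domain names are placeholders.
Import-Module ActiveDirectory

function Test-TrustHardening {
    param(
        # The account forest the resource forest is expected to trust (placeholder).
        [string]$ExpectedPartner = 'corp.com'
    )
    $findings = @()
    foreach ($trust in Get-ADTrust -Filter *) {
        $issues = @()
        # A resource forest only needs an outbound trust toward the account forest:
        # operations.com trusts corp.com, so corp.com users can authenticate here,
        # but operations.com accounts gain no access to corp.com.
        if ($trust.Direction -ne 'Outbound') {
            $issues += "direction is $($trust.Direction); expected Outbound only"
        }
        # SID filtering stops SIDHistory values from the other forest being honoured
        # in access tokens; forest trusts report it via SIDFilteringForestAware,
        # external trusts via SIDFilteringQuarantined.
        if (-not ($trust.SIDFilteringQuarantined -or $trust.SIDFilteringForestAware)) {
            $issues += 'SID filtering is disabled'
        }
        # Selective authentication restricts trusted users to computers that
        # explicitly grant them "Allowed to Authenticate".
        if (-not $trust.SelectiveAuthentication) {
            $issues += 'selective authentication is off (forest-wide authentication)'
        }
        if ($trust.Target -ne $ExpectedPartner) {
            $issues += "unexpected trust partner $($trust.Target)"
        }
        $findings += [pscustomobject]@{
            Trust  = $trust.Name
            Type   = $trust.TrustType
            Issues = if ($issues) { $issues -join '; ' } else { 'ok' }
        }
    }
    return $findings
}

Test-TrustHardening | Format-Table -AutoSize
```

Run it from a domain-joined session in operations.com; any row whose Issues column is not "ok" is a setting to review before opening the NAT path between the two networks.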
