Hi Our PDC is were all our project files are. However accounting department has a seperate server and that is restricted to people in accounts and management only by making it has a seperate domain. However when we installed MAcfee end point protection server, macfee anitvirus updation server doesnot update to multiple domain. Hence they advise me to make it as a child domain Now my question is , if i make the account server a child domain, how can i restrict PDC administrator or users to not access the Child domain All help is much appreicated

HI by setting the trust relationship between your two domain. Does your accounting administrator got the administrator right in the other domain ? if yes just setup a one-way incoming trust between your to domain all account will from account will be trust in the other domain but no account will be trusted from your other domain trying to access the accounting domain. if not you will have to create a top domain and restrict the people to the administrator role in this domain , and put your two other domain as a child of this domain. Stef71

Sorry for my less igorance on the above topic. How can i make sure that the administrator of the child domain doesnt get administrator rights of the top domain. Currently i had a PDC and ADC server which is already setup . Our anitvirus is set on ADC. My antivirus Vendor say that i will have a establish a trust from my adc to my accounts department server only then updates from my antivirus server will update the antivirus on the account department servers and users Also can you guide me to a link which will allow a one way trust All help is appreicated

in fact, forest is a security boundary. There is no way how to prevent sub-domain admins from hacking into the root domains or other domains from the same forest because there is no SID filtering inside forest. If you want to have a complete separation, you need to impelement separate forests. ondrej.

in fact, forest is a security boundary. There is no way how to prevent sub-domain admins from hacking into the root domains or other domains from the same forest because there is no SID filtering inside forest. If you want to have a complete separation, you need to impelement separate forests. ondrej.