Administering other domains

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

In an organization with more than one domain, it is often necessary to administer a domain other than the one to which you are currently logged on. For example, when creating trusts, the trust must be created in both the trusting and the trusted domain. You can do this through:

  • Cooperation with those who have administrative credentials in another domain

  • Logging on with a user account with the necessary permissions

  • Using Run as to start an administrative tool targeted on the particular domain (recommended)

A secure method of controlling administrative access to a particular domain is to tightly control the number of accounts that are added to the Domain Admins group for that domain and the number of people aware of those accounts. Only members of the Domain Admins group (or Enterprise Admins group) can make broad administrative changes to the domain.

For example, if a domain administrator in one domain wanted to establish a shortcut trust with another domain, the domain administrator could establish the trust relationship in that domain by communicating with the domain administrator of the other domain, agreeing on a common strong password for the trust, and having the administrator of the other domain create the trust in that domain.

A more convenient, but less secure, method of administering more than one domain is to log on interactively with a user account that has administrative credentials in both domains. For example, user accounts that are members of the Enterprise Admins security group have permission to administer every domain in the forest. Logging on to a computer with a user account that has broad administrative access is not recommended. For more information, see Why you should not run your computer as an administrator.

Run as, when used with the appropriate user name and password, can be used to securely administer domains in any forest in your organization. For more information, see Using Run as.
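As an added illustration that is not part of the original topic, the following batch file shows the Run as approach from the command line: it starts Active Directory Users and Computers under a separate administrative account for a target domain while the interactive session keeps the logged-on user's ordinary rights. The domain, account and script names are placeholders, and the choice to add /netonly only when the target domain is in a forest without a trust path is an assumption based on how the runas switches behave.

```batch
@echo off
rem Added example, not part of the original topic.
rem Usage: admin-other-domain.cmd TARGETDOMAIN ADMINACCOUNT [netonly]
rem   TARGETDOMAIN  NetBIOS or DNS name of the domain to administer (placeholder)
rem   ADMINACCOUNT  account that is a member of Domain Admins in that domain (placeholder)
rem   netonly       add when the target domain is in a forest that does not trust this one
setlocal

if "%~2"=="" (
    echo Usage: %~nx0 TARGETDOMAIN ADMINACCOUNT [netonly]
    exit /b 1
)

set "TARGETDOMAIN=%~1"
set "ADMINACCOUNT=%~2"
set "MODE=%~3"

rem Without /netonly, runas validates the credentials at launch and starts the
rem tool with a full logon token, which requires a trust path to TARGETDOMAIN.
rem With /netonly, the credentials are used only for network connections, so the
rem tool can still reach a domain in an untrusted forest; note that a wrong
rem password is then not detected until the tool first contacts that domain.
set "RUNAS_OPTS=/user:%TARGETDOMAIN%\%ADMINACCOUNT%"
if /i "%MODE%"=="netonly" set "RUNAS_OPTS=/netonly %RUNAS_OPTS%"

rem runas prompts for the password of ADMINACCOUNT; the interactive session keeps
rem its own token. After the console opens, right-click the root node and use
rem "Connect to Domain" to point it at TARGETDOMAIN.
runas %RUNAS_OPTS% "mmc %SystemRoot%\system32\dsa.msc"

endlocal
```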

Notes

  • It is a security best practice to never log on with an account that has more rights and permissions than you need for the task you are currently performing.

  • It is also a security best practice to limit the scope of a particular administrator's rights and permissions to include only those tasks that the administrator commonly performs.

  • You cannot administer a Windows Server 2003 domain or forest using the Windows 2000 Administrative Tools Pack. For more information, see Windows Server 2003 Administration Tools Pack Overview.