IBM Cloud Docs
Integrating the infrastructure domain with the workload domain

Integrating the IBM Cloud® for VMware Solutions infrastructure domain with the IBM Cloud for VMware Solutions workload domain is not recommended. You must allow the workload domain controllers that are connected to the underlay network to communicate with the infrastructure domain controllers that are connected to the underlay network. For more information, see the following documents:

However, if you need information about this integration, review the following models:

  • IBM Cloud for VMware Solutions forest with parent-child trust.
  • IBM Cloud for VMware Solutions forest with tree-root trust.
  • Two-way forest trust.
  • External trust.

IBM Cloud for VMware Solutions forest with parent-child trust

This model creates a single forest by using the existing IBM Cloud for VMware Solutions infrastructure domain as the parent and configuring a new IBM Cloud for VMware Solutions workload child domain. As all parent-child domains use transitive two-way trusts by default, vSphere SSO can access all users from either domain. The following diagram shows the Active Directory Domain Services topology for this IBM Cloud for VMware Solutions forest with parent-child trust model:

IBM Cloud for VMware Solutions forest with parent-child trust diagram

IBM Cloud for VMware Solutions forest with tree-root trust

This model creates a single forest by using the existing IBM Cloud for VMware Solutions infrastructure domain as the parent and configuring a new IBM Cloud for VMware Solutions workload parent domain. The tree-root trust is a two-way transitive trust between the two parent domains. The vSphere SSO connected to the IBM Cloud for VMware Solutions infrastructure domain can access the users from the other parent domain.

If the other parent domain has a child domain, due to the two-way trust, those users are also accessible. The following diagram shows the Active Directory Domain Services topology for this IBM Cloud for VMware Solutions forest with tree-root trust model:

IBM Cloud for VMware Solutions forest with tree-root trust diagram

Two-way forest trust

VMware always recommends two-way trusts for forest trusts. For more information, see Microsoft Active Directory Trusts supported by VMware vCenter Single Sign-On.

Because two-way trusts are used between the IBM Cloud for VMware Solutions infrastructure forest and the IBM Cloud for VMware Solutions workload forest, vSphere SSO can use this trust so users can be authenticated from all parent and child domains in the IBM Cloud for VMware Solutions workload forest. The following diagram shows the Active Directory Domain Services topology for this two-way forest trust model:

Two-way forest trust diagram

External trust

VMware always recommends two-way trusts for external trusts. For more information, see Microsoft Active Directory Trusts supported by VMware vCenter Single Sign-On. An external trust establishes a trust to a specific domain within a separate forest that is not joined through a forest trust.

The two-way trust between the IBM Cloud for VMware Solutions infrastructure forest and the IBM Cloud for VMware Solutions workload domain allows vSphere SSO to use the trust so users can be authenticated from the IBM Cloud for VMware Solutions workload domain. The following diagram shows the Active Directory Domain Services topology for this external trust model:

External trust diagram
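The following PowerShell script is an added example, not part of the IBM Cloud documentation, that sorts the trusts visible from the local domain into the four models described above and flags any forest or external trust that is not two-way, which is the configuration VMware recommends for vSphere SSO. It assumes a domain-joined Windows host with the RSAT ActiveDirectory module; the parent-child versus tree-root distinction is made by DNS namespace containment, which is this example's own simplification.

```powershell
# Added example (not IBM's or VMware's code): review the trust topology the
# infrastructure domain sees and flag trusts that do not match the two-way
# models described above. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-TrustModel {
    param(
        [Parameter(Mandatory)] $Trust,
        [Parameter(Mandatory)] [string] $LocalDomain   # DNS name of this domain
    )
    if ($Trust.IntraForest) {
        # Same forest: a child domain shares the parent's DNS suffix
        # (parent-child trust); a second tree root does not (tree-root trust).
        # Assumption: namespace containment is used to tell them apart.
        if ($Trust.Target -like "*.$LocalDomain" -or $LocalDomain -like "*.$($Trust.Target)") {
            return 'Parent-child trust'
        }
        return 'Tree-root trust'
    }
    if ($Trust.ForestTransitive) { return 'Forest trust' }
    return 'External trust'
}

$localDomain = (Get-ADDomain).DNSRoot

$report = foreach ($t in Get-ADTrust -Filter *) {
    $model  = Get-TrustModel -Trust $t -LocalDomain $localDomain
    $twoWay = ($t.Direction -eq 'BiDirectional')
    [pscustomobject]@{
        LocalDomain = $localDomain
        Target      = $t.Target
        Model       = $model
        Direction   = $t.Direction
        # Intra-forest trusts are always transitive; the module spells the
        # property 'DisallowTransivity', so keep that exact name.
        Transitive  = $t.IntraForest -or (-not $t.DisallowTransivity)
        # Forest and external trusts should be two-way for vSphere SSO to
        # authenticate users from the other side; anything else is flagged.
        Finding     = if ($twoWay) { 'OK' } else { 'Not two-way: review before relying on it for vSphere SSO' }
    }
}

$report | Sort-Object Model, Target | Format-Table -AutoSize
```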