The Microsoft terminology is confusing, certainly.
Technically, the trust needs to be established in both domains, but you are correct: you want to have a one-way outgoing trust in "Main" and then use "Branch" groups to provide access to the limited resources needed by "Branch" users.
(After the trust is created, you would see a one-way incoming trust in the Branch domain, from Main.)
Quite confusing, yes. I have this currently set up in our test lab, and interestingly, when I open up a domain-local group in "Main", I can only add groups from "Branch" in the Member Of tab.
I expected that I would be able to add foreign groups under "Members", but the Branch domain does not even show up as an option to expand somehow.
bhazlewood@reddit
HyperPixel5@reddit (OP)