I'm interested in understanding your approach to establishing a two-way trust between Active Directories in the following scenario: a larger company A acquires a mid-sized or smaller company B. At what point do you feel comfortable establishing a two-way trust between both Active Directories? The priority is to ensure business continuity without impacting their clients on both ends, while recognizing that integration would be significantly easier with a trust established. What would be your key considerations that you typically review prior to even entering discussions about this capability? My focus is on the prerequisites for trusting a new entity that was previously managed by another IT team within your organization. For example, do you conduct by default a full penetration test, assess the network and external-facing systems, perform policy health checks, evaluate conditional access settings, review the breach history of Company B and/or their vendors, etc., and demand changes to get as close to your standard before proceeding? If yes, how close do you get before feeling a little more comfortable about accepting all the risks?
First, my apologies for any redundancies as I’m sure some information will be well known to you.
To answer your first question, “at what point do you feel comfortable establishing a two-way trust between both Active Directories?”: my short answer would be the point in time at which the security in both companies is at a comfortable threshold for the responsible parties involved.
Your key considerations are very much valid and thoughtful. I especially like the conditional access evaluations. More so, Entra ID has many benefits and used to be called Azure Active Directory. This is not Active Directory. Active Directory is an on-premises directory service that deals with the management of Windows domain networks, focusing on local network management such as user authentication, policy enforcement, and resource management within an organization. Conversely, Azure Active Directory is a cloud-based identity and access management service designed for web-based services, offering advanced features like single sign-on (SSO), multi-factor authentication (MFA), and seamless integration with various cloud services. Clarifying these is critical for how you get this done with the technology.
Some factors for establishing your AD two-way trust can be organizational readiness, IT team preparedness, initial integration steps, and business requirements.
Some key considerations for establishing two-way trust follow: (This may build upon, lie within, or coincide with your thoughts in the question.)
1. Assessing Current IT Infrastructure and Security Policies
Before initiating discussions on establishing a two-way trust, it is critical to assess the existing IT infrastructures and security policies of both companies. Evaluate the compatibility of their systems, the security measures in place, and any potential vulnerabilities that might pose a risk when the directories are linked.
2. Data Integrity and Compliance
Ensure that both companies comply with data protection regulations and industry standards. Review data handling practices, storage solutions, and compliance with GDPR, HIPAA, or other relevant regulations. This step is essential to protect sensitive information and prevent legal repercussions.
3. Network Configuration and Connectivity
Establishing a trust requires stable and secure network connectivity between the two entities. Review the network configurations, firewall settings, and VPN tunnels to ensure that they can support a reliable and secure connection. Address any potential bottlenecks or points of failure in the network infrastructure.
4. Identifying Business and Technical Stakeholders
5. Migration Strategy and Timeline
6. Security and Access Controls
Define the security and access control policies that will govern the two-way trust. Determine the level of access required by users from each company and implement measures to ensure that only authorized personnel can access sensitive resources. Regularly review and update these policies to maintain a high level of security.
7. Testing and Validation
Before going live, conduct thorough testing to validate the trust configuration. Test various scenarios to ensure that the integration works seamlessly and that there are no security loopholes. Address any issues identified during the testing phase before moving to full-scale implementation.
Some prerequisites for establishing trust follow:
1. Compatibility of Directory Services
Ensure that both Active Directories are compatible and can support a two-way trust. This includes verifying the versions, configurations, and any schema extensions that may be in place.
2. DNS Configuration
Proper DNS configuration is essential for the trust relationship to function correctly. Verify that the DNS settings in both companies are correctly configured and that name resolution works seamlessly between the two domains.
3. Secure Authentication Mechanisms
Implement secure authentication mechanisms, such as Kerberos or NTLM, to facilitate the trust. Ensure that both environments support these protocols and that they are configured correctly.
4. Administrative Privileges
Grant the necessary administrative privileges to the personnel responsible for establishing the trust. This includes access to domain controllers, DNS servers, and other critical components of the Active Directory infrastructure.
5. Documentation and Training
Prepare detailed documentation outlining the trust establishment process, including configuration steps, security considerations, and troubleshooting guidelines. Provide training to the IT teams of both companies to ensure they are equipped to manage and maintain the trust relationship effectively.
Some good questions may be:
• Have all identified security vulnerabilities been addressed?
• Are IT policies and standards aligned between both companies?
• Has thorough communication and training been conducted?
It has been some time, but here is some of my data that I rewrote through ChatGPT.
Establishing a two-way trust between Active Directories (ADs) in an acquisition scenario requires a careful approach to ensure both security and business continuity. Here’s a framework that addresses the prerequisites and security considerations that are crucial before trusting the acquired entity's environment.
1. Initial Assessment and Gap Analysis
• Security Posture Evaluation: Begin by evaluating the overall security posture of Company B. This includes assessing their network architecture, segmentation, firewalls, external-facing systems, and infrastructure.
• Policy Health Checks: Evaluate how Company B’s security policies compare to those of Company A. This involves reviewing password policies, account lockout thresholds, privileged access management, and conditional access settings. Ideally, these should align closely with the standards of Company A to reduce the risk of introducing vulnerabilities.
• Vulnerability Management and Patch Status: Conduct a vulnerability scan or review recent vulnerability management reports from Company B to ensure their systems are well-maintained and patched. This is a significant factor in reducing the likelihood of vulnerabilities being exploited during or after trust establishment.
• Third-Party Vendors and Dependencies: Investigate the vendors and third-party dependencies that Company B relies on, particularly those with direct access to their systems, as these can introduce indirect risks. A high-risk third-party could necessitate additional controls before trust is established.
2. Detailed Security Testing
• Penetration Testing: A full penetration test of Company B’s environment, ideally performed by a third-party firm, is highly recommended. This will uncover potential issues with the perimeter security, endpoints, applications, and network that could pose risks once the trust is established.
• Endpoint Security Assessment: Evaluate the security configurations on endpoints such as workstations and servers. This includes antivirus/antimalware solutions, endpoint detection and response (EDR), and other host-based protections.
3. User and Privilege Auditing
• User Inventory and Privilege Levels: Perform an audit of the user accounts and privileges in Company B’s AD. Understand the roles, permissions, and access each user has, especially for those with high-level privileges. This includes ensuring privileged accounts in Company B align with the security protocols in Company A.
• Conditional Access and MFA: Evaluate the conditional access settings and multi-factor authentication (MFA) policies in Company B’s environment. This is especially crucial for remote access to sensitive systems or data.
4. Network Segmentation and Firewall Configuration
• Isolated Connectivity for Trust: Ensure that, at least initially, the trust is isolated or restricted by network segmentation and firewall rules. This prevents unrestricted access between both environments, allowing for controlled communication and mitigating potential lateral movement in case of a breach.
• Restrict and Monitor Access: Limit which resources are accessible via the trust and closely monitor activity. This allows business continuity without granting unrestricted access until Company B’s environment meets your security standards.
5. Review of Breach and Incident History
• Historical Breach and Incident Review: Assess any past security incidents or breaches involving Company B, including any third-party vendor issues. If there is a significant history of breaches or poor incident response, you may need to implement additional controls or remediations before trust is established.
6. Cultural and Operational Alignment
• IT Operations and Security Culture: Meet with Company B’s IT and security teams to assess their operational maturity, security culture, and willingness to adopt Company A’s security standards. Trust is easier to establish with a team that is collaborative and has a similar commitment to security.
When to Establish Trust
Generally, it’s advisable to establish trust only after Company B’s environment meets a threshold that aligns with Company A’s security requirements. This doesn’t mean every detail has to match exactly, but key security baselines should be met. Ideally, a phased approach can help — for example, setting up a limited or one-way trust initially, then progressing to a two-way trust as confidence grows.
In summary, the prerequisites to establishing two-way trust should encompass:
1. Alignment with security policies and standards.
2. Thorough vulnerability management and patching.
3. Strict access control and monitoring.
4. Strong endpoint and network security.
5. Clear communication and cultural alignment with Company B's IT and security teams.
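An added example, not taken from either reply: a PowerShell check that covers the DNS prerequisite from the first reply (the other forest's DC locator records must resolve) and the "restricted trust" recommendation from the second (selective authentication on, TGT delegation off). It assumes the ActiveDirectory RSAT module on a Company A host and uses the placeholder forest names corp-a.example and corp-b.example.

```powershell
# Added example, not from either reply: readiness and hardening checks for a
# forest trust, run on a Company A DC or RSAT workstation (ActiveDirectory module).
# corp-a.example / corp-b.example are placeholder forest names.
Import-Module ActiveDirectory

$RemoteForest = 'corp-b.example'   # placeholder: Company B's forest root

# 1. DNS prerequisite (first reply): the DC locator SRV record of the other forest
#    must resolve here, or trust creation and Kerberos referrals fail.
function Test-ForestSrvResolution {
    param([Parameter(Mandatory)][string]$ForestFqdn)
    $srv = "_ldap._tcp.dc._msdcs.$ForestFqdn"
    try {
        $records = Resolve-DnsName -Name $srv -Type SRV -ErrorAction Stop
        $dcs = ($records | Where-Object QueryType -eq 'SRV' | ForEach-Object NameTarget) -join ','
        [pscustomobject]@{ SrvRecord = $srv; Resolves = $true;  DomainControllers = $dcs }
    } catch {
        [pscustomobject]@{ SrvRecord = $srv; Resolves = $false; DomainControllers = $_.Exception.Message }
    }
}

# 2. Restricted trust (second reply): selective authentication forces an explicit
#    "Allowed to Authenticate" grant per resource, and TGT delegation across the
#    trust should stay off. The SIDFiltering* flags are reported raw; confirm the
#    effective SID filtering state with netdom (see the end of the block).
function Get-TrustHardeningReport {
    param([Parameter(Mandatory)][string]$TargetForest)
    $trust = Get-ADTrust -Filter "Target -eq '$TargetForest'" -Properties *
    if (-not $trust) { throw "No trust object found for $TargetForest" }
    [pscustomobject]@{
        Target                  = $trust.Target
        Direction               = $trust.Direction          # Inbound / Outbound / BiDirectional
        ForestTransitive        = $trust.ForestTransitive
        SelectiveAuthentication = $trust.SelectiveAuthentication   # $true is the restricted setting
        TGTDelegation           = $trust.TGTDelegation             # $false is the safe setting
        SIDFilteringForestAware = $trust.SIDFilteringForestAware
        SIDFilteringQuarantined = $trust.SIDFilteringQuarantined
    }
}

Test-ForestSrvResolution -ForestFqdn $RemoteForest | Format-List
$report = Get-TrustHardeningReport -TargetForest $RemoteForest
$report | Format-List
if (-not $report.SelectiveAuthentication -or $report.TGTDelegation) {
    Write-Warning "Trust to $RemoteForest is not restricted; enable selective authentication and keep TGT delegation disabled before exposing resources."
}
# Effective SID filtering state (no value after /quarantine prints the current setting):
#   netdom trust corp-a.example /domain:corp-b.example /quarantine
```

Run the DNS check from both forests before creating the trust; the hardening report only applies once a trust object exists.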
I’ve been involved in 7 acquisitions ranging from 50-person companies to 2500, and in all cases we shut down the acquired company's infrastructure. The desktops happened relatively quickly, and the core application servers were only kept if we could not load the data onto our systems. Email was done immediately, including exporting and importing old mailboxes. I would never do a two-way trust, and I would be very hesitant to do even a one-way trust unless you were 100% sure their systems were never compromised. IMHO I would spend 100% of the effort decommissioning the acquired company’s infrastructure.