Can a sync relationship be established without a trust?

I have a situation where a customer wants to divest and migrate from an old AD domain to a new domain in a new forest. However, the source company is being uncooperative and not allowing any trusts. I DO have some admin access into the SOURCE domain and delegated control over the OU I want to migrate. I also have Enterprise Admin permissions on the DESTINATION domain.

The Requirements and Installation Guide advises that a trust is required for offline domain join, and mentions 'In Order To Receive the Maximum Benefit A Trust Should Be In Place'. What are the limitations of configuration without a trust? Can that be accomplished? I have configured Binary Tree and the prerequisites as best I can. However, a sync-only update never completes. Can you advise what, if any, sync capabilities can be achieved without a trust? Thank you very much.

  • Migrating Active Directory (AD) objects from one domain to another without establishing a trust can be challenging and may have limitations. While it's technically possible to migrate objects using offline methods, it's generally recommended to establish a trust for seamless and efficient migration.

    Limitations of Migration without a Trust

    1. Limited Migration Scope: Without a trust, you can only migrate user objects and their associated attributes. You cannot migrate other objects like groups, computers, or domain-specific policy objects (GPOs).

    2. Offline Migration Complexity: Offline migration requires exporting objects from the source domain, modifying them to reflect the new domain structure, and importing them into the destination domain. This process can be error-prone and time-consuming.

    3. No Real-Time Synchronization: Without a trust, there's no real-time synchronization between the source and destination domains. This means that changes made in the source domain won't automatically reflect in the destination domain, requiring manual updates.

    4. Limited Security Options: Without a trust, you cannot leverage group-based access control (GBAC) permissions between the domains. This can limit your ability to manage user access effectively.

    Alternative Approaches

    1. Establish a One-Way Trust: If the source company is unwilling to establish a two-way trust, you can request a one-way trust from the source domain to the destination domain. This will allow you to migrate objects from the source domain to the destination domain but not vice versa.

    2. Consider Staging Domain: If establishing a trust is not feasible, consider setting up a staging domain. This involves creating a temporary domain where you can migrate objects from the source domain, modify them as needed, and then migrate them from the staging domain to the destination domain.

    3. Third-Party Migration Tools: There are third-party migration tools that can assist in migrating AD objects without a trust. These tools can automate some of the manual tasks involved in offline migration and provide additional features, such as conflict resolution and data validation.


    Establishing a trust between the source and destination domains is the most efficient and secure approach for migrating AD objects. If a trust is not possible, consider alternative methods like a one-way trust or a staging domain. Third-party migration tools can also provide support for offline migration.

  • Without a trust, you might have to resort to more manual methods of migration. This could involve exporting user, group, and computer information from the source domain and then importing it into the destination domain. Tools like ldifde or csvde can be used for exporting and importing directory objects in AD environments.
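The manual export/import route described in both answers above, shown end to end as an added example (not part of either answer and not a Binary Tree or Quest script). It relies on the one thing the question does have: separate credentials on each side. Each Active Directory cmdlet is pointed at a specific domain controller with -Server and -Credential, so no trust is needed for the reads or the writes. Domain names, DC names and OU paths below are hypothetical placeholders; the export directory and the CSV layout are choices made here, not a format the tooling expects. Passwords and SIDs cannot be read out of the source forest, so each recreated user gets a random initial password, must change it at first logon, and stays disabled until you enable it; sIDHistory is not populated, which is exactly the capability that requires a trust.

```powershell
# Added example: cross-forest copy of one OU's users and groups with explicit
# credentials on each side (no trust). All names below are assumed placeholders.
Import-Module ActiveDirectory

$srcServer = 'dc1.contoso.local'                      # assumed source DC
$srcOU     = 'OU=Sales,DC=contoso,DC=local'           # assumed delegated OU
$srcCred   = Get-Credential -Message 'Source domain account (delegated on the OU)'

$dstServer = 'dc1.fabrikam.local'                     # assumed destination DC
$dstOU     = 'OU=Migrated,DC=fabrikam,DC=local'       # assumed target OU
$dstCred   = Get-Credential -Message 'Destination domain account (Enterprise Admin)'

$export = Join-Path $env:TEMP 'ou-export'
New-Item -ItemType Directory -Path $export -Force | Out-Null

# --- Phase 1: read from SOURCE. Only attributes we will recreate are exported;
# password hashes and objectSid never leave the source forest.
$users = Get-ADUser -Server $srcServer -Credential $srcCred -SearchBase $srcOU -Filter * `
    -Properties DisplayName, EmailAddress, Description
$users | Select-Object SamAccountName, GivenName, Surname, DisplayName, EmailAddress, Description |
    Export-Csv -Path (Join-Path $export 'users.csv') -NoTypeInformation

$groups = Get-ADGroup -Server $srcServer -Credential $srcCred -SearchBase $srcOU -Filter * -Properties Description
$groups | Select-Object SamAccountName, GroupScope, GroupCategory, Description |
    Export-Csv -Path (Join-Path $export 'groups.csv') -NoTypeInformation

# Membership is recorded by sAMAccountName: DNs and SIDs mean nothing in the other forest.
$membership = foreach ($g in $groups) {
    Get-ADGroupMember -Server $srcServer -Credential $srcCred -Identity $g.DistinguishedName -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ Group = $g.SamAccountName; Member = $_.SamAccountName } }
}
$membership | Export-Csv -Path (Join-Path $export 'membership.csv') -NoTypeInformation

# --- Phase 2: recreate in DESTINATION. Existence checks make a re-run create-only;
# this is a one-shot copy, not a sync, so later source changes are not carried over.
$upnSuffix = (Get-ADDomain -Server $dstServer -Credential $dstCred).DNSRoot

foreach ($g in Import-Csv (Join-Path $export 'groups.csv')) {
    if (Get-ADGroup -Server $dstServer -Credential $dstCred -Filter "sAMAccountName -eq '$($g.SamAccountName)'") { continue }
    New-ADGroup -Server $dstServer -Credential $dstCred -Path $dstOU -Name $g.SamAccountName `
        -SamAccountName $g.SamAccountName -GroupScope $g.GroupScope -GroupCategory $g.GroupCategory `
        -Description $g.Description
}

foreach ($u in Import-Csv (Join-Path $export 'users.csv')) {
    if (Get-ADUser -Server $dstServer -Credential $dstCred -Filter "sAMAccountName -eq '$($u.SamAccountName)'") { continue }
    # Passwords cannot be exported: random initial password, change at first logon, account disabled.
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $initialPw = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    $name = if ($u.DisplayName) { $u.DisplayName } else { $u.SamAccountName }
    New-ADUser -Server $dstServer -Credential $dstCred -Path $dstOU `
        -Name $name -SamAccountName $u.SamAccountName `
        -UserPrincipalName "$($u.SamAccountName)@$upnSuffix" `
        -GivenName $u.GivenName -Surname $u.Surname -DisplayName $u.DisplayName `
        -EmailAddress $u.EmailAddress -Description $u.Description `
        -AccountPassword $initialPw -ChangePasswordAtLogon $true -Enabled $false
}

foreach ($m in Import-Csv (Join-Path $export 'membership.csv')) {
    Add-ADGroupMember -Server $dstServer -Credential $dstCred -Identity $m.Group -Members $m.Member -ErrorAction SilentlyContinue
}
```

Run phase 1 from any machine that can reach a source DC on LDAP (389) with the delegated account; nothing in it requires the destination forest to be known to the source. The resulting CSVs carry no secrets, but they are still an inventory of another company's directory, so store and delete them accordingly. Computers are deliberately not copied: a computer object created this way would not let an existing workstation log on, since the machine still holds the old domain's secret; each machine has to be joined to the new domain (online, or with a djoin provisioning blob generated in the destination domain), which is the step the Binary Tree guide ties to a trust.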