

Page 1: Understanding Active Directory Domains and Trusts Wcatalogimages.wiley.com/images/db/pdf/0764579223.excerpt.pdfUnderstanding Active Directory Domains and Trusts ... security container,

Understanding Active Directory Domains and Trusts

With Windows Server 2003 Active Directory Domains and Trusts structure, you can control the information flow, access to resources, security, and the type of relationship among different domains, domain trees, and domain forests throughout your enterprise network environment. This can ease your administrative burden of large domains and multi-domain infrastructures, saving time, effort, and expense. When you create a trust relationship between two domains, you can make a link between them that lets authentication passwords through either from one domain to another or both ways between domains. That way, you can be a user in one domain and still authenticate to and access resources on another domain. You can also create an Active Directory replication environment that treats multiple domains as if they were one container.

Active Directory

Active Directory is the Microsoft implementation of directory services that allows you to store and search for any object in your domain or in multiple domains. Active Directory Services categorizes everything in a domain as objects. Objects can include users, computers, printers, servers, file shares, application data, and more. Active Directory objects can be physical or logical objects. All objects are stored in a single file in Active Directory that includes all objects and schema information called ntds.dit. Every Domain Controller in the domain has an exact copy of the ntds.dit database as well as a special shared folder called SYSVOL. The SYSVOL folder inhabits an NTDS partition and contains information regarding Group Policy Objects and login information.

Domains

You can create a domain as a container for all Active Directory objects and isolate them from other parts of your Enterprise network infrastructure. A domain is a security container, an Active Directory database replication boundary, and is the basic container for defining DNS and Internet namespace. With Windows NT, you have to use a domain to define any type of control and administrative container and you have to create numerous domains for each part of your business network that have differences in security and administration. Starting with Windows 2000 Server domains and continuing with Windows Server 2003, you can create a single domain and still preserve all the security and trust functions that required multiple domains using Windows NT. You can still create multiple domains for security reasons with Windows Server 2003. Other types of container objects serve the same purpose as the numerous domains required under Windows NT.

Domain Controllers

A domain controller is a specialized role for a Windows Server 2003 server. You can promote your server to a domain controller so that it can construct, receive and replicate a copy of the Active Directory database. Your domain controller has information about every object in the domain, and network users can search it to find people, computers, and resources on the domain at all times. The domain controller also constantly updates its database so that users have the most recent information. Finally, the domain controller passes along or replicates its most recent database to other domain controllers as changes occur. With Windows NT domains, not all domain controllers were equal. In each domain, you had to create a Primary Domain Controller or PDC, which held the master copy of the Active Directory database. All other domain controllers were Backup Domain Controllers, or BDCs, and each BDC held a copy of the database.

05_579223 ch01.qxd 12/16/04 9:07 PM Page 4


Trees and Forests

You can create a single domain to make it a complete Active Directory container capable of providing all the resources you need for your business to function with no limitations. You can also create subdomains called child domains. The first domain you create is called the root or parent domain. A root or parent domain can have a namespace such as microsoft.com. A child domain shares the parent domain namespace contiguously and has a name such as sales.microsoft.com. A parent domain with one or more child domains is called a domain tree. One root domain that has a relationship with another root domain is called a domain forest. The two root domains do not have a contiguous namespace and sometimes do not share the same Windows Server operating system Active Directory type. For example, you can make the namespace of two root domains in a domain forest microsoft.com and wiley.com.

Domain Tree Trusts

You can create a trust between one domain and another, which means that users can share resources back and forth between two or more domains as if the resources were all part of one domain container. When you use Windows NT domain trusts, you can only configure a one-way, nontransitive trust between two NT domains. This means you can only create a trust where one domain is trusted and the other domain is trusting. You have to create a separate trust relationship in the other direction between the two domains so they can mutually trust each other.

When creating trust, remember that interrelationship does not guarantee trust. For example, you can create a trust relationship between Domain A and Domain B, and another trust between Domain B and Domain C; however, Domain A and Domain C do not automatically trust each other. You must create another, separate trust between A and C before they trust each other. With the introduction of Windows 2000 Server and Windows Server 2003 Active Directory, you can now create two-way transitive trusts automatically between different domains in the same domain tree so that a trust between A and B is automatically two-way. Further, you have a trust where if B and C trust each other, A and C automatically trust each other.

Domain Forest Trusts

You can create trust relationships between two unrelated domain trees, but you cannot automatically create two-way transitive trust relationships. You must create forest trust relationships the same way you create domain trust relationships with Windows NT. Because this is a relationship between two unrelated domains, you must carefully create trust relationships with a greater element of security. You can own both domains, maintain separate namespaces, and allow one domain to access resources on a second domain and limit how the second domain accesses resources on the first. Users on any domain with two-way transitive trusts can access any other domain in the forest transparently. A transitive trust is one where two or more parent domains and their child domains all trust each other. The trust at the parent level traverses down to the child domains based on the parent trust. A transparent trust is one where the user is not aware of how the trust relationships traverse numerous domains and domain trees. From their point of view, they can access a child domain in a different tree as if the resource existed in their own domain. For more on forest trusts, see the section “Create a Forest Trust.”
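The reachability rules the three trust sections above describe (trusted users authenticate to the trusting domain; transitive trusts chain, nontransitive ones do not) can be checked against a trust list with the following script. It is an added example, not code from the book; every domain name in it is a constructed sample, and it models only the rules the chapter states.

```powershell
# Added example, not from the book. Models the trust rules the chapter
# describes: users of a trusted domain may authenticate to the trusting domain,
# transitive trusts chain, nontransitive ones (NT-style, external, shortcut)
# do not. All domain names are constructed sample values.

function New-Trust {
    param([string]$Trusting, [string]$Trusted, [bool]$Transitive, [switch]$TwoWay)
    [pscustomobject]@{ Trusting = $Trusting; Trusted = $Trusted; Transitive = $Transitive }
    if ($TwoWay) {
        [pscustomobject]@{ Trusting = $Trusted; Trusted = $Trusting; Transitive = $Transitive }
    }
}

function Get-ReachableDomains {
    # Returns every domain where an account from $HomeDomain can authenticate.
    param([string]$HomeDomain, [object[]]$Trusts)
    # $state[domain] is $true when the domain was reached over transitive hops
    # only, meaning the path may still be extended from there.
    $state = @{}
    $queue = New-Object System.Collections.Queue
    $queue.Enqueue(@{ Domain = $HomeDomain; Extendable = $true; IsHome = $true })
    while ($queue.Count -gt 0) {
        $cur = $queue.Dequeue()
        foreach ($e in $Trusts) {
            if ($e.Trusted -ne $cur.Domain -or $e.Trusting -eq $HomeDomain) { continue }
            # The first hop can use any trust; later hops only chain through
            # transitive trusts on an all-transitive path.
            if (-not $cur.IsHome -and -not ($cur.Extendable -and $e.Transitive)) { continue }
            $ext = $cur.Extendable -and $e.Transitive
            if ($state.ContainsKey($e.Trusting) -and ($state[$e.Trusting] -or -not $ext)) { continue }
            $state[$e.Trusting] = $ext
            $queue.Enqueue(@{ Domain = $e.Trusting; Extendable = $ext; IsHome = $false })
        }
    }
    @($state.Keys | Sort-Object)
}

# The chapter's A-B, B-C case: first with Windows NT style nontransitive
# trusts, then with the two-way transitive trusts a Windows Server 2003 tree creates.
$ntTrusts = @(
    New-Trust -Trusting 'B' -Trusted 'A' -Transitive $false -TwoWay
    New-Trust -Trusting 'C' -Trusted 'B' -Transitive $false -TwoWay
)
$treeTrusts = @(
    New-Trust -Trusting 'B' -Trusted 'A' -Transitive $true -TwoWay
    New-Trust -Trusting 'C' -Trusted 'B' -Transitive $true -TwoWay
)
"NT style, from A: "   + ((Get-ReachableDomains -HomeDomain 'A' -Trusts $ntTrusts) -join ', ')    # B
"Transitive, from A: " + ((Get-ReachableDomains -HomeDomain 'A' -Trusts $treeTrusts) -join ', ')  # B, C

# Two forests joined by a forest trust, plus a one-way external trust that
# lets legacy.example accounts into corp.example only.
$forestTrusts = @(
    New-Trust -Trusting 'corp.example'    -Trusted 'sales.corp.example'  -Transitive $true -TwoWay
    New-Trust -Trusting 'partner.example' -Trusted 'eng.partner.example' -Transitive $true -TwoWay
    New-Trust -Trusting 'partner.example' -Trusted 'corp.example'        -Transitive $true -TwoWay   # forest trust
    New-Trust -Trusting 'corp.example'    -Trusted 'legacy.example'      -Transitive $false          # external trust
)
"From sales.corp.example: " + ((Get-ReachableDomains -HomeDomain 'sales.corp.example' -Trusts $forestTrusts) -join ', ')
# corp.example, eng.partner.example, partner.example (legacy.example is never reached)
"From legacy.example: " + ((Get-ReachableDomains -HomeDomain 'legacy.example' -Trusts $forestTrusts) -join ', ')
# corp.example only: the external trust does not chain into the rest of the forest
```

The last two lines show the forest-trust rule from a defender's side: an external trust admits only the partner's own accounts, while a forest trust admits every child domain behind the partner root.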


Create a Forest Trust

You can use Windows Server 2003 Active Directory to create a forest trust relationship between two separate domains. This allows the two domains to have the same relationship with each other as they do with subdomains within the same domain tree. You can share resources between the two root domains and between subdomains in each of the separate domain trees. For more on forest trusts, see the section “Understanding Active Directory Domains and Trusts” earlier in this chapter.

You can only create a forest trust relationship between two domains running Windows Server 2003 Active Directory.

You can create the forest trust only if you raise the forest functional level of both domain trees to Windows Server 2003 Mode. The Windows Server operating systems you use on your domain controllers define the domain tree and forest functional levels or modes and the Active Directory features you can use. For more on domain and forest functional levels, see Chapter 2.

If you want your Windows Server 2003 domain tree to form a trust relationship with a domain using Windows 2000 Server domains or Windows NT Server domains, you can only create an external trust relationship and cannot create a true domain forest.

1 Click Start.

2 Click Administrative Tools.

3 Click Active Directory Domains and Trusts.

The Active Directory Domains and Trusts snap-in appears.

4 Right-click the domain.

5 Click Properties.


The Domain Properties dialog box appears.

6 Click the Trusts tab.

7 Click New Trust.

The New Trust Wizard appears.

8 Click Next.

The Trust Type page of the Wizard appears.

9 Click the Forest trust option.

10 Click Next.

On the Domain Properties box Trusts tab, how many different trusts can I create there?

You can create as many trust relationships as you want to serve the needs of your domain. For example, you can create independent trust relationships from your domain to several other domains. You can also create different types of trusts from the Trusts tab in the Domain Properties box. You can also limit the number of trusts you create so that you can track which domain trees trust other domain trees. If you lose track of the number and type of trusts you create, you may find it difficult to troubleshoot trust problems.

When do I select the This domain only option on the Sides of Trust page of the New Trust Wizard?

When you click this option, it only creates one side of a trust relationship. You can create only one side of the trust, but you cannot complete the trust relationship until you create the other side of the trust. You use this kind of relationship in situations where you are in partnership with another domain and the other domain does not want to release domain administrator credentials. You and the other domain administrator must separately create the sides of the trust and the trust relationship becomes active.


Create a Forest Trust (Continued)

You can custom make a forest trust to meet the specific needs of your domain and another, noncontiguous domain. Doing this tightly controls security access to your domain resources. The trust relationship between your domain and the other domain is actually an authentication relationship. You authenticate onto your domain from a computer by typing your username and password on the logon screen of the computer. The nearest domain controller verifies your credentials and you are then allowed access.

When you create a trust relationship with another domain, you actually create automatic authentication for your users from your domain to the other domain and all the resources it contains. Because you create a trust that is transparent, your users never notice that they are accessing resources outside their domain.

You can create trust relationships that are two-way, one-way incoming, or one-way outgoing. Specific configuration controls allow you to control the level of access security you want between the two domains. When you create a two-way trust, you must have administrator credentials for the other domain to complete trust creation.

For more on authentication relationships and transparent trusts, see the section “Understanding Active Directory Domains and Trusts.”

The Direction of Trust page of the Wizard appears.

11 Click the Two-way option.

• You can also select a One-way direction.

Note: For more on creating a one-way trust, see the section “Create a Shortcut Trust.”

12 Click Next.

The Sides of Trust page of the Wizard appears.

13 Click the “Both this domain and the specified domain” option.

14 Click Next.

The User Name and Password page appears.

15 Type the administrator name for the other domain.

16 Type the administrative password for the other domain.

17 Click Next.


The Ongoing Trust Authentication Level – Local Forest page of the Wizard appears.

18 Click the Forest-wide authentication option.

19 Click Next.

Are all trusts with nonrelated domain trees such as External and Realm trusts considered nontransitive trusts?

No. You can create a forest trust between two domains and you can make your forest trust transitive, but only if you specify this as you step through the Create a New Trust Wizard. This means that the child domains can share the trust relationship as long as you create the trust that way. You can also create an external trust that is not transitive. Instead, the external trust you create is bound between just the two domains and does not involve any of the child domains.

Why do I have to create the authentication level for both the local forest and the specified forest?

If you choose to create both sides of the trust at the same time and have access to the administrator username and password for the other domain, you must approve authentication in both your domain and the other domain as well. This means that you must get the administrative authentication information for the other domain. Otherwise, you can create only one side of the trust and need to have the administrator in the other domain provide authentication for the two-way trust to be implemented.

The Ongoing Trust Authentication Level – Specified Forest page of the Wizard appears.

20 Click the Forest-wide authentication option.

21 Click Next.


Create a Forest Trust (Continued)

You can create and verify both the trust selections and the trust itself in order to construct the elements that allow the trust to operate. You can test that trust relationship while you are still using the Create a New Trust Wizard. You can go back and correct any problems you may have introduced to the trust in the Wizard and retest the trust before completing the Wizard and activating the trust relationship.

You can also choose to wait until later to verify the trust, or not verify the trust at all. You can let your users verify the trust in actual use. Using best practice procedures, you should test both sides of the trust inside the Wizard to avoid potential problems. You can also use the information you present in the Wizard to confirm how the trust is configured. You can verify the name of the domains you have set to establish a trust, the direction of the trust, and the trust type. You can verify that you have correctly created the trust authentication levels for both local and specified domains.

The Trust Selection Complete page of the Wizard appears.

22 Click Next.

The Trust Creation Complete page of the Wizard appears.

23 Click Next.

The Confirm Outgoing Trust page of the Wizard appears.

24 Click the Yes, confirm the outgoing trust option.

• You can click No when you want to delay confirming trusts until after you create a complex trust structure.

25 Click Next.


The Confirm Incoming Trust page of the Wizard appears.

26 Click the Yes, confirm the incoming trust option.

• You can click the No, do not confirm the outgoing trust option.

Note: For more on clicking these options, see the section “Create a Shortcut Trust.”

27 Click Next.

The Completing the New Trust Wizard page appears.

28 Click Finish.

Your trust relationship is not complete until authentication changes are replicated to all domain controllers in the forest.

Why would I choose to verify only one side of the trust but not the other?

You can verify only one side of the trust when the other domain administrator wants to verify the other side. You can also choose to verify only one side of the trust if you elect to create only one side of a trust in an External Trust. The New Trust Wizard offers you selections that you use when you create different kinds of trusts. The Confirm Outgoing Trust and Confirm Incoming Trust pages of the New Trust Wizard are where you can verify one, the other, or both sides of the trust.

On the Completing the New Trust Wizard page, why do asterisks appear before the domain names listed?

You have created an authentication situation where anyone in one domain may authenticate to any resource in another domain. In Windows Server 2003, one format used to authenticate to a domain is [email protected]. The asterisk (*) is a wildcard symbol that means any username that appears before the domain name is considered valid. In other words, [email protected] can authenticate as well as [email protected]. This permits any of your users, computers, or processes on the test.com domain to automatically access the trust without a separate logon process to the other domain.


Create a Shortcut Trust

You can create a shortcut trust that enables users and processes in one child domain to directly access users and resources in a child domain in a different branch of the same domain tree without using the trust relationship structure that goes through the parent domain. This allows your users to access processes faster than when using the traditional two-way transitive trust relationship. This is because the traditional relationship processes users’ resource queries up one branch of the domain tree, through the root, and down the other branch.

When you create a trust, even in the same tree, you are really creating an authentication process between the parent domain and each of the individual child domains. You are not aware of it because you created a trust that is automatically transitive and transparent. For example, the domain called engineers.research.microsoft.com needs to access the domain called programmers.development.microsoft.com. Each part of the namespace represents part of the authentication process that your users must traverse. You can create a path that allows engineers and programmers to trust each other as if they were the only two domains in the tree.

For more on transitive and transparent trusts, see the section “Understanding Active Directory Domains and Trusts.”

1 Click Start.

2 Click Administrative Tools.

3 Click Active Directory Domains and Trusts.

The Active Directory Domains and Trusts snap-in appears.

4 Right-click the domain name.

5 Click Properties.

The Domain Properties dialog box opens.

6 Click New Trust.


The New Trust Wizard appears.

7 Click Next.

The Trust Name page of the Wizard appears.

8 In the Name field, type the name of the other domain.

9 Click Next.

The Sides of Trust page of the Wizard appears.

10 Click the This domain only option.

11 Click Next.

How does the Create a New Trust Wizard know what kind of trust to create?

The Wizard uses your selections to determine which types of trusts to offer you. When you type the name of a child domain in the Wizard, you indicate the type of trust you want to create. The Wizard accesses the Active Directory domain tree topology, identifies the domain you have indicated is a child domain and determines that the only type of trust you can create is a shortcut trust. If you are not offered the expected type of trust when you run the Wizard, you must go back and determine if you met all the required conditions for this type of trust.

On the Trust Name page of the New Trust Wizard, why must I type the DNS name of the forest rather than the NetBIOS name?

You can use NetBIOS name resolution inside of a single domain or domain tree. The Windows Internet Name Server (WINS) can provide hostname to address resolution within the domain. You can use WINS servers in a single Windows domain to let hosts locate each other without the use of Domain Name Services (DNS) servers. Two or more forests are connected by WAN links including the Internet, and any traffic routed across Wide Area Networks requires DNS hostname to address resolution. If you do not use the DNS name of a forest for a forest trust, your domain will not be able to find the other domain.


Create a Shortcut Trust (Continued)

When you create a shortcut trust, you can verify your selections. Verifying the selections you make allows you to construct a correctly working shortcut trust the first time. By using the built-in checking features in the New Trust Wizard, you ensure that your users can use the trust and have it behave reliably as soon as you create it.

Although the two domains in the shortcut trust share a contiguous namespace, you create a shortcut trust with the Wizard in the same way you create any external trust. The shortcut trust is nontransitive and not automatically two-way because you bypass the two-way transitive features of the standard domain tree trust. While it might seem as if you can restrict access of one domain to the other by creating a one-way trust, both child domains are still part of the two-way transitive trust created when the domain tree was made. You must configure a password for the trust with this type of trust. The password is independent of the administrative password that accesses the parent or any of the child domains. The shortcut trust password is unique to the specific trust you create.

The Trust Password page of the Wizard appears.

12 Type the trust password.

13 Type the trust password again in the Confirm trust password field.

14 Click Next.

The Trust Selections Complete page of the Wizard appears.

15 Review the information.

16 Click Next.

The Trust Creation Complete page appears.

17 Review the information.

18 Click Next.


The Confirm Outgoing Trust page appears.

19 Click the No, do not confirm the outgoing trust option.

• You can also click the “Yes, confirm the outgoing trust” option.

Note: For more on this option, see the section “Create a Forest Trust.”

20 Click Next.

The Confirm Incoming Trust page appears.

21 Click the No, do not confirm the incoming trust option.

22 Click Next.

The Completing the New Trust Wizard page appears.

23 Click Finish.

Windows Server 2003 creates the shortcut trust.

When I create a shortcut trust between two child domains in the same domain tree, why do I have issues with security?

You do not create a shortcut trust to increase the level of security between two child domains in the same tree. While it is true that you do not have to create a two-way trust automatically between the two child domains using the shortcut trust, the primary purpose of the trust is to create a direct authentication link between two child domains that frequently access resources between their two domains. Even if you created a one-way shortcut trust, they still have a two-way transitive trust relationship because they belong to the same tree.

Why does Active Directory periodically change the shortcut trust password for me?

You can manage trust security manually by periodically changing the shortcut trust password, but Active Directory offers to do this task for you to ease your burden of administration. Active Directory has a similar feature where you specify the password account features for domain users. You can configure password accounts to automatically force users to change passwords at certain periods, enforce a high level of complexity in passwords and prevent users from using the same password too often. For more on configuring password accounts for domain users, and creating a user, see Chapter 5.


Validate a Trust

You can validate a trust after you initially create it to verify that the trust relationship functions properly or to diagnose a potential problem with the trust. You can use this simple method to establish the usability of a trust relationship between domains within the same tree or domains in two separate forests. Trusts are very complicated relationships and if you do not construct them carefully, you can have a nonworking trust.

There are times when you may create a trust between two domain trees in a forest or two separate domain forests and you decide not to validate the trust relationship. When you validate a trust between two domains, you are verifying the authentication set up between the domains.

You can also determine if a trust relationship, which was previously working, is no longer functioning properly. You first check the network connections between network subnets and separate network infrastructures to make sure that your domain controllers are all communicating. You then can investigate the trust relationship. Please note that you can use the validate a trust feature as the first step in solving a trust problem, but that function cannot repair any problem you find. Although the cause of a trust relationship problem can be widely varied, you can go back and verify that all of the prerequisite conditions for creating the trust have been met.

1 Click Start.

2 Click Administrative Tools.

3 Click Active Directory Domains and Trusts.

The Active Directory Domains and Trusts snap-in appears.

4 Right-click the domain name.

5 Click Properties.

The Domain Properties dialog box appears.

6 Click the trust you want to validate.

7 Click Properties.


The Trust Properties dialog box appears.

8 Click Validate.

[Figure: the Trust Properties dialog box for willis.local and the Active Directory authentication dialog box; callouts 8 to 13 mark the steps below.]

The Active Directory authentication dialog box appears.

9 Click the Yes, validate the incoming trust option to select it.

10 In the User name field, type the administrator logon name.

11 In the Password field, type the administrative password.

12 Click OK.

A trust validation message appears.

13 Click OK.

The trust relationship is verified.

Can I verify both sides of a trust relationship at the same time?

No. You can use the Domain Properties dialog box to choose either the incoming or the outgoing trust and then verify that trust. You cannot select both trust relationships at the same time. You can verify one trust direction and then the other, one after the other, while the Active Directory Domains and Trusts snap-in is open. You can also verify different sides of a trust at different times. For example, if you create a trust that users primarily access in one direction and not the other, you can verify only that one direction. If you later want to use the other direction, you can verify it then.

Do I have to have administrative privileges for the other domain in the trust to verify my outgoing trust?

No. You can verify the outgoing trust from your domain because you are already authenticated. You only need the credentials of the other domain's administrators to access their domain and to verify the incoming trust from them to you. When you verify your outgoing trust, a message appears asking if you also want to verify the incoming trust. You can verify the incoming trust, but you have to verify the outgoing trust in a separate request.
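The same validation from the command line, as an added example that is not from the book. It assumes you are on a domain controller of willis.local with administrative rights, that netdom.exe and nltest.exe are available (the Windows Server 2003 Support Tools; built in on later versions), and, for the last step only, the ActiveDirectory PowerShell module (Windows Server 2008 R2 and later). The domain names are the book's sample domains.

```powershell
# Added example, not the book's procedure: verify a trust from the command line.
# Assumptions: run on a DC of willis.local as a domain admin; netdom.exe and
# nltest.exe present; ActiveDirectory module present for step 4 (2008 R2+).
$TrustingDomain = 'willis.local'                # our domain (the side we administer)
$TrustedDomain  = 'development.willis.local'    # the other side of the trust

# 1. List every trust the domain knows about, with direction and type.
#    This is the same list the Domain Properties dialog box shows.
nltest /domain_trusts /all_trusts

# 2. Verify the secure channel our DC holds to the trusted domain. Both sides
#    must still agree on the trust password; this is what validating the
#    outgoing trust tests.
nltest /sc_verify:$TrustedDomain
if ($LASTEXITCODE -ne 0) {
    Write-Warning "Secure channel to $TrustedDomain failed; check DNS and network reachability before touching the trust itself."
}

# 3. Verify the trust relationship. Without /UserD and /PasswordD only our
#    outgoing side is checked; add the other domain's admin credentials to
#    verify the incoming side as well, the same two steps the dialog box uses.
netdom trust $TrustingDomain /domain:$TrustedDomain /verify

# 4. On Windows Server 2008 R2 or later, read the trust objects directly.
#    Useful for auditing many trusts at once: a forest trust with
#    SelectiveAuthentication False and SIDFilteringQuarantined False is the
#    widest possible scope and deserves a second look.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    Get-ADTrust -Filter * |
        Select-Object Name, Direction, IntraForest, ForestTransitive,
                      SelectiveAuthentication, SIDFilteringQuarantined |
        Format-Table -AutoSize
}
```

Run the secure-channel check first: if it fails, the problem is the network path or a mismatched trust password, and Validate in the snap-in will fail for the same reason. As the book notes, verifying repairs nothing; once the cause is found, resetting the trust password on both sides (`netdom trust ... /reset`) is the repair step.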


Change Authentication Scope of a Trust

You can construct or change a trust relationship between your domain and another domain entity so that the relationship is no longer domain-wide. Doing so restricts which users can reach secure resources through the trust. You can give a few users, or just one group or department, the authority to authenticate with the other domain through the trust relationship, so that most users on your domain cannot access resources in the other domain forest.

You can choose only between two forest trust authentication types. You can choose Forest-wide authentication, which is the preference for situations where both domain forests belong to the same organization. For example, Cisco owns Linksys, although both organizations maintain their own domain namespace. Cisco and Linksys benefit from having a forest trust.

You can choose Selective authentication when you want to create a forest trust between two completely separate and independently owned organizations. With this option, you can preserve the security of each organization, and you control exactly which resources on your domain you allow the other domain to access.

[Figure: the Administrative Tools menu and the Active Directory Domains and Trusts snap-in; callouts 1 to 5 mark the steps below.]

1 Click Start.

2 Click Administrative Tools.

3 Click Active Directory Domains and Trusts.

The Active Directory Domains and Trusts snap-in appears.

4 Right-click the domain name.

5 Click Properties.

The Domain Properties dialog box appears.

6 Click the trust you want to change.

7 Click Properties.

[Figure: the Domain Properties dialog box listing the external trust test.local (transitive No) and the Authentication tab of the Trust Properties dialog box; callouts 6 to 11 mark the steps below.]

The Trust Properties dialog box appears.

8 Click the Authentication tab.

9 Click the Selective authentication option to select it.

10 Click Apply.

11 Click OK.

The Authentication Scope is now changed.

How do I ensure that the specific users or groups designated to access the other domain forest can authenticate to that forest?

You can provide the specific authentication logon name and password only to those groups you want to have access. In order to do this, you must add the users or groups to the Access Control Lists (ACLs) of the services or resources you want them to access. When any of your domain users attempt to access the shares in the other domain forest, instead of automatically being authenticated, they see a logon screen. Users without access do not know the proper username and password to log on to the other domain forest through Selective authentication.

What if I want two different groups in my domain to have access only to separate resources in the other domain forest?

You can give both groups access to the selective authentication username and password credentials for the other forest's domain shares. In the Properties box for each resource you want a particular user or group to access, you must add that user or group to the Access Control List and set the permission level you want them to have. You can then set the access control list for each share in the other forest so that only the one selected group from your domain has any access to that share. For more on access permissions, see Chapter 11.
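The same change from the command line, together with the ACL step the answers above describe, as an added example that is not the book's. It assumes a domain controller of willis.local (the side whose resources are being protected), netdom.exe, and the ActiveDirectory PowerShell module (Windows Server 2008 R2 or later). test.local is the book's sample domain; the group name TEST\Partner-Engineers and the server name FILESRV01 are made up for the example. What selective authentication actually checks is the Allowed to Authenticate extended right on the computer object of the resource server, whose GUID is fixed by the schema.

```powershell
# Added example, not the book's procedure: switch a trust to selective
# authentication and let one group from the other forest authenticate to one
# server. Assumptions: run on a DC of willis.local as a domain admin; netdom.exe
# present; ActiveDirectory module present (2008 R2+). Group and server names are
# made up for this example.
$OurDomain    = 'willis.local'
$OtherDomain  = 'test.local'
$AllowedGroup = 'TEST\Partner-Engineers'   # group in the other forest (assumed name)
$ResourceHost = 'FILESRV01'                # server in our domain they may reach (assumed name)

# 1. Restrict the trust. From now on only principals explicitly granted
#    "Allowed to Authenticate" on a computer object in our domain can use it;
#    everyone else from the other forest gets a logon failure instead of
#    automatic pass-through authentication.
netdom trust $OurDomain /domain:$OtherDomain /SelectiveAuth:yes

Import-Module ActiveDirectory

# 2. Grant the Allowed-To-Authenticate extended right on the server's computer
#    object to the chosen group. The GUID is the schema's control access right
#    for Allowed-To-Authenticate.
$AllowedToAuthenticate = [guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'
$computer = Get-ADComputer -Identity $ResourceHost
$path     = "AD:\$($computer.DistinguishedName)"
$acl      = Get-Acl -Path $path
$identity = New-Object System.Security.Principal.NTAccount($AllowedGroup)
$rule     = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                $identity,
                [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
                [System.Security.AccessControl.AccessControlType]::Allow,
                $AllowedToAuthenticate)
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# 3. Read back: which principals may authenticate to this server across the
#    trust? This list is the real scope of the trust for that server and is
#    what a periodic audit should compare against the intended groups.
(Get-Acl -Path $path).Access |
    Where-Object { $_.ObjectType -eq $AllowedToAuthenticate -and $_.AccessControlType -eq 'Allow' } |
    Select-Object IdentityReference, IsInherited

# 4. Confirm the trust object now reports selective authentication.
Get-ADTrust -Identity $OtherDomain |
    Select-Object Name, Direction, ForestTransitive, SelectiveAuthentication
```

Granting the right on the computer object is what lets the book's chosen group through the logon prompt; the share and NTFS permissions on the server then decide what that group may open, which is the per-share ACL the second answer describes. Keeping the two layers separate is the point: a group can be allowed to authenticate to one file server and still see nothing on any other server in the domain.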
