Thursday, April 29, 2010

TRUST RELATIONSHIPS IN WINDOWS 2003 SERVER

Domain Trusts

The trust structure that was developed in Windows 2000 and is subsequently used in Windows .NET Server 2003 has been streamlined in comparison to the Windows NT trust structure. Windows NT trusts utilized individual, explicitly defined trusts for each organizational domain, so the number of trusts grew exponentially with the number of domains, which was difficult, to say the least, to manage. Windows 2000 took the trust relationship to a new level of functionality, with transitive trusts supplying automatic paths "up and down the tree." These trusts are inherently easier to understand and troubleshoot, and have greatly improved the manageability of Windows networks. In addition, Windows .NET Server 2003 provides additional functionality, such as cross-forest transitive trusts, which expands the capabilities of the NOS even further.

Transitive Trusts

Two-way transitive trusts are automatically established upon the creation of a subdomain or with the addition of a domain tree into an Active Directory forest. Transitive trusts are normally two-way, with each domain trusting the other domain. In other words, users in each domain can access resources such as printers or servers in the other domain if they are explicitly given rights in those domains. Bear in mind that just because two domains have a trust relationship does not mean that users from one domain can automatically access all the resources in the other domain; the trust is simply the first step in accessing those resources. The proper permissions still need to be applied.

Explicit Trusts

Explicit trusts are those that are set up manually, similar to the way that Windows NT trusts were constructed. A trust may be set up to join two unrelated domain trees into the same forest, for example. Explicit trusts are one-way, but two explicit trusts can be established to create a two-way trust.

When an explicit trust is set up to expedite the flow of trusts from one subdomain to another, it is known as a shortcut trust. Shortcut trusts simply allow authentication verifications to be processed faster, as opposed to having to move up and down a domain tree.

Another possible use for explicit trusts is to allow connectivity between an Active Directory forest and an external domain. These types of explicitly defined trusts are known as external trusts, and they allow different forests to share information without actually merging schema information or global catalogs.

NOTE

The capability to establish cross-forest trusts in Windows 2000 was limited to explicit trusts that were defined between each domain that needed access to a forest. Windows .NET Server 2003 adds the capability to establish cross-forest transitive trusts, where the trust relationships flow through separate forests.

Trust types

Communication between domains occurs through trusts. Trusts are authentication pipelines that must be present in order for users in one domain to access resources in another domain. Two default trusts are created when using the Active Directory Installation Wizard. There are four other types of trusts that can be created using the New Trust Wizard or the Netdom command-line tool.

Default trusts

By default, two-way, transitive trusts are automatically created when a new domain is added to a domain tree or forest root domain using the Active Directory Installation Wizard. The two default trust types are defined in the following table.

Trust type (transitivity, direction): description

Parent and child (transitive, two-way): By default, when a new child domain is added to an existing domain tree, a new parent and child trust is established. Authentication requests made from subordinate domains flow upward through their parent to the trusting domain.

Tree-root (transitive, two-way): By default, when a new domain tree is created in an existing forest, a new tree-root trust is established.

Other trusts

Four other types of trusts can be created using the New Trust Wizard or the Netdom command-line tool: external, realm, forest, and shortcut trusts. These trusts are defined in the following table.

Trust type (transitivity, direction): description

External (nontransitive, one-way or two-way): Use external trusts to provide access to resources located on a Windows NT 4.0 domain or a domain located in a separate forest that is not joined by a forest trust.

Realm (transitive or nontransitive, one-way or two-way): Use realm trusts to form a trust relationship between a non-Windows Kerberos realm and a Windows Server 2003 domain.

Forest (transitive, one-way or two-way): Use forest trusts to share resources between forests. If a forest trust is a two-way trust, authentication requests made in either forest can reach the other forest.

Shortcut (transitive, one-way or two-way): Use shortcut trusts to improve user logon times between two domains within a Windows Server 2003 forest. This is useful when two domains are separated by two domain trees.

When creating external, shortcut, realm, or forest trusts, you have the option to create each side of the trust separately or both sides of a trust simultaneously.

If you choose to create each side of the trust separately, then you will need to run the New Trust Wizard twice, once for each domain. When creating trusts using this method, you will need to supply the same trust password for each domain. As a security best practice, all trust passwords should be strong passwords.

If you choose to create both sides of the trust simultaneously, you will need to run the New Trust Wizard once. When you choose this option, a strong trust password is automatically generated for you.

You will need the appropriate administrative credentials for each domain between which you will be creating a trust.

Netdom.exe can also be used to create trusts.
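The "each side separately" procedure above, followed by the checks an administrator would run afterwards, as an added PowerShell example that is not part of the original post. It assumes placeholder names (corp.example as the local, trusting domain; partner.example as the external domain) and is run as a Domain Admin of corp.example.

```powershell
# Added example, not from the original post: create our side of a one-way
# external trust with Netdom, then enumerate and verify the domain's trusts
# through the .NET System.DirectoryServices.ActiveDirectory classes.
# Placeholder names: corp.example (local, trusting) and partner.example (trusted).
$ErrorActionPreference = 'Stop'
$local  = 'corp.example'
$remote = 'partner.example'

# Strong, random trust password for the one-sided method. The partner's
# administrator must supply the identical value when creating their side.
$bytes = New-Object byte[] 24
(New-Object System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($bytes)
$trustPassword = [Convert]::ToBase64String($bytes)

# Only the trusting side is created here, so only corp.example credentials
# are needed (/UserO, /PasswordO); "*" makes Netdom prompt for the password.
netdom trust $local /d:$remote /add /OneSide:trusting `
    /PasswordT:$trustPassword /UserO:"$local\Administrator" /PasswordO:*
if ($LASTEXITCODE -ne 0) { throw "netdom trust /add failed with exit code $LASTEXITCODE" }

# List every trust of the local domain with its direction, type and, for
# external and forest trusts, whether SID filtering is in effect.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
foreach ($t in $domain.GetAllTrustRelationships()) {
    $sidFiltering = 'n/a'
    if ($t.TrustType -eq 'External' -or $t.TrustType -eq 'Forest') {
        $sidFiltering = $domain.GetSidFilteringStatus($t.TargetName)
    }
    '{0} -> {1}: {2}, {3}, SID filtering={4}' -f `
        $t.SourceName, $t.TargetName, $t.TrustDirection, $t.TrustType, $sidFiltering
}

# Once the partner side exists, confirm the trust's secure channel end to end.
netdom trust $local /d:$remote /verify /UserO:"$local\Administrator" /PasswordO:*
```

The /verify step only succeeds after the partner domain's administrator has created their side with the same trust password.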

PANKAJ SHARMA

http://www.tech-o-matics.com/
