Planning Trust Relationships in a Windows Server Environment
By configuring a trust relationship, it's possible to allow users in one domain to access resources in another domain or forest. Windows Server 2003 also provides for an additional trust relationship within a forest, the shortcut trust, which is an extra trust between two domains in the same forest. Windows PKI also features built-in support for constrained PKI trust relationships, which let CA administrators qualify trust relationships.
Trust Relationships Within an Active Directory Forest

Active Directory in Windows 2000 introduced the concept of two-way transitive trusts that flow upward through the domain hierarchy toward the tree root domain and across the root domains of different trees in the same forest. This includes parent-child trusts between a parent domain and its child domains in the same tree, and tree-root trusts between the root domains of different trees in the same forest.
Because of this arrangement, administrators generally no longer need to configure trust relationships between domains in a single forest. Because the trusts are transitive, Domain A automatically trusts Domain C through Domain B once the A-B and B-C trusts exist. In addition, Windows Server 2003 provides for another trust relationship called a shortcut trust.
It is an additional trust relationship between two domains in the same forest, which optimizes the authentication process when a large number of users need to access resources in a different domain in the same forest. This capability is especially useful if the normal authentication path needs to cross several domains.
Suppose that users in the C. The authentication path must cross five domain boundaries to reach the C. If an administrator establishes a shortcut trust between the C. This is also true for shorter possible authentication paths such as C. This also facilitates the use of Kerberos when accessing resources located in another domain.
Interforest Trust Relationships

Whenever there is a need to access resources in a different forest, administrators have to configure trust relationships manually. Windows 2000 offers the capability to configure one-way, nontransitive trusts, with properties similar to those mentioned previously, between domains in different forests. You have to explicitly configure every trust relationship between each pair of domains in the different forests.
If you need a two-way trust relationship, you have to manually configure each half of the trust separately. Windows Server 2003 makes it easier to configure interforest trust relationships. In this section, we study these trust relationships. In a nutshell, for forests that are operating at the Windows Server 2003 forest functional level, you can configure trusts that enable two-way transitive trust relationships between all domains in the relevant forests.
If the forest is operating at any other functional level, you still need to configure explicit trusts as in Windows 2000. Windows Server 2003 introduces the following types of interforest trusts:

External trusts These nontransitive trusts are individual trust relationships set up between two domains in different forests, as can be done in Windows 2000; they can be one-way or two-way. The forests involved may be operating at any forest functional level. You can use this type of trust if you need to enable resource sharing only between specific domains in different forests. You can also use this type of trust relationship between an Active Directory domain and a Windows NT 4.0 domain.

Forest trusts As already mentioned, these trusts include complete trust relationships between all domains in the relevant forests, thereby enabling resource sharing among all domains in the forests.
The trust relationship can be either one-way or two-way. Both forests must be operating at the Windows Server 2003 forest functional level. The use of forest trusts offers several benefits: They simplify resource management between forests by reducing the number of external trusts needed for resource sharing. They provide a wider scope of UPN authentication, which can be used across the trusting forests. They provide increased administrative flexibility by enabling administrators to split collaborative delegation efforts with administrators in other forests.
Directory replication is isolated within each forest. Forestwide configuration modifications such as adding new domains or modifying the schema affect only the forest to which they apply, and not trusting forests.
They provide greater trustworthiness of authorization data. Administrators can use both the Kerberos and NTLM authentication protocols when authorization data is transferred between forests.

Realm trusts These are trusts that you can set up between an Active Directory domain and a non-Windows Kerberos V5 realm, such as those found in Unix and MIT Kerberos implementations. A realm trust can be one-way or two-way, and transitive or nontransitive.
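The following script, added here as an example and not part of the original text, lists the trusts of the current forest and domain and labels each one with the type, direction and transitivity described in this section. It uses the System.DirectoryServices.ActiveDirectory classes of the .NET Framework 2.0 and later, so it runs on Windows Server 2003 with PowerShell 2.0 as well as on newer versions. It assumes it is run as a domain user; reading the trustedDomain objects does not require administrative rights.

```powershell
Add-Type -AssemblyName System.DirectoryServices

function Get-TrustInventory {
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

    # Forest trusts are read at the forest level; everything else (parent-child,
    # tree-root, shortcut, external, realm) at the domain level. The two lists can
    # overlap, so duplicates are dropped on source/target/type.
    $seen   = @{}
    $trusts = @($forest.GetAllTrustRelationships()) + @($domain.GetAllTrustRelationships())
    foreach ($t in $trusts) {
        # TrustType values: TreeRoot, ParentChild, CrossLink (shortcut), External,
        # Forest, Kerberos (realm), Unknown
        $type = $t.TrustType.ToString()
        $key  = "$($t.SourceName)|$($t.TargetName)|$type"
        if ($seen.ContainsKey($key)) { continue }
        $seen[$key] = $true

        # Transitivity follows from the trust type, as the text explains: trusts
        # inside a forest and forest trusts are transitive, external trusts are
        # not, and a realm trust is whatever the administrator chose when creating it.
        $transitive = switch ($type) {
            'TreeRoot'    { 'yes' }
            'ParentChild' { 'yes' }
            'CrossLink'   { 'yes (shortcut)' }
            'Forest'      { 'yes' }
            'External'    { 'no' }
            'Kerberos'    { 'per trust (realm)' }
            default       { 'unknown' }
        }

        New-Object PSObject -Property @{
            Source     = $t.SourceName
            Target     = $t.TargetName
            Type       = $type
            # Direction is from the source's point of view: Outbound means the
            # source trusts the target, so the target's users can be authenticated
            # in the source domain. Values: Inbound, Outbound, Bidirectional.
            Direction  = $t.TrustDirection.ToString()
            Transitive = $transitive
        }
    }
}

Get-TrustInventory | Sort-Object Type, Target |
    Format-Table Source, Target, Type, Direction, Transitive -AutoSize
```

Run it in each forest you administer; an external trust that shows up as Bidirectional, or a trust to a forest you do not recognise, is the kind of finding this inventory is meant to surface before you add more trusts.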
Establishing Trust Relationships

This section examines creating two types of trust relationships with external forests: external trusts and forest trusts. We then look at the shortcut trust, which is the only configurable type of trust relationship between two domains in the same forest. Before you begin to create trust relationships, you need to be aware of several prerequisites: You must be a member of the Enterprise Admins group or the Domain Admins group in the forest root domain.
New to Windows Server 2003, you can also be a member of the Incoming Forest Trust Builders group in the forest root domain. This group has the right to create one-way, incoming forest trusts to the forest root domain.
If you hold this level of membership in both forests, you can set up both sides of an interforest trust at the same time. You must ensure that DNS is properly configured so that the forests can recognize each other.
In the case of a forest trust, both forests must be operating at the Windows Server 2003 forest functional level. Windows Server 2003 provides the New Trust Wizard to simplify the creation of all types of trust relationships. The following sections show you how to create these trust relationships. Know the variations of the procedures so that you can answer questions about troubleshooting problems related to interforest access as they relate to the options available when creating trusts.
In particular, be aware of the differences between the incoming and outgoing trust directions.

Creating an External Trust

Follow Step by Step 3. In the console tree, right-click your domain name and choose Properties to display the Properties dialog box for the domain. Select the Trusts tab. This tab contains fields listing domains trusted by this domain and domains that trust this domain. Initially these fields are blank, as in Figure 3. Click New Trust to start the New Trust Wizard, and then click Next. On the Trust Name page, type the name of the domain with which you want to create a trust relationship, see Figure 3. On the Trust Type page, shown in Figure 3., select External Trust and then click Next. The Direction of Trust page, shown in Figure 3., offers three choices:

Two-way Creates a two-way trust. This type of trust allows users in both domains to be authenticated in each other's domain.
One-way: incoming Users in your domain can be authenticated in the other domain. Users in the other domain cannot be authenticated in your domain.
One-way: outgoing Users in the other domain can be authenticated in your domain. Users in your domain cannot be authenticated in the other domain.

Select a choice according to your network requirements and then click Next.
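The script below is an added example, not part of the original procedure, that does from a script what the wizard steps above do interactively: it checks that DNS can locate the partner domain's domain controllers and that the caller holds Domain Admins membership, creates this domain's side of an external trust with the chosen direction, and provides a check to run afterwards. It uses the System.DirectoryServices.ActiveDirectory API (.NET 2.0 and later). The partner name 'partner.example' and the trust password are placeholders; as with the wizard's "this domain only" choice, the partner domain's administrator must create the other half with the same password.

```powershell
Add-Type -AssemblyName System.DirectoryServices

function Test-TrustPrerequisites {
    param([string]$Partner)
    # DNS: Active Directory locates the partner's domain controllers through this
    # SRV record. If it does not resolve, trust creation fails because the partner
    # domain cannot be contacted; add a conditional forwarder or stub zone for the
    # partner domain first.
    $dns = (& nslookup -type=SRV "_ldap._tcp.dc._msdcs.$Partner" 2>&1) -join "`n"
    if ($dns -notmatch 'svr hostname') {
        throw "DNS cannot locate domain controllers for $Partner"
    }
    # Rights: Domain Admins of this domain, checked by its well-known SID (RID 512)
    # so the test does not depend on the group's display name. Enterprise Admins of
    # the forest root also qualifies; that membership is not checked here.
    $id   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $user = New-Object System.Security.Principal.WindowsPrincipal($id)
    $da   = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList ([System.Security.Principal.WellKnownSidType]::AccountDomainAdminsSid), $id.User.AccountDomainSid
    if (-not $user.IsInRole($da)) {
        throw "Run as a member of Domain Admins (current user: $($id.Name))"
    }
}

function New-ExternalTrustLocalSide {
    param(
        [string]$Partner,
        [ValidateSet('Inbound', 'Outbound', 'Bidirectional')][string]$Direction,
        [string]$TrustPassword
    )
    $local = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    # Creates this domain's half of a domain-to-domain (external, nontransitive)
    # trust. Direction is from our point of view and maps to the wizard page:
    #   Outbound      = "One-way: outgoing" (users in the partner are authenticated here)
    #   Inbound       = "One-way: incoming" (our users are authenticated in the partner)
    #   Bidirectional = "Two-way"
    $dir = [System.DirectoryServices.ActiveDirectory.TrustDirection]$Direction
    $local.CreateLocalSideOfTrustRelationship($Partner, $dir, $TrustPassword)
}

function Test-ExternalTrust {
    param([string]$Partner, [string]$Direction)
    $local = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $info  = $local.GetTrustRelationship($Partner)   # throws if no trust object exists for the partner
    if ("$($info.TrustType)" -ne 'External') {
        throw "Trust to $Partner is of type $($info.TrustType), not External"
    }
    # Only the outbound half can be checked from here, because that needs a secure
    # channel to the partner's domain controllers; the inbound half is checked
    # from the partner domain.
    if ($Direction -ne 'Inbound') { $local.VerifyOutboundTrustRelationship($Partner) }
    return $info
}

# Usage with placeholder values. Run Test-ExternalTrust only after the partner
# administrator has created the other half with the same password.
$partner = 'partner.example'
Test-TrustPrerequisites -Partner $partner
$secret = Read-Host 'Trust password (agree it with the partner administrator out of band)'
New-ExternalTrustLocalSide -Partner $partner -Direction Outbound -TrustPassword $secret
# Test-ExternalTrust -Partner $partner -Direction Outbound |
#     Format-List SourceName, TargetName, TrustType, TrustDirection
```

The direction check matters more than it looks: choosing Bidirectional where you only needed to let partner users into your resources also lets the partner authenticate your accounts, which is exactly the one-way-per-half discipline the wizard's "incoming" and "outgoing" choices are there to preserve.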
The Sides of Trust page, shown in Figure 3.

Therefore, Windows creates an automatic trust relationship between every domain in a forest and every other domain in the forest. Since every domain automatically trusts every other domain, you might assume that there is no reason for anyone to ever run into a situation like my nightmare with the Army again, as long as all of the domains are Active Directory based.
In a way, this is true. If I were working for the Army today, it is certainly conceivable that I could create a forest that spans the entire base.
Each unit could still maintain its own domain, but the domain would be a part of the forest, and forest-wide trust relationships would be automatically created. In fact, I know of several large companies that have their networks configured in exactly that way. For example, consider my earlier example with the Army. A forest that spans the entire base would not be appropriate in that situation because of the fact that many of the units deal with classified information.
Just to be perfectly clear, I want to point out that having one domain trust another domain does not automatically give users in the trusted domain access to any of the resources in the trusting domain. Even so, a forest that spans an entire Army base would not be appropriate for the military because the Army would not want to risk having an Administrator grant permissions to access classified materials to someone in a different domain, either intentionally or maliciously.
OK, so the Army has a lot of picky rules and red tape, so what about a corporation? Well, there are even situations in the corporate world in which a company-wide forest is a bad idea.
Imagine for a moment that you work for a large company with offices in many different cities. It might even seem logical. Keep in mind though that the feasibility of such a design all boils down to trust. One day you get a phone call from the corporate headquarters and they want you to grant access to a particular file share to the Marketing group in the Las Vegas, Nevada office.
Remember that the Las Vegas office consists of an independent domain over which you have absolutely no control. The best that you can do is to hope that the network administrator in Las Vegas would not make someone who would do harm to your resources a member of the Marketing group.
Windows NT 4.0 trusts were one-way, non-transitive trusts. Non-transitive means that if domain A trusts domain B, and domain B trusts domain C, domain A does not thereby trust domain C.
One-way means that only one domain is trusted: it has the accounts to which the other domain wants to give access. If domain A trusts domain C, then domain C is said to be trusted and domain A to be trusting. Domain A can grant file access to users and groups in the C domain. Because the trust is one-way, a second trust (domain C trusting domain A) has to be created so that domain C can give resource access to users and groups from domain A. These two features, one-way and non-transitive, meant that many organizations had to create and manage hundreds of trust relationships.
Windows 2000

In a Windows 2000 forest, no domain is an island. All domains are universally connected via Kerberos-style transitive trusts. But what if you need to grant access to your domain resources to users in an NT domain or to those in another forest? Those trust relationships are NT-style trusts: non-transitive, one-way, no Kerberos. If users from multiple domains in forest A require access to resources in forest B, multiple external trusts must be made.
If multiple trusts are required, we begin to have the same problem as with NT trusts: lots of management, lots of pain, and diagrams blackened with arrows representing the relationships.
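To make the difference concrete, here is a small model of the trust graphs discussed in this section and in the shortcut-trust section earlier. It is an added example, not code from the original text. A trust is modelled as an edge from the trusting domain to the trusted domain. The model shows why a full mesh of NT 4.0-style one-way, non-transitive trusts needs n(n-1) trusts, why a forest built from two-way transitive parent-child trusts needs only n-1 trusts, and how a shortcut trust shortens the referral path between two domains deep in different trees. The domain names are constructed for the example.

```powershell
# Adds a one-way trust (or both halves of a two-way trust) to the model.
# $Trusts maps each trusting domain to the list of domains it trusts.
function Add-Trust {
    param([hashtable]$Trusts, [string]$Trusting, [string]$Trusted, [switch]$TwoWay)
    if (-not $Trusts.ContainsKey($Trusting)) { $Trusts[$Trusting] = @() }
    if ($Trusts[$Trusting] -notcontains $Trusted) { $Trusts[$Trusting] += $Trusted }
    if ($TwoWay) { Add-Trust -Trusts $Trusts -Trusting $Trusted -Trusted $Trusting }
}

# Number of one-way trust relationships that have to be created and managed.
function Get-TrustCount {
    param([hashtable]$Trusts)
    $n = 0
    foreach ($k in $Trusts.Keys) { $n += @($Trusts[$k]).Count }
    return $n
}

# Number of trust hops the authentication referral crosses from the domain that
# holds the resource to the domain that holds the account, or -1 if there is no path.
function Get-TrustHops {
    param([hashtable]$Trusts, [string]$ResourceDomain, [string]$AccountDomain, [switch]$Transitive)
    if (-not $Transitive) {
        # NT 4.0 or external trust: only a direct trust counts
        if (@($Trusts[$ResourceDomain]) -contains $AccountDomain) { return 1 } else { return -1 }
    }
    # Transitive (Kerberos-style) trust: breadth-first search over the trust graph
    $dist  = @{ $ResourceDomain = 0 }
    $queue = New-Object System.Collections.Queue
    $queue.Enqueue($ResourceDomain)
    while ($queue.Count -gt 0) {
        $d = $queue.Dequeue()
        if ($d -eq $AccountDomain) { return $dist[$d] }
        foreach ($next in @($Trusts[$d])) {
            if (-not $dist.ContainsKey($next)) {
                $dist[$next] = $dist[$d] + 1
                $queue.Enqueue($next)
            }
        }
    }
    return -1
}

$domains = 'corp.example', 'a.corp.example', 'x.a.corp.example', 'b.corp.example', 'y.b.corp.example'

# NT 4.0 style: every domain must trust every other domain directly
$nt = @{}
foreach ($p in $domains) { foreach ($q in $domains) { if ($p -ne $q) { Add-Trust $nt $p $q } } }
"NT mesh of $($domains.Count) domains: $(Get-TrustCount $nt) one-way trusts to manage"
"x.a -> y.b, non-transitive: $(Get-TrustHops $nt 'x.a.corp.example' 'y.b.corp.example') hop(s), only because a direct trust exists"

# Forest: two-way transitive parent-child trusts only, created automatically
$forest = @{}
Add-Trust $forest 'corp.example'   'a.corp.example'   -TwoWay
Add-Trust $forest 'a.corp.example' 'x.a.corp.example' -TwoWay
Add-Trust $forest 'corp.example'   'b.corp.example'   -TwoWay
Add-Trust $forest 'b.corp.example' 'y.b.corp.example' -TwoWay
"Forest of $($domains.Count) domains: $(($domains.Count - 1)) two-way trusts ($(Get-TrustCount $forest) one-way halves)"
"x.a -> y.b, transitive: $(Get-TrustHops $forest 'x.a.corp.example' 'y.b.corp.example' -Transitive) hops via a, corp and b"
"x.a -> y.b, if the same trusts were non-transitive: $(Get-TrustHops $forest 'x.a.corp.example' 'y.b.corp.example') (no path)"

# Shortcut trust between the two deep domains: the referral path becomes direct
Add-Trust $forest 'x.a.corp.example' 'y.b.corp.example' -TwoWay
"x.a -> y.b, with shortcut trust: $(Get-TrustHops $forest 'x.a.corp.example' 'y.b.corp.example' -Transitive) hop"
```

Get-TrustHops with -Transitive is the same search a Kerberos client performs when it walks referrals toward the account domain, which is why a shortcut trust, one extra edge, collapses a four-hop path to one, and why an external trust, evaluated without -Transitive, never lets a third domain ride along.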
A Better Trust Model

Windows Server 2003 addresses both of these problems: it provides complete, Kerberos-style, transitive trusts between two forests, and it provides the ability to limit what the trust means, both in the forest trust and in the external trust.