- Introduction
- Active Directory Trust Relationships
- Active Directory Forest and Domain Structure
- Active Directory Site Topology
- Chapter Summary
Active Directory Trust Relationships
Implement an Active Directory directory service forest and domain structure.
-
Establish trust relationships. Types of trust relationships might include external trusts, shortcut trusts, and crossforest trusts.
Prospects of globalization and international commerce have increased the possibility of companies operating multiforest network enterprise structures. Before we look at the intricacies of interforest trusts, we briefly review trust relationships as they exist within a single forest.
Before we look at the intricacies of Windows 2000 and interforest trusts, we will briefly review trust relationships as they existed within NT 4.0. Those of you who are upgrading from Windows NT 4.0 will be familiar with the trust relationships used to allow users in one domain to access resources in another domain. Basically, you could configure one domain to trust another one so that users in the second domain could access resources in the first one. Windows NT 4.0 did not create any trust relationships by itself; administrators in both the trusting and trusted domains had to configure every trust relationship. The domain where the resources are located is referred to as the trusting or resource domain, and the domain where the accounts are kept is referred to as the trusted or accounts domain.
Some characteristics of trust relationships in Windows NT 4.0 follow:
-
In a one-way trust relationship, the trusting domain makes its resources available to the trusted domain (see Figure 3.1). With the appropriate permissions, a user from the trusted domain can access resources on the trusting domain. However, users in the trusting domain are unable to access resources in the trusted domain, unless a two-way trust is set up.
-
A trust relationship exists between only two domains. Each trust relationship has just one trusting domain and just one trusted domain.
-
A two-way trust relationship between domains is simply the existence of two one-way trusts in opposite directions between the domains.
-
In Windows NT 4.0, trust relationships were not transitive; that is, if Domain A trusts Domain B and Domain B trusts Domain C, these relationships do not mean that Domain A automatically trusts Domain C. To have such a relationship, a third trust relationship must be set up whereby Domain A trusts Domain C (see Figure 3.2).
Figure 3.1 In a one-way trust relationship, the trusting domain holds the resources that users in the trusted domain need to access.
Trust Relationships Within an Active Directory Forest
Active Directory in Windows 2000 introduced the concept of two-way transitive trusts that flow upward through the domain hierarchy toward the tree root domain and across root domains of different trees in the same forest. This includes parent-child trusts between parent and child domains of the same tree and tree root trusts between the root domains of different trees in the same forest. Because of this arrangement, administrators in general no longer need to configure trust relationships between domains in a single forest.
NOTE
Managing Trust Relationships You should be aware that only members of the Domain Admins group can manage trusts.
Figure 3.2 If Domain A trusts Domain B and Domain B trusts Domain C in a nontransitive trust, Domain A does not trust Domain C. In a transitive trust relationship, Domain A automatically trusts Domain C through Domain B when the other two trusts are created.
In addition, Windows Server 2003 provides for another trust relationship called a shortcut trust. It is an additional trust relationship between two domains in the same forest, which optimizes the authentication process when a large number of users need to access resources in a different domain in the same forest. This capability is especially useful if the normal authentication path needs to cross several domains. Consider Figure 3.3 as an example.
Figure 3.3 Shortcut trusts are useful if the authentication path to another domain in the forest has to cross several domain boundaries.
Suppose that users in the C.A.A.com domain need to log on to the C.B.B.com domain, which is located in the second tree of the same forest. The authentication path must cross five domain boundaries to reach the C.B.B.com domain. If an administrator establishes a shortcut trust between the C.A.A.com and C.B.B.com domains, the logon process is speeded up considerably. This is also true for shorter possible authentication paths such as C.A.A.com to B.A.com or B.A.com to B.B.com. This also facilitates the use of Kerberos when accessing resources located in another domain.
Interforest Trust Relationships
Whenever there is need for accessing resources in a different forest, administrators have to configure trust relationships manually. Windows 2000 offers the capability to configure one-way, nontransitive trusts with similar properties to those mentioned previously, between domains in different forests. You have to explicitly configure every trust relationship between each domain in the different forests. If you need a two-way trust relationship, you have to manually configure each half of the trust separately.
Windows Server 2003 makes it easier to configure interforest trust relationships. In this section, we study these trust relationships. In a nutshell, for forests that are operating at the Windows Server 2003 forest functional level, you can configure trusts that enable two-way transitive trust relationships between all domains in the relevant forests. If the forest is operating at any other functional level, you still need to configure explicit trusts as in Windows 2000.
Windows Server 2003 introduces the following types of interforest trusts:
-
External trusts These one-way trusts are individual trust relationships set up between two domains in different forests, as can be done in Windows 2000. The forests involved may be operating at any forest functional level. You can use this type of trust if you need to enable resource sharing only between specific domains in different forests. You can also use this type of trust relationship between an Active Directory domain and a Windows NT 4.0 domain.
-
Forest trusts As already mentioned, these trusts include complete trust relationships between all domains in the relevant forests, thereby enabling resource sharing among all domains in the forests. The trust relationship can be either one-way or two-way. Both forests must be operating at the Windows Server 2003 forest functional level. The use of forest trusts offers several benefits:
-
They simplify resource management between forests by reducing the number of external trusts needed for resource sharing.
-
They provide a wider scope of UPN authentications, which can be used across the trusting forests.
-
They provide increased administrative flexibility by enabling administrators to split collaborative delegation efforts with administrators in other forests.
-
Directory replication is isolated within each forest. Forestwide configuration modifications such as adding new domains or modifying the schema affect only the forest to which they apply, and not trusting forests.
-
They provide greater trustworthiness of authorization data. Administrators can use both the Kerberos and NTLM authentication protocols when authorization data is transferred between forests.
-
Realm trusts These are one-way nontransitive trusts that you can set up between an Active Directory domain and a Kerberos V5 realm such as found in Unix and MIT implementations.
Establishing Trust Relationships
This section examines creating two types of trust relationships with external forests: external trusts and forest trusts. We then look at the shortcut trust, which is the only configurable type of trust relationship between two domains in the same forest.
Before you begin to create trust relationships, you need to be aware of several prerequisites:
You must be a member of the Enterprise Admins group or the Domain Admins group in the forest root domain. New to Windows Server 2003, you can also be a member of the Incoming Forest Trust Builders group on the forest root domain. This group has the rights to create one-way, incoming forest trusts to the forest root domain. If you hold this level of membership in both forests, you can set up both sides of an interforest trust at the same time.
You must ensure that DNS is properly configured so that the forests can recognize each other.
In the case of a forest trust, both forests must be operating at the Windows Server 2003 forest functional level.
Windows Server 2003 provides the New Trust Wizard to simplify the creation of all types of trust relationships. The following sections show you how to create these trust relationships.
TIP
Trust Creation Can Be Tricky! Know the variations of the procedures so that you can answer questions about the troubleshooting of problems related to interforest access as they relate to the options available when creating trusts. In particular, be aware of the differences between the incoming and outgoing trust directions
Creating an External Trust
Follow Step by Step 3.1 to create an external trust with a domain in another forest or a Windows NT 4.0 domain.
STEP BY STEP
3.1 Creating an External Trust
-
Click Start, Administrative Tools, Active Directory Domains and Trusts to open the Active Directory Domains and Trusts snap-in.
-
In the console tree, right-click your domain name and choose Properties to display the Properties dialog box for the domain.
-
Select the Trusts tab. This tab contains fields listing domains trusted by this domain and domains that trust this domain. Initially these fields are blank, as in Figure 3.4.
-
Click New Trust to start the New Trust Wizard, as shown in Figure 3.5.
-
Click Next, and on the Trust Name page, type the name of the domain with which you want to create a trust relationship (see Figure 3.6). Then click Next.
-
The Trust Type page, shown in Figure 3.7, offers you a choice between an external trust and a forest trust. Select External Trust and then click Next.
-
The Direction of Trust page, shown in Figure 3.8, offers you a choice of the following three types of trusts:
-
Two-way Creates a two-way trust. This type of trust allows users in both domains to be authenticated in each other's domain.
-
One-way: incoming Creates a one-way trust in which users in your (trusted) domain can be authenticated in the other (trusting) domain. Users in the other domain cannot be authenticated in your domain.
-
One-way: outgoing Creates a one-way trust that users in the other (trusted) domain can be authenticated in your (trusting) domain. Users in your domain cannot be authenticated in the other domain.
-
Select a choice according to your network requirements and then click Next.
-
The Sides of Trust page, shown in Figure 3.9, allows you to complete both sides of the trust if you have the appropriate permissions in both domains. If this is so, select Both This Domain and the Specified Domain. Otherwise, select This Domain Only and then click Next.
-
If you selected This Domain Only on the Sides of Trust page, the Trust Password page appears, asking for a password for the trust. You must specify the same password when creating the trust in the other domain. Type and confirm a password that conforms to password security guidelines, click Next, and then skip to step 13. Ensure that you remember this password.
-
If you selected Both This Domain and the Specified Domain on the Sides of Trust page, the Outgoing Trust PropertiesLocal Domain page, shown in Figure 3.10, offers the following two choices in the scope of authentication for users in the trusted domain:
-
Domain-Wide Authentication This option authenticates users from the trusted domain for all resources in the local domain. Microsoft recommends this option only for trusts within the same organization.
-
Selective Authentication This option does not create any default authentication. You must grant access to each server that users need to access. Microsoft recommends this option for trusts that involve separate organizations, such as contractor relationships.
-
Select the appropriate type of authentication and then click Next.
-
The Trust Selections Complete page displays a list of the options that you have configured (see Figure 3.11). Review these settings to ensure that you have made the correct selections. If any settings are incorrect, click Back and correct them. Then click Next.
-
The Trust Creation Complete page informs you that the trust relationship was successfully created. Click Next to finish the process.
-
The Confirm Outgoing Trust page asks whether you want to confirm the outgoing trust (see Figure 3.12). If you have configured the trust from the other side, click Yes, Confirm the Outgoing Trust. Otherwise, click No, Do Not Confirm the Outgoing Trust. Then click Next.
-
The Confirm Incoming Trust page asks whether you want to confirm the incoming trust. Choices are the same as on the previous page. If you want to confirm this trust, enter a username and password for an administrator account in the other domain.
-
The Completing the New Trust Wizard page verifies the confirmation of the trust from the other side. Click Finish.
-
You are returned to the Trusts tab of the domain's Properties dialog box (see Figure 3.13). The name of the domain with which you configured the trust now appears in one or both of the fields according to the trust type you created. Click OK to close this dialog box.
Figure 3.4 You can manage trusts from the Trusts tab of a domain's Properties dialog box.
Figure 3.5 You can create new trust relationships by using the New Trust Wizard.
Figure 3.6 On the Trust Name page, you can enter the DNS or NetBIOS name of the domain with which you want to create a trust.
Figure 3.7 You can select the trust type required from the Trust Type page.
Figure 3.8 The Direction of Trust page offers you options for creating one-way or two-way trusts.
Figure 3.9 The Sides of Trust page enables you to complete both sides of the trust if you have the appropriate permissions.
Figure 3.10 The Outgoing Trust Authentication Level-Local Domain page provides two choices of authentication scope for users in the trusted domain.
Figure 3.11 The Trust Selections Complete page displays a review of the trust settings you have specified.
Figure 3.12 The Confirm Outgoing Trust page provides a chance to confirm the other side of the trust.
Figure 3.13 After you have created the trust relationship, the Trusts tab of the domain's Properties dialog box shows the name of the trusted domain together with the trust type and transitivity.
Creating a Forest Trust
Recall that this type of trust can be created only between two Active Directory forests that are both operating at the Windows Server 2003 forest functional level. Follow Step by Step 3.2 to create a forest trust.
STEP BY STEP
3.2 Creating a Forest Trust
-
Make sure that the forest functional level of both forests is set to Windows 2003. See Chapter 2, "Planning and Implementing an Active Directory Infrastructure," for details.
-
Follow steps 15 of Step by Step 3.1 to access the Trust Name page of the New Trust Wizard.
-
Type the name of the forest root domain with which you want to create a trust and then click Next.
-
On the Trust Type page, select Forest Trust and then click Next.
-
On the Direction of Trust page, select the appropriate direction for the trust and then click Next.
-
On the Sides of Trust page, specify whether you want to create the trust for this domain only or for both this domain and the specified domain, and then click Next.
-
If you are creating the trust for both forests, specify a username and password for the specified forest and then click Next. If you are creating the trust for this forest only, specify a trust password, which the administrator in the other forest will need to specify to complete the creation of the trust for her forest. Then click Next.
-
The Outgoing Trust Authentication LevelLocal Forest page, shown in Figure 3.14, provides two choices that are similar to those provided by the Outgoing Trust Authentication LevelLocal Domain page. Make a choice and then click Next.
-
The Trust Selections Complete page displays a list of the options that you have configured (refer to Figure 3.11). Review these settings to ensure that you have made the correct selections. If any settings are incorrect, click Back and correct them. Then click Next.
-
The Trust Creation Complete page informs you that the trust relationship was successfully created. Click Next to finish the process.
-
The Confirm Outgoing Trust page asks whether you want to confirm the outgoing trust (refer to Figure 3.12). If you have configured the trust from the other side, click Yes, Confirm the Outgoing Trust. Otherwise, click No, Do Not Confirm the Outgoing Trust. Then click Next.
-
The Confirm Incoming Trust page asks whether you want to confirm the incoming trust. Choices are the same as on the previous page. If you want to confirm this trust, enter a username and password for an administrator account in the other forest.
-
The Completing the New Trust Wizard page verifies the confirmation of the trust from the other side. Click Finish.
-
You are returned to the Trusts tab of the domain's Properties dialog box (refer to Figure 3.13). The name of the domain with which you configured the trust now appears in one or both of the fields according to the trust type you created. Click OK to close this dialog box.
Figure 3.14 The Outgoing Trust Authentication LevelLocal Forest page provides two choices of authentication scope for users in the trusted forest.
Creating a Shortcut Trust
Recall that this type of trust can be created between child domains in the same forest to expedite crossdomain authentication or resource access. Follow Step by Step 3.3 to create a shortcut trust relationship.
STEP BY STEP
3.3 Creating a Shortcut Trust
In Active Directory Domains and Trusts, right-click your domain and choose Properties.
On the domain's Properties dialog box, select the Trusts tab and click New Trust to start the New Trust Wizard.
Click Next, and on the Trust Name and Password page, type the DNS name or NetBIOS name of the domain with which you want to establish a shortcut trust and then click Next.
-
On the Direction of Trust page (refer to Figure 3.8), choose the appropriate option (two-way, one-way incoming, or one-way outgoing) and then click Next.
On the Sides of Trust page, specify whether you want to create the trust for this domain only or for both this domain and the specified domain, and then click Next.
If you are creating the trust for both domains, specify a username and password for an administrator account in the specified domain. If you are creating the trust for this domain only, specify a trust password, which the administrator in the other domain will need to specify to complete the creation of the trust for her domain. Then click Next.
-
The Trust Selections Complete page displays a summary of the settings you have entered (refer to Figure 3.11). Click Back if you need to make any changes to these settings. Then click Next to create the trust.
The Trust Creation Complete page informs you that the trust relationship was successfully created. Click Next to configure the trust.
The Confirm Outgoing Trust page asks whether you want to confirm the other side of the trust. If you have created both sides of the trust, click Yes. Otherwise, click No and then click Next.
The Confirm Incoming Trust page asks whether you want to confirm the incoming trust. Choices are the same as on the previous page. If you want to confirm this trust, enter a username and password for an administrator account in the other domain.
-
The Completing the New Trust Wizard page informs you that you have created the trust. Click Finish to return to the Trusts tab of the domain's Properties dialog box (refer to Figure 3.13). The name of the domain with which you configured the trust now appears in one or both of the fields according to the trust type you created. Click OK to close this dialog box.
If you have created only one side of the trust, an administrator in the other domain needs to repeat this procedure to create the trust from her end. She will need to enter the trust password you specified in this procedure.
A Separate Research Forest
A major aircraft manufacturer landed a contract with NASA to design one module of a prototype spacecraft for a manned Mars mission. Realizing that the research necessary to complete this project successfully required a high level of security, management asked the senior network administrator to set up a separate forest in the organization's Windows Server 2003 Active Directory design.
For the project to succeed, researchers needed access to certain data stored in the organization's existing forest. Their user accounts would be in the new forest. Users in the existing forest did not need to access data in the research forest. The administrator had to choose a trust model that would enable the appropriate levels of access.
With these needs in mind, the administrator decided to implement a one-way external trust relationship in which the existing forest trusted the research forest. It was then possible to place the researchers who needed access into a group that could be granted access to the appropriate resources in the existing forest. Because the trust relationship was one-way, no access in the opposite direction was possible. We take a further look at the use of groups to grant crossforest access in Chapter 6, "Implementing User, Computer, and Group Strategies."
Managing Trust Relationships
After you have created a crossforest trust, the following limited set of configuration options is available from the trust's Properties dialog box:
Validate trust relationships This option enables you to verify that a trust has been properly created and that the forests can communicate with each other.
Change the authentication scope This option enables you to change the selection of domainwide authentication or selective authentication that you made during creation of the trust, should you need to modify access control to the trusting forest's resources.
Configure name suffix routing This option provides a mechanism that you can use to specify how authentication requests are routed across Windows Server 2003 forests. It is available only when forest trusts are used.
Validating Trust Relationships
To access the trust's Properties dialog box and validate a trust relationship, follow Step by Step 3.4.
STEP BY STEP
3.4 Validating a Trust Relationship
-
In Active Directory Domains and Trusts, right-click your domain name and choose Properties.
-
On the Trusts tab of the domain's Properties dialog box, select the name of the other domain or forest and click Properties.
-
This action displays the trust's Properties dialog box, as shown in Figure 3.15.
-
To validate the trust relationship, click Validate.
-
If the trust is in place and active, you receive a confirmation message box, as shown in Figure 3.16. Otherwise, you receive an error message, such as the one in Figure 3.17.
Figure 3.15 The General tab of the Properties dialog box of the other domain provides information on the trust's properties.
Figure 3.16 This message box informs you that the trust is valid.
Figure 3.17 If the trust cannot be validated, an error message such as this informs you of the problem.
Changing the Authentication Scope
Follow Step by Step 3.5 to change the authentication scope that you set when you create the trust.
STEP BY STEP
3.5 Changing the Authentication Scope of a Trust Relationship
-
Select the Authentication tab of the trust's Properties dialog box, as shown in Figure 3.18.
Select either Domain-Wide Authentication or Selective Authentication (as already described in Step by Step 3.1) and then click OK.
Figure 3.18 The Authentication tab of a trust's Properties dialog box allows you to change the trust's authentication scope.
Configuring Name Suffix Routing
When you initially create a forest trust, all unique name suffixes are routed by default. A unique name suffix is a name suffix within a forest, such as a User Principal Name (UPN) suffix, Service Principal Name (SPN) suffix, or domain name system (DNS) forest or tree name that is not subordinate to any other name suffix. For example, the DNS forest name quepublishing.com is a unique name suffix within the quepublishing.com forest. Consequently, name suffixes in one forest do not exist in another forest.
Name suffix routing is a mechanism that can manage the routing of authentication requests across Windows Server 2003 forests that are connected by forest trust relationships. It enables name suffixes that do not exist in one forest to be used to route authentication requests to another forest. This includes child name suffixes. As a result, when you view name suffixes in the Name Suffix Routing tab of the domain's Properties dialog box, as shown in Figure 3.19, they are prefixed by * to indicate that they refer to the parent domain and all child domains. If you add new child domains to either forest, they automatically inherit the name suffix routing properties of other domains in the forest. After you add a new name suffix and validate the trust, it appears on the Name Suffixes tab with a status (shown on the Routing column) of Disabled. The Status column indicates New for a newly created name suffix.
Figure 3.19 The Name Suffix Routing tab of a trust's Properties dialog box allows you to enable or disable name suffix routing between forests.
You may need to disable name suffix routing to prevent certain authentication requests from flowing across the forest trust. You may also need to enable name suffix routing for additional name suffixes you have created or to exclude a child name suffix from routing. Follow Step by Step 3.6 to configure these name suffix routing options.
STEP BY STEP
3.6 Configuring Name Suffix Routing
-
On the Name Suffix Routing tab of the trust's Properties dialog box, select the suffix whose routing status is to be changed and then click Enable or Disable as required.
-
The routing status in the Routing column changes. In the case of enabling a new name suffix routing, the New entry disappears from the Status column.
-
To exclude a child name suffix from routing, select the parent suffix and click Edit to display the Edit domain name dialog box (see Figure 3.20).
-
To exclude the name suffix, click Add. On the Add Excluded Name Suffix dialog box, type the name of the suffix and then click OK (see Figure 3.21).
-
The excluded name suffix appears on the Edit domain name dialog box. Click OK.
Figure 3.20 You can exclude a name suffix that does not exist in the specified forest from routing by specifying it on the Edit domain name dialog box.
Figure 3.21 The Add Excluded Name Suffix dialog box allows you to exclude a name suffix from routing to the specified forest.
NOTE
Name Conflicts Can Occur If the same unique name suffix is used in two forests connected by a forest trust, a conflict (or collision) might occur. In such situations, the Status column on the Name Suffix Routing tab lists the conflict in the indicated domain. You cannot enable this suffix for name routing until you have removed the conflicting name suffix for the indicated domain.
Removing a Crossforest Trust Relationship
Sometimes you might need to remove a trust relationship between two forests. For example, a contract may have completed or been terminated, an acquisition of one company by another may have fallen through, and so on. You may need to remove and re-create a trust relationship if you have incorrectly specified properties such as an incorrect trust type or direction.
You can remove a trust relationship from the Active Directory Domains and Trusts snap-in by following Step by Step 3.7.
STEP BY STEP
3.7 Removing a Trust Relationship
-
In Active Directory Domains and Trusts, right-click your domain name and choose Properties.
-
On the Trusts tab of the domain's Properties dialog box, select the trust to be removed and click Remove.
-
You are asked whether you want to remove the trust from the local domain only or from the local domain and the other domain (see Figure 3.22). If you want to remove the trust from both domains, select Yes, Remove the Trust from Both the Local Domain and the Other Domain, type the username and password for an account with administrative privileges in the other domain, and then click OK.
-
Click Yes on the next dialog box to confirm removing the trust.
-
You are returned to the Trust tab of the domain's Properties dialog box. Notice that the name of the other domain has been removed.
Figure 3.22 You are asked whether you want to remove the trust from the local domain only or from the local domain and the other domain.
Understanding Trust Relationships
Following are points to remember regarding trust relationships:
In a one-way trust relationship, the trusting domain makes its resources available to users in the trusted domain. A two-way trust relationship consists of two one-way trusts in opposite directions.
By default in Active Directory, all domains in a forest trust each other with two-way transitive trust relationships. You can also create shortcut trusts between child domains to facilitate rapid authentication and resource access.
You need to explicitly set up all trust relationships between different forests. You can set up either external one- or two-way trusts between specific domains in the two forests or a forest trust in which all domains in the two forests trust each other with twoway trusts.
A one-way incoming trust allows users in your (trusted) domain to be authenticated in the other (trusting) domain, whereas a one-way outgoing trust allows users in the other (trusted) domain to be authenticated in your (trusting) domain.
Two authentication scopes are available: Domainwide authentication allows users from the trusted domain to access all resources in the local domain. Selective authentication does not create any default authentication; you must grant access to each server that users need to access. You can change the authentication scope after trusts are set up, if necessary.
You can enable name suffix routing that simplifies authentication requests being routed to another forest. New child domains added to either forest automatically inherit these name suffix routing properties; however, you can disable name suffix routing when required or exclude a child name suffix from routing.
WARNING
Removing the Trust If you remove the trust from the local domain only, it still appears from the other domain but generates an error if you attempt to validate it. An administrator from the other domain must remove the trust from that domain as well.