- Objectives
- Outline
- Study Strategies
- Introduction
- Active Directory Trust Relationships
- Active Directory Forest and Domain Structure
- Active Directory Site Topology
- Chapter Summary
- Apply Your Knowledge
Active Directory Trust Relationships
- Objective
-
Implement an Active Directory directory service forest and domain structure
- Establish trust relationships. Types of trust relationships might include external trusts, shortcut trusts, and cross-forest trusts.
Prospects of globalization and international commerce have increased the possibility of companies operating multiforest network enterprise structures. Before we look at the intricacies of interforest trusts, we briefly review trust relationships as they exist within a single forest.
Before we look at the intricacies of Windows 2000 and interforest trusts, we will briefly review trust relationships as they existed within NT 4.0. Those of you who are upgrading from Windows NT 4.0 will be familiar with the trust relationships used to allow users in one domain to access resources in another domain. You could configure one domain to trust another one so that users in the second domain could access resources in the first one. Windows NT 4.0 did not create any trust relationships by itself; administrators in both the trusting and trusted domains had to configure every trust relationship. The domain where the resources are located is referred to as the trusting or resource domain, and the domain where the accounts are kept is referred to as the trusted or accounts domain.
Some characteristics of trust relationships in Windows NT 4.0 follow:
- In a one-way trust relationship, the trusting domain makes its resources available to the trusted domain (see Figure 3.1). With the appropriate permissions, a user from the trusted domain can access resources on the trusting domain. However, users in the trusting domain are unable to access resources in the trusted domain, unless a two-way trust is set up.
Figure 3.1 In a one-way trust relationship, the trusting domain holds the resources that users in the trusted domain need to access.
- A trust relationship exists between only two domains. Each trust relationship has just one trusting domain and just one trusted domain.
- A two-way trust relationship between domains is simply the existence of two one-way trusts in opposite directions between the domains.
- In Windows NT 4.0, trust relationships were not transitive; that is, if Domain A trusts Domain B and Domain B trusts Domain C, these relationships do not mean that Domain A automatically trusts Domain C. To have such a relationship, a third trust relationship must be set up whereby Domain A trusts Domain C (see Figure 3.2).
Figure 3.2 If Domain A trusts Domain B and Domain B trusts Domain C in a nontransitive trust, Domain A does not trust Domain C. In a transitive trust relationship, Domain A automatically trusts Domain C through Domain B when the other two trusts are created.
Trust Relationships Within an Active Directory Forest
Active Directory in Windows 2000 introduced the concept of two-way transitive trusts that flow upward through the domain hierarchy toward the tree root domain and across root domains of different trees in the same forest. This includes parent-child trusts between parent and child domains of the same tree and tree root trusts between the root domains of different trees in the same forest. Because of this arrangement, administrators no longer need to configure trust relationships between domains in a single forest.
In addition, Windows Server 2003 provides for another trust relationship called a shortcut trust. It is an additional trust relationship between two domains in the same forest, which optimizes the authentication process when a large number of users need to access resources in a different domain in the same forest. This capability is especially useful if the normal authentication path needs to cross several domains. Consider Figure 3.3 as an example.
Figure 3.3 Shortcut trusts are useful if the authentication path to another domain in the forest has to cross several domain boundaries.
Suppose that users in the C.A.A.com domain need to log on to the C.B.B.com domain, which is located in the second tree of the same forest. The authentication path must cross five domain boundaries to reach the C.B.B.com domain. If an administrator establishes a shortcut trust between the C.A.A.com and C.B.B.com domains, the logon process speeds up considerably. This is also true for shorter possible authentication paths such as C.A.A.com to B.A.com or B.A.com to B.B.com. This also facilitates the use of Kerberos when accessing resources located in another domain.
Interforest Trust Relationships
Whenever there is need for accessing resources in a different forest, administrators have to configure trust relationships manually. Windows 2000 offers the capability to configure one-way, nontransitive trusts with similar properties to those mentioned previously, between domains in different forests. You have to configure every trust relationship between each domain in the different forests explicitly. If you need a two-way trust relationship, you have to manually configure each half of the trust separately.
Windows Server 2003 makes it easier to configure interforest trust relationships. In this section, we study these trust relationships. In a nutshell, for forests that are operating at the Windows Server 2003 forest functional level, you can configure trusts that enable two-way transitive trust relationships between all domains in the relevant forests. If the forest is operating at any other functional level, you still need to configure explicit trusts as in Windows 2000.
Windows Server 2003 introduces the following types of interforest trusts:
- External trusts—These one-way trusts are individual trust relationships set up between two domains in different forests, as could be done in Windows 2000. The forests involved might be operating at any forest functional level. You can use this type of trust if you need to enable resource sharing only between specific domains in different forests. You can also use this type of trust relationship between an Active Directory domain and a Windows NT 4.0 domain.
-
Forest trusts—As already mentioned, these trusts include complete trust relationships between all domains in the relevant forests, thereby enabling resource sharing among all domains in the forests. The trust relationship can be either one-way or two-way. Both forests must be operating at the Windows Server 2003 forest functional level. The use of forest trusts offers several benefits:
- They simplify resource management between forests by reducing the number of external trusts needed for resource sharing.
- They provide a wider scope of UPN authentications, which can be used across the trusting forests.
- They provide increased administrative flexibility by enabling administrators to split collaborative delegation efforts with administrators in other forests.
- Directory replication is isolated within each forest. Forestwide configuration modifications such as adding new domains or modifying the schema affect only the forest to which they apply, and not trusting forests.
- They provide greater trustworthiness of authorization data. Administrators can use both the Kerberos and NTLM authentication protocols when authorization data is transferred between forests.
- Realm trusts—These are one-way nontransitive trusts that you can set up between an Active Directory domain and a Kerberos V5 realm such as found in UNIX and MIT implementations.
Establishing Trust Relationships
This section examines creating two types of trust relationships with external forests: external trusts and forest trusts. We then look at the shortcut trust, which is the only configurable type of trust relationship between two domains in the same forest.
Before you begin to create trust relationships, you must be aware of several prerequisites:
- You must be a member of the Enterprise Admins group or the Domain Admins group in the forest root domain. New to Windows Server 2003, you can also be a member of the Incoming Forest Trust Builders group on the forest root domain. This group has the rights to create one-way, incoming forest trusts to the forest root domain. If you hold this level of membership in both forests, you can set up both sides of an interforest trust at the same time.
- You must ensure that DNS is properly configured so that the forests can recognize each other. You might have to configure conditional forwarding to enable DNS servers in one forest to forward queries to DNS servers in the other forest so that resources are properly located.
- In the case of a forest trust, both forests must be operating at the Windows Server 2003 forest functional level.
Windows Server 2003 provides the New Trust Wizard to simplify the creation of all types of trust relationships. The following sections show you how to create these trust relationships.
Creating an External Trust
Follow Step by Step 3.1 to create an external trust with a domain in another forest or a Windows NT 4.0 domain.
Step by Step 3.1 Creating an External Trust
- Click Start, Administrative Tools, Active Directory Domains and Trusts to open the Active Directory Domains and Trusts snap-in.
- In the console tree, right-click your domain name and choose Properties to display the Properties dialog box for the domain.
- Select the Trusts tab. This tab contains fields listing domains trusted by this domain and domains that trust this domain. Initially these fields are blank, as in Figure 3.4.
Figure 3.4 You can manage trusts from the Trusts tab of a domain's Properties dialog box.
- Click New Trust to start the New Trust Wizard, as shown in Figure 3.5.
Figure 3.5 You can create new trust relationships by using the New Trust Wizard.
- Click Next, and on the Trust Name page, type the name of the domain with which you want to create a trust relationship (see Figure 3.6). Then click Next.
Figure 3.6 On the Trust Name page, you can enter the DNS or NetBIOS name of the domain with which you want to create a trust.
- The Trust Type page, shown in Figure 3.7, offers you a choice between an external trust and a forest trust. Select External Trust and then click Next.
Figure 3.7 You can select the trust type required from the Trust Type page.
- The Direction of Trust page, shown in Figure 3.8, offers you a choice of the following three types of trusts:
- Two-Way—Creates a two-way trust. This type of trust allows users in both domains to be authenticated in each other's domain.
- One-Way: Incoming—Creates a one-way trust in which users in your (trusted) domain can be authenticated in the other (trusting) domain. Users in the other domain cannot be authenticated in your domain.
- One-Way: Outgoing—Creates a one-way trust that users in the other (trusted) domain can be authenticated in your (trusting) domain. Users in your domain cannot be authenticated in the other domain.
Figure 3.8 The Direction of Trust page offers you options for creating one-way or two-way trusts.
- Select a choice according to your network requirements and then click Next.
- The Sides of Trust page, shown in Figure 3.9, allows you to complete both sides of the trust if you have the appropriate permissions in both domains. If this is so, select Both This Domain and the Specified Domain. Otherwise, select This Domain Only and then click Next.
Figure 3.9 The Sides of Trust page enables you to complete both sides of the trust if you have the appropriate permissions.
- If you selected This Domain Only on the Sides of Trust page, the Trust Password page appears, asking for a password for the trust. You must specify the same password when creating the trust in the other domain. Type and confirm a password that conforms to password security guidelines, click Next, and then skip to step 13. Ensure that you remember this password.
- If you selected Both This Domain and the Specified Domain on the Sides of Trust page, the Outgoing Trust Properties—Local Domain page, shown in Figure 3.10, offers the following two choices in the scope of authentication for users in the trusted domain:
- Domain-Wide Authentication—This option authenticates users from the trusted domain for all resources in the local domain. Microsoft recommends this option only for trusts within the same organization.
- Selective Authentication—This option does not create any default authentication. You must grant access to each server that users need to access. Microsoft recommends this option for trusts that involve separate organizations, such as contractor relationships.
Figure 3.10 The Outgoing Trust Authentication Level-Local Domain page provides two choices of authentication scope for users in the trusted domain.
- Select the appropriate type of authentication and then click Next.
- The Trust Selections Complete page displays a list of the options that you have configured (see Figure 3.11). Review these settings to ensure that you have made the correct selections. If any setting is incorrect, click Back and correct it. Then click Next.
Figure 3.11 The Trust Selections Complete page displays a review of the trust settings you specified.
- The Trust Creation Complete page informs you that the trust relationship was successfully created. Click Next to finish the process.
- The Confirm Outgoing Trust page asks whether you want to confirm the outgoing trust (see Figure 3.12). If you have configured the trust from the other side, click Yes, Confirm the Outgoing Trust. Otherwise, click No, Do Not Confirm the Outgoing Trust. Then click Next.
Figure 3.12 The Confirm Outgoing Trust page provides a chance to confirm the other side of the trust.
- The Confirm Incoming Trust page asks whether you want to confirm the incoming trust. Choices are the same as on the previous page. If you want to confirm this trust, enter a username and password for an administrator account in the other domain.
- The Completing the New Trust Wizard page verifies the confirmation of the trust from the other side. Click Finish.
- You are returned to the Trusts tab of the domain's Properties dialog box (see Figure 3.13). The name of the domain with which you configured the trust now appears in one or both of the fields according to the trust type you created. Click OK to close this dialog box.
Figure 3.13 After you have created the trust relationship, the Trusts tab of the domain's Properties dialog box shows the name of the trusted domain together with the trust type and transitivity.
Creating a Forest Trust
Recall that this type of trust can be created only between two Active Directory forests that are both operating at the Windows Server 2003 forest functional level. Follow Step by Step 3.2 to create a forest trust.
Step by Step 3.2 Creating a Forest Trust
- Make sure that the forest functional level of both forests is set to Windows 2003. See Chapter 2, "Planning and Implementing an Active Directory Infrastructure," for details.
- Follow steps 1–5 of Step by Step 3.1 to access the Trust Name page of the New Trust Wizard.
- Type the name of the forest root domain with which you want to create a trust and then click Next.
- On the Trust Type page, select Forest Trust and then click Next.
- On the Direction of Trust page, select the appropriate direction for the trust and then click Next.
- On the Sides of Trust page, specify whether you want to create the trust for this domain only or for both this domain and the specified domain, and then click Next.
- If you are creating the trust for both forests, specify a username and password for the specified forest and then click Next. If you are creating the trust for this forest only, specify the trust password that the administrator in the other forest will need to specify to complete the creation of the trust for her forest. Then click Next.
- The Outgoing Trust Authentication Level—Local Forest page, shown in Figure 3.14, provides two choices that are similar to those provided by the Outgoing Trust Authentication Level—Local Domain page. Make a choice and then click Next.
Figure 3.14 The Outgoing Trust Authentication Level—Local Forest page provides two choices of authentication scope for users in the trusted forest.
- The Trust Selections Complete page displays a list of the options that you have configured (refer to Figure 3.11). Review these settings to ensure that you have made the correct selections. If any setting is incorrect, click Back and correct it. Then click Next.
- The Trust Creation Complete page informs you that the trust relationship was successfully created. Click Next to finish the process.
- The Confirm Outgoing Trust page asks whether you want to confirm the outgoing trust (refer to Figure 3.12). If you have configured the trust from the other side, click Yes, Confirm the Outgoing Trust. Otherwise, click No, Do Not Confirm the Outgoing Trust. Then click Next.
- The Confirm Incoming Trust page asks whether you want to confirm the incoming trust. Choices are the same as on the previous page. If you want to confirm this trust, enter a username and password for an administrator account in the other forest.
- The Completing the New Trust Wizard page verifies the confirmation of the trust from the other side. Click Finish.
- You are returned to the Trusts tab of the domain's Properties dialog box (refer to Figure 3.13). The name of the domain with which you configured the trust now appears in one or both of the fields according to the trust type you created. Click OK to close this dialog box.
Creating a Shortcut Trust
Recall that this type of trust can be created between child domains in the same forest to expedite crossdomain authentication or resource access. Follow Step by Step 3.3 to create a shortcut trust relationship.
Step by Step 3.3 Creating a Shortcut Trust
- In Active Directory Domains and Trusts, right-click your domain and choose Properties.
- On the domain's Properties dialog box, select the Trusts tab and click New Trust to start the New Trust Wizard.
- Click Next, and on the Trust Name and Password page, type the DNS name or NetBIOS name of the domain with which you want to establish a shortcut trust and then click Next.
- On the Direction of Trust page (refer to Figure 3.8), choose the appropriate option (two-way, one-way incoming, or one-way outgoing) and then click Next.
- On the Sides of Trust page, specify whether you want to create the trust for this domain only or for both this domain and the specified domain, and then click Next.
- If you are creating the trust for both domains, specify a username and password for an administrator account in the specified domain. If you are creating the trust for this domain only, specify the trust password that the administrator in the other domain will need to specify to complete the creation of the trust for her domain. Then click Next.
- The Trust Selections Complete page displays a summary of the settings you have entered (refer to Figure 3.11). Click Back if you need to make any changes to these settings. Then click Next to create the trust.
- The Trust Creation Complete page informs you that the trust relationship was successfully created. Click Next to configure the trust.
- The Confirm Outgoing Trust page asks whether you want to confirm the other side of the trust. If you have created both sides of the trust, click Yes. Otherwise, click No and then click Next.
- The Confirm Incoming Trust page asks whether you want to confirm the incoming trust. Choices are the same as on the previous page. If you want to confirm this trust, enter a username and password for an administrator account in the other domain.
- The Completing the New Trust Wizard page informs you that you have created the trust. Click Finish to return to the Trusts tab of the domain's Properties dialog box (refer to Figure 3.13). The name of the domain with which you configured the trust now appears in one or both of the fields according to the trust type you created. Click OK to close this dialog box.
If you have created only one side of the trust, an administrator in the other domain must repeat this procedure to create the trust from her end. She will have to enter the trust password you specified in this procedure.
Managing Trust Relationships
- Objective
-
Manage an Active Directory forest and domain structure
- Manage trust relationships
After you have created a crossforest trust, the following limited set of configuration options is available from the trust's Properties dialog box:
- Validate Trust Relationships—This option enables you to verify that a trust has been properly created and that the forests can communicate with each other.
- Change the Authentication Scope—This option enables you to change the selection of domainwide authentication or selective authentication that you made during creation of the trust, should you need to modify access control to the trusting forest's resources.
- Configure Name Suffix Routing—This option provides a mechanism that you can use to specify how authentication requests are routed across Windows Server 2003 forests. It is available only when forest trusts are used.
Validating Trust Relationships
To access the trust's Properties dialog box and validate a trust relationship, follow Step by Step 3.4.
Step by Step 3.4 Validating a Trust Relationship
- In Active Directory Domains and Trusts, right-click your domain name and choose Properties.
- On the Trusts tab of the domain's Properties dialog box, select the name of the other domain or forest and click Properties.
- This action displays the trust's Properties dialog box, as shown in Figure 3.15.
Figure 3.15 The General tab of the Properties dialog box of the other domain provides information on the trust's properties.
- To validate the trust relationship, click Validate.
- If the trust is in place and active, you receive a confirmation message box, as shown in Figure 3.16. Otherwise, you receive an error message, such as the one in Figure 3.17.
Figure 3.16 This message box informs you that the trust is valid.
Figure 3.17 If the trust cannot be validated, an error message such as this informs you of the problem.
Changing the Authentication Scope
Follow Step by Step 3.5 to change the authentication scope that you set when you create the trust.
Step by Step 3.5 Changing the Authentication Scope of a Trust Relationship
- Select the Authentication tab of the trust's Properties dialog box, as shown in Figure 3.18.
Figure 3.18 The Authentication tab of a trust's Properties dialog box allows you to change the trust's authentication scope.
- Select either Domain-Wide Authentication or Selective Authentication (as already described in Step by Step 3.1) and then click OK.
Configuring Name Suffix Routing
When you initially create a forest trust, all unique name suffixes are routed by default. A unique name suffix is a name suffix within a forest, such as a User Principal Name (UPN) suffix, Service Principal Name (SPN) suffix, or domain name system (DNS) forest or tree name that is not subordinate to any other name suffix. For example, the DNS forest name quepublishing.com is a unique name suffix within the quepublishing.com forest. Consequently, name suffixes in one forest do not exist in another forest.
Name suffix routing is a mechanism that can manage the routing of authentication requests across Windows Server 2003 forests connected by forest trust relationships. It enables name suffixes that do not exist in one forest to be used to route authentication requests to another forest. This includes child name suffixes. As a result, when you view name suffixes in the Name Suffix Routing tab of the domain's Properties dialog box, as shown in Figure 3.19, they are prefixed by * to indicate that they refer to the parent domain and all child domains. If you add new child domains to either forest, they automatically inherit the name suffix routing properties of other domains in the forest. After you add a new name suffix and validate the trust, it appears on the Name Suffixes tab with a status (shown on the Routing column) of Disabled. The Status column indicates New for a newly created name suffix.
Figure 3.19 The Name Suffix Routing tab of a trust's Properties dialog box allows you to enable or disable name suffix routing between forests.
You might have to disable name suffix routing to prevent certain authentication requests from flowing across the forest trust. You might also have to enable name suffix routing for additional name suffixes you have created or to exclude a child name suffix from routing. Follow Step by Step 3.6 to configure these name suffix routing options.
Step by Step 3.6 Configuring Name Suffix Routing
- On the Name Suffix Routing tab of the trust's Properties dialog box, select the suffix whose routing status is to be changed and then click Enable or Disable as required.
- The routing status in the Routing column changes. In the case of enabling a new name suffix routing, the New entry disappears from the Status column.
- To exclude a child name suffix from routing, select the parent suffix and click Edit to display the Edit domain name dialog box (see Figure 3.20).
Figure 3.20 You can exclude a name suffix that does not exist in the specified forest from routing by specifying it on the Edit domain name dialog box.
- To exclude the name suffix, click Add. On the Add Excluded Name Suffix dialog box, type the name of the suffix and then click OK (see Figure 3.21).
Figure 3.21 The Add Excluded Name Suffix dialog box allows you to exclude a name suffix from routing to the specified forest.
- The excluded name suffix appears on the Edit domain name dialog box. Click OK.
Removing a Crossforest Trust Relationship
Sometimes you might need to remove a trust relationship between two forests. For example, a contract might have completed or been terminated, an acquisition of one company by another might have fallen through, and so on. You could have to remove and re-create a trust relationship if you have incorrectly specified properties such as an incorrect trust type or direction.
You can remove a trust relationship from the Active Directory Domains and Trusts snap-in by following Step by Step 3.7.
Step by Step 3.7 Removing a Trust Relationship
- In Active Directory Domains and Trusts, right-click your domain name and choose Properties.
- On the Trusts tab of the domain's Properties dialog box, select the trust to be removed and click Remove.
- You are asked whether you want to remove the trust from the local domain only or from the local domain and the other domain (see Figure 3.22). If you want to remove the trust from both domains, select Yes, Remove the Trust from Both the Local Domain and the Other Domain, type the username and password for an account with administrative privileges in the other domain, and then click OK.
Figure 3.22 You are asked whether you want to remove the trust from the local domain only or from the local domain and the other domain.
- Click Yes on the next dialog box to confirm removing the trust.
- You are returned to the Trust tab of the domain's Properties dialog box. Notice that the name of the other domain has been removed.
Active Directory Federation Services (ADFS)
As introduced in Chapter 1, Active Directory Federation Services (ADFS) is a new feature in Windows Server 2003 R2 that enables you to set up a single signon capability for users accessing multiple web applications within a single session. It enables companies and business partners to collaborate with each other without the need to establish trust relationships and without the need for users in these companies to remember multiple usernames and passwords.
Figure 3.23 provides a simple example. Let's assume that Quepublishing.com is hosting a web application to which users in its own company and partner company Examcram.com need access. Each company operates its own Active Directory forest, but IT directors in both companies do not want to set up a trust relationship similar to those already discussed in this chapter. Therefore, both companies set up a server running Windows Server 2003 R2 with ADFS that allow users in Examcram.com to authenticate to the web server operated by Quepublishing.com with their regular usernames and passwords. The Quepublishing.com ADFS server authenticates a user from Examcram.com and grants access to the web application. As you can see from Figure 3.23, this constitutes a type of trust between the ADFS servers without an external or forest trust between the two forests.
Figure 3.23 ADFS enables users from one company to authenticate to a web application in a second company without the need for a separate username and password.
To deploy ADFS, you must first install Internet Information Services (IIS) together with a Secure Sockets Layer (SSL) certificate on the server that will run ADFS. You can obtain a SSL certificate from a server running Certificate Services, which we introduce in Chapter 5. Then you can install ADFS from the Active Directory Services node of the Windows Components Wizard. This installs a Microsoft Management Console (MMC) snap-in from which you can manage all aspects of ADFS, including trust policies, Active Directory Application Mode (ADAM) account stores, and web applications that users will access through ADFS.
The installation and configuration of ADFS is currently beyond the scope of the 70-294 exam (although this could be subject to change in the future). For further information on the capabilities and usage of ADFS, refer to "Overview of Active Directory Federation Services in Windows Server 2003 R2," in the "Suggested Readings and Resources" section.
Understanding Trust Relationships
Following are points to remember regarding trust relationships:
- In a one-way trust relationship, the trusting domain makes its resources available to users in the trusted domain. A two-way trust relationship consists of two one-way trusts in opposite directions.
- By default in Active Directory, all domains in a forest trust each other with two-way transitive trust relationships. You can also create shortcut trusts between child domains to facilitate rapid authentication and resource access.
- You need to set up all trust relationships between different forests explicitly. You can set up either external one- or two-way trusts between specific domains in the two forests or a forest trust in which all domains in the two forests trust each other with two–way trusts.
- A one-way incoming trust allows users in your (trusted) domain to be authenticated in the other (trusting) domain, whereas a one-way outgoing trust allows users in the other (trusted) domain to be authenticated in your (trusting) domain.
- Two authentication scopes are available: Domainwide authentication allows users from the trusted domain to access all resources in the local domain. Selective authentication does not create any default authentication; you must grant access to each server that users need to access. You can change the authentication scope after trusts are set up, if necessary.
- You can enable name suffix routing that simplifies authentication requests being routed to another forest. New child domains added to either forest automatically inherit these name suffix routing properties; however, you can disable name suffix routing when required or exclude a child name suffix from routing.
- ADFS enables you to set up a type of trust for users to access web applications in another forest without the need for a separate username and password, without establishing a regular forest or external trust relationship.