PART I
Chapter 1: Active Directory Domains and Trusts
Understanding Active Directory Domains and Trusts

Trees and Forests
You can create a single domain as a complete Active Directory container that provides all the resources your business needs. You can also create subdomains, called child domains. The first domain you create is the root (or parent) domain and has a DNS namespace such as microsoft.com. A child domain shares the parent's namespace contiguously and has a name such as sales.microsoft.com. A parent domain with one or more child domains is called a domain tree. A forest is one or more domain trees that share a common schema, configuration, and global catalog; the first domain you create is the forest root. Trees in the same forest do not share a contiguous namespace, and their domains may run at different functional levels. For example, two trees in one forest can have the root namespaces microsoft.com and wiley.com.

Domain Tree Trusts
You can create a trust between one domain and another so that users can use resources across two or more domains as if the resources were all part of one domain. A trust is an authentication path, not a grant of access: users from the trusted domain can be authenticated by the trusting domain, and they still need permissions on each resource they use there.

With Windows NT domain trusts you can only configure a one-way, nontransitive trust between two domains. One domain is the trusted domain and the other is the trusting domain, and you have to create a separate trust in the other direction before the two domains trust each other mutually. NT trusts are also not transitive: a trust between Domain A and Domain B plus another trust between Domain B and Domain C does not make Domain A and Domain C trust each other. You must create another, separate trust between A and C.

Starting with Windows 2000 Server and Windows Server 2003 Active Directory, every domain in a tree is joined to its parent by a two-way transitive trust that is created automatically when the domain is added, and the root of each tree is joined to the forest root in the same way. Because these trusts are transitive, if A trusts B and B trusts C, then A and C trust each other without any further configuration, and every domain in a forest trusts every other domain in that forest.

Domain Forest Trusts
A forest trust joins two separate forests. It is not created automatically: you create it manually between the two forest root domains, much as you create a Windows NT trust, and it can be one-way or two-way. Unlike an external trust, a forest trust is transitive across all the domains in both forests, but it does not extend to a third forest that trusts either of them. Because the other forest is administered by someone else, treat the trust as a security decision: you can own both forests, keep their namespaces separate, allow one forest to reach resources in the other, and limit how the second forest reaches resources in the first by choosing the trust direction and by using selective authentication rather than forest-wide authentication. SID filtering is enabled by default on forest trusts in Windows Server 2003 and should stay enabled, so that SIDs presented by the trusted forest cannot claim membership in your own privileged groups.

A transitive trust is one where two or more parent domains and their child domains all trust each other; the trust at the parent level extends down to the child domains. A transparent trust is one where the user is not aware of how the trust relationships traverse numerous domains and domain trees. From the user's point of view, a resource in a child domain of a different tree behaves as if it existed in their own domain. For more on forest trusts, see the section "Create a Forest Trust."
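The distinctions above (automatic transitive trusts inside a forest, manual external and forest trusts, and the trust direction that exposes your resources) are easiest to check on a live domain. The following PowerShell is an added example, not code from the original chapter: it enumerates every trust the current domain and forest hold through the System.DirectoryServices.ActiveDirectory classes and reports, per trust, whether it is transitive and whether SID filtering and selective authentication are in force. It assumes a domain-joined session with read access to the trust objects; the wording of the findings is this example's own.

```powershell
# Added example; not from the original chapter. Lists all trusts of the
# current domain/forest and flags the settings that widen exposure.
Add-Type -AssemblyName System.DirectoryServices

function Get-TrustReport {
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

    # Domain-level trusts. ParentChild and TreeRoot are the automatic two-way
    # transitive trusts inside the forest, CrossLink is a shortcut trust, and
    # External is an NT-style nontransitive trust to a domain in another forest.
    foreach ($t in $domain.GetAllTrustRelationships()) {
        if ($t.TrustType -eq 'Forest') { continue }   # reported with the forest below
        $sid = $sel = 'n/a'
        if ($t.TrustType -eq 'External') {
            try { $sid = $domain.GetSidFilteringStatus($t.TargetName) }            catch { $sid = 'error' }
            try { $sel = $domain.GetSelectiveAuthenticationStatus($t.TargetName) } catch { $sel = 'error' }
        }
        [pscustomobject]@{
            Scope = 'Domain'; Source = $t.SourceName; Target = $t.TargetName
            Type = $t.TrustType; Direction = $t.TrustDirection
            Transitive = ($t.TrustType -in 'ParentChild', 'TreeRoot', 'CrossLink')
            SidFiltering = $sid; SelectiveAuth = $sel; RoutedSuffixes = ''
        }
    }

    # Forest trusts are transitive across every domain of both forests, so
    # their settings matter most. TopLevelNames are the routed name suffixes
    # (the asterisk entries on the wizard's final page).
    foreach ($t in $forest.GetAllTrustRelationships()) {
        $sid = $sel = 'error'
        try { $sid = $forest.GetSidFilteringStatus($t.TargetName) }            catch {}
        try { $sel = $forest.GetSelectiveAuthenticationStatus($t.TargetName) } catch {}
        [pscustomobject]@{
            Scope = 'Forest'; Source = $t.SourceName; Target = $t.TargetName
            Type = $t.TrustType; Direction = $t.TrustDirection; Transitive = $true
            SidFiltering = $sid; SelectiveAuth = $sel
            RoutedSuffixes = ($t.TopLevelNames | ForEach-Object { "*.$($_.Name)" }) -join ', '
        }
    }
}

function Get-TrustFindings {
    param([Parameter(Mandatory, ValueFromPipeline)] $Trust)
    process {
        # Outbound (this side trusts the target) or two-way is the direction
        # that lets the other side's principals authenticate to our resources.
        if ($Trust.Direction -notin 'Outbound', 'Bidirectional') { return }
        # Trusts inside one forest share one administrative boundary anyway.
        if ($Trust.Type -in 'ParentChild', 'TreeRoot', 'CrossLink') { return }
        if ($Trust.SidFiltering -eq $false) {
            "$($Trust.Target): SID filtering is off; SIDs presented by that side (including SID history) are honoured here"
        }
        if ($Trust.SelectiveAuth -eq $false) {
            "$($Trust.Target): forest-wide/domain-wide authentication; every computer here will authenticate its users"
        }
    }
}

$report = Get-TrustReport
$report | Format-Table Scope, Target, Type, Direction, Transitive, SidFiltering, SelectiveAuth -AutoSize
$report | Get-TrustFindings
```

Run it on a domain controller or any domain-joined host; the findings list is empty for a forest whose external and forest trusts all have SID filtering on and selective authentication enabled, which is the posture the rest of this chapter should leave you in.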




Create a Forest Trust
You can use Windows Server 2003 Active Directory to create a forest trust between two separate forests. A forest trust gives the two forests much the same relationship that the domains inside one domain tree already have with each other: you can share resources between the two forest root domains and between the child domains in each forest, and the trust is transitive across every domain in both forests. For more on forest trusts, see the section "Understanding Active Directory Domains and Trusts" earlier in this chapter.

You can only create a forest trust between two forests whose forest functional level has been raised to Windows Server 2003, which in turn requires every domain controller in both forests to run Windows Server 2003. The Windows Server operating systems on your domain controllers determine the domain and forest functional levels (also called modes) and the Active Directory features you can use. For more on domain and forest functional levels, see Chapter 2.

If you want a Windows Server 2003 forest to trust a Windows 2000 Server or Windows NT Server domain, you can only create an external trust. An external trust is nontransitive and joins two domains, not two forests.


Create a Forest Trust

1 Click Start.
2 Click Administrative Tools.
3 Click Active Directory Domains and Trusts.
The Active Directory Domains and Trusts snap-in appears.
4 Right-click the forest root domain (a forest trust is created from the root domain of the forest).
5 Click Properties.
The Domain Properties dialog box appears.
6 Click the Trusts tab.
7 Click New Trust.
The New Trust Wizard appears.
8 Click Next.
On the Trust Name page that follows, type the DNS name of the other forest's root domain and click Next.
The Trust Type page of the Wizard appears.
9 Click the Forest trust option.
10 Click Next.




On the Domain Properties Trusts tab, how many different trusts can I create?
As many as your domain needs. You can create independent trusts from your domain to several other domains, and trusts of different types, all from the Trusts tab of the Domain Properties dialog box. Keep the number small enough that you can track which domain trees trust which: every trust in which your domain is the trusting side is an authentication path into your domain, and if you lose track of the number and type of trusts you have created, trust problems become hard to troubleshoot.

When do I select the This domain only option on the Sides of Trust page of the New Trust Wizard?
This option creates only your side of the trust. The trust does not work until the administrator of the other domain creates the matching side there. Use it when you are in partnership with another domain whose administrators will not hand over domain administrator credentials, which is the normal case between organizations: you agree on a trust password, each of you creates your own side, and the trust becomes active once both sides exist.




Create a Forest Trust (Continued)
You can tailor a forest trust to the needs of your forest and another, noncontiguous forest, and so control access to your resources tightly. The trust between the two is an authentication relationship. You authenticate to your own domain by typing your username and password at the logon screen; the nearest domain controller verifies your credentials and lets you in. When you create a trust with another forest, you extend that authentication to its domains: your users can be authenticated there (and, with a two-way trust, its users here) without a second logon. Because the trust is transparent, your users never notice that they are using resources outside their forest. The trust itself grants no permissions; the owner of each resource still has to give the trusted users access in its ACL.

You can create trusts that are two-way, one-way incoming, or one-way outgoing. Outgoing means your forest trusts the other, so its users can be authenticated to your resources; incoming means the other forest trusts yours. Choose the narrowest direction that meets the need. The authentication level you choose on the later Wizard pages (forest-wide or selective) sets how much of your forest the other side's users can authenticate to. If you create both sides of the trust at once, you must have administrator credentials for the other forest; otherwise create your side only and let the other administrator create theirs. For more on authentication relationships and transparent trusts, see the section "Understanding Active Directory Domains and Trusts."



Create a Forest Trust (continued)

The Direction of Trust page of the Wizard appears.
11 Click the Two-way option.
• You can also select a One-way: incoming or One-way: outgoing direction.
Note: For more on creating a one-way trust, see the section "Create a Shortcut Trust."
12 Click Next.
The Sides of Trust page of the Wizard appears.
13 Click the "Both this domain and the specified domain" option.
14 Click Next.
The User Name and Password page appears.
15 Type the administrator name for the other forest.
16 Type the administrative password for the other forest.
17 Click Next.

The Ongoing Trust Authentication Level – Local Forest page of the Wizard appears.
18 Click the Forest-wide authentication option.
• Selective authentication is the more restrictive choice: users from the other forest are then authenticated only to computers on which you have explicitly granted them the Allowed to Authenticate permission. Prefer it when the other forest is not under your control.
19 Click Next.
The Ongoing Trust Authentication Level – Specified Forest page of the Wizard appears.
20 Click the Forest-wide authentication option.
21 Click Next.




Are all trusts with unrelated domain trees, such as external and realm trusts, nontransitive?
No. A forest trust is always transitive across the domains of both forests, so every child domain in each forest shares it; you do not have to ask for this in the New Trust Wizard, and it does not extend to a third forest. A realm trust to a non-Windows Kerberos realm can be either transitive or nontransitive, and the Wizard asks which you want. An external trust is always nontransitive: it binds just the two domains you name and does not involve any child domains.

Why do I have to set the authentication level for both the local forest and the specified forest?
Each side of a two-way trust decides for itself how much of its forest the other side's users may authenticate to. If you create both sides at once, using an administrator username and password for the other forest, you set both levels in one pass. Otherwise you set only your own side's level, and the administrator of the other forest sets theirs when they create their side of the trust.




Create a Forest Trust (Continued)
You can verify both your selections and the trust itself while you are still in the New Trust Wizard. If a check fails, you can go back, correct the problem, and retest before you finish the Wizard and the trust goes live. You can also postpone verification, or skip it and let your users discover whether the trust works. Best practice is to confirm both sides of the trust inside the Wizard: a trust that has been created but never confirmed can fail later and is much harder to diagnose then. Use the summary pages to check the names of the two forests, the trust direction, the trust type, and the authentication level you set for the local and for the specified forest.




Create a Forest Trust (continued)

The Trust Selections Complete page of the Wizard appears.
22 Review the selections and click Next.
The Trust Creation Complete page of the Wizard appears.
23 Click Next.
The Confirm Outgoing Trust page of the Wizard appears.
24 Click the "Yes, confirm the outgoing trust" option.
• You can click No when you want to delay confirming trusts until after you create a complex trust structure.
25 Click Next.
The Confirm Incoming Trust page of the Wizard appears.
26 Click the "Yes, confirm the incoming trust" option.
• You can click the "No, do not confirm the incoming trust" option instead.
Note: For more on these options, see the section "Create a Shortcut Trust."
27 Click Next.
The Completing the New Trust Wizard page appears.
28 Click Finish.
The trust is not usable everywhere until the new trust object has replicated to all domain controllers in the forest.




Why would I choose to verify only one side of the trust but not the other?
Verify only your side when the administrator of the other domain wants to verify theirs, or when you have created only your side of an external trust and the other side does not exist yet. The New Trust Wizard offers the selections that fit the kind of trust you are creating; the Confirm Outgoing Trust and Confirm Incoming Trust pages are where you verify one side, the other, or both.

On the Completing the New Trust Wizard page, why do asterisks appear before the domain names listed?
The entries marked with an asterisk are the routed name suffixes of the other forest, such as *.test.com. A forest trust routes authentication requests by name suffix: any user principal name or service principal name that ends in a routed suffix, for example jpyles@test.com or maldridge@test.com, is sent to the other forest for authentication. This lets any user, computer, or process in the test.com forest authenticate across the trust without a separate logon. After the trust is created you can disable routing for an individual suffix from the trust's properties on the Trusts tab.
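The whole procedure above (trust type, direction, sides, credentials, authentication level, confirmation) can be driven from PowerShell through the same System.DirectoryServices.ActiveDirectory classes the snap-in uses, which is useful when you want the settings in source control or need to repeat them in a lab. The following is an added example and not code from the original chapter. It assumes two placeholder forests, the local one and fabrikam.com, both at Windows Server 2003 forest functional level with working DNS resolution between them; where the Wizard steps above pick Forest-wide authentication, the example deliberately switches to selective authentication and checks that SID filtering stays on.

```powershell
# Added example; not from the original chapter. Creates a forest trust the
# way the New Trust Wizard does, with the stricter authentication level.
Add-Type -AssemblyName System.DirectoryServices

$PartnerForest = 'fabrikam.com'   # placeholder: the other forest's root domain

# Wizard path "Both this domain and the specified domain": needs an account
# with Enterprise Admins rights in the partner forest.
function New-ForestTrustBothSides {
    param(
        [Parameter(Mandatory)][string]$TargetForest,
        [Parameter(Mandatory)][pscredential]$TargetCredential,
        [System.DirectoryServices.ActiveDirectory.TrustDirection]$Direction = 'Bidirectional'
    )
    $local = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $ctx = [System.DirectoryServices.ActiveDirectory.DirectoryContext]::new(
        'Forest', $TargetForest,
        $TargetCredential.UserName,
        $TargetCredential.GetNetworkCredential().Password)
    $remote = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ctx)

    # Trust Type = Forest trust, Direction page, Sides page, all in one call.
    $local.CreateTrustRelationship($remote, $Direction)

    # "Ongoing Trust Authentication Level" pages. The chapter chooses
    # Forest-wide; selective authentication means partner users must also be
    # granted "Allowed to Authenticate" on each computer here before they can
    # use it. SID filtering is on by default for forest trusts; make sure.
    $local.SetSelectiveAuthenticationStatus($TargetForest, $true)
    if (-not $local.GetSidFilteringStatus($TargetForest)) {
        $local.SetSidFilteringStatus($TargetForest, $true)
    }

    # "Confirm Outgoing/Incoming Trust" pages: throws if the secure channel
    # cannot be established in the requested direction(s).
    $local.VerifyTrustRelationship($remote, $Direction)
    $local.GetTrustRelationship($TargetForest)     # returns the trust info for review
}

# Wizard path "This domain only": you and the partner administrator agree on
# a trust password; each runs this in their own forest and the trust becomes
# active once both halves exist. Direction is from this forest's point of
# view (Outbound = this forest trusts the partner), so the partner uses the
# opposite direction.
function New-ForestTrustLocalSide {
    param(
        [Parameter(Mandatory)][string]$TargetForest,
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectory.TrustDirection]$Direction,
        [Parameter(Mandatory)][securestring]$TrustPassword
    )
    $local = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $plain = [System.Net.NetworkCredential]::new('', $TrustPassword).Password
    $local.CreateLocalSideOfTrustRelationship($TargetForest, $Direction, $plain)
    $local.SetSelectiveAuthenticationStatus($TargetForest, $true)
    $local.GetTrustRelationship($TargetForest)
}

# Usage (credentials are prompted for; nothing secret is hard-coded):
# New-ForestTrustBothSides -TargetForest $PartnerForest -TargetCredential (Get-Credential 'FABRIKAM\Administrator')
# New-ForestTrustLocalSide -TargetForest $PartnerForest -Direction Outbound -TrustPassword (Read-Host -AsSecureString 'Trust password')
```

Run it from a domain controller in the forest root domain as an Enterprise Admin. The one-sided variant is what the "This domain only" FAQ describes: no credentials cross the organizational boundary, only the agreed trust password, which is used once to match the two halves.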


Create a Shortcut Trust
A shortcut trust lets users and processes in one child domain reach resources in a child domain on a different branch of the same forest without following the trust path through the parent domains and the root. Users get their tickets faster because, with only the automatic two-way transitive trusts, a request for a resource in the other branch travels up one branch of the tree, through the root, and down the other, with a Kerberos referral at each domain along the way. The shortcut trust gives Kerberos a direct path between the two domains.

Every trust, even inside one tree, is an authentication path. The automatic trusts between a parent and each of its child domains are transitive and transparent, so you are not normally aware of them. For example, suppose users in engineers.research.microsoft.com need to use resources in programmers.development.microsoft.com. Each label in the namespace marks a domain that the authentication request must pass through. A shortcut trust between the two lets engineers and programmers trust each other as directly as if they were the only two domains in the tree. A shortcut trust changes the path, not the level of access: the two domains already trusted each other through the forest's transitive trusts. For more on transitive and transparent trusts, see the section "Understanding Active Directory Domains and Trusts."
     really creating an authentication process between the




Create a Shortcut Trust

1 Click Start.
2 Click Administrative Tools.
3 Click Active Directory Domains and Trusts.
The Active Directory Domains and Trusts snap-in appears.
4 Right-click the domain name.
5 Click Properties.
The Domain Properties dialog box opens.
6 On the Trusts tab, click New Trust.

The New Trust Wizard appears.
7 Click Next.
The Trust Name page of the Wizard appears.
8 In the Name field, type the DNS name of the other child domain, for example research.test.local.
9 Click Next.
The Direction of Trust page appears; choose one-way or two-way and click Next (see step 11 of "Create a Forest Trust").
The Sides of Trust page of the Wizard appears.
10 Click the This domain only option.
11 Click Next.




How does the New Trust Wizard know what kind of trust to create?
The Wizard works it out from the name you type. It looks the name up in the Active Directory topology: if it is another domain in the same forest, the only trust you can create is a shortcut trust, so that is what you get; if it is the root domain of another Windows Server 2003 forest, you are offered an external trust or a forest trust; if it is a down-level domain or a non-Windows Kerberos realm, you are offered an external trust or a realm trust. If you are not offered the type of trust you expected, go back and check that you meet the conditions for that type, starting with whether the name you typed resolves correctly.

On the Trust Name page of the New Trust Wizard, why must I type the DNS name of the forest rather than the NetBIOS name?
NetBIOS names, resolved by WINS or by broadcast, are enough for down-level, Windows NT-style trusts inside a single network, and the Wizard accepts a NetBIOS name for an external trust. A forest trust, however, is a Kerberos trust: the domain controllers locate each other through the _msdcs SRV records in DNS, and Kerberos realm names are DNS names, so the Wizard needs the DNS name of the other forest's root domain. If your DNS servers cannot resolve the other forest's namespace, which is usually fixed with a conditional forwarder or stub zone for it on each side, the Wizard cannot find the other forest and the trust cannot be created.
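The DNS requirement described in the answer above is the most common reason a forest trust fails to create, so it is worth checking before you open the Wizard. The following PowerShell is an added example, not code from the original chapter: it resolves the partner forest's _msdcs SRV records, asks the DC locator for a domain controller there, and, if that fails, adds a conditional forwarder on the local DNS server. It assumes fabrikam.com as the partner forest and 192.0.2.10 as its DNS server (both placeholders) and uses the Resolve-DnsName and DnsServer cmdlets that ship with Windows Server 2012 and later.

```powershell
# Added example; not from the original chapter. Pre-flight DNS check for a
# forest trust, plus the usual fix when the partner forest does not resolve.
function Test-PartnerForestDns {
    param([Parameter(Mandatory)][string]$Forest)
    $ok = $true
    # These are the records the Kerberos KDC and the DC locator need; a
    # NetBIOS/WINS answer for the forest name is not enough for a forest trust.
    foreach ($rec in "_ldap._tcp.dc._msdcs.$Forest", "_kerberos._tcp.dc._msdcs.$Forest") {
        try {
            $srv = Resolve-DnsName -Name $rec -Type SRV -ErrorAction Stop | Where-Object { $_.Type -eq 'SRV' }
            if (-not $srv) { throw 'no SRV records in answer' }
            Write-Host ("{0} -> {1}" -f $rec, (($srv | ForEach-Object { $_.NameTarget }) -join ', '))
        } catch {
            Write-Warning "$rec did not resolve: $($_.Exception.Message)"
            $ok = $false
        }
    }
    # nltest asks the locator itself, which is what the Wizard relies on.
    nltest "/dsgetdc:$Forest" /force | Out-Host
    if ($LASTEXITCODE -ne 0) { $ok = $false }
    return $ok
}

# Conditional forwarder for the partner namespace, replicated to every DNS
# server in this forest. The partner must add the mirror image for yours.
function Add-PartnerForwarder {
    param([Parameter(Mandatory)][string]$Forest, [Parameter(Mandatory)][string[]]$PartnerDns)
    if (-not (Get-DnsServerZone -Name $Forest -ErrorAction SilentlyContinue)) {
        Add-DnsServerConditionalForwarderZone -Name $Forest -MasterServers $PartnerDns -ReplicationScope Forest
    }
}

if (-not (Test-PartnerForestDns -Forest 'fabrikam.com')) {
    Add-PartnerForwarder -Forest 'fabrikam.com' -PartnerDns '192.0.2.10'   # placeholder address
    Test-PartnerForestDns -Forest 'fabrikam.com'
}
```

Run it on a domain controller that hosts DNS; the second Test-PartnerForestDns call should print the partner's domain controllers once the forwarder is in place, and only then should you start the New Trust Wizard.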




Create a Shortcut Trust (Continued)
When you create a shortcut trust, verify your selections. Doing so lets you build a working shortcut trust the first time, and the built-in checks in the New Trust Wizard confirm that your users can use the trust and that it behaves reliably as soon as you create it.

Although the two domains in a shortcut trust share a contiguous namespace, you create it with the Wizard in much the same way as an external trust: you choose the direction, and if you create only your side, you set a trust password. A shortcut trust is not automatically two-way; you choose one-way or two-way when you create it, and it is only partially transitive: the child domains beneath the two domains can use it, but it does not extend further. Do not expect a one-way shortcut trust to restrict access from one child domain to the other: both domains remain joined by the forest's two-way transitive trusts, which the shortcut merely bypasses. The trust password you set is independent of any administrative password for the parent or child domains. It is unique to this trust and is used only to match up the two sides; Active Directory rotates the underlying trust account password automatically afterwards.




Create a Shortcut Trust (continued)

The Trust Password page of the Wizard appears.
12 Type the trust password.
13 Type the trust password again in the Confirm trust password field.
14 Click Next.
The Trust Selections Complete page of the Wizard appears.
15 Review the information.
16 Click Next.
The Trust Creation Complete page appears.
17 Review the information.
18 Click Next.


14
                                                            Active Directory Domains and Trusts                         1
                                                                                                                  chapter




                                                                                                                            PART I
    The Confirm Outgoing Trust page
    appears.
(   Click the No, do not confirm the                                     (
    outgoing trust option ( changes to           ).                  •
    •   You can also click the “Yes, confirm
        the outgoing trust” option
        ( changes to ).                                                   )
Note: For more on this option, see the section
        “Create a Forest Trust.”
)   Click Next.                                                                  q
    The Confirm Incoming Trust page
    appears.
q   Click the No, do not confirm the                                                                              w
    incoming trust option ( changes to           ).
w   Click Next.
    Completing the New Trust Wizard page
    appears.
e   Click Finish.
    Windows Server 2003 creates the
    shortcut trust.
                                                                          e
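The same procedure scripted, as an added example that is not part of the book: it creates one half of a shortcut trust from each child domain with a trust password you generate yourself, then verifies that the halves paired up. It uses the System.DirectoryServices.ActiveDirectory classes that ship with .NET 2.0 and later. The domain names sales.willis.local and development.willis.local, the DEVELOPMENT\Administrator account and the assumption that you run it as a Domain Admin of sales.willis.local are placeholders chosen for the example.

```powershell
# Added example (not from the book). Assumes Domain Admins rights in sales.willis.local
# and an administrator account for development.willis.local; both names are placeholders.
[void][System.Reflection.Assembly]::LoadWithPartialName('System.DirectoryServices')

function New-TrustPassword {
    # Generate a random trust password. It is unrelated to any administrator's
    # password and exists only to pair the two halves of one trust.
    param([int]$ByteLength = 32)
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] $ByteLength
    $rng.GetBytes($bytes)
    return [Convert]::ToBase64String($bytes)
}

function Get-DomainWithCredential {
    # Bind to a domain; pass -Credential for the domain you are not logged on to.
    param([string]$DnsName, [System.Management.Automation.PSCredential]$Credential)
    if ($Credential) {
        $ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext(
            'Domain', $DnsName, $Credential.UserName, $Credential.GetNetworkCredential().Password)
    } else {
        $ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $DnsName)
    }
    return [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx)
}

$trustPassword = New-TrustPassword
$sales = Get-DomainWithCredential -DnsName 'sales.willis.local'
$dev   = Get-DomainWithCredential -DnsName 'development.willis.local' `
                                  -Credential (Get-Credential 'DEVELOPMENT\Administrator')

# Each side creates only its own half ("This domain only" in the wizard). The halves
# pair up because both were created with the identical trust password.
$sales.CreateLocalSideOfTrustRelationship($dev.Name,   'Bidirectional', $trustPassword)
$dev.CreateLocalSideOfTrustRelationship(  $sales.Name, 'Bidirectional', $trustPassword)

# Verify both directions at once; an exception here means the halves do not match.
$sales.VerifyTrustRelationship($dev, 'Bidirectional')

# The two domains were already connected through the tree's transitive parent-child
# trusts, so the new trusted domain object shows up as a cross-link (shortcut) trust.
$sales.GetTrustRelationship($dev.Name) |
    Format-List SourceName, TargetName, TrustType, TrustDirection
```

Because the random password is never shown to anyone, there is nothing to reuse or leak later; the domain controllers rotate it on their own schedule after the trust is established.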




When I create a shortcut trust between two child domains in the same domain tree, why do I have issues with security?
    You do not create a shortcut trust to increase the level of security between two child domains in the same tree; a shortcut trust is not a security boundary. Its primary purpose is to give two child domains that frequently access each other's resources a direct authentication path, instead of having every authentication referral travel up through the parent domain and back down. Even if you create a one-way shortcut trust, the two domains still trust each other in both directions, because as members of the same tree they are already joined by the two-way transitive parent-child trusts.

Why does Active Directory periodically change the shortcut trust password for me?
    You can manage trust security manually by periodically resetting the shortcut trust password, but Active Directory does this task for you to ease your burden of administration: the trust account's password is rotated automatically by the domain controllers (by default every 30 days), much as member computers rotate their computer account passwords, and the trusted domain object keeps the previous password as well as the current one so that a rotation does not break the trust. Active Directory has a similar feature for domain users: password policy lets you force users to change passwords at set intervals, require a high level of complexity, and prevent users from reusing recent passwords. For more on configuring password policy for domain users, and creating a user, see Chapter 5.
Validate a Trust

You can validate a trust after you initially create it to verify that the trust relationship functions properly, or to diagnose a potential problem with the trust. You can use this simple method to check the usability of a trust between domains within the same tree or between domains in two separate forests. Trusts are complicated relationships, and if you do not construct them carefully you can end up with a nonworking trust. There are times when you create a trust between two domain trees in a forest, or between two separate forests, and decide not to validate the trust at that point. When you validate a trust between two domains, you are verifying the authentication channel set up between them, that is, the secure channel the domain controllers use for the trust.

You can also determine whether a trust that was previously working is no longer functioning properly. First check the network connections between subnets and separate network infrastructures, and DNS name resolution, to make sure that your domain controllers can all communicate; then investigate the trust relationship itself. Note that you can use the Validate feature as the first step in solving a trust problem, but it only reports whether authentication across the trust succeeds; it does not repair the underlying cause. Although the cause of a trust problem can vary widely, a good starting point is to go back and verify that all the prerequisite conditions for creating the trust (name resolution between the domains, connectivity to their domain controllers, and matching trust passwords on both sides) are still met.



Validate a Trust

1   Click Start.
2   Click Administrative Tools.
3   Click Active Directory Domains and Trusts.
    The Active Directory Domains and Trusts snap-in appears.
4   Right-click the domain name.
5   Click Properties.
    The Domain Properties dialog box appears.
6   Click the trust you want to validate.
7   Click Properties.
    The Trust Properties dialog box appears.
8   Click Validate.
    The Active Directory authentication dialog box appears.
9   Click the Yes, validate the incoming trust option.
10  In the User name field, type the logon name of an administrator of the other domain.
11  In the Password field, type that administrator's password.
12  Click OK.
    A trust validation message appears.
13  Click OK.
    The trust relationship is verified.
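The validation steps above scripted, as an added example that is not part of the book. It first runs the connectivity checks the text recommends, then validates the outgoing direction with your own logon and the incoming direction with an administrator account from the other domain, which is exactly why the Validate dialog asks for those credentials. The names willis.local, development.willis.local and DEVELOPMENT\Administrator are placeholders taken from the screenshots' style; nltest is in the Windows Server 2003 Support Tools and built into later versions.

```powershell
# Added example (not from the book). Run on a domain controller of the trusting domain
# (placeholder willis.local); development.willis.local and the account are placeholders.
[void][System.Reflection.Assembly]::LoadWithPartialName('System.DirectoryServices')

function Test-DomainControllerPath {
    # Before blaming the trust, confirm a DC of the other domain can be located and
    # that our secure channel to that domain answers.
    param([string]$DnsName)
    & nltest /dsgetdc:$DnsName | Out-Null
    $located = ($LASTEXITCODE -eq 0)
    & nltest /sc_verify:$DnsName | Out-Null
    $channelOk = ($LASTEXITCODE -eq 0)
    New-Object PSObject -Property @{ Domain = $DnsName; DcLocated = $located; SecureChannelOk = $channelOk }
}

function Test-TrustDirection {
    # Validate one direction of a trust. Returns a result object instead of throwing,
    # so the two directions can be checked one after the other, as in the snap-in.
    param(
        [System.DirectoryServices.ActiveDirectory.Domain]$Source,
        [System.DirectoryServices.ActiveDirectory.Domain]$Target,
        [System.DirectoryServices.ActiveDirectory.TrustDirection]$Direction
    )
    try {
        $Source.VerifyTrustRelationship($Target, $Direction)
        $ok = $true; $err = $null
    } catch {
        $ok = $false; $err = $_.Exception.Message
    }
    New-Object PSObject -Property @{
        Source = $Source.Name; Target = $Target.Name; Direction = $Direction; Valid = $ok; Error = $err
    }
}

$trusting = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$other    = 'development.willis.local'

Test-DomainControllerPath -DnsName $other

# Outgoing direction: we are the trusting domain, so our own logon is enough.
$ctxAnon    = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $other)
$targetAnon = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctxAnon)
Test-TrustDirection -Source $trusting -Target $targetAnon -Direction Outbound

# Incoming direction: checked from the other domain's side, so it needs an
# administrator of that domain, just as the Validate dialog asks.
$cred       = Get-Credential 'DEVELOPMENT\Administrator'
$ctxAuth    = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext(
                  'Domain', $other, $cred.UserName, $cred.GetNetworkCredential().Password)
$targetAuth = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctxAuth)
Test-TrustDirection -Source $trusting -Target $targetAuth -Direction Inbound

# Command-line equivalent for the outgoing direction:
#   netdom trust willis.local /d:development.willis.local /verify
```

If Test-DomainControllerPath reports that no DC can be located, fix DNS or routing first; a failed trust validation on top of a failed locator tells you nothing new about the trust itself.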




Can I verify both sides of a trust relationship at the same time?
    No. In the Domain Properties dialog box you select either the incoming or the outgoing trust entry and validate that one; you cannot select both at once. You can validate one direction and then the other while the Active Directory Domains and Trusts snap-in is open, or validate the two directions at different times. For example, if you create a trust that users access primarily in one direction, you can validate only that direction now and validate the other later, when you start to use it.

Do I have to have administrative privileges for the other domain in the trust to verify my outgoing trust?
    No. You can verify the outgoing trust from your own domain because you are already authenticated there. You need the credentials of an administrator in the other domain only to verify the incoming trust from that domain to yours. When you verify your outgoing trust, a message asks whether you also want to verify the incoming trust; if you supply the other domain's administrative credentials, that direction is checked as well, and otherwise you verify it in a separate request.
Change Authentication Scope of a Trust

You can create or change a trust between your domain and another domain or forest so that the relationship is no longer domain-wide. With Domain-wide (or, for a forest trust, Forest-wide) authentication, every account in the trusted domain is treated as an authenticated user on every computer in your trusting domain and can then be granted access to resources. With Selective authentication, accounts from the trusted domain can authenticate only to those computers in your domain on which you explicitly grant them the Allowed to Authenticate permission, so you can designate a few users, or just one group or department, to reach specific servers, while the rest of the other domain's users cannot access any of your resources. The Authentication tab that holds this setting appears on external and forest trusts, not on the parent-child or shortcut trusts within a forest.

A forest trust offers two authentication scopes. Forest-wide authentication is the usual choice when both forests belong to the same organization. For example, Cisco owns Linksys, although both organizations maintain their own domain namespace; Cisco and Linksys benefit from a forest trust with forest-wide authentication. Choose Selective authentication when you create a forest trust between two completely separate and independently owned organizations. With this option each organization preserves its own security boundary, and you control exactly which computers in your domain accounts from the other domain may authenticate to, and therefore which of your resources they can reach.




Change Authentication Scope of a Trust

1   Click Start.
2   Click Administrative Tools.
3   Click Active Directory Domains and Trusts.
    The Active Directory Domains and Trusts snap-in appears.
4   Right-click the domain name.
5   Click Properties.
    The Domain Properties dialog box appears.
6   Click the trust you want to change.
7   Click Properties.
    The Trust Properties dialog box appears.
8   Click the Authentication tab.
9   Click the Selective authentication option.
10  Click Apply.
11  Click OK.
    The Authentication Scope is now changed.


How do I ensure that the specific users or groups designated to access the other domain forest can authenticate to that forest?
    You do not hand out a separate logon name and password. The administrator of the trusting (resource) domain grants the Allowed to Authenticate permission to the specific users or groups from the trusted domain on the computer accounts of the servers that hold the resources, using the Security tab of each computer object in Active Directory Users and Computers. Those accounts then authenticate to that server with their normal domain credentials and are subject to the share and NTFS permissions as usual. Accounts that have not been granted the permission are refused at the authentication step: instead of a logon prompt they receive a logon failure stating that the machine is protected by an authentication firewall and the account is not allowed to authenticate to it.

What if I want two different groups in my domain to only have access to separate resources in the other domain forest?
    Have the administrator of the other forest grant each group the Allowed to Authenticate permission only on the computer that hosts its resources: the first group on one server's computer object, the second group on the other's. Allowed to Authenticate only lets an account reach the computer; the Access Control Lists on the shares and files then decide what it can do once there, so on each share add only the intended group and set the permission level you want it to have. For more on access permissions, see Chapter 11.
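Both answers above in script form, as an added example that is not part of the book: it switches a trust to Selective authentication and then grants two groups from the trusted domain the Allowed to Authenticate right on two different servers, so that each group can reach only its own server before share permissions are even consulted. The names willis.local (trusting domain), test.local (trusted domain, as in the screenshot), FILESRV01, APPSRV01 and the TEST\ group names are placeholders; run it on a domain controller of the trusting domain as a Domain Admin.

```powershell
# Added example (not from the book). Domain, server and group names are placeholders.
[void][System.Reflection.Assembly]::LoadWithPartialName('System.DirectoryServices')

# Allowed-To-Authenticate is a control access right with this fixed schema GUID.
$AllowedToAuthenticateGuid = [Guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'

function Set-TrustSelectiveAuthentication {
    # Domain-wide -> Selective (or back). Once enabled, no account from the trusted
    # domain can authenticate to any computer here until it is granted the right.
    param([string]$TrustedDomain, [bool]$Enable)
    $local = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $local.SetSelectiveAuthenticationStatus($TrustedDomain, $Enable)
    return $local.GetSelectiveAuthenticationStatus($TrustedDomain)
}

function Grant-AllowedToAuthenticate {
    # Add the ACE on the computer object (not on the share). Share and NTFS
    # permissions still decide what the account may open after it authenticates.
    param([string]$ComputerDn, [string]$Account)   # $Account like 'TEST\Partner Users'
    $computer = [ADSI]"LDAP://$ComputerDn"
    $identity = New-Object System.Security.Principal.NTAccount($Account)
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $identity,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $AllowedToAuthenticateGuid)
    $computer.psbase.ObjectSecurity.AddAccessRule($rule)
    $computer.psbase.CommitChanges()
}

function Get-AllowedToAuthenticate {
    # Audit helper: who currently holds the right on a given computer object.
    param([string]$ComputerDn)
    $computer = [ADSI]"LDAP://$ComputerDn"
    $computer.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
        Where-Object { $_.ObjectType -eq $AllowedToAuthenticateGuid -and
                       ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) } |
        Select-Object IdentityReference, AccessControlType, IsInherited
}

# Step 1: restrict the trust. Returns True when selective authentication is on.
Set-TrustSelectiveAuthentication -TrustedDomain 'test.local' -Enable $true

# Step 2: one group per server. Partner Users can reach only FILESRV01, Partner
# Developers only APPSRV01; each share's own ACL then limits what they can do.
Grant-AllowedToAuthenticate -ComputerDn 'CN=FILESRV01,CN=Computers,DC=willis,DC=local' -Account 'TEST\Partner Users'
Grant-AllowedToAuthenticate -ComputerDn 'CN=APPSRV01,CN=Computers,DC=willis,DC=local'  -Account 'TEST\Partner Developers'
Get-AllowedToAuthenticate   -ComputerDn 'CN=FILESRV01,CN=Computers,DC=willis,DC=local'

# Command-line equivalent for step 1:
#   netdom trust willis.local /d:test.local /SelectiveAUTH:yes
```

Grant the right to groups rather than to individual users, and audit it with Get-AllowedToAuthenticate whenever the partner relationship changes; the right is easy to forget because it lives on the computer object and never shows up in the share's permissions.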

				