
Understanding Active Directory Domains and Trusts


With Windows Server 2003 Active Directory Domains and Trusts structure, you can control the information flow, access to resources, security, and the type of relationship among different domains, domain trees, and domain forests throughout your enterprise network environment. This can ease your administrative burden of large domains and multi-domain infrastructures, saving time, effort, and expense. When you create a trust relationship between two domains, you can make a link between them that lets authentication passwords through either from one domain to another or both ways between domains. That way, you can be a user in one domain and still authenticate to and access resources on another domain. You can also create an Active Directory replication environment that treats multiple domains as if they were one container.

Active Directory

Active Directory is the Microsoft implementation of directory services that allows you to store and search for any object in your domain or in multiple domains. Active Directory Services categorizes everything in a domain as objects. Objects can include users, computers, printers, servers, file shares, application data, and more. Active Directory objects can be physical or logical objects. All objects are stored in a single file in Active Directory that includes all objects and schema information called ntds.dit. Every Domain Controller in the domain has an exact copy of the ntds.dit database as well as a special shared folder called SYSVOL. The SYSVOL folder inhabits an NTDS partition and contains information regarding Group Policy Objects and login information.

Domains

You can create a domain as a container for all Active Directory objects and isolate them from other parts of your Enterprise network infrastructure. A domain is a security container, an Active Directory database replication boundary, and is the basic container for defining DNS and Internet namespace. With Windows NT, you have to use a domain to define any type of control and administrative container, and you have to create numerous domains for each part of your business network that have differences in security and administration. Starting with Windows 2000 Server domains and continuing with Windows Server 2003, you can create a single domain and still preserve all the security and trust functions that required multiple domains using Windows NT. You can still create multiple domains for security reasons with Windows Server 2003. Other types of container objects serve the same purpose as the numerous domains required under Windows NT.

Domain Controllers

A domain controller is a specialized role for a Windows Server 2003 server. You can promote your server to a domain controller so that it can construct, receive and replicate a copy of the Active Directory database. Your domain controller has information about every object in the domain, and network users can search it to find people, computers, and resources on the domain at all times. The domain controller also constantly updates its database so that users have the most recent information. Finally, the domain controller passes along or replicates its most recent database to other domain controllers as changes occur.

With Windows NT domains, not all domain controllers were equal. In each domain, you had to create a Primary Domain Controller or PDC, which held the master copy of the Active Directory database. All other domain controllers were Backup Domain Controllers, or BDCs, and each BDC held a copy of the database.

Active Directory Domains and Trusts chapter 1

PART I
Trees and Forests

You can create a single domain to make it a complete Active Directory container capable of providing all the resources you need for your business to function with no limitations. You can also create subdomains called child domains. The first domain you create is called the root or parent domain. A root or parent domain can have a namespace such as microsoft.com. A child domain shares the parent domain namespace contiguously and has a name such as sales.microsoft.com. A parent domain with one or more child domains is called a domain tree. One root domain that has a relationship with another root domain is called a domain forest. The two root domains do not have a contiguous namespace and sometimes do not share the same Windows Server operating system Active Directory type. For example, you can make the namespace of two root domains in a domain forest microsoft.com and wiley.com.

Domain Tree Trusts

You can create a trust between one domain and another, which means that users can share resources back and forth between two or more domains as if the resources were all part of one domain container. When you use Windows NT domain trusts, you can only configure a one-way, nontransitive trust between two NT domains. This means you can only create a trust where one domain is trusted and the other domain is trusting. You have to create a separate trust relationship in the other direction between the two domains so they can mutually trust each other. When creating trust, remember that interrelationship does not guarantee trust. For example, you can create a trust relationship between Domain A and Domain B, and another trust between Domain B and Domain C; however, Domain A and Domain C do not automatically trust each other. You must create another, separate trust between A and C before they trust each other. With the introduction of Windows 2000 Server and Windows Server 2003 Active Directory, you can now create two-way transitive trusts automatically between different domains in the same domain tree, so that a trust between A and B is automatically two-way. Further, the trust is transitive: if A and B trust each other and B and C trust each other, A and C automatically trust each other.

Domain Forest Trusts

You can create trust relationships between two unrelated domain trees, but you cannot automatically create two-way transitive trust relationships. You must create forest trust relationships the same way you create domain trust relationships with Windows NT. Because this is a relationship between two unrelated domains, you must carefully create trust relationships with a greater element of security. You can own both domains, maintain separate namespaces, and allow one domain to access resources on a second domain and limit how the second domain accesses resources on the first. Users on any domain with two-way transitive trusts can access any other domain in the forest transparently. A transitive trust is one where two or more parent domains and their child domains all trust each other. The trust at the parent level traverses down to the child domains based on the parent trust. A transparent trust is one where the user is not aware of how the trust relationships traverse numerous domains and domain trees. From their point of view, they can access a child domain in a different tree as if the resource existed in their own domain. For more on forest trusts, see the section "Create a Forest Trust."

Create a Forest Trust

You can use Windows Server 2003 Active Directory to create a forest trust relationship between two separate domains. This allows the two domains to have the same relationship with each other as they do with subdomains within the same domain tree. You can share resources between the two root domains and between subdomains in each of the separate domain trees. For more on forest trusts, see the section "Understanding Active Directory Domains and Trusts" earlier in this chapter.

You can only create a forest trust relationship between two domains running Windows Server 2003 Active Directory. You can create the forest trust only if you raise the forest functional level of both domain trees to Windows Server 2003 Mode. The Windows Server operating systems you use on your domain controllers define the domain tree and forest functional levels or modes and the Active Directory features you can use. For more on domain and forest functional levels, see Chapter 2.

If you want your Windows Server 2003 domain tree to form a trust relationship with a domain using Windows 2000 Server domains or Windows NT Server domains, you can only create an external trust relationship and cannot create a true domain forest.

Create a Forest Trust

1 Click Start.
2 Click Administrative Tools.
3 Click Active Directory Domains and Trusts.
The Active Directory Domains and Trusts snap-in appears.
4 Right-click the domain.
5 Click Properties.
The Domain Properties dialog box appears.
6 Click the Trusts tab.
7 Click New Trust.
The New Trust Wizard appears.
8 Click Next.
The Trust Type page of the Wizard appears.
9 Click the Forest trust option.
10 Click Next.

On the Domain Properties box Trusts tab, how many different trusts can I create there?
You can create as many trust relationships as you want to serve the needs of your domain. For example, you can create independent trust relationships from your domain to several other domains. You can also create different types of trusts from the Trusts tab in the Domain Properties box. You can also limit the number of trusts you create so that you can track which domain trees trust other domain trees. If you lose track of the number and type of trusts you create, you may find it difficult to troubleshoot trust problems.

When do I select the This domain only option on the Sides of Trust page of the New Trust Wizard?
When you click this option, it creates only one side of a trust relationship. You can create only one side of the trust, but you cannot complete the trust relationship until you create the other side of the trust. You use this kind of relationship in situations where you are in partnership with another domain and the other domain does not want to release domain administrator credentials. You and the other domain administrator must separately create the sides of the trust, and then the trust relationship becomes active.

Create a Forest Trust (Continued)

You can custom make a forest trust to meet the specific needs of your domain and another, noncontiguous domain. Doing this tightly controls security access to your domain resources. The trust relationship between your domain and the other domain is actually an authentication relationship. You authenticate onto your domain from a computer by typing your username and password on the logon screen of the computer. The nearest domain controller verifies your credentials and you are then allowed access.

When you create a trust relationship with another domain, you actually create automatic authentication for your users from your domain to the other domain and all the resources it contains. Because you create a trust that is transparent, your users never notice that they are accessing resources outside their domain.

You can create trust relationships that are two-way, one-way incoming, or one-way outgoing. Specific configuration controls allow you to control the level of access security you want between the two domains. When you create a two-way trust, you must have administrator credentials for the other domain to complete trust creation. For more on authentication relationships and transparent trusts, see the section "Understanding Active Directory Domains and Trusts."

Create a Forest Trust (continued)

The Direction of Trust page of the Wizard appears.
11 Click the Two-way option.
• You can also select a One-way direction.
Note: For more on creating a one-way trust, see the section "Create a Shortcut Trust."
12 Click Next.
The Sides of Trust page of the Wizard appears.
13 Click the "Both this domain and the specified domain" option.
14 Click Next.
The User Name and Password page appears.
15 Type the administrator name for the other domain.
16 Type the administrative password for the other domain.
17 Click Next.

The Ongoing Trust Authentication Level – Local Forest page of the Wizard appears.
18 Click the Forest-wide authentication option.
19 Click Next.
The Ongoing Trust Authentication Level – Specified Forest page of the Wizard appears.
20 Click the Forest-wide authentication option.
21 Click Next.

Are all trusts with nonrelated domain trees such as External and Realm trusts considered nontransitive trusts?
No. You can create a forest trust between two domains and you can make your forest trust transitive, but only if you specify this as you step through the Create a New Trust Wizard. This means that the child domains can share the trust relationship as long as you create the trust that way. You can also create an external trust that is not transitive. Instead, the external trust you create is bound between just the two domains and does not involve any of the child domains.

Why do I have to create the authentication level for both the local forest and the specified forest?
If you choose to create both sides of the trust at the same time and have access to the administrator username and password for the other domain, you must approve authentication in both your domain and the other domain as well. This means that you must get the administrative authentication information for the other domain. Otherwise, you can create only one side of the trust and need to have the administrator in the other domain provide authentication for the two-way trust to be implemented.

Create a Forest Trust (Continued)

You can create and verify both the trust selections and the trust itself in order to construct the elements that allow the trust to operate. You can test that trust relationship while you are still using the Create a New Trust Wizard. You can go back and correct any problems you may have introduced to the trust in the Wizard and retest the trust before completing the Wizard and activating the trust relationship.

You can also choose to wait until later to verify the trust, or not verify the trust at all. You can let your users verify the trust in actual use. Using best practice procedures, you should test both sides of the trust inside the Wizard to avoid potential problems. You can also use the information you present in the Wizard to confirm how the trust is configured. You can verify the name of the domains you have set to establish a trust, the direction of the trust, and the trust type. You can verify that you have correctly created the trust authentication levels for both local and specified domains.

Create a Forest Trust (continued)

The Trust Selection Complete page of the Wizard appears.
22 Click Next.
The Trust Creation Complete page of the Wizard appears.
23 Click Next.
The Confirm Outgoing Trust page of the Wizard appears.
24 Click the Yes, confirm the outgoing trust option.
• You can click No when you want to delay confirming trusts until after you create a complex trust structure.
25 Click Next.
The Confirm Incoming Trust page of the Wizard appears.
26 Click the Yes, confirm the incoming trust option.
• You can click the No, do not confirm the incoming trust option.
Note: For more on clicking these options, see the section "Create a Shortcut Trust."
27 Click Next.
The Completing the New Trust Wizard page appears.
28 Click Finish.
Your trust relationship is not complete until authentication changes are replicated to all domain controllers in the forest.

Why would I choose to verify only one side of the trust but not the other?
You can verify only one side of the trust when the other domain administrator wants to verify the other side. You can also choose to verify only one side of the trust if you elect to create only one side of a trust in an External Trust. The New Trust Wizard offers you selections that you use when you create different kinds of trusts. The Confirm Outgoing Trust and Confirm Incoming Trust pages of the New Trust Wizard are where you can verify one, the other, or both sides of the trust.

On the Completing the New Trust Wizard page, why do asterisks appear before the domain names listed?
You have created an authentication situation where anyone in one domain may authenticate to any resource in another domain. In Windows Server 2003, one format used to authenticate to a domain is username@domain.com. The asterisk (*) is a wildcard symbol that means any username that appears before the domain name is considered valid. In other words, jpyles@test.com can authenticate as well as maldridge@test.com. This permits any of your users, computers, or processes on the test.com domain to automatically access the trust without a separate logon process to the other domain.

Create a Shortcut Trust

You can create a shortcut trust that enables users and processes in one child domain to directly access users and resources in a child domain in a different branch of the same domain tree without using the trust relationship structure that goes through the parent domain. This allows your users to access processes faster than when using the traditional two-way transitive trust relationship. This is because the traditional relationship processes users' resource queries up one branch of the domain tree, through the root, and down the other branch.

When you create a trust, even in the same tree, you are really creating an authentication process between the parent domain and each of the individual child domains. You are not aware of it because you created a trust that is automatically transitive and transparent. For example, the domain called engineers.research.microsoft.com needs to access the domain called programmers.development.microsoft.com. Each part of the namespace represents part of the authentication process that your users must traverse. You can create a path that allows engineers and programmers to trust each other as if they were the only two domains in the tree. For more on transitive and transparent trusts, see the section "Understanding Active Directory Domains and Trusts."
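The trust rules described here and in the earlier Domain Tree Trusts and Domain Forest Trusts sections (Windows NT one-way nontransitive trusts, two-way transitive parent-child trusts, the forest trust between microsoft.com and wiley.com, and the shortcut that bypasses the root) can be checked with a small trust-path model. The following Python is an added example, not code from the book or from Microsoft; the legacy domain NTLEGACY is constructed, and the rule that a chain may contain at most one forest-trust hop is an assumption that goes beyond the chapter.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Trust:
    trusting: str     # holds the resources; accepts logons from the trusted side
    trusted: str      # its users may authenticate to the trusting domain
    transitive: bool  # may be chained with other transitive trusts
    kind: str         # "parent-child", "forest", "external" or "shortcut"


class TrustModel:
    """Directed trust graph. A two-way trust is stored as two one-way edges."""

    def __init__(self) -> None:
        self.trusts: list[Trust] = []

    def add(self, trusting: str, trusted: str, *, two_way: bool,
            transitive: bool, kind: str) -> None:
        self.trusts.append(Trust(trusting, trusted, transitive, kind))
        if two_way:
            self.trusts.append(Trust(trusted, trusting, transitive, kind))

    def add_tree(self, parent: str, child: str) -> None:
        """Windows 2000/2003 parent-child trust: always two-way and transitive."""
        self.add(parent, child, two_way=True, transitive=True, kind="parent-child")

    def auth_path(self, resource_domain: str, user_domain: str):
        """Shortest chain of domains a logon from user_domain crosses to reach a
        resource in resource_domain, or None when no trust path exists. A single
        hop may use any trust; every hop of a longer chain must be transitive.
        Assumption beyond the chapter (real AD behaviour): a forest trust never
        carries on into a third forest, so at most one forest hop per chain."""
        if resource_domain == user_domain:
            return [resource_domain]
        for t in self.trusts:                      # direct trust, transitive or not
            if t.trusting == resource_domain and t.trusted == user_domain:
                return [resource_domain, user_domain]
        queue = deque([([resource_domain], 0)])    # (path so far, forest hops used)
        seen = {(resource_domain, 0)}
        while queue:
            path, forest_hops = queue.popleft()
            for t in self.trusts:
                if t.trusting != path[-1] or not t.transitive:
                    continue
                hops = forest_hops + (1 if t.kind == "forest" else 0)
                if hops > 1 or (t.trusted, hops) in seen:
                    continue
                seen.add((t.trusted, hops))
                if t.trusted == user_domain:
                    return path + [t.trusted]
                queue.append((path + [t.trusted], hops))
        return None


def nt_style_trusts() -> tuple:
    """Windows NT: A trusts B and B trusts C, each one-way and nontransitive.
    Returns (B's users can reach A, C's users can reach A), i.e. (True, False)."""
    m = TrustModel()
    m.add("A", "B", two_way=False, transitive=False, kind="external")
    m.add("B", "C", two_way=False, transitive=False, kind="external")
    return m.auth_path("A", "B") is not None, m.auth_path("A", "C") is not None


def chapter_forest() -> TrustModel:
    """The chapter's namespaces: the microsoft.com tree with the engineers and
    programmers child domains, a forest trust to wiley.com, and a constructed
    NT-style external trust from wiley.com to the legacy domain NTLEGACY."""
    m = TrustModel()
    m.add_tree("microsoft.com", "research.microsoft.com")
    m.add_tree("research.microsoft.com", "engineers.research.microsoft.com")
    m.add_tree("microsoft.com", "development.microsoft.com")
    m.add_tree("development.microsoft.com", "programmers.development.microsoft.com")
    m.add_tree("wiley.com", "sales.wiley.com")
    m.add("microsoft.com", "wiley.com", two_way=True, transitive=True, kind="forest")
    m.add("wiley.com", "NTLEGACY", two_way=False, transitive=False, kind="external")
    return m


def shortcut_effect() -> tuple:
    """Hops an engineers.research logon crosses to reach programmers.development,
    before and after a one-way shortcut trust as the chapter describes: (4, 1)."""
    m = chapter_forest()
    eng = "engineers.research.microsoft.com"
    prog = "programmers.development.microsoft.com"
    before = len(m.auth_path(prog, eng)) - 1       # up through the root and down again
    m.add(prog, eng, two_way=False, transitive=False, kind="shortcut")
    after = len(m.auth_path(prog, eng)) - 1
    return before, after
```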

Create a Shortcut Trust

1 Click Start.
2 Click Administrative Tools.
3 Click Active Directory Domains and Trusts.
The Active Directory Domains and Trusts snap-in appears.
4 Right-click the domain name.
5 Click Properties.
The Domain Properties dialog box opens.
6 Click New Trust.
The New Trust Wizard appears.
7 Click Next.
The Trust Name page of the Wizard appears.
8 In the Name field, type the name of the other domain (the example screen shows research.test.local).
9 Click Next.
The Sides of Trust page of the Wizard appears.
10 Click the This domain only option.
11 Click Next.

How does the Create a New Trust Wizard know what kind of trust to create?
The Wizard uses your selections to determine which types of trusts to offer you. When you type the name of a child domain in the Wizard, you indicate the type of trust you want to create. The Wizard accesses the Active Directory domain tree topology, identifies the domain you have indicated is a child domain, and determines that the only type of trust you can create is a shortcut trust. If you are not offered the expected type of trust when you run the Wizard, you must go back and determine if you met all the required conditions for this type of trust.

On the Trust Name page of the New Trust Wizard, why must I type the DNS name of the forest rather than the NetBIOS name?
You can use NetBIOS name resolution inside of a single domain or domain tree. The Windows Internet Name Server (WINS) can provide hostname to address resolution within the domain. You can use WINS servers in a single Windows domain to let hosts locate each other without the use of Domain Name Services (DNS) servers. Two or more forests are connected by WAN links including the Internet, and any traffic routed across Wide Area Networks requires DNS hostname to address resolution. If you do not use the DNS name of a forest for a forest trust, your domain will not be able to find the other domain.

Create a Shortcut Trust (Continued)

When you create a shortcut trust, you can verify your selections. Verifying the selections you make allows you to construct a correctly working shortcut trust the first time. By using the built-in checking features in the New Trust Wizard, you ensure that your users can use the trust and have it behave reliably as soon as you create it.

Although the two domains in the shortcut trust share a contiguous namespace, you create a shortcut trust with the Wizard in the same way you create any external trust. The shortcut trust is nontransitive and not automatically two-way because you bypass the two-way transitive features of the standard domain tree trust. While it might seem as if you can restrict access of one domain to the other by creating a one-way trust, both child domains are still part of the two-way transitive trust created when the domain tree was made. You must configure a password for the trust with this type of trust. The password is independent of the administrative password that accesses the parent or any of the child domains. The shortcut trust password is unique to the specific trust you create.

Create a Shortcut Trust (continued)

The Trust Password page of the Wizard appears.
12 Type the trust password.
13 Type the trust password again in the Confirm trust password field.
14 Click Next.
The Trust Selections Complete page of the Wizard appears.
15 Review the information.
16 Click Next.
The Trust Creation Complete page appears.
17 Review the information.
18 Click Next.
The Confirm Outgoing Trust page appears.
19 Click the No, do not confirm the outgoing trust option.
• You can also click the "Yes, confirm the outgoing trust" option.
Note: For more on this option, see the section "Create a Forest Trust."
20 Click Next.
The Confirm Incoming Trust page appears.
21 Click the No, do not confirm the incoming trust option.
22 Click Next.
The Completing the New Trust Wizard page appears.
23 Click Finish.
Windows Server 2003 creates the shortcut trust.

When I create a shortcut trust between two child domains in the same domain tree, why do I have issues with security?
You do not create a shortcut trust to increase the level of security between two child domains in the same tree. While it is true that you do not have to create a two-way trust automatically between the two child domains using the shortcut trust, the primary purpose of the trust is to create a direct authentication link between two child domains that frequently access resources between their two domains. Even if you created a one-way shortcut trust, they still have a two-way transitive trust relationship because they belong to the same tree.

Why does Active Directory periodically change the shortcut trust password for me?
You can manage trust security manually by periodically changing the shortcut trust password, but Active Directory offers to do this task for you to ease your burden of administration. Active Directory has a similar feature where you specify the password account features for domain users. You can configure password accounts to automatically force users to change passwords at certain periods, enforce a high level of complexity in passwords and prevent users from using the same password too often. For more on configuring password accounts for domain users, and creating a user, see Chapter 5.

Validate a Trust

You can validate a trust after you initially create it to verify that the trust relationship functions properly or to diagnose a potential problem with the trust. You can use this simple method to establish the usability of a trust relationship between domains within the same tree or domains in two separate forests. Trusts are very complicated relationships and if you do not construct them carefully, you can have a nonworking trust.

There are times when you may create a trust between two domain trees in a forest or two separate domain forests and you decide not to validate the trust relationship. When you validate a trust between two domains, you are verifying the authentication set up between the domains.

You can also determine if a trust relationship, which was previously working, is no longer functioning properly. You first check the network connections between network subnets and separate network infrastructures to make sure that your domain controllers are all communicating. You then can investigate the trust relationship. Please note that you can use the validate a trust feature as the first step in solving a trust problem, but that function cannot repair any problem you find. Although the cause of a trust relationship problem can be widely varied, you can go back and verify that all of the prerequisite conditions for creating the trust have been met.

Validate a Trust

1 Click Start.
2 Click Administrative Tools.
3 Click Active Directory Domains and Trusts.
The Active Directory Domains and Trusts snap-in appears.
4 Right-click the domain name.
5 Click Properties.
The Domain Properties dialog box appears.
6 Click the trust you want to validate (the example screen lists development.willis.local, trust type Child, transitive Yes).
7 Click Properties.
The Trust Properties dialog box appears (for willis.local in the example).
8 Click Validate.
The Active Directory authentication dialog box appears.
9 Click the Yes, validate the incoming trust option.
10 In the User name field, type the administrator logon name.
11 In the Password field, type the administrative password.
12 Click OK.
A trust validation message appears.
13 Click OK.
The trust relationship is verified.

Can I verify both sides of a trust relationship at the same time?
No. You can use the Domain Properties dialog box to choose either the incoming or the outgoing trust and then verify that trust. You cannot select both trust relationships at the same time. You can verify one trust direction and the other trust direction, one after the other, while the Active Directory Domains and Trusts snap-in is open. You can also verify different sides of a trust at different times. For example, if you create a trust that users primarily access in one direction and not the other, you can verify only that one direction. If you want to later use the other direction, you can verify it then.

Do I have to have administrative privileges for the other domain in the trust to verify my outgoing trust?
No. You can verify the outgoing trust from your domain because you already are authenticated. You only need the credentials of other domain administrators to access their domains and to verify the incoming trusts from them to you. When you verify your outgoing trust, a message appears asking if you also want to verify the incoming trust. You can verify the incoming trust, but you have to verify the outgoing trust in a separate request.

Change Authentication Scope of a Trust

You can construct or change a trust relationship between your domain and another domain entity so that the relationship is no longer domain-wide. Doing so restricts access to secure resources to the other domain. You can designate a few users, or just one group or department, the authority to authenticate with the other domain through the trust relationship so that most users on your domain cannot access resources on the other domain forest.

You can only choose two different forest trust authentication types. You can choose Forest-wide authentication, which is the preference for situations where both domain forests belong to the same organization. For example, Cisco owns Linksys, although both organizations maintain their own domain namespace. Cisco and Linksys benefit from having a forest trust.

You can choose Selective authentication when you want to create a forest trust between two completely separate and independently owned organizations. With this option, you can preserve the security of each organization. You have control of exactly which types of resources on your domain you allow the other domain to access.

Change Authentication Scope of a Trust

1 Click Start.
2 Click Administrative Tools.
3 Click Active Directory Domains and Trusts.
The Active Directory Domains and Trusts snap-in appears.
4 Right-click the domain name.
5 Click Properties.
The Domain Properties dialog box appears.
6 Click the trust you want to change (the example screen lists test.local, trust type External, transitive No).
7 Click Properties.
The Trust Properties dialog box appears.
8 Click the Authentication tab.
9 Click the Selective authentication option.
10 Click Apply.
11 Click OK.
The Authentication Scope is now changed.

How do I ensure that the specific users or groups designated to access the other domain forest can authenticate to that forest?
You can provide the specific authentication logon name and password only to those groups you want to have access. In order to do this, you must add the users or groups to the Access Control Lists (ACLs) of the services or resources you want them to access. When any of your domain users attempt to access the shares in the other domain forest, instead of automatically being authenticated, they see a logon screen. Users without access do not know the proper username and password to log on to the other domain forest through Selective Authentication.

What if I want two different groups in my domain to only have access to separate resources in the other domain forest?
You can give both groups access to the selective authentication username and password credentials for the other forest domain shares. In the Properties box for the resources you want a particular user or group to access, you must add that user or group to the Access Control List and set the permission level you want them to have. You can then set the access control lists for the separate shares so that only one selected group from your domain has any access to that share, using the access control lists for each share in the other forest. For more on access permissions, see Chapter 11.
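The asterisk wildcard explained in the Q&A after "Create a Forest Trust" (any username before a routed domain name is accepted) and the Forest-wide versus Selective authentication choice of this section decide together whether a cross-forest logon succeeds. The following Python is an added example modelling that decision; it is not code from the book or from Microsoft, and the forests test.com and test.local, the Engineers group, and the server name are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class ForestTrust:
    forest: str                   # DNS name of the other forest root (the wizard needs DNS, not NetBIOS)
    routed_suffixes: set          # suffixes the wizard lists with a leading "*", e.g. "*.test.com"
    selective_auth: bool = False  # False means Forest-wide authentication
    # resource name -> principals granted Allowed to Authenticate on it (constructed model)
    allowed_to_authenticate: dict = field(default_factory=dict)


def suffix_matches(upn_domain: str, routed: str) -> bool:
    """'*.test.com' covers test.com itself and every child domain such as sales.test.com."""
    base = routed[2:].lower() if routed.startswith("*.") else routed.lower()
    domain = upn_domain.lower()
    return domain == base or domain.endswith("." + base)


def route_logon(upn: str, trusts: list):
    """Pick the trust whose routed suffix covers the domain part of the UPN.
    The most specific (longest) suffix wins; no match means no trust carries the logon."""
    if upn.count("@") != 1:
        return None
    domain = upn.split("@")[1]
    best = None
    for trust in trusts:
        for suffix in trust.routed_suffixes:
            if suffix_matches(domain, suffix) and (best is None or len(suffix) > len(best[1])):
                best = (trust, suffix)
    return best[0] if best else None


def may_authenticate(upn: str, groups: set, resource: str, trusts: list) -> bool:
    """Forest-wide authentication admits every routed user, which is what the '*'
    before the domain name on the wizard's final page means. Selective
    authentication additionally requires the user, or one of its groups, to hold
    Allowed to Authenticate on the specific resource being accessed."""
    trust = route_logon(upn, trusts)
    if trust is None:
        return False
    if not trust.selective_auth:
        return True
    allowed = trust.allowed_to_authenticate.get(resource, set())
    return upn in allowed or bool(allowed & groups)


# Constructed scenario: test.com is a partner forest trusted forest-wide;
# test.local belongs to an independent organization, so its trust uses
# selective authentication and only the Engineers group may reach the file server.
TRUSTS = [
    ForestTrust("test.com", {"*.test.com"}),
    ForestTrust("test.local", {"*.test.local"}, selective_auth=True,
                allowed_to_authenticate={"\\\\fileserver": {"TEST\\Engineers"}}),
]
```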
