With Windows Server 2003 Active Directory

Understanding Active Directory

Domains and Trusts

Active Directory

Active Directory is the Microsoft implementation of directory services that allows you to store and search for any object in your domain or in multiple domains. Active Directory Services categorizes everything in a domain as objects. Objects can include users, computers, printers, servers, file shares, application data, and more. Active Directory objects can be physical or logical objects. All objects are stored in a single file in Active Directory that includes all objects and schema information called ntds.dit. Every Domain Controller in the domain has an exact copy of the ntds.dit database as well as a special shared folder called SYSVOL. The SYSVOL folder inhabits an NTDS partition and contains information regarding Group Policy Objects and login information.

Domains

You can create a domain as a container for all Active Directory objects and isolate them from other parts of your Enterprise network

infrastructure. A domain is a security container, an Active Directory database replication boundary, and is the basic container for defining DNS and Internet namespace. With Windows NT, you have to use a domain to define any type of control and administrative container and you have

to create numerous domains for each part of your business network that have differences in security and

administration. Starting with Windows 2000 Server domains and continuing with Windows Server 2003, you can create a single domain and still preserve all the security and trust functions that required multiple domains using Windows NT. You can still create multiple domains for security reasons with Windows Server 2003. Other types of container objects serve the same purpose as the numerous domains required under Windows NT.

Domain Controllers

A domain controller is a specialized role for a Windows Server 2003 server. You can promote your server to a domain controller so that it can construct, receive and replicate a copy of the Active Directory database. Your domain controller has information about every object in the domain, and network users can search it to find people, computers, and resources on the domain at all times. The domain controller also constantly updates its database so that users have the most recent information. Finally, the domain controller passes along or replicates its most recent database to other domain

controllers as changes occur. With Windows NT domains, not all domain controllers were equal. In each domain, you had to create a Primary Domain Controller or PDC, which held the master copy of the Active Directory database. All other domain controllers were Backup Domain Controllers, or BDCs, and each BDC held a copy of the database.

W

ith Windows Server 2003 Active Directory Domains and Trusts structure, you can control the information flow, access to resources, security, and the type of relationship among different domains, domain trees, and domain forests throughout your enterprise network environment. This can ease your administrative burden of large domains and multi-domain infrastructures, saving time, effort, and expense. When you

create a trust relationship between two domains, you can make a link between them that lets authentication passwords through either from one domain to another or both ways between domains. That way, you can be a user in one domain and still authenticate to and access resources on another domain. You can also create an Active Directory replication environment that treats multiple domains as if they were one container.

Trees and Forests

You can create a single domain to make it a complete Active Directory container capable of providing all the resources you need for your business to function with no limitations. You can also create subdomains called child

domains. The first domain you create is called the root or parent domain. A root or parent domain can have a

namespace such as microsoft.com. A child domain shares the parent domain namespace contiguously and has a name such as sales.microsoft.com. A parent domain with one or more child domains is called a domain tree. One root domain that has a relationship with another root domain is called a domain forest. The two root domains do not have a contiguous namespace and sometimes do not share the same Windows Server operating system Active Directory type. For example, you can make the namespace of two root domains in a domain forest microsoft.com and wiley.com.

Domain Tree Trusts

You can create a trust between one domain and another, which means that users can share resources back and forth between two or more domains as if the resources were all part of one domain container. When you use Windows NT domain trusts, you can only configure a one-way,

nontransitive trust between two NT domains. This means you can only create a trust where one domain is trusted and the other domain is trusting. You have to create a separate trust relationship in the other direction between the two domains so they can mutually trust each other. When creating trust, remember that interrelationship does not guarantee trust. For example, you can create a trust relationship between Domain A and Domain B, and another trust between Domain B and Domain C; however, Domain A and Domain C do not automatically trust each other. You must create another, separate trust between A and C before they trust each other. With the introduction of Windows 2000 Server and Windows Server 2003 Active Directory, you can now create two-way transitive trusts automatically between different domains in the same domain tree so that a trust between A and B is automatically two-way. Further, you have a trust where if B and C trust each other, A and C automatically trust each other.

Domain Forest Trusts

You can create trust relationships between two unrelated domain trees, but you cannot automatically create two-way transitive trust relationships. You must create forest trust relationships the same way you create domain trust relationships with Windows NT. Because this is a relationship between two unrelated domains, you must carefully create trust relationships with a greater element of security. You can own both domains, maintain separate namespaces, and allow one domain to access resources on a second domain and limit how the second domain accesses resources on the first. Users on any domain with two-way transitive trusts can access any other domain in the forest transparently. A transitive trust is one where two or more parent domains and their child domains all trust each other. The trust at the parent level transverses down to the child domains based on the parent trust. A transparent trust is one where the user is not aware of how the trust relationships transverse numerous domains and domain trees. From their point of view, they can access a child domain in a different tree as if the resource existed in their own domain. For more on forest trusts, see the section “Create a Forest Trust.”

Create a

Forest Trust

Y

ou can use Windows Server 2003 Active Directory to create a forest trust relationship between two separate domains. This allows the two domains to have the same relationship with each other as they do with subdomains within the same domain tree. You can share resources between the two root domains and between subdomains in each of the separate domain trees. For more on forest trusts, see the section “Understanding Active Directory Domains and Trust” earlier in this chapter. You can only create a forest trust relationship between two domains running Windows Server 2003 Active Directory.

You can create the forest trust only if you raise the forest functional level of both domain trees to Windows Server 2003 Mode. The Windows Server operating systems you use on your domain controllers defines the domain tree and forest functional levels or modes and the Active Directory features you can use. For more on domain and forest functional levels, see Chapter 2.

If you want your Windows Server 2003 domain tree to form a trust relationship with a domain using Windows 2000 Server domains or Windows NT Server domains, you can only create an external trust relationship and cannot create a true domain forest.

1

4

5

2

3

Administrative Tools

1

Click Start.

2

Click Administrative Tools.

3

Click Active Directory Domains and Trusts.

Create a Forest Trust

The Active Directory Domains and Trusts snap-in appears.

4

Right-click the domain.

appears.

6

Click the Trusts tab.

7

Click New Trust

I

8

7

0

9

The New Trust Wizard appears.

8

Click Next.

The Trust Type page of the Wizard appears.

9

Click the Forest trust option ( changes to ).

0

Click Next.

On the Domain Properties box Trusts tab, how many different trusts can I create there?

You can create as many trust relationships as you want to serve the needs of your

domain. For example, you can create independent trust relationships from your domain to serveral other domains. You can also create different types of trusts from the Trusts tab in the Domain Properties box. You can also limit the number of trusts you create so that you can track which domain trees trust other domain trees. If you lose track of the number and type of trusts you create, you may find it difficult to

troubleshoot trust problems.

When do I select the This domain only option on the Sides of Trust page of the New Trust Wizard?

Create a Forest Trust

(Continued)

Y

ou can custom make a forest trust to meet the specific needs of your domain and another, noncontiguous domain. Doing this tightly controls security access to your domain resources. The trust relationship between your domain and the other domain is actually an authentication relationship. You authenticate onto your domain from a computer by typing your username and password on the logon screen of the computer. The nearest domain controller verifies your credentials and you are then allowed access.

When you create a trust relationship with another domain, you actually create automatic authentication for your users

from your domain to the other domain and all the resources it contains. Because you create a trust that is transparent, your users never notice that they are accessing resources outside their domain.

You can create trust relationships that are two-way, one-way incoming, or one-way outgoing. Specific configuration controls allow you to control the level of access security you want between the two domains. When you create a two-way trust, you must have administrator credentials for the other domain to complete trust creation.

For more on authentication relationships and transparent trusts, see the section “Understanding Active Directory Domains and Trusts.”

&

#

%^

@

$

!

• •

The Direction of Trust page of the Wizard appears.

!

Click the Two-way option ( changes to ).

•

You can also select a One-way direction.

Note:

For more on creating a one-way trust, see the section “Create a Shortcut Trust.”

@

Click Next.

The Sides of Trust page of the Wizard appears.

#

Click the “Both this domain and the specified domain” option ( changes to ).

$

Click Next.

The User Name and Password page appears.

%

Type the administrator name for the other domain.

^

Type the administrative password for the other domain.

&

Click Next.

Local Forest page of the Wizard appears.

*

Click the Forest-wide authentication option ( changes to ).

(

Click Next.

I

(

q

*

)

Are all trusts with nonrelated domain trees such as External and Realm trusts considered nontransitive trusts?

No. You can create a forest trust between two domains and you can make your forest trust transitive, but only if you specify this as you step through the Create a New Trust Wizard. This means that the child domains can share the trust relationship as long as you create the trust that way. You can also create an external trust that is not transitive. Instead, the external trust you create is bound between just the two domains and does not invole any of the child domains.

Why do I have to create the

authentication level for both the local forest and the specified forest?

If you choose to create both sides of the trust at the same time and have access to the administrator username and password for the other domain, you must approve authentication in both your domain and the other domain as well. This means that you must get the administrative authentication information for the other domain.

Otherwise, you can create only one side of the trust and need to have the administrator in the other domain provide authentication for the two-way trust to be implemented. The Ongoing Trust Authentication Level –

Specified Forest page of the Wizard appears.

)

Click the Forest-wide authentication option ( changes to ).

Create a Forest Trust

(Continued)

Y

ou can create and verify both the trust selections and the trust itself in order to construct the elements that allow the trust to operate. You can test that trust relationship while you are still using the Create a New Trust Wizard. You can go back and correct any problems you may have introduced to the trust in the Wizard and retest the trust before completing the Wizard and activating the trust relationship.

You can also choose to wait until later to verify the trust, or not verify the trust at all. You can let your users verify the

trust in actual use. Using best practice procedures, you should test both sides of the trust inside the Wizard to avoid potential problems. You can also use the information you present in the Wizard to confirm how the trust is

configured. You can verify the name of the domains you have set to establish a trust, the direction of the trust, and the trust type. You can verify that you have correctly created the trust authentication levels for both local and specified domains.

w

e

t

r

•

•

The Trust Selection Complete page of the Wizard appears.

w

Click Next.

Create a Forest Trust (continued)

The Trust Creation Complete page of the Wizard appears.

e

Click Next.

The Confirm Outgoing Trust page of the Wizard appears.

r

Click the Yes, confirm the outgoing trust option ( changes to ).

•

You can click No ( changes to ) when you want to delay confirming trusts until after you create a complex trust structure.

Wizard appears.

y

Click the Yes, confirm the incoming trust option ( changes to ).

•

You can click No, do not confirm the outgoing trust option ( changes to ).

Note:

For more on clicking these options, see the section, “Create a Shortcut Trust.”

u

Click Next.

I

u

i

y

•

•

The Completing the New Trust Wizard appears.

i

Click Finish.

Your trust relationship is not complete until authentication changes are replicated to all domain controllers in the forest.

Why would I choose to verify only one side of the trust but not the other?

You can verify only one side of the trust when the other domain administer wants to verify the other side. You can also choose to verify only one side of the trust if you elect to create only one side of a trust in an External Trust. The New Trust Wizard offers you selections that you use when you create different kinds of trusts. The Confirm Outgoing Trust and Confirm Incoming Trust pages of the New Trust Wizard are where you can verify one, the other, or both sides of the trust.

On the Completing the New Trust Wizard page, why do astericks appear before the domain names listed.

You have created an authentication situation where anyone in one domain may

authenticate to any resource in another domain. In Windows Server 2003, one format used to authenticate to a domain is username@domain.com. The asterick (*) is a wildcard symbol that means any username that appears before the domain name is considered valid. In other words,

Create a

Shortcut Trust

Y

ou can create a shortcut trust that enables users

and processes in one child domain to directly access users and resources in a child domain in a different branch of the same domain tree without using the trust relationship structure that goes through the parent domain. This allows your users to access processes faster than when using the traditional two-way transitive trust relationship. This is because the traditional relationship processes users’ resource queries up one branch of the domain tree, through the root, and down the other branch. When you create a trust, even in the same tree, you are really creating an authentication process between the

parent domain and each of the individual child domains. You are not aware of it because you created a trust that is automatically transitive and transparent. For example, the domain called engineers.research.microsoft.com needs to access the domain called programmers.development. microsoft.com. Each part of the namespace represents part of the authentication process that your users must traverse. You can create a path that allows engineers and

programmers to trust each other as if they were the only two domains in the tree.

For more on transitive and transparent trusts, see the section “Understanding Active Directory Domains and Trust.

1

4

5

6

2

3

Administrative Tools

1

Click Start.

2

Click Administrative Tools.

3

Click Active Directory Domains and Trusts.

Create a Shortcut Trust

The Active Directory Domains and Trust snap-in appears.

4

Right-click the domain name.

5

Click Properties.

The Domain Properties dialog box opens.

7

Click Next.

I

7

9

!

8

0

research.test.local

The Sides of Trust page of the Wizard appears.

0

Click the This domain only option ( changes to ).

!

Click Next.

The Trust Name page of the Wizard appears.

8

In the Name field, type the name of the other domain.

9

Click Next.

How does the Create a New Trust Wizard know what kind of trust to create?

The Wizard uses your selections to

determine which types of trusts to offer you. When you type the name of a child domain in the Wizard, you indicate the type of trust you want to create. The Wizard accesses the Active Directory domain tree topology, identifies the domain you have indicated is a child domain and determines that the only type of trust you can create is a shortcut trust. If you are not offered the expected type of trust when you run the Wizard, you must go back and determine if you met all the required conditions for this type of trust.

On the Trust Name page of the New Trust Wizard, why must I type the DNS name of the forest rather than the NetBIOS name?

Create a Shortcut Trust

(Continued)

W

hen you create a shortcut trust, you can verify your selections. Verifying the selections you make allows you to construct a correctly working shortcut trust the first time. By using the built-in checking features in the New Trust Wizard, you ensure that your users can use the trust and have it behave reliably as soon as you create it.

Although the two domains in the shortcut trust share a contiguous namespace, you create a shortcut trust with the Wizard in the same way you create any external trust. The

shortcut trust is nontransitive and not automatically two-way because you bypasss the two-two-way transitive features of the standard domain tree trust. While it might seem as if you can restrict access of one domain to the other by creating a one-way trust, both child domains are still part of the two-way transitive trust created when the domain tree was made. You must configure a password for the trust with this type of trust. The password is independent of the administrative password that accesses the parent or any of the child domains. The shortcut trust password is unique to the specific trust you create.

$

^

*

%

@

#

&

The Trust Password page of the Wizard appears.

@

Type the trust password.

#

Type the trust password again in the Confirm trust password field.

$

Click Next.

The Trust Selections Complete page of the Wizard appears.

%

Review the information.

^

Click Next.

Create a Shortcut Trust (continued)

The Trust Creation Complete page appears.

&

Review the information.

appears.

(

Click the No, do not confirm the

outgoing trust option ( changes to ).

•

You can also click the “Yes, confirm the outgoing trust” option ( changes to ).

Note:

For more on this option, see the section “Create a Forest Trust.”

)

Click Next.

The Confirm Incoming Trust page appears.

q

Click the No, do not confirm the

incoming trust option ( changes to ).

w

Click Next.

Completing the New Trust Wizard page appears.

e

Click Finish.

Windows Server 2003 creates the shortcut trust.

I

)

w

e

q

(

•

•

When I create a shortcut trust between two child domains in the same domain tree, why do I have issues with security?

You do not create a shortcut trust to increase the level of security between two child domains in the same tree. While it is true that you do not have to create a two-way trust automatically between the two child domains using the shortcut trust, the primary purpose of the trust is to create a direct authentication link between two child domains that frequently access resources between their two domains. Even if you created a one-way shortcut trust, they still have a two-way transitive trust relationship because they belong to the same tree.

Why does Active Directory periodically change the shortcut trust password for me?

You can manage trust security manually by periodically changing the shortcut trust password, but Active Directory offers to do this task for you to ease your burden of administration. Active Directory has a similar feature where you specify the password account features for domain users. You can configure password accounts to

automatically force users to change

passwords at certain periods, enforce a high level of complexity in passwords and prevent users from using the same password too often. For more on configuring

Validate

a Trust

Y

ou can validate a trust after you initially create it to verify that the trust relationship functions properly or to diagnose a potential problem with the trust. You can use this simple method to establish the usability of a trust relationship between domains within the same tree or domains in two separate forests. Trusts are very

complicated relationships and if you do not construct them carefully, you can have a nonworking trust.

There are times when you may create a trust between two domain trees in a forest or two separate domain forests and you decide not to validate the trust relationship. When you validate a trust between two domains, you are verifying the authentication set up between the domains.

You can also determine if a trust relationship, which was previously working, is no longer functioning properly. You first check the network connections between network subnets and separate network infrastructures to make sure that your domain controllers are all communicating. You then can investigate the trust relationship. Please note that you can use the validate a trust feature as the first step in solving a trust problem, but that function cannot repair any problem you find. Although the cause of a trust relationship problem can be widely varied, you can go back and verify that all of the prerequisite conditions for creating the trust have been met.

1

4

5

6

7

2

3

Administrative Tools

development.willis.local Child Yes

1

Click Start.

2

Click Administrative Tools.

3

Click Active Directory Domains and Trusts.

Validate a Trust

The Active Directory Domains and Trusts snap-in appears.

4

Right-click the domain name.

5

Click Properties.

The Domain Properties dialog box appears.

6

Click the trust you want to validate.

8

Click Validate.

I

8

9

!

@

#

0

willis.local

The Active Directory authentication dialog box appears.

9

Click the Yes, validate the incoming trust option ( changes to ).

0

In the User name field, type the administrator logon name.

!

In the Password field, type the administrative password.

@

Click OK.

A trust validation message appears.

#

Click OK.

The trust relationship is verified.

Can I verify both sides of a trust relationship at the same time?

No. You can use the Domain Properties dialog box to choose either the incoming or the outgoing trust and then verify that trust. You cannot select both trust relationships at the same time. You can verify one trust direction and the other trust direction, one after the other, while the Active Directory Domains and Trusts snap-in is open. You can also verify different sides of a trust at different times. For example, if you create a trust that users primarily access in one direction and not the other, you can verify only that

Do I have to have administrative privileges for the other domain in the trust to verify my outgoing trust?

Change Authentication

Scope of a Trust

Y

ou can construct or change a trust relationship between your domain and another domain entity so that the relationship is no longer domain-wide. Doing so restricts access to secure resources to the other domain. You can designate a few users, or just one group or department, the authority to authenticate with the other domain through the trust relationship so that most users on your domain cannot access resources on the other domain forest. You can only choose two different forest trust authentication types. You can choose Forest-wide

authentication, which is the preference for situations where both domain forests belong to the same organization. For example, Cisco owns Linksys, although both organizations maintain their own domain namespace. Cisco and Linksys benefit from having a forest trust.

You can choose Selective authentication when you want to create a forest trust between two completely separate and independently owned organizations. With this option, you can preserve the security of each organization. You can have control of exactly which types of resources on your domain you allow the other domain to access.

1

4

5

2

3

Administrative Tools

1

Click Start.

2

Click Administrative Tools.

3

Click Active Directory Domains and Trusts.

Change Authentication Scope of a Trust

The Active Directory Domains and Trusts snap-in appears.

4

Right-click the domain name.

appears.

6

Click the trust you want to change.

7

Click Properties.

I

9

!

6

0

7

8

test.local External No

The Trust Properties dialog box appears.

8

Click the Authentication tab.

9

Click the Selective authentication option ( changes to ).

0

Click Apply.

!

Click OK.

The Authentication Scope is now changed.

How do I ensure that the specific users or groups designated to access the other domain forest can authenticate that forest?

You can provide the specific authentication logon name and password only to those groups you want to have access. In order to do this, you must add the users or groups to the Access Control Lists (ACLs) of the services or resources you want them to access. When any of your domain users attempt to access the shares in the other domain forest, instead of automatically being authenticated, they see a logon screen. Users without access do not know the proper username and password to log on to the other domain forest through the Selective Authentication.

What if I want two different groups in my domain to only have access to separate resources in the other domain forest.