Trusts

Finally, we get to the issue of trusts. Like NT and Windows 2000, Windows Server 2003 domains interrelate or interoperate according to trust relationships. In other words, the security principals of one domain are trusted by the security services of another domain according to the trust relationship between the two domains. This is illustrated in Figure 2-16.

[Figure 2-16 (image not reproduced): panels labelled "Active Directory/DNS Domains" and "AD Domains"]

Figure 2-16: Domain A trusts domain B, and domain B trusts domain A . . . a two-way trust.

Figure 2-17 illustrates three domains that are linked by transitive trust relationships. This new trait, transitivity, essentially means that if domain A trusts domain B and domain B trusts domain C, then A also trusts C. Another way to look at it is by saying that a friend of my friend is also my friend.

Note: Transitive here really means that something is able to get from point A to point B by going via an intermediate point. Transitivity can describe the behaviour of other systems besides security; replication is a good example.

You might be wondering why, then, Windows Server 2003 domains are automatically transitive whereas legacy NT domains are not. There is no magic in this, no nifty trick performed by Microsoft other than the adoption of an established security standard long overdue: Kerberos. The ticket-granting service that Kerberos and Active Directory bring to Windows Server 2003 creates a distributed security network. Like the Single Sign-On initiative discussed earlier, Kerberos tickets issued by one domain can be used as good currency in another domain. The Kerberos ticket is like a multinational visa or passport that allows the bearer to gain access to any territory that accepts it.
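The two-way trust of Figure 2-16 and the transitive chain of Figure 2-17 can be modelled as a small directed graph, which is a useful way to audit which domains' principals a given resource domain will actually accept. The following is an added example written for this page, not code from the book; the domain names A, B, C and D and the `Trust` record are constructed for illustration. It generalises the text's A-B-C case by also handling one-way trusts and the NT-style non-transitive trust, where a second hop is only followed when both links in the path are transitive.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Trust:
    """One direction of a trust: `trusting` accepts principals from `trusted`.

    A two-way trust (Figure 2-16) is simply two of these, one in each direction.
    `transitive` is True for Windows Server 2003 / Kerberos trusts and False for
    legacy NT-style trusts, which never extend past the directly trusted domain.
    """
    trusting: str
    trusted: str
    transitive: bool


def two_way(a: str, b: str, transitive: bool) -> list[Trust]:
    """Build the two one-way trusts that make up a two-way trust."""
    return [Trust(a, b, transitive), Trust(b, a, transitive)]


def trusted_domains(resource_domain: str, trusts: list[Trust]) -> set[str]:
    """Return every domain whose principals `resource_domain` will accept.

    A directly trusted domain always counts. A further hop (A -> B -> C) is
    only allowed when the link that reached B and the link B -> C are both
    transitive; a non-transitive link ends the walk at the domain it reaches.
    """
    outgoing: dict[str, list[Trust]] = {}
    for t in trusts:
        outgoing.setdefault(t.trusting, []).append(t)

    # best[d] records whether the walk may continue from d, i.e. whether d was
    # reached over a transitive link. A domain first seen over a non-transitive
    # link is revisited if a transitive path to it turns up later.
    best: dict[str, bool] = {}
    queue: deque[tuple[str, bool]] = deque()
    for t in outgoing.get(resource_domain, []):
        queue.append((t.trusted, t.transitive))

    while queue:
        domain, extendable = queue.popleft()
        if domain == resource_domain:
            continue  # a path back to ourselves adds nothing
        if domain in best and (best[domain] or not extendable):
            continue  # already recorded with an equal or better status
        best[domain] = extendable
        if not extendable:
            continue  # non-transitive link: do not walk any further
        for t in outgoing.get(domain, []):
            if t.transitive:
                queue.append((t.trusted, True))
    return set(best)


# Constructed scenarios (assumed domain names, not from the book).
def ad_forest() -> list[Trust]:
    """Figure 2-17: A <-> B <-> C, all transitive (Windows Server 2003 style)."""
    return two_way("A", "B", True) + two_way("B", "C", True)


def nt_domains() -> list[Trust]:
    """The same layout with legacy NT non-transitive trusts."""
    return two_way("A", "B", False) + two_way("B", "C", False)


def mixed() -> list[Trust]:
    """A <-> B inside a forest, plus a one-way, non-transitive trust B -> D."""
    return two_way("A", "B", True) + [Trust("B", "D", False)]


if __name__ == "__main__":
    for name, trusts in (("AD forest", ad_forest()), ("NT domains", nt_domains()), ("mixed", mixed())):
        for dom in ("A", "B", "C", "D"):
            print(f"{name}: {dom} trusts {sorted(trusted_domains(dom, trusts))}")
```

In the transitive forest, A ends up trusting C even though no trust was ever created between them, which is exactly the "friend of my friend" rule; with the same layout built from non-transitive trusts, A trusts only B. The mixed case shows why an external one-way trust does not leak across the forest: B accepts D's principals, but A does not.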

[Figure 2-17 (image not reproduced): transitive trusts between three domains; panels labelled "Active Directory/DNS Domains" and "AD Domains"]
