Designing Trust Relationships Between Domains and Forests

A trust creates the framework that governs domain-to-domain or forest-to-forest relationships. A trust allows users in different domains or forests to access resources in other domains or forests based on the trust that is established. Just as in previous versions of the Windows Server operating system, Windows Server 2003 trusts allow network administrators to establish relationships between domains and forests so that, for example, users from Domain A can access resources in Domain B. Unlike previous releases of Windows, however, Windows 2000 and Windows Server 2003 allow for the creation of two-way, transitive trusts. This means that if Domain A trusts Domain B, and if Domain B trusts Domain C, then Domain A automatically trusts Domain C. (You may remember the days of Windows NT 4.0, when the number of trust relationships you needed to create in a large environment became staggeringly large: a network with 10 domains would require the administrator to manually create 90 trust relationships to allow for the kind of trust relationships that Windows 2000 and Windows Server 2003 create automatically.) In this section, we'll cover the various types of trust relationships that you can create to allow your users to quickly and easily access the resources they require.

Let's review some of the terminology that you'll encounter when you're dealing with designing trust relationships:

■ Transitive trust

■ Nontransitive trust

In a one-way trust, Domain A trusts Domain B. What this means is that Domain A is trusting Domain B's users and granting them access to its resources. As you can see in Figure 4.9, Domain A is the trusting domain, and Domain B is the trusted domain. With a one-way trust, the trusted domain contains the user accounts that require access, and the trusting domain contains the resources that are being accessed. Diagrammatically, this concept is represented using an arrow pointing toward the trusted domain, as you can see in the figure. If you have a hard time remembering which domain is the trusted domain and which is the trusting domain, as well as which way the arrow is supposed to point, it might help to try to remember it this way: Think of the last two letters in trust-ED as talking about a guy named Ed. The trust-ED domain is the one that contains users, since that's where ED is. The trusting domain, on the other hand, contains the thing that your users are trying to access. It's the trust-ING domain because that's where the THINGS are. Using this mnemonic device when you're looking at a diagram of a one-way trust relationship on the 70-298 exam, you can remember that the direction-of-trust arrow is pointing to ED.

Figure 4.9 The One-Way Trust Relationship (diagram: a one-way trust between Domain A and Domain B, with the arrow pointing toward the trusted domain)

When setting up one-way trusts from a Windows Server 2003 domain or forest, you have two possible options:

■ One-way: incoming. Users in your Windows Server 2003 domain or forest will be able to access resources in the external realm, but external users will not be able to access any resources in your Windows Server 2003 domain. In this case, the Windows Server 2003 domain will be the trusted domain (since that's where Ed and all the other users are), and the external domain or forest will be the trusting domain, since that will be where the resources (or things) are.

■ One-way: outgoing. This is the reverse of one-way: incoming. Here, users in the external domain or forest will be able to access resources within your domain, but your Windows Server 2003 users will not be able to access any resources in the external realm. Likewise, the Windows Server 2003 domain will be the trusting domain, since it contains the resources being accessed, and the external domain or forest will be the trusted domain, since it contains the users who will be accessing the resources.

Unlike a one-way trust, a two-way trust means that Domain A and Domain B are each simultaneously a trusting and a trusted domain, which means that users in both domains can access resources in either domain. Figure 4.10 will help you visualize this trust relationship.

Figure 4.10 The Two-Way Trust Relationship (diagram: a two-way trust between Domain A and Domain B)

All Windows 2000 and Windows Server 2003 domains are designed with transitive trusts by default. Remember the transitive property from your high school mathematics class: If A equals B and B equals C, then A must therefore equal C. It works the same way in a transitive trust relationship: If Domain A trusts Domain B and Domain B trusts Domain C, then Domain A automatically trusts Domain C. (This is different from the NT 4.0 trust environment, in which you needed to manually create another trust between Domain A and Domain C.) For example, when you create a child domain, a two-way transitive trust is automatically created between the parent and child domains. You can see this illustrated in Figure 4.11. In plain English, this means that, using transitivity of trust, a user in any domain can access any resource in any other domain in the same forest.

220 Chapter 4 • Securing the Network Management Process

Figure 4.11 Trust Transitivity in Domains (diagram: transitive trust between a parent domain and its child domains)

Let's explore this idea a little further with forests, since transitive trusts flow between domains in two forests as well. Let's say that Forest A has a transitive trust relationship with Forest B. This would mean that all the domains in Forest A have a transitive trust with all the domains in Forest B, and vice versa. However, let's say that there is a trust between Forest B and Forest C as well. This transitive trust between Forest B and Forest C will not flow to Forest A. So domains within Forest A and Forest C will not have any trust relationships between them unless you manually configure a trust between Forest A and Forest C. See Figure 4.12 for an illustration of this concept.
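The three rules this chapter has laid out (trust direction from trusting to trusted, transitivity between domains in a forest, and forest trusts that do not flow on to a third forest) can be checked mechanically. The following Python script is an added example written for this page, not code from the book or from any Microsoft tool: it models a constructed topology (the domain names a.example, child.a.example, b.example, sub.b.example, c.example and legacy.local are made up) and walks the trust graph in the direction of access, from the domain that holds the users toward the domain that holds the resources. It deliberately ignores features the text has not introduced, such as SID filtering, selective authentication and shortcut trusts, and models only whether a trust path exists, not whether any particular ACL grants access.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Trust:
    """One trust relationship, named after the mnemonic in the text."""
    trusting: str            # holds the resources  ("trust-ING" = the THINGS)
    trusted: str             # holds the users      ("trust-ED"  = Ed)
    transitive: bool = True  # False models an NT 4.0-style external trust
    forest: bool = False     # True for a forest trust between two forest roots


def two_way(a, b, **kw):
    """A two-way trust is simply a pair of one-way trusts in both directions."""
    return [Trust(a, b, **kw), Trust(b, a, **kw)]


# Constructed topology (hypothetical names, not from the page):
#   Forest A: a.example (root), child.a.example
#   Forest B: b.example (root), sub.b.example
#   Forest C: c.example (root)
#   Forest trusts A<->B and B<->C; a one-way nontransitive trust in which
#   legacy.local trusts a.example (so a.example users reach legacy.local).
TRUSTS = (
    two_way("a.example", "child.a.example")          # parent-child, transitive
    + two_way("b.example", "sub.b.example")
    + two_way("a.example", "b.example", forest=True)  # forest trust A<->B
    + two_way("b.example", "c.example", forest=True)  # forest trust B<->C
    + [Trust("legacy.local", "a.example", transitive=False)]
)


def accessible_resources(trusts, user_domain):
    """Domains whose resources a user from user_domain can reach.

    Paths are followed trusted -> trusting (the direction of access):
      * transitive trusts chain with other transitive trusts;
      * a nontransitive trust is valid only as a direct hop from the
        user's own domain and never extends further;
      * a forest trust spans every domain of the two forests but does not
        flow to a third forest, so a path may contain at most one forest hop.
    """
    reachable = {user_domain}
    # BFS state: (current domain, number of forest hops already used)
    queue = deque([(user_domain, 0)])
    seen = {(user_domain, 0)}
    while queue:
        here, forest_hops = queue.popleft()
        for t in trusts:
            if t.trusted != here:
                continue
            if not t.transitive:
                if here == user_domain:       # direct hop only
                    reachable.add(t.trusting)
                continue                      # never chain through it
            hops = forest_hops + (1 if t.forest else 0)
            if hops > 1:
                continue                      # would cross into a third forest
            reachable.add(t.trusting)
            if (t.trusting, hops) not in seen:
                seen.add((t.trusting, hops))
                queue.append((t.trusting, hops))
    return reachable


def trusts_domain(trusts, trusting, trusted):
    """'trusting trusts trusted' holds exactly when users of the trusted
    domain can reach resources in the trusting domain."""
    return trusting in accessible_resources(trusts, trusted)


if __name__ == "__main__":
    for dom in ("child.a.example", "a.example", "c.example", "legacy.local"):
        print(f"users of {dom} can reach: {sorted(accessible_resources(TRUSTS, dom))}")
```

Running the script shows the chapter's claims on this topology: a user in child.a.example reaches a.example (parent-child trust) and every domain in Forest B (forest trust), but not c.example, because the B-C forest trust does not flow to Forest A; a.example users additionally reach legacy.local, while child.a.example users do not, because that trust is nontransitive; and legacy.local users reach nothing outside their own domain, since the trust is one-way.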

Responses

  • vilho
    How to create a domain trust design in the forest?
    4 years ago
  • Mika
    What is trusting domain and trusted domain?
    11 months ago
  • Petros Iggi
    What is automatically created between domains when there are multiple domains in a forest?
    2 months ago
