Authentication and Trusts Across Domain Boundaries

Active Directory uses Kerberos security for server-to-server authentication and the establishment of trusts, while allowing older clients and servers on the network to use NTLM if necessary. Figure 33-6 shows a one-way trust in which one domain is the trusted domain and the other domain is the trusting domain. In Windows NT 4, you typically implemented one-way trusts when you had separate account and resource domains. The establishment of the trust allowed users in the account domain to access resources in the resource domain.

[Figure: Trusted domain (account domain) and Trusting domain (resource domain)]

Figure 33-6. One-way trust with a trusted domain and a trusting domain.


Two-Way Transitive Trusts

With Active Directory, trusts are automatically configured between all the domains in a forest and are implemented as two-way, transitive trusts. As a result, users in domain A can automatically access resources in domain B and users in domain B can automatically access resources in domain A. Because the trusts are automatically established between all domains in the forest, no setup is involved and there are many more design options for implementing Active Directory domains.

Note The physical limitation on the number of objects that necessitated having separate account and resource domains in Windows NT 4 no longer applies. Active Directory domains can have millions of objects, a fact that changes the fundamental reason for creating additional domains.

As trusts join parent and child domains in the same domain tree and join the roots of domain trees, the structure of trusts in a forest can be referred to as a trust tree. When a user tries to access a resource in another domain, the trust tree is used, and the user's request has to pass through one domain controller for each domain between the user and the resource. This type of authentication takes place across domain boundaries. Authentication across domain boundaries also applies when a user with an account in one domain visits another domain in the forest and tries to log on to the network from that domain.

Consider the example shown in Figure 33-7. If a user from domain G visits domain K and tries to log on to the network, the user's computer must be able to connect to a domain controller in domain K. Here, the user's computer sends the initial logon request to the domain K domain controller. When the domain controller receives the logon request, it determines that the user is located in domain G. The domain controller refers the request to a domain controller in the next domain in its trust tree, which in this case is domain J. A domain controller in domain J refers the request to domain I. A domain controller in domain I refers the request to domain H. This process continues through domains A, E, and F until the request finally gets to domain G.

Figure 33-7. A forest with many domains.

Shortcut Trusts

This rather lengthy referral process could be avoided if you established an explicit trust between domain G and domain K as shown in Figure 33-8. Technically, explicit trusts are one-way transitive trusts, but you can establish a two-way explicit trust by creating two one-way trusts. Thus, unlike standard trusts within the trust tree, which are inherently two-way and transitive, explicit trusts can be made two-way if desired. Because they can be used to establish authentication shortcuts between domains, they are also referred to as shortcut trusts. In this example, it was decided to create two one-way trusts: one from domain G to domain K and one from domain K to domain G. With these shortcut trusts in place, users in domain G could visit domain K and be rapidly authenticated, and users in domain K could visit domain G and be rapidly authenticated.

If you examine the figure closely, you'll see that several other shortcut trusts were added to the forest as well. Shortcut trusts have been established between B and E and between E and I. Establishing the shortcut trusts in both directions allows for easy access to resources and rapid authentication in several combinations, such as the following:

• Using the B to E shortcut trust, users in domain B can rapidly access resources in domain E.

• Using the B to E and E to I shortcut trusts, users in domain B can also rapidly access resources in domain I.

• Using the B to E shortcut trust, users in domain B can visit domain E and be rapidly authenticated.

• Using the B to E and E to I shortcut trusts, users in domain B can visit domain I and be rapidly authenticated.

Figure 33-8. A forest with several shortcut trusts.

The trusts work similarly for users in domain E. Users in domain E have direct access to both domain B and domain I. Imagine that domain B is sales.cohovineyard.com, domain E is mf.cohovineyard.com, and domain I is cs.cohowinery.com, and you may be able to better picture how the shortcut trusts allow users to cut across trees in the Active Directory forest. Hopefully, you can also imagine how much planning should go into deciding your domain structure, especially when it comes to access to resources and authentication.
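The following is an added example, not part of the original chapter, that models the referral walk described for Figure 33-7 and the effect of the shortcut trusts in Figure 33-8. The trust topology is constructed here from the referral chain the text gives (K, J, I, H, A, E, F, G): it assumes A and H are the tree roots (for example cohovineyard.com and cohowinery.com), that every other named domain is a child of the domain before it in that chain, and that B is a child of A; domains C and D are left out because the text does not place them. The function and variable names are the example's own. Trust direction is modelled as "trusting domain refers to trusted domain", so a one-way shortcut only shortens referrals in one direction, which is why the text creates two of them between G and K.

```python
from collections import deque

# Constructed topology (assumption, see lead-in). Each pair is a parent/child
# or tree-root trust; automatic forest trusts are two-way and transitive.
TREE_TRUSTS = [
    ("A", "H"),  # tree-root trust, e.g. cohovineyard.com <-> cohowinery.com
    ("A", "B"),  # parent/child, e.g. sales.cohovineyard.com
    ("A", "E"),  # parent/child, e.g. mf.cohovineyard.com
    ("E", "F"),
    ("F", "G"),
    ("H", "I"),  # parent/child, e.g. cs.cohowinery.com
    ("I", "J"),
    ("J", "K"),
]


def build_forest(tree_trusts):
    """Return a directed graph: trusting domain -> set of domains it trusts.
    Forest trusts are two-way, so each pair contributes an edge each way."""
    graph = {}
    for a, b in tree_trusts:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph


def add_shortcut(graph, trusting, trusted):
    """Add a one-way shortcut trust in which `trusting` trusts `trusted`.
    Users whose accounts live in `trusted` can then be referred directly."""
    graph.setdefault(trusting, set()).add(trusted)
    graph.setdefault(trusted, set())


def referral_path(graph, logon_domain, account_domain):
    """Shortest chain of domains a logon request is referred through, from
    the domain the user logs on in to the domain holding the account.
    A domain controller can only refer to a domain its own domain trusts.
    Returns None when no trust path exists."""
    queue = deque([logon_domain])
    parent = {logon_domain: None}
    while queue:
        current = queue.popleft()
        if current == account_domain:
            path = []
            while current is not None:
                path.append(current)
                current = parent[current]
            return path[::-1]
        for nxt in sorted(graph.get(current, ())):
            if nxt not in parent:
                parent[nxt] = current
                queue.append(nxt)
    return None


def referral_hops(graph, logon_domain, account_domain):
    """Number of domain-to-domain referrals on the shortest trust path."""
    path = referral_path(graph, logon_domain, account_domain)
    return None if path is None else len(path) - 1


if __name__ == "__main__":
    forest = build_forest(TREE_TRUSTS)
    print("G user logging on at K, tree trusts only:",
          " -> ".join(referral_path(forest, "K", "G")))
    add_shortcut(forest, "K", "G")   # K trusts G
    add_shortcut(forest, "G", "K")   # G trusts K
    print("after shortcut trusts:", " -> ".join(referral_path(forest, "K", "G")))
    add_shortcut(forest, "B", "E")
    add_shortcut(forest, "E", "I")
    print("B user accessing I:", " -> ".join(referral_path(forest, "B", "I")))
```

Running the script shows the seven-referral walk from K to G collapsing to a single referral once K trusts G, while a shortcut in only the G-to-K direction leaves the K-to-G walk unchanged.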
