Using Cross-Forest Trusts Effectively


Windows 2003 introduced two new concepts in the use of forests: cross-forest authentication and cross-forest authorization. Cross-forest authentication allows users secure access to resources in another forest, using either NTLM or Kerberos, without sacrificing single sign-on or the benefits of a single user ID and password maintained in the user's home forest. Cross-forest authorization allows you to select users and groups from trusted forests for use in local groups or ACLs. This is similar in concept to the domain trusts used in NT 4.0 domains. The feature retains the forest's role as a security partition while still allowing trust between forests: it lets the trusting forest enforce restrictions on which security identifiers (SIDs) will be accepted when users from trusted forests attempt to access protected resources.

To create a cross forest trust, perform the following steps:

  1. Choose Start, All Programs, Administrative Tools, Active Directory Domains and Trusts.

  2. Right-click the domain for which you want to establish the trust and select Properties.

  3. Click the Trusts tab and click New Trust. This will launch the New Trust Wizard. Click Next.

  4. At the prompt shown in Figure 10.1, type the name of the domain, forest, or Kerberos realm for this trust. Because this will be a forest trust, enter a fully qualified domain name (FQDN) and click Next.

    Figure 10.1. Enter the trust name.

  5. Select the appropriate trust type, in this case, Trust with a Windows Domain. Click Next.

  6. When prompted with the screen shown in Figure 10.2, select the direction for the trust and click Next.

    Figure 10.2. Choosing the trust direction.

  7. Choose whether to create the trust on one or both sides; this depends on your rights in the other forest. Click Next.

    Caution Should Be Exercised in the Use of Cross-Forest Trusts

    Although the capability to restrict usage of cross-forest authorization reduces exposure to potential elevation-of-rights attacks through SID history from a trusted forest, the potential for intrusion is not eliminated. Administrators don't have complete knowledge of the security practices of the administrators of other forests. Caution should be exercised in the use of cross-forest trusts.

  8. Choose domain-wide or selective authentication when prompted with a screen similar to the one shown in Figure 10.3; this determines whether all resources or only selected ones will be made available to the trusted forest. Click Next.

    Figure 10.3. Setting the authentication level.

  9. Input the appropriate trust passwords. Click Next.

  10. This completes the trust creation. Click Next, Next, confirm the trust, Next, Next, and then Finish.
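The same settings the wizard collects in steps 6 to 9 (direction, one side or both, authentication level, trust password) can be applied and then audited from PowerShell through the System.DirectoryServices.ActiveDirectory API. The script below is an added example, not code from the book; it assumes it is run on a domain-joined machine by an Enterprise Admin of the local forest, that `partner.example` is a placeholder for the partner forest's DNS name, and that the partner forest's administrators create their half of the trust with the same password. The audit function reports, for every forest trust, whether SID filtering and selective authentication are in force, which is the practical check behind the caution in step 7.

```powershell
# Added example (not from the book): create the local side of a forest trust
# with the options the wizard asks for, then audit every forest trust.
# Assumptions: domain-joined machine, Enterprise Admin of the local forest,
# 'partner.example' is a placeholder forest name, the partner side is created
# separately by that forest's administrators with the same trust password.

Add-Type -AssemblyName System.DirectoryServices

function New-ForestTrustLocalSide {
    param(
        [Parameter(Mandatory)] [string] $TargetForest,
        # Outbound = this forest trusts the partner, so partner users can be
        # granted access to resources here (the wizard's "outgoing" direction).
        [System.DirectoryServices.ActiveDirectory.TrustDirection] $Direction = 'Outbound',
        [Parameter(Mandatory)] [securestring] $TrustPassword,
        [switch] $SelectiveAuthentication
    )
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    # The API needs the plain-text trust password; it is only held in memory here.
    $plain = (New-Object System.Net.NetworkCredential('', $TrustPassword)).Password

    # Step 7 ("one side"): create only the local half; steps 6 and 9 supplied
    # the direction and the password.
    $forest.CreateLocalSideOfTrustRelationship($TargetForest, $Direction, $plain)

    # Step 8 and SID filtering only apply where this forest is the trusting
    # side, i.e. the trust has an outbound component.
    if ($Direction -ne [System.DirectoryServices.ActiveDirectory.TrustDirection]::Inbound) {
        # Selective authentication limits partner users to the computers that
        # explicitly grant them 'Allowed to Authenticate'.
        $forest.SetSelectiveAuthenticationStatus($TargetForest, [bool]$SelectiveAuthentication)
        # SID filtering (quarantine) discards SIDHistory values presented by
        # the partner forest; it is the control the caution above relies on.
        $forest.SetSidFilteringStatus($TargetForest, $true)
    }
}

function Get-ForestTrustSecurityReport {
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    foreach ($trust in $forest.GetAllTrustRelationships()) {
        $report = [ordered]@{
            Target        = $trust.TargetName
            Direction     = $trust.TrustDirection
            Type          = $trust.TrustType
            SidFiltering  = $null   # only meaningful on the trusting side
            SelectiveAuth = $null
            Verified      = $null
            Findings      = @()
        }
        if ($trust.TrustDirection -ne [System.DirectoryServices.ActiveDirectory.TrustDirection]::Inbound) {
            $report.SidFiltering  = $forest.GetSidFilteringStatus($trust.TargetName)
            $report.SelectiveAuth = $forest.GetSelectiveAuthenticationStatus($trust.TargetName)
            try {
                # Confirms the secure channel to the partner forest still works.
                $forest.VerifyOutboundTrustRelationship($trust.TargetName)
                $report.Verified = $true
            } catch {
                $report.Verified = $false
                $report.Findings += "Verification failed: $($_.Exception.Message)"
            }
            if (-not $report.SidFiltering) {
                $report.Findings += 'SID filtering disabled: SIDHistory from the partner forest is honoured'
            }
            if (-not $report.SelectiveAuth) {
                $report.Findings += 'Domain-wide authentication: every partner user can authenticate to every computer here'
            }
        }
        [pscustomobject]$report
    }
}

# Usage (forest name is a placeholder):
# New-ForestTrustLocalSide -TargetForest 'partner.example' -Direction Outbound `
#     -TrustPassword (Read-Host -AsSecureString 'Trust password') -SelectiveAuthentication
# Get-ForestTrustSecurityReport | Format-List
```

Running the report after the partner side has been created gives you a record, per trust, of the two settings that decide how much of the partner forest's security posture you inherit; a trust that shows SID filtering off or domain-wide authentication is the one to revisit first.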

Account/Resource Forests

With the ability to now support trusts between forests, many previously unavailable Active Directory architectures become available. Forests can be built to support a single Active Directory-aware application, so that schema changes for that application are independent of the schema supporting the account forest. Resource forests could be brought up to allow developers or QA groups to work in environments that look identical to production, without the fear of schema changes affecting production users.

Company Acquisition

Back in the days of NT 4.0 domains, company mergers or acquisitions were fairly easy to handle from a domain point of view. With the simple creation of a trust, resources could be ACLed with user information from the other company. When Windows 2000 and Active Directory came along, this scenario became a lot more challenging. Now with Windows 2003 and the support for cross-forest trusts, the fairly simple days of granting access to a resource via a trust have returned.

Although a cross-forest trust should not be considered a long-term solution for company acquisitions or mergers, it is an excellent tool for getting immediate access to resources. Companies in this situation should look back to their original Active Directory design and determine how best to integrate the new resources, either as a new domain in the forest or by collapsing them into a single domain, potentially as an OU. If the requirements of the partner are sufficient to warrant a separate forest, the trust could be maintained long term.



Microsoft Windows Server 2003 Insider Solutions
ISBN: 0672326094
Year: 2003
Pages: 325