Lesson 3: Trust Relationships
Trust relationships allow members of one domain to access resources in another domain without possessing an account in the target domain. This relationship simplifies administration by allowing you to determine on a large scale which groups of users should have access to pools of resources across domains. Windows 2000 creates trust relationships automatically.
A domain controller named dc01.domain.fabrikam.com
A domain controller named gdi-dc-01.extranet.graphicdesigninstitute.com that is in a separate forest but on the same physical network
A workstation in the domain.fabrikam.com domain
Understanding Trust Relationships
When one domain trusts another domain's account holders, a one-way trust relationship exists. When both domains trust each other's account holders, a two-way trust relationship exists. When trust in a central domain allows the edge domains to trust each other, a transitive trust relationship exists.
Adding a domain to a forest creates a two-way transitive trust relationship with the parent domain that, due to the transitive nature of trust in Windows 2000, translates to an automatic trust relationship with all other domains in the forest. These trust relationships do not need to be managed.
There are three reasons to explicitly manage trust relationships in a Windows 2000 forest:
To establish trust relationships with Windows NT 4 domains
To establish trust to a domain in a foreign forest
To create a shortcut trust relationship between two domains in a very large forest
Rather than explicitly manage Windows NT 4 trust relationships, upgrade Windows NT 4 domains to Windows 2000 as quickly as possible.
When authentication is performed between two widely separated domains in Windows 2000, a trust path must be computed between them, which can take a considerable amount of time if the path is heavily used. Explicitly creating a two-way trust relationship between these domains shortens the trust-path computation and optimizes authentication processing. However, shortcut trust relationships have no effect on security, so they are not specifically covered in this book.
Managing External Trust Relationships
Creating a trust relationship to a foreign domain allows users to log on to the foreign domain directly. External trust relationships are one-way and non-transitive, but you can create a two-way trust relationship by creating two reciprocal trust relationships between the domains. Because external trust relationships are non-transitive, you must create an explicit trust relationship for every trusted domain.
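To make the direction and transitivity rules above concrete, here is an added Python model of trust-path computation; it is illustrative code written for this lesson, not code from the book or from Windows. The europe and paris domains, the extra GDI forest root, and the function names are constructed assumptions; only the two domains from the practice come from the lesson.

```python
from collections import deque

# Hypothetical model of the lesson's rules: a trust is a directed edge
# (trusting, trusted, transitive). Transitive edges chain into trust paths;
# a non-transitive (external) edge never extends a path, it can only start one.

def add_trust(trusts, trusting, trusted, transitive, two_way=False):
    """Record a one-way trust, or both directions for a two-way trust."""
    trusts.append((trusting, trusted, transitive))
    if two_way:
        trusts.append((trusted, trusting, transitive))

def trusted_account_domains(trusts, resource_domain):
    """Return {account_domain: hops} for every domain whose accounts the
    resource domain accepts, with the length of the shortest trust path."""
    hops_to = {}
    chainable = {resource_domain}          # reached through transitive edges only
    queue = deque([(resource_domain, 0)])  # breadth-first, so first hit is shortest
    while queue:
        domain, hops = queue.popleft()
        for trusting, trusted, transitive in trusts:
            if trusting != domain or trusted == resource_domain:
                continue
            if not transitive and hops > 0:
                continue                   # external trust cannot follow another hop
            hops_to.setdefault(trusted, hops + 1)
            if transitive and trusted not in chainable:
                chainable.add(trusted)
                queue.append((trusted, hops + 1))
    return hops_to

def lesson_scenario(shortcut=False):
    """Constructed forests; europe/paris are invented to give the Fabrikam
    forest a trust path long enough to show the effect of a shortcut trust."""
    trusts = []
    # Automatic two-way transitive trusts inside the Fabrikam forest
    add_trust(trusts, "fabrikam.com", "domain.fabrikam.com", True, two_way=True)
    add_trust(trusts, "fabrikam.com", "europe.fabrikam.com", True, two_way=True)
    add_trust(trusts, "europe.fabrikam.com", "paris.europe.fabrikam.com", True, two_way=True)
    # Graphic Design Institute forest, separate from Fabrikam
    add_trust(trusts, "graphicdesigninstitute.com", "extranet.graphicdesigninstitute.com", True, two_way=True)
    # The external trust from the practice: one-way, non-transitive
    add_trust(trusts, "extranet.graphicdesigninstitute.com", "domain.fabrikam.com", False)
    if shortcut:   # explicit two-way shortcut trust between widely separated domains
        add_trust(trusts, "domain.fabrikam.com", "paris.europe.fabrikam.com", True, two_way=True)
    return trusts

if __name__ == "__main__":
    print(trusted_account_domains(lesson_scenario(), "extranet.graphicdesigninstitute.com"))
    print(trusted_account_domains(lesson_scenario(), "domain.fabrikam.com"))
```

The first call lists domain.fabrikam.com but not its parent fabrikam.com, showing that the external trust stops at the trusted domain; the second omits the GDI domain entirely, showing that the trust is one-way.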
Create trust relationships between forests through the Active Directory Domains And Trusts management console by opening the Properties dialog box for the domain. To establish a trust relationship, create an entry in the trusted domain list on the domain controller in the domain containing the target resource, and then create an entry in the trusting domain list on the domain controller containing the user accounts that will access the target resource. Security is established by entering the same secret key as a password on both systems.
After the second entry has been made, the domain controllers verify the trust relationship and pass information about security principals to the target domain so their SIDs can be entered into the access control lists (ACLs) of resources in the target domain.
Practice: Creating an External Trust Relationship
In this practice, you create an external trust relationship to a resource domain belonging to a business partner of the Fabrikam Corporation, the Graphic Design Institute. The purpose of this trust relationship is to allow Fabrikam designers to create and manage Fabrikam graphic files that will be produced by the Graphic Design Institute directly on their own servers.
After you've created the trust relationship, you will add users from the Fabrikam domain, the trusted domain, to the ACL of a resource in the Graphic Design Institute domain. Finally, you will access that resource from the trusted domain.
To perform this practice, you need to set up a domain controller for a domain called extranet.GraphicDesignInstitute.com.
To reduce the complexity of this exercise, NetBIOS names are used to refer to both domains and servers rather than fully qualified domain names. Normally, the two domains are not within the same physical network, so using the NetBIOS name to resolve the foreign domain or server would not work. To create trust relationships between domains using the fully qualified domain name, you must configure DNS name resolution with entries for the foreign domain.
Exercise: Establishing a Trust Relationship
In this exercise, you establish a trust relationship from the extranet.graphicdesigninstitute.com domain to the domain.fabrikam.com domain so that Fabrikam users can log on to the Graphic Design Institute server.
Perform this exercise on the Graphic Design Institute domain controller.
To create an external trust relationship
Log on as the domain administrator.
Click Start, point to Programs, point to Administrative Tools, and click Active Directory Domains And Trusts. The Active Directory Domains And Trusts management console appears.
Right-click extranet.graphicdesigninstitute.com, and click Properties. The extranet.graphicdesigninstitute.com Properties dialog box appears.
Click the Trusts tab, shown in Figure 7-13.
Figure 7-13. The Trusts tab of the Properties dialog box
Click the Add button for the Domains Trusted By This Domain control group. The Add Trusted Domain dialog box appears, as shown in Figure 7-14.
Figure 7-14. Adding an explicit trust relationship
Type domain in the Trusted Domain box, and type the password for the domain in both the Password and Confirm Password boxes. Click OK to continue.
Click OK when a warning appears that the trust cannot be verified. Verification is not possible yet because the reciprocal entry has not been created on the other domain controller.
Click OK to close the extranet.graphicdesigninstitute.com Properties dialog box.
Close the Active Directory Domains And Trusts management console.
To create the reciprocal trust entry
Log on as the domain administrator on the domain.fabrikam.com domain controller.
Click Start, point to Programs, point to Administrative Tools, and click Active Directory Domains And Trusts. The Active Directory Domains And Trusts management console appears.
Right-click domain.fabrikam.com, and click Properties. The domain.fabrikam.com Properties dialog box appears.
Click the Trusts tab.
Click the Add button for the Domains That Trust This Domain control group. The Add Trusting Domain dialog box appears.
Type Extranet in the Trusting Domain box, and type the password you used in the previous procedure in both of the Password boxes.
Click OK. A dialog box appears asking if you want to verify the trust relationship.
Click Yes. A dialog box appears asking for an administrator's credentials in the foreign domain.
Type Administrator in the User Name box, and type the administrator's password for the extranet.graphicdesigninstitute.com domain in the Password box.
Click OK. A message appears indicating that the trusting domain has been added and the trust verified.
Click OK. The domain.fabrikam.com dialog box appears, as shown in Figure 7-15, with extranet.graphicdesigninstitute.com listed as a domain that trusts this domain.
Figure 7-15. The other side of a trust relationship
Click OK, and close the Active Directory Domains And Trusts management console.
To secure a resource for users in a foreign domain
Log on as the domain administrator on the extranet.graphicdesigninstitute.com domain controller.
Create a folder in the C drive named Fabrikam. This folder will be used to store files from Fabrikam.
Right-click the Fabrikam folder, and click Properties to open the Properties dialog box.
Select the Security tab, and click Add. The Select Users, Computers, Or Groups dialog box appears.
In the Look In list, select domain.fabrikam.com.
Double-click Design Users. You have now added users from a trusted domain to the resource's ACL.
In the Look In list, select extranet.graphicdesigninstitute.com.
Double-click Administrators, and click OK to close the Select Users, Computers, Or Groups dialog box. The resource is now accessible by users in both domains.
With Design Users selected in the Properties dialog box, select the Full Control Allow check box.
Clear the Allow Inheritable Permissions check box.
The Security dialog box appears asking if you want to copy or remove inherited permissions. Click Remove.
The Everyone group is removed from the list of allowed security principals.
Click OK to close the Fabrikam Properties dialog box.
Right-click the Fabrikam folder, and click Sharing. The Properties dialog box opens.
Select Share This Folder, and click OK.
The folder is now shared.
To access an external resource
Log on as user sabbas from a workstation in the domain.fabrikam.com domain.
On the desktop, double-click My Network Places.
Double-click Add Network Place. The Add Network Place Wizard appears.
Type \\GDI-DC-01\Fabrikam as the name of the network place, and click Next.
What would you type as the name of this server if the two servers were not on the same network?
Click Finish. The Fabrikam window opens.
Right-click in the window, point to New, and click Text Document.
A new text document appears in the window, proving that the user has Write access to the share.
Lesson Review
The following questions are intended to reinforce key information in this lesson. If you are unable to answer a question, review the lesson and try the question again. Answers to the questions can be found in the appendix.
What are the three reasons why you would explicitly modify trust relationships?
What is the difference between transitive and non-transitive trust?
What is the difference between one-way and two-way trust relationships?
What type of trust relationship results when you manually create a trust relationship?
What type of trust relationship is automatically created when a domain is added to a forest?
Lesson Summary
Trust relationships allow servers in a domain to trust accounts in a foreign domain so that users in the foreign domain can access resources in the local domain. A two-way trust relationship exists when both domains trust each other's accounts. A transitive trust relationship exists when trust in a domain is automatically conferred to domains that it trusts.
Windows 2000 automatically creates two-way transitive trust relationships between domains whenever a domain is created within a forest. For this reason, it is normally not necessary to explicitly manage trust relationships. Domains within a forest all trust each other's accounts.
You explicitly manage trust relationships to create a trust path shortcut, establish trust with a Windows NT 4 domain, or establish trust with a domain outside the forest. Explicitly managed external trust relationships are one-way and non-transitive.
Trust relationships are managed using the Active Directory Domains And Trusts management console. Creating a trust relationship requires making an entry containing the same secret key on a domain controller in the trusted domain as the one in the trusting domain.