Expanding the Enterprise by Interconnecting Forests and Domains


The concept of a domain trust is familiar to system administrators in Windows NT and Windows 2000 environments. Windows Server 2003 introduces the concept of a forest trust. Domain trusts, and now forest-level trusts, provide a useful path through which autonomous organizations can share data and resources. Some scenarios that demonstrate the usefulness of establishing trusts are as follows:

  • Companies undergoing a merger. When two companies are in the process of a merger, they might require a method by which to share network resources while maintaining their individual administrative models.

  • Companies with different Active Directory schema requirements. A company could have different forests within their organization linked by a trust yet operate under different schemas and replication topologies.

  • Isolating a DMZ. For increased security, a DMZ might be placed in an independent forest that is linked to the production forest by a trust relationship.

  • Separate companies requiring collaboration and sharing of resources. Trust relationships can be set up for links to suppliers, customers, and other partner businesses.

In a Windows 2000 forest, if users in one forest need access to resources in another forest, you can create an external trust relationship between individual domains within each forest. External trusts can be one-way or two-way and are nontransitive, and therefore limit the ability of trust paths to extend to other domains.

For forests at the Windows Server 2003 functional level, two separate forests can be joined by a one-way or two-way transitive forest trust. A two-way forest trust forms a transitive trust relationship between every domain in both forests.

Forest trusts benefit a company by reducing the number of external trusts that might be required to share resources cross-forest. They provide the ability to authenticate user principal names (UPNs) cross-forest. And they still enable companies to maintain autonomous administrative models in each forest.

Configuring Forest Trusts

A forest trust can only be created between the forest root domain of one Windows Server 2003 forest and the forest root domain of another Windows Server 2003 forest. Both forests need to be operating in Windows Server 2003 functional level. Creating a forest trust between two Windows Server 2003 forests provides a one-way or two-way transitive trust relationship between every domain residing within each forest.

A one-way forest trust between two forests enables members of the trusted forest to use resources located in the trusting forest. The trust, therefore, only functions in one direction. For example, when a one-way forest trust is created between forest A (the trusted forest) and forest B (the trusting forest), members of forest A can access resources located in forest B, but members of forest B cannot access resources located in forest A using the same trust.

A two-way forest trust, on the other hand, enables members from either forest to use resources located in the other forest. Domains in each respective forest trust domains in the other forest implicitly. For example, when a two-way forest trust is established between forest A and forest B, members of forest A can access resources located in forest B, and members of forest B can access resources in forest A, using the same trust.

When creating a forest trust, be sure that DNS is configured properly. If there is a root DNS server that can be made the root DNS server for both of the forest DNS namespaces, make it the root server by ensuring that the root zone contains delegations for each of the DNS namespaces. Because this will probably not be the case, configure DNS secondary zones in each DNS namespace to route queries for names in the other namespace. Another alternative, if the DNS servers are both Windows Server 2003, is to configure conditional forwarders in each DNS namespace to route queries for names in the other namespace. For more information on Windows Server 2003 DNS, see Chapter 13, "Infrastructure Integration."

If Forest Trust Is Not an Available Option

If, at this point, forest trust is not an available option, it is likely that the forest functional level has not yet been raised to Windows Server 2003.


To create a two-way forest trust, open Active Directory Domains and Trusts and follow these steps:

  1. In the console tree, right-click the domain node for the forest root domain, and then click Properties.

  2. On the Trust tab, click New Trust, and then click Next.

  3. On the Trust Name page, type the DNS name of another forest, and then click Next.

  4. On the Trust Type page, click Forest Trust, and then click Next.

  5. On the Direction of Trust page, click Two-way, as shown in Figure 12.5.

    Figure 12.5. Creating a two-way forest trust.

  6. On the Sides of Trust page, select This Side Only, and click Next.

  7. On the Outgoing Trust Authentication Level page, choose Forest-wide authentication. (Authentication levels are discussed in the Authentication Firewall section of this chapter.)

  8. Provide a password for the trust, and click Next.

  9. Click Next to complete the configuration.

Granting Cross-Forest Rights

After a forest trust has been established, it is an easy process for you to grant rights and permissions to resources on one side of the trust to users on the other side. The object picker is updated, enabling you to see objects in the root domain of the trusted forest.

You Cannot Browse the Entire Trusted Forest

For security, performance, and privacy reasons, you cannot browse the entire trusted forest. You will need to know the names of the security principals in order to grant rights and permissions.


To assign permissions to a particular folder to the Domain Admins group in a domain in another forest, perform the following steps:

  1. Right-click on the folder, choose Properties, and go to the Security Tab.

  2. Click Add, and then in the Object Picker, click Locations.

  3. Select the forest root domain of the trusted forest.

  4. Type Domain Admins, and click Check Names.

  5. Select the appropriate Domain Admins group and click OK to complete the configuration.

Authentication Firewall

When a forest trust is created, you have the option to allow full authentication between every domain in each of the forests. This might be appropriate if both forests belong to the same company. If the trusting forests belong to two independent companies, selective authentication will likely be configured for the trust. Selective authentication is also referred to as an authentication firewall.

An authentication firewall is set up automatically during trust creation if Selective Authentication is chosen on the Authentication Level page of the wizard. To impose an authentication firewall after a trust is established, go to the Authentication tab of the Properties sheet of the existing trust, as shown in Figure 12.6.

Figure 12.6. Setting the Authentication firewall.


After an authentication firewall is configured, only users or groups from the other forest that are assigned the extended right Allowed to Authenticate are able to authenticate.

To specify that only members of the Domain Admins group from a trusted forest domain can authenticate in a particular domain in the home forest, perform the following steps:

  1. In Active Directory Users and Computers, right-click the domain controller that will be the authenticating DC in that domain, choose Properties, and go to the Security tab.

  2. Click on the Add button, and then click Location.

  3. Select the trusted forest and click OK.

  4. Type Domain Admins, and click Check Names.

  5. Set the Allowed to Authenticate permission, and then click OK to complete the configuration.
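As an added check that is not part of the book's procedure, the following PowerShell audits the configuration described above: it lists each trust's direction, forest transitivity, selective authentication and SID filtering, and then shows which principals actually hold Allowed to Authenticate on each domain controller. It assumes the ActiveDirectory PowerShell module (RSAT), which postdates Windows Server 2003, an account that can read the domain's ACLs, and that the GUID below is the schema rightsGuid of the Allowed-To-Authenticate extended right.

```powershell
# Added audit script (not from the book). Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# rightsGuid of the Allowed-To-Authenticate extended right in the AD schema
# (assumed; verify against your schema's controlAccessRight objects).
$AllowedToAuthGuid = [guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'

# 1. Every trust this domain knows about, with its security-relevant flags.
#    Direction: Inbound/Outbound/BiDirectional (one-way vs. two-way).
#    ForestTransitive: true for a forest trust, false for a nontransitive external trust.
#    SelectiveAuthentication: true when the authentication firewall is in force.
#    SIDFilteringQuarantined: true when SID history from the other side is filtered.
Get-ADTrust -Filter * |
    Select-Object Name, Direction, ForestTransitive, IntraForest,
                  SelectiveAuthentication, SIDFilteringQuarantined |
    Format-Table -AutoSize

# 2. With selective authentication enabled, only principals granted
#    Allowed-To-Authenticate on a DC's computer object can authenticate there.
#    Read each DC's ACL and report the Allow ACEs for that extended right.
$grants = foreach ($dc in Get-ADDomainController -Filter *) {
    $acl = Get-Acl -Path ("AD:\" + $dc.ComputerObjectDN)
    $acl.Access |
        Where-Object { $_.ObjectType -eq $AllowedToAuthGuid -and
                       $_.AccessControlType -eq 'Allow' } |
        ForEach-Object {
            [pscustomobject]@{
                DomainController = $dc.HostName
                Principal        = $_.IdentityReference.Value
                Inherited        = $_.IsInherited
            }
        }
}

# Anything here beyond the intended cross-forest groups (for example the
# trusted forest's Domain Admins) is a wider authentication path than planned.
$grants | Sort-Object DomainController, Principal | Format-Table -AutoSize
```

Run it in the trusting (home) forest; a trust that shows ForestTransitive true with SelectiveAuthentication false grants forest-wide authentication to every domain on the other side.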



Microsoft Windows Server 2003 Insider Solutions
ISBN: 0672326094
Year: 2003
Pages: 325
