The concept of a domain trust is familiar to system administrators in Windows NT and Windows 2000 environments. Windows Server 2003 introduces the concept of a forest trust. Domain trusts, and now forest-level trusts, provide a useful path through which autonomous organizations can share data and resources. Some scenarios that demonstrate the usefulness of establishing trusts are as follows:
In a Windows 2000 forest, if users in one forest need access to resources in another forest, you can create an external trust relationship between individual domains within each forest. External trusts can be one-way or two-way and are nontransitive, which limits the ability of trust paths to extend to other domains. For forests at the Windows Server 2003 functional level, two separate forests can be joined together with a one-way or two-way transitive trust relationship. A two-way forest trust forms a transitive trust relationship between every domain in both forests. Forest trusts benefit a company by reducing the number of external trusts that might otherwise be required to share resources across forests. They provide the ability to authenticate user principal names (UPNs) across forests. And they still enable companies to maintain autonomous administrative models in each forest.

Configuring Forest Trusts

A forest trust can only be created between the forest root domain of one Windows Server 2003 forest and the forest root domain of another Windows Server 2003 forest. Both forests need to be operating at the Windows Server 2003 functional level. Creating a forest trust between two Windows Server 2003 forests provides a one-way or two-way transitive trust relationship between every domain residing within each forest. A one-way forest trust between two forests enables members of the trusted forest to use resources located in the trusting forest. The trust, therefore, only functions in one direction. For example, when a one-way forest trust is created between forest A (the trusted forest) and forest B (the trusting forest), members of forest A can access resources located in forest B, but members of forest B cannot access resources located in forest A using the same trust. A two-way forest trust, on the other hand, enables members from either forest to use resources located in the other forest. Domains in each respective forest trust domains in the other forest implicitly.
For example, when a two-way forest trust is established between forest A and forest B, members of forest A can access resources located in forest B, and members of forest B can access resources in forest A, using the same trust.

When creating a forest trust, be sure that DNS is configured properly. If there is a root DNS server that can be made the root DNS server for both of the forest DNS namespaces, make it the root server by ensuring that the root zone contains delegations for each of the DNS namespaces. Because this will probably not be the case, configure DNS secondary zones in each DNS namespace to route queries for names in the other namespace. Another alternative, if the DNS servers in both forests are running Windows Server 2003, is to configure conditional forwarders in each DNS namespace to route queries for names in the other namespace. For more information on Windows Server 2003 DNS, see Chapter 13, "Infrastructure Integration."

If Forest Trust Is Not an Available Option

If, at this point, forest trust is not an available option, it is likely that the forest functional level has not yet been raised to Windows Server 2003.

To create a two-way forest trust, open Active Directory Domains and Trusts and follow these steps:
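The DNS preparation described above, done from a script instead of the DNS console, as an added example that is not from the book. It assumes the DnsServer and DnsClient PowerShell modules (shipped with Windows Server 2012 and later, not with the Windows Server 2003 tools the chapter describes) and uses placeholder names and addresses for the other forest; the conditional-forwarder path is the default, and the secondary-zone alternative is selected with a switch.

```powershell
# Added example (not from the book): on a DNS server in forest A, make forest B's
# namespace resolvable before the forest trust wizard is run, then verify it.
# Assumes the DnsServer/DnsClient modules (Windows Server 2012+). All names and
# addresses below are placeholders; replace them with your own.
param(
    [string]$RemoteForestDns = 'forestb.example',                 # placeholder: forest B root DNS name
    [string[]]$RemoteDnsServers = @('10.20.0.10', '10.20.0.11'),  # placeholder: forest B DNS servers
    [switch]$UseSecondaryZone                                     # use a secondary zone instead of a forwarder
)

$existing = Get-DnsServerZone -Name $RemoteForestDns -ErrorAction SilentlyContinue
if ($existing) {
    "Zone '$RemoteForestDns' already exists (type: $($existing.ZoneType)); leaving it alone."
}
elseif ($UseSecondaryZone) {
    # Secondary zone: copies the whole zone from forest B, so forest B's DNS servers
    # must allow zone transfers to this server.
    Add-DnsServerSecondaryZone -Name $RemoteForestDns -ZoneFile "$RemoteForestDns.dns" `
        -MasterServers $RemoteDnsServers
}
else {
    # Conditional forwarder: only queries for $RemoteForestDns go to forest B; nothing is
    # copied. ReplicationScope 'Forest' stores it in AD so every DNS server in forest A gets it.
    Add-DnsServerConditionalForwarderZone -Name $RemoteForestDns -MasterServers $RemoteDnsServers `
        -ReplicationScope 'Forest'
}

# Verification: the trust wizard needs the remote forest root name to resolve, and Kerberos
# needs the domain controller SRV records. All three lookups should succeed from this server.
$checks = @(
    @{ Name = $RemoteForestDns;                            Type = 'A'   },
    @{ Name = "_ldap._tcp.dc._msdcs.$RemoteForestDns";     Type = 'SRV' },
    @{ Name = "_kerberos._tcp.dc._msdcs.$RemoteForestDns"; Type = 'SRV' }
)
foreach ($c in $checks) {
    try {
        $r = Resolve-DnsName -Name $c.Name -Type $c.Type -ErrorAction Stop | Select-Object -First 1
        $answer = if ($c.Type -eq 'SRV') { $r.NameTarget } else { $r.IPAddress }
        "OK   {0,-48} -> {1}" -f $c.Name, $answer
    }
    catch {
        "FAIL {0,-48} : {1}" -f $c.Name, $_.Exception.Message
    }
}
```

Run it once on a DNS server in each forest, pointing at the other forest's servers; a FAIL on the `_msdcs` SRV lookups usually means the forwarder or zone was created for the wrong name (it must be the forest root DNS name), and the trust wizard will fail with a name-resolution error until this passes.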
Granting Cross-Forest Rights

After a forest trust has been established, it is easy to grant rights and permissions on resources on one side of the trust to users on the other side. The object picker is updated, enabling you to see objects in the root domain of the trusted forest.

You Cannot Browse the Entire Trusted Forest

For security, performance, and privacy reasons, you cannot browse the entire trusted forest. You will need to know the names of the security principals in order to grant rights and permissions.

To assign permissions on a particular folder to the Domain Admins group in a domain in another forest, perform the following steps:
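The same grant done from PowerShell on the file server in the trusting forest, as an added example that is not from the book. Because the trusted forest cannot be browsed, the script first resolves the foreign group's name to a SID; that lookup succeeding is the practical check that the trust and DNS are working, and failing it is better than writing an ACL entry that holds an unresolvable SID. The folder path and the `FORESTB` domain name are placeholders.

```powershell
# Added example (not from the book): grant Modify on a folder to the Domain Admins
# group of a domain in the trusted forest. Placeholder values; run on the file server
# in the trusting forest after the forest trust exists.
$Folder    = 'D:\Shares\Projects'       # placeholder path
$Principal = 'FORESTB\Domain Admins'    # placeholder: NetBIOS name of the trusted domain + group

# Name-to-SID translation crosses the trust. If it fails, stop: the ACL would otherwise
# get a raw SID that no one can audit by name.
try {
    $sid = ([System.Security.Principal.NTAccount]$Principal).Translate(
        [System.Security.Principal.SecurityIdentifier])
}
catch {
    throw "Cannot resolve '$Principal' across the forest trust: $($_.Exception.Message)"
}

$acl  = Get-Acl -Path $Folder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    $sid,
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow
)
$acl.AddAccessRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# Verify: the entry should display as the cross-forest name, not as S-1-5-..., which
# would indicate the server can no longer resolve the principal.
(Get-Acl -Path $Folder).Access |
    Where-Object { $_.IdentityReference.Value -eq $Principal -and -not $_.IsInherited } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

The share-level permission, if the folder is shared, is separate from the NTFS ACL set here and must be granted to the same group as well.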
Authentication Firewall

When a forest trust is created, you have the option to allow full authentication between every domain in each of the forests. This might be appropriate if both forests belong to the same company. If the trusting forests belong to two independent companies, it is likely that selective authentication will be configured for the trust. The concept of selective authentication is also referred to as an authentication firewall. The authentication firewall is automatically set up during trust creation if Selective Authentication is chosen on the Authentication Level page of the wizard. To impose an authentication firewall after a trust is established, simply go to the Authentication tab of the Properties sheet of the existing trust, as shown in Figure 12.6.

Figure 12.6. Setting the authentication firewall.
After the authentication firewall is configured, only users or groups from the other forest that are assigned the extended right Allowed to Authenticate will be able to authenticate. To specify that only members of the Domain Admins group from a trusted forest domain can authenticate to a particular computer in the home forest, perform the following steps:
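A scripted equivalent of the audit and the grant described in the last two paragraphs, as an added example that is not from the book. It uses the ActiveDirectory PowerShell module (Windows Server 2008 R2 and later, not the Windows Server 2003 console the chapter describes). The first part lists every trust with its selective-authentication setting, so a forest trust that was left at forest-wide authentication stands out; the second part grants Allowed to Authenticate to one cross-forest group on one computer object, looking the right's GUID up in the Extended-Rights container instead of hard-coding it. The group name and computer name are placeholders.

```powershell
# Added example (not from the book): audit trusts for selective authentication, then
# grant the "Allowed to Authenticate" extended right to a cross-forest group on one
# computer object. Assumes the ActiveDirectory module; names below are placeholders.
Import-Module ActiveDirectory

# 1. Audit. SelectiveAuthentication = False on a forest trust means every user in the
#    trusted forest may authenticate to every computer in this domain (forest-wide auth).
Get-ADTrust -Filter * |
    Select-Object Name, Direction, ForestTransitive, SelectiveAuthentication |
    Format-Table -AutoSize

# 2. Grant. Placeholder values.
$ForeignGroup = 'FORESTB\Domain Admins'   # group in the trusted forest
$Computer     = 'FS01'                    # computer in this domain the group may authenticate to

$sid = ([System.Security.Principal.NTAccount]$ForeignGroup).Translate(
    [System.Security.Principal.SecurityIdentifier])
$computerDN = (Get-ADComputer -Identity $Computer).DistinguishedName

# Resolve the control access right by display name; rightsGuid is what the ACE carries.
$configNC = (Get-ADRootDSE).configurationNamingContext
$right = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" `
    -LDAPFilter '(displayName=Allowed to Authenticate)' -Properties rightsGuid
if (-not $right) { throw 'Allowed to Authenticate right not found in Extended-Rights' }
$rightGuid = [guid]$right.rightsGuid

$acl  = Get-Acl -Path "AD:\$computerDN"
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $rightGuid
)
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$computerDN" -AclObject $acl

# 3. Verify: explicit Allowed-to-Authenticate entries on the computer object.
(Get-Acl -Path "AD:\$computerDN").Access |
    Where-Object { $_.ObjectType -eq $rightGuid -and -not $_.IsInherited } |
    Format-Table IdentityReference, ActiveDirectoryRights, AccessControlType -AutoSize
```

With selective authentication on, the right must be granted on each computer (or domain controller) the cross-forest group should reach; users from the trusted forest who lack it receive a logon failure on that computer even when the NTFS permissions would allow the access.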