Designing Forest and Domain Trust Models

One of the most important decisions you will make when designing your Active Directory infrastructure is how far you intend to use forests and domains: a single forest or multiple forests, and within each forest, a single domain or multiple domains. Each decision you make along the way affects the level of security in your environment, so there are several security advantages and disadvantages you must understand before settling on a domain or forest model.

A trust model represents the configuration of the trusts between your Active Directory domain or forest and another environment. One of the first things to bear in mind is that the operating system on the other side of the trust largely determines how securely the trust can be maintained, in particular whether Kerberos or NTLM is used to authenticate across it.

Domain trusts, which are trusts between Windows domains, can exist between domains in the same tree, in separate trees, or in separate forests; they can even be established with stand-alone domains such as Windows NT 4 domains. All domains within a forest trust each other, directly or indirectly, because every domain has a two-way transitive trust with its immediate parent domain and every tree-root domain has one with the forest root domain. The transitive trust “climbs” the tree from the lowest child domain to the forest root domain. This trust model is shown in Figure 4.2. Notice that all of the trusts are two-way, and remember that because they are transitive (for example, Sales.Joltcoder.lan trusts Joltcoder.lan and Joltcoder.lan trusts HR.Joltcoder.lan, so Sales.Joltcoder.lan trusts HR.Joltcoder.lan), all domains within the tree trust each other by default.

Figure 4.2: Transitive trust model

In the following sections, you will learn the implications associated with each of the trust types.

Default Trusts

There are two types of default trusts; both are two-way and transitive:

Parent/child trusts Parent/child trusts are created automatically when a new child domain is added to an existing domain tree.

Tree-root trusts Tree-root trusts are created automatically when a new tree is created in an existing forest. A tree-root trust is established between the forest root domain and the root domain of the new tree, and it is what makes every domain in one tree trust every domain in the forest’s other trees.

Non-Default Trusts

The other types of trusts must be created manually, and not all of them are two-way and transitive. The following list describes them:

External trust An external trust is a nontransitive trust between an Active Directory domain and an external Windows domain, such as a Windows NT 4 domain or a domain in a separate forest with which no forest trust exists. An external trust can be one-way or two-way. Because it is nontransitive, only the two domains named in the trust are joined by it; child domains on either side gain no access through it. Windows Server 2003 domain controllers enable SID filtering (quarantine) on new external trusts by default, which discards from incoming authorization data any SIDs that do not belong to the trusted domain; leave it enabled unless you have a specific, reviewed reason to turn it off.

Realm trust A realm trust is a trust between a Windows Server 2003 domain and a non-Windows Kerberos realm, such as an MIT Kerberos realm on UNIX. A realm trust can be either transitive or nontransitive and can be one-way or two-way.

Forest trust A forest trust is a transitive trust between two Windows Server 2003 forests, in which every domain in each forest trusts every domain in the other; it can be one-way or two-way. If the forest trust is two-way, authentication requests made from either forest can be routed to the other. Both forests must be at the Windows Server 2003 forest functional level, and the trust does not extend to a third forest: if forest A trusts forest B and forest B trusts forest C, forest A does not trust forest C.

Within a forest, Windows 2000 uses the Kerberos protocol to authenticate across trusts. For external trusts, however, Windows 2000 falls back to the older NT LAN Manager (NTLM) protocol, both for trusts with Windows NT 4 domains and for trusts between Windows 2000 domains in separate forests. The same holds for Windows Server 2003: an external trust always authenticates with NTLM, so a trust between a Windows Server 2003 domain and a Windows 2000 domain in a different forest uses NTLM rather than Kerberos, whereas a forest trust between two Windows Server 2003 forests uses Kerberos. A Windows 2000 forest cannot take part in a forest trust at all, which is why the operating system on the far side of the trust matters so much to the security of the trust.
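The trust rules above (which trusts are transitive, which are directional, which use Kerberos and which fall back to NTLM) can be checked mechanically. The following Python model is an added example written for this page; it is not code from the study guide or from Microsoft. It encodes the Windows Server 2003 behaviour stated in this section: parent/child and tree-root trusts are two-way and transitive; external trusts are nontransitive and use NTLM; a forest trust joins every domain of two forests over Kerberos but does not chain to a third forest; a realm trust is transitive only if created that way. The sample data reuses the Joltcoder.lan tree from Figure 4.2; partner.example, eng.partner.example, vendor.example and the MIAMI.EXAMPLE realm are constructed names for the example. The model deliberately ignores SID filtering and selective authentication, which restrict access further but do not change which trust path is used.

```python
from collections import deque

# Trust kinds as named in the section above.
INTRA_FOREST = "parent-child/tree-root"  # automatic, two-way, transitive, Kerberos
EXTERNAL = "external"                     # manual, nontransitive, NTLM
FOREST = "forest"                         # manual, transitive between two forests, Kerberos
REALM = "realm"                           # manual, to a non-Windows Kerberos realm


class TrustModel:
    """Directed trust graph. An edge trusting -> trusted means accounts from the
    trusted domain can be granted access to resources in the trusting domain."""

    def __init__(self):
        self.edges = {}  # trusting -> [(trusted, kind, transitive)]

    def _edge(self, trusting, trusted, kind, transitive):
        self.edges.setdefault(trusting, []).append((trusted, kind, transitive))

    def add_child(self, child, parent):
        """Parent/child or tree-root trust: created automatically, two-way, transitive."""
        self._edge(parent, child, INTRA_FOREST, True)
        self._edge(child, parent, INTRA_FOREST, True)

    def add_trust(self, trusting, trusted, kind, two_way=False, transitive=None):
        """External, forest or realm trust created by an administrator."""
        if transitive is None:
            transitive = kind == FOREST  # forest: transitive; realm: nontransitive unless asked
        if kind == EXTERNAL and transitive:
            raise ValueError("external trusts are always nontransitive")
        self._edge(trusting, trusted, kind, transitive)
        if two_way:
            self._edge(trusted, trusting, kind, transitive)

    def path(self, user_domain, resource_domain):
        """Domains an authentication request walks, from the resource's domain back
        to the account's domain, or None when no usable trust path exists."""
        if user_domain == resource_domain:
            return [resource_domain]
        # A nontransitive trust can be used only as a single, direct hop.
        for trusted, _, transitive in self.edges.get(resource_domain, []):
            if trusted == user_domain and not transitive:
                return [resource_domain, user_domain]
        # Otherwise follow transitive trusts. At most one hop may leave the forest,
        # because a forest (or realm) trust never extends to a third forest.
        start = (resource_domain, False)
        queue, prev = deque([start]), {start: None}
        while queue:
            domain, crossed = queue.popleft()
            for trusted, kind, transitive in self.edges.get(domain, []):
                cross = kind != INTRA_FOREST
                state = (trusted, crossed or cross)
                if not transitive or (cross and crossed) or state in prev:
                    continue
                prev[state] = (domain, crossed)
                if trusted == user_domain:
                    chain, node = [], state
                    while node is not None:
                        chain.append(node[0])
                        node = prev[node]
                    return chain[::-1]
                queue.append(state)
        return None

    def protocol(self, user_domain, resource_domain):
        """NTLM when the request crosses an external trust, otherwise Kerberos."""
        chain = self.path(user_domain, resource_domain)
        if chain is None:
            return None
        if len(chain) == 2 and any(t == chain[1] and k == EXTERNAL
                                   for t, k, _ in self.edges[chain[0]]):
            return "NTLM"
        return "Kerberos"


def build_example():
    """Constructed sample: the Joltcoder.lan tree of Figure 4.2 plus hypothetical
    partner and vendor forests and a UNIX Kerberos realm (those names are assumed)."""
    m = TrustModel()
    m.add_child("Sales.Joltcoder.lan", "Joltcoder.lan")
    m.add_child("HR.Joltcoder.lan", "Joltcoder.lan")
    m.add_child("eng.partner.example", "partner.example")
    # One-way, nontransitive external trust: HR trusts the partner forest's root domain.
    m.add_trust("HR.Joltcoder.lan", "partner.example", EXTERNAL)
    # Two-way forest trusts Joltcoder<->Vendor and Vendor<->Partner; they do not chain.
    m.add_trust("Joltcoder.lan", "vendor.example", FOREST, two_way=True)
    m.add_trust("vendor.example", "partner.example", FOREST, two_way=True)
    # One-way transitive realm trust: the forest root trusts the UNIX Kerberos realm.
    m.add_trust("Joltcoder.lan", "MIAMI.EXAMPLE", REALM, transitive=True)
    return m


if __name__ == "__main__":
    m = build_example()
    for user, resource in [("Sales.Joltcoder.lan", "HR.Joltcoder.lan"),
                           ("eng.partner.example", "HR.Joltcoder.lan"),
                           ("vendor.example", "Sales.Joltcoder.lan")]:
        print(user, "->", resource, m.protocol(user, resource), m.path(user, resource))
```

Running it shows the points the section makes: Sales.Joltcoder.lan accounts reach HR.Joltcoder.lan through the forest root over Kerberos; accounts from the externally trusted partner.example reach HR only over NTLM, and accounts from its child domain eng.partner.example reach nothing at all, because the external trust is nontransitive; vendor.example, joined by a forest trust, reaches every Joltcoder domain, while partner.example, one forest further along the chain of forest trusts, does not; and the one-way trusts work in one direction only.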

In the “Designing Trust Models” Design Scenario, you will be evaluating two scenarios and determining the most appropriate trust model and how the trust should be designed.

In the next section, you will learn how to analyze account and password security requirements.

Design Scenario: Designing Trust Models

Scenario 1

ABC Inc. has a single Windows Server 2003 forest with a root domain named abc.lan. There are three satellite offices, each configured as a Windows NT 4 domain. You have interviewed the IT manager, and she stated that all of the satellite offices will upgrade their domain controllers to Windows Server 2003 within the next two months. You need to design a trust model for the present configuration that allows the Windows Server 2003 domain and the Windows NT 4 domains to share resources. The model must also continue to expose the satellite offices’ resources to the existing Windows Server 2003 domain after the upgrade with a minimal amount of administrative effort.

  1. Question: How would you configure trusts between the different domains? Answer: Create a two-way external trust between the Windows Server 2003 domain and each of the three satellite domains, so that the Windows Server 2003 domain trusts each Windows NT 4 domain and each NT 4 domain trusts the Windows Server 2003 domain. An external trust is the only kind of trust a Windows NT 4 domain can take part in, and it continues to function after the satellite domain controllers are upgraded in place, so nothing has to be rebuilt. Only if a satellite domain is later joined to the abc.lan forest as a child domain does its external trust become redundant, because the automatic parent/child trust replaces it.

Scenario 2

RTM Corporation is a publisher of technical manuals with offices in Phoenix, Philadelphia, and Miami. The Phoenix office has a Windows 2000 Active Directory domain running in native mode. All of the domain controllers in Phoenix run Windows 2000 Advanced Server and are up-to-date with patches and service packs. The Philadelphia office runs a Windows Server 2003 Active Directory domain at the Windows Server 2003 domain functional level, and all of its domain controllers run Windows Server 2003. In Miami, the network is a UNIX environment configured as a Kerberos realm.

You have resources in Philadelphia that must be accessible from all of the remote locations. Currently there are no trust relationships of any kind between the offices. RTM’s corporate headquarters is in Phoenix and should be at the top of the domain namespace. You need to create trusts that provide the maximum level of security for authentication, and one of your business partners requires that Kerberos be the authentication protocol for all of the trusts.

  1. Question: What tasks must you complete in order to satisfy your business partner’s authentication requirement? Answer: Your first task is to upgrade all of the domain controllers in Phoenix to Windows Server 2003 and raise the Phoenix domain and forest to the Windows Server 2003 functional level. Windows 2000 does not use Kerberos authentication between forests: the only trust possible with the Windows 2000 domain would be an external trust, which authenticates with NTLM, and a forest trust, which does use Kerberos, requires both forests to be at the Windows Server 2003 forest functional level. Once Phoenix is upgraded, create a forest trust between the Phoenix and Philadelphia forests, and then create a realm trust between the Windows Server 2003 domain and the UNIX Kerberos realm in Miami.

MCSE: Windows Server 2003 Network Security Design Study Guide (Exam 70-298)
ISBN: 0782143296
Year: 2004
