Igudie - MCITP Interview Q & A


http://itfreetraining.com/70-640/introduction-to-active-directory/

http://itfreetraining.com/70-640/index-70-640/

Workgroup

A workgroup is a network setup in which each computer on the network keeps its own store of user names and passwords. In order to access another computer on the network, you need to know a username and password on that computer. This does not scale well: the user is prompted for a username and password whenever he or she accesses another computer whose password store is not in sync with their own.

 

HomeGroup

Available only in a pure Windows 7 network. HomeGroup provides a simple way to share files and printers in a network. HomeGroup allows Windows 7 computers to be grouped together to share each other's resources using just one centralized password.

Domain

A domain is a logical group of computers that share the same Active Directory database. A domain allows you to manage a group of computers rather than one by one. This is done through the central use of usernames and passwords and the configuration of computers using group policy.

Domain Controller

A Domain Controller is a Windows Server on which the Active Directory Domain Services role has been configured, using a process called promotion. The Domain Controller holds a writeable copy of the Active Directory database. Each domain has at least one Domain Controller, but more should be added for redundancy.

Active Directory Database

Active Directory uses a database to hold objects such as users and settings. The database uses multi-master replication, so there can be many copies of it in many locations around the world, and each copy is writeable. Active Directory resolves replication conflicts automatically with a last-writer-wins rule applied attribute by attribute: when two Domain Controllers change the same attribute of an object before replicating, the latest update is the one that is kept.

Domain Links

Active Directory allows multiple domains to be linked together by using a trust. Each domain has a separate Active Directory database, but resources can be shared between the different domains.

Tree

When you have multiple domains in the same namespace (e.g., ITFreeTraining.com, west.ITFreeTraining.com, and sales.ITFreeTraining.com), they are considered to be in the same tree. The tree also supports multiple levels of domains. For example, you could have west.sales.ITFreeTraining.com and east.ITFreeTraining.com in the same tree.

 

Forest

A forest is a collection of one or more domains which may form one or more trees. What makes a forest unique is that it shares the same schema. The schema defines what Active Directory objects can be stored and how. The schema defines the database for the whole forest, but it should be remembered that each domain in the forest has its own copy of the database based on the schema.

Trusts

Parent and child domains are automatically linked by a trust. Users in different domains can use these trusts to access resources in another domain, assuming that they have been granted access. Trees in the forest are also linked together via a trust automatically. This ensures that any user in any domain in the forest can access any resource in the forest to which they have access.

Global Catalog

http://itfreetraining.com/70-640/global-catalog-servers/

In order for users to find resources in any domain in the forest (remember that each domain has a separate database), Domain Controllers can be made into Global Catalog Servers. A Global Catalog Server contains partial information about every object in the forest. Using this information, the user can conduct searches.

Global Catalog Servers contain a partial replica for every object in Active Directory. A Global Catalog Server is used to find objects in any domain in the forest. Any Domain Controller can be made into a Global Catalog Server.

Global Catalog Servers are used to find objects in any domain in the forest but it should be remembered that this does not give the user access to that object. Unless the user has the correct permissions they will not be able to access resources in other domains.

Global Catalog Servers also contain information about groups that span across domains and services that work at the forest level.

How to change a Domain Controller to a Global Catalog Server

Using Active Directory Users and Computers, navigate to the computer account for your Domain Controller. By default this is located in the Domain Controllers OU. Open the properties for the Domain Controller and click the NTDS Settings button. Select or deselect the Global Catalog tick box and Windows will do the rest, building (or removing) the partial replicas in the background. The same tick box is found on the NTDS Settings object under the server in Active Directory Sites and Services.


Reasons to deploy Global Catalog Servers

Reason 1. Domain Controllers generate a security token for a user at logon. If the user is a member of a universal group, which can contain members from several domains, the Domain Controller must contact a Global Catalog Server to obtain that group's membership, because the membership of a universal group from another domain is only available from the Global Catalog.

Reason 2. If a user logs on using a User Principal Name (UPN), that is, a name of the form username@domainname, the Domain Controller must query a Global Catalog Server to resolve the UPN to an account before the logon can complete.

Reason 3. Global Catalog Servers act as an index of the forest. Any search across the forest has to contact a Global Catalog Server.

Reason 4. Microsoft recommends that any site separated from the rest of the network by a Wide Area Network have a Global Catalog Server deployed locally, so that users can still log on if the WAN link is down. For a computer to use a remote Global Catalog Server, TCP ports 389 (LDAP) and 3268 (Global Catalog LDAP; 3269 for Global Catalog over TLS) must be open between the sites. If these ports are blocked, the user will not be able to use the remote Global Catalog Server.

Reason 5. Some software requires a Global Catalog Server in order to run. Exchange is a heavy user of the Global Catalog. If you have a significant number of Exchange users at a location, you should consider deploying a Global Catalog Server close to them.
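The following PowerShell is an added example, not code from the original page or from itfreetraining.com. It does the same job as the NTDS Settings tick box described above and then checks the two things a practitioner wants to see afterwards: that the DC locator actually hands out the new Global Catalog, and that TCP 389 and 3268 are reachable from the site that will use it. It assumes the RSAT ActiveDirectory module, Domain Admins rights, and a Domain Controller named DC2; the name is a placeholder.

```powershell
# Added example, not code from the original page. Assumes the ActiveDirectory RSAT module,
# Domain Admins rights, and a domain controller called DC2 (placeholder name).
Import-Module ActiveDirectory

# 1. Inventory. IsGlobalCatalog is bit 0x1 of the 'options' attribute on each DC's NTDS Settings
#    object, which is exactly what the Global Catalog tick box in the NTDS Settings dialog sets.
function Get-GlobalCatalogInventory {
    Get-ADDomainController -Filter * |
        Select-Object HostName, Site, IsGlobalCatalog, NTDSSettingsObjectDN
}

# 2. Enable or disable the GC on one DC by flipping that bit, leaving the other option bits alone.
function Set-GlobalCatalog {
    param(
        [Parameter(Mandatory)] [string] $DomainController,
        [Parameter(Mandatory)] [bool]   $Enabled
    )
    $dc      = Get-ADDomainController -Identity $DomainController
    $ntds    = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties options
    $current = [int] $ntds.options                      # $null on a DC that was never a GC -> 0
    $wanted  = if ($Enabled) { $current -bor 1 } else { $current -band (-bnot 1) }
    if ($wanted -ne $current) {
        Set-ADObject -Identity $dc.NTDSSettingsObjectDN -Replace @{ options = $wanted }
        # The DC builds the partial replicas in the background. NTDS General event 1119
        # ("This domain controller is now a global catalog") marks the moment it starts advertising.
    }
}

# 3. Verify from the client side. 389 = LDAP, 3268 = Global Catalog LDAP (3269 is the TLS variant).
function Test-GlobalCatalogReachable {
    param([Parameter(Mandatory)] [string] $DomainController)
    foreach ($port in 389, 3268) {
        Test-NetConnection -ComputerName $DomainController -Port $port -WarningAction SilentlyContinue |
            Select-Object ComputerName, RemotePort, TcpTestSucceeded
    }
}

Get-GlobalCatalogInventory | Format-Table -AutoSize
Set-GlobalCatalog -DomainController 'DC2' -Enabled $true

# The locator must now return a GC for this site (nltest is the same check from the classic tool).
Get-ADDomainController -Discover -Service GlobalCatalog -ForceDiscover | Select-Object HostName, Site
nltest /dsgetdc:$env:USERDNSDOMAIN /GC /FORCE
Test-GlobalCatalogReachable -DomainController 'DC2'
```

Disabling a GC is the same call with `-Enabled $false`. If `Test-GlobalCatalogReachable` reports 389 open but 3268 closed, the firewall between the sites is the problem described under Reason 4, not the Domain Controller.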

Reasons not to deploy a Global Catalog Server

Global Catalog Servers put more load on the server in the form of searches and lookups from clients. Global Catalogs need to keep their index up to date, which requires more network bandwidth for replication. Storing the Global Catalog also requires additional hard disk space on the server.

Active Directory Trusts

Trusts in Active Directory create the pathways for authentication to occur. They are used to link Active Directory domains to each other and also to link Active Directory domains to non-Microsoft systems.

In order to share resources between two domains, there must be a trust or trusts connecting the two domains. Trusts do not grant access; they only create a pathway to the destination. Think of trusts like roads: if you need to get to a house and there is a road between you and the house, you can drive to the destination. If the house is locked you won't be able to get in unless you have the key. The same applies with trusts: you need the path to the resource via a trust and permission to access the resource.


Trust direction (one-way or two-way)

Trusts can be one-way or two-way. If the trust is two-way, users on either side can access resources on the other side. If the trust is one-way, the terminology used to describe it is usually "Domain A trusts domain B." This means that domain A is the trusting domain and domain B is the trusted domain: the trusting domain holds the resources and the trusted domain holds the accounts. For a user to access a resource in another domain over a one-way trust, the user's account must be in the trusted domain and the resource in the trusting domain.

Transitive trusts

A transitive trust is one that extends beyond the two domains between which it was created. A domain connected via a transitive trust can thus reach any other domain as long as there is a path of transitive trusts between that domain and the target domain.

Non-transitive trust

A non-transitive trust does not extend past the two domains it was created between. If domain A is connected to domain B and domain B to domain C using non-transitive trusts, domain A and domain B can access each other, and domain B can access domain C, but domain A cannot access domain C. Even though the domains are indirectly connected, the path stops at domain B because the trust is non-transitive. For domain A and domain C to communicate using non-transitive trusts you would need to create another trust directly between domain A and domain C. Think of it like having to catch two buses to get to your destination but only having one bus ticket. Transitive and non-transitive trusts work together: when both are in use, the path through the network simply stops as soon as a non-transitive trust is crossed.

Parent-child trust

When you create a child domain, a two-way transitive trust is created automatically between the parent and the child domain.

Tree-root trust

When you create a new tree in the forest, a tree-root trust is created automatically between the forest root domain (the first domain created in the forest) and the root of the new tree. Each new tree gets such a trust to the forest root domain. These trusts are two-way and transitive, and behave essentially the same as the trusts that link parent and child domains.

Shortcut trusts

If you have two domains in the forest that communicate with each other on a regular basis, you can create a shortcut trust. This is a transitive trust created manually by an administrator to reduce the number of trusts a user's authentication has to travel over to get from one domain to another.

Forest trust

A forest trust links two Active Directory forests together. Forest trusts are created manually by an administrator and are transitive within the two forests (they do not chain on to a third forest). They work essentially the same as the other trusts except that they connect forests. In order to create a forest trust, both forests must be at the Windows Server 2003 forest functional level or higher.

Realm trust

A realm trust is used to connect Active Directory with a Kerberos V5 realm on a non-Windows system such as Unix. In order to create a realm trust, the domain must be at the Windows Server 2003 functional level or higher. Realm trusts can be transitive or non-transitive, one-way or two-way.

External trust

An external trust is a non-transitive trust to a single domain outside the forest. It was originally the way to connect to down-level systems such as Windows NT 4.0 domains, and it is still used when a forest trust is not possible, e.g., because one or both forest functional levels are not high enough. An external trust can be created one-way or two-way; a two-way external trust is simply one trust in each direction. Because it is non-transitive, it reaches only the one domain it was created with, not the rest of that domain's forest.

Selective authentication

When creating a forest trust (or an external trust) you choose between forest-wide (domain-wide) authentication and selective authentication. With forest-wide authentication, every user from the trusted forest is treated as a member of Authenticated Users in the trusting forest as soon as a domain controller authenticates them, so anything open to Authenticated Users is open to them. With selective authentication, a domain controller will not authenticate a user from the trusted forest to a given computer until that user (or a group they belong to) has been granted the "Allowed to Authenticate" permission on that computer's account object, so the administrator has to specify explicitly which resources the foreign users may reach. This gives the administrator far more control and is the setting to use when creating a trust between your company and an external company.

SID filtering

User accounts have an attribute called SID history (sIDHistory). When an account is migrated from one domain to another, SID history keeps the SID the account had in the old domain, so that permissions granted to the old SID still work after the migration. Because whoever controls the trusted domain could place any SID into a user's SID history, including a privileged SID from the trusting domain, Windows Server 2003 and later apply SID filtering to external and forest trusts by default: SIDs that do not belong to the trusted domain are dropped from the user's token as it crosses the trust. This is done for security reasons and can be disabled (for example with netdom trust ... /quarantine:no on an external trust, or /enablesidhistory:yes on a forest trust), which should only ever be done temporarily during a migration.
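An added PowerShell example (not code from the original page) that turns the trust properties described above, direction, transitivity, selective authentication and SID filtering, into an audit of every trust of the current domain. It reads the raw trustAttributes bit flags rather than the friendlier Get-ADTrust booleans so that the meaning of each check is visible. It assumes the RSAT ActiveDirectory module; the domain names in the netdom remediation lines are placeholders.

```powershell
# Added example, not code from the original page. Run on a member of the domain whose trusts you
# want to audit, with the ActiveDirectory RSAT module. Domain names in the netdom lines are placeholders.
Import-Module ActiveDirectory

# trustAttributes bit flags as documented in MS-ADTS; these decide the behaviour described above.
$TrustAttr = @{
    NonTransitive    = 0x01
    Quarantined      = 0x04   # SID filtering on (default for external trusts since Windows Server 2003)
    ForestTransitive = 0x08   # forest trust
    CrossOrg         = 0x10   # selective authentication
    WithinForest     = 0x20   # automatic parent-child / tree-root trust
    TreatAsExternal  = 0x40   # forest trust with SID history let through (netdom /enablesidhistory:yes)
}

function Get-TrustAudit {
    foreach ($t in Get-ADTrust -Filter *) {
        $a    = [int] $t.TrustAttributes
        $kind = if ($a -band $TrustAttr.WithinForest)         { 'intra-forest' }
                elseif ($a -band $TrustAttr.ForestTransitive) { 'forest' }
                elseif ($t.TrustType.ToString() -eq 'MIT')    { 'realm' }
                else                                          { 'external' }

        $findings = New-Object System.Collections.Generic.List[string]
        # Direction is seen from this domain: Outbound means this domain trusts $t.Target, so accounts
        # from over there are authenticated here. That is the side on which filtering matters.
        $acceptsForeignAccounts = $t.Direction.ToString() -in @('Outbound', 'BiDirectional')

        if ($acceptsForeignAccounts) {
            switch ($kind) {
                'external' {
                    if (-not ($a -band $TrustAttr.Quarantined)) {
                        $findings.Add('SID filtering disabled: SIDHistory from the trusted domain is honoured here')
                    }
                }
                'forest' {
                    if ($a -band $TrustAttr.TreatAsExternal) {
                        $findings.Add('SID history enabled across the forest trust: SID filtering weakened')
                    }
                    if (-not ($a -band $TrustAttr.CrossOrg)) {
                        $findings.Add('forest-wide authentication: every user over there is Authenticated Users here')
                    }
                }
            }
        }

        [pscustomobject]@{
            Target        = $t.Target
            Kind          = $kind
            Direction     = $t.Direction
            Transitive    = -not ($a -band $TrustAttr.NonTransitive)
            SelectiveAuth = [bool] ($a -band $TrustAttr.CrossOrg)
            Findings      = ($findings -join '; ')
        }
    }
}

Get-TrustAudit | Format-Table -AutoSize

# Remediation with netdom, run in the trusting domain (this one). Names are placeholders:
#   netdom trust corp.example.com /domain:partner.example.net /quarantine:yes         # external trust
#   netdom trust corp.example.com /domain:partner.example.net /enablesidhistory:no    # forest trust
#   netdom trust corp.example.com /domain:partner.example.net /SelectiveAuth:yes      # selective authentication
```

Intra-forest trusts are listed but never flagged: they are always two-way, transitive and unfiltered by design, which is exactly why a forest, not a domain, is the security boundary.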

Demonstration

To make changes to trusts in Active Directory, open Active Directory Domains and Trusts from Administrative Tools. This shows all the domains in the forest and also any trusts for those domains, whether created manually or automatically. To create a new trust, open the properties for one of the domains and select the "Trusts" tab. At the bottom of the Trusts tab select "New Trust" to launch the New Trust Wizard.

The trust wizard will in most cases detect the type of trust that you want. If it fails to detect the other side, there may be a DNS or firewall issue; in that case you can manually select which trust you want to create. To create the trust on the other end at the same time, you will be asked for a username and password with administrative rights in the other domain. If you do not have these, an administrator on the other side will need to run the wizard there. In that case a trust password needs to be agreed upon and entered on each side in order to create the trust.

If you create a forest trust using selective authentication, users coming over that trust will not be able to authenticate to a domain controller (or to any other computer) by default. In order to allow them to authenticate, they must be granted permission on the computer's account object. To do this, open Active Directory Users and Computers and, so that the Security tab appears, go to "View" and make sure "Advanced Features" is enabled. Then open the properties of the domain controller's computer object, go to the Security tab, and ensure that the user or group has the "Allowed to Authenticate" permission. The same permission is needed on the computer object of every resource server those users should reach.
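An added PowerShell example (not code from the original page) that performs the Security-tab step above by writing the "Allowed to Authenticate" extended right onto a computer object's ACL, then reads the ACL back to confirm it. It assumes the RSAT ActiveDirectory module, that the trusted forest is fabrikam.com, that the group to admit is FABRIKAM\Partner-Users, and that the resource is the domain controller DC1 in this domain; all three names are placeholders.

```powershell
# Added example, not code from the original page. Assumptions: the trusted forest is fabrikam.com,
# the group to admit is FABRIKAM\Partner-Users, and the resource is the DC named DC1 in this domain.
# Run on a DC of the trusting domain as a Domain Admin, with the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

# rightsGuid of the Allowed-To-Authenticate extended right in the AD schema
$AllowedToAuthenticateGuid = [guid] '68b1d179-0d15-4d4f-ab71-46152e79a7bc'

function Grant-AllowedToAuthenticate {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,   # computer whose account object gets the ACE
        [Parameter(Mandatory)] [string] $Principal       # DOMAIN\user-or-group from the trusted forest
    )
    $dn = (Get-ADComputer -Identity $ComputerName).DistinguishedName

    # Translate the foreign name to a SID across the trust; the ACE stores the SID, not the name.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $sid     = ([System.Security.Principal.NTAccount] $Principal).Translate($sidType)

    $rights  = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow
    $ace     = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $rights, $allow, $AllowedToAuthenticateGuid)

    $acl = Get-Acl -Path "AD:\$dn"
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$dn" -AclObject $acl
}

function Get-AllowedToAuthenticate {
    param([Parameter(Mandatory)] [string] $ComputerName)
    $dn = (Get-ADComputer -Identity $ComputerName).DistinguishedName
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object { $_.ObjectType -eq $AllowedToAuthenticateGuid } |
        Select-Object IdentityReference, AccessControlType, IsInherited
}

Grant-AllowedToAuthenticate -ComputerName 'DC1' -Principal 'FABRIKAM\Partner-Users'
Get-AllowedToAuthenticate   -ComputerName 'DC1'

# The ACE is only consulted when the trust itself is in selective-authentication mode:
Get-ADTrust -Identity 'fabrikam.com' | Select-Object Name, Direction, ForestTransitive, SelectiveAuthentication
```

Granting the right to a group from the trusted forest rather than to individual users keeps the ACL stable; the foreign security principal object for the group is created in the ForeignSecurityPrincipals container the first time the SID is used.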


Operations Master Roles

Flexible Single Master Operations (FSMO; the F is sometimes read as "floating"; pronounced "fiz-mo"). Active Directory has five operations master roles, also known as FSMO roles. Each role is held by exactly one Domain Controller so that the changes it governs happen in only one place at a time, which keeps the Active Directory database consistent. At the forest level there are the Schema Master and the Domain Naming Master. At the domain level there are the other three: the Infrastructure Master, the PDC Emulator and the RID Master.


Schema Master (forest wide)

The Schema Master determines the structure of Active Directory and thus what can be stored in it. The schema contains a definition of every object class that can be created and the attributes for that class. For example, if you want to add an attribute to every user in the forest (such as a field holding the user's pay grade), you would add an attribute to the schema to accommodate this change. Think carefully before making changes to the schema: schema changes cannot be reversed, although an attribute or class can be disabled (made defunct). If you want to test changes to the schema, create a new forest and make your changes there so the production environment is not affected.


Domain Naming Master (forest wide)

The Domain Naming Master is responsible for adding and removing domains in the forest and for ensuring that two domains in the forest do not have the same name.

Relative ID Master (RID Master)

This role allocates RID pools. A RID (relative identifier) is the number at the end of a SID. A SID, or security identifier, is assigned to every security principal (user, group and computer account). An example of a SID is:

S-1-5-21-1345645567-543223678-2053447642-1340

The RID is the last part of the SID, in this case 1340. Everything before it (S-1-5-21-1345645567-543223678-2053447642) is the domain SID, which is the same for every principal in the domain, so the RID is what makes each SID unique. The RID Master allocates a pool or block of RIDs to each Domain Controller. A Domain Controller draws from its pool when it creates security principals and requests a new pool before the current one runs out. Keep in mind that if you create a lot of objects at once, the RID Master will need to be online to allocate new pools. If a Domain Controller runs out of RIDs and cannot contact the RID Master, no new security principals can be created on that Domain Controller.
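An added PowerShell example (not code from the original page) that takes the SID quoted above apart into its domain SID and RID, and then reads the RID pool state that the text describes: what the RID Master will hand out next, and how many RIDs each Domain Controller has left in its current pool. It assumes the RSAT ActiveDirectory module and read access to the System container; the pool attributes and their packing are those documented for Active Directory.

```powershell
# Added example, not code from the original page. Assumes the ActiveDirectory RSAT module and
# read access to the System container. The SID below is the one quoted in the text.
Import-Module ActiveDirectory

function Split-Sid {
    param([Parameter(Mandatory)] [string] $Sid)
    $s         = [System.Security.Principal.SecurityIdentifier] $Sid
    $rid       = [uint32] ($s.Value.Split('-')[-1])              # last sub-authority
    $domainSid = if ($s.AccountDomainSid) { $s.AccountDomainSid.Value } else { $null }  # null for BUILTIN etc.
    $wellKnown = @{ 500 = 'Administrator'; 502 = 'krbtgt'; 512 = 'Domain Admins'; 519 = 'Enterprise Admins' }
    [pscustomobject]@{
        Sid       = $s.Value
        DomainSid = $domainSid
        Rid       = $rid
        KnownRid  = $wellKnown[[int] $rid]
    }
}

# rIDAvailablePool, rIDAllocationPool and rIDPreviousAllocationPool pack two 32-bit numbers into one
# 64-bit integer: low half = first RID of the range, high half = last RID of the range.
function Split-RidRange {
    param([Parameter(Mandatory)] [int64] $Packed)
    [pscustomobject]@{
        Low  = $Packed -band [int64] [uint32]::MaxValue
        High = $Packed -shr 32
    }
}

function Get-RidPoolState {
    $d     = Get-ADDomain
    $mgr   = Get-ADObject -Identity ('CN=RID Manager$,' + $d.SystemsContainer) -Properties rIDAvailablePool
    $avail = Split-RidRange ([int64] $mgr.rIDAvailablePool)
    $domain = [pscustomobject]@{
        RIDMaster          = $d.RIDMaster
        NextRidToHandOut   = $avail.Low     # first RID of the next pool the RID Master will allocate
        HighestRidPossible = $avail.High    # 0x3FFFFFFF unless the 31st-bit unlock has been applied
    }
    $perDc = foreach ($dc in Get-ADDomainController -Filter *) {
        # RODCs have no RID Set object, hence the SilentlyContinue
        $set = Get-ADObject -Identity ('CN=RID Set,' + $dc.ComputerObjectDN) `
                   -Properties rIDPreviousAllocationPool, rIDAllocationPool, rIDNextRID -ErrorAction SilentlyContinue
        if ($set) {
            $cur = Split-RidRange ([int64] $set.rIDPreviousAllocationPool)   # pool currently being consumed
            [pscustomobject]@{
                DC        = $dc.HostName
                PoolStart = $cur.Low
                PoolEnd   = $cur.High
                NextRid   = $set.rIDNextRID
                Remaining = $cur.High - [int64] $set.rIDNextRID
            }
        }
    }
    [pscustomobject]@{ Domain = $domain; DomainControllers = $perDc }
}

Split-Sid 'S-1-5-21-1345645567-543223678-2053447642-1340'   # RID 1340; domain SID is the S-1-5-21-... prefix
$state = Get-RidPoolState
$state.Domain
$state.DomainControllers | Format-Table -AutoSize
# Built-in cross-check of the same data: dcdiag /test:RidManager /v
```

A Domain Controller whose Remaining value is near zero while the RID Master is unreachable is the failure case described in the paragraph above: it will refuse to create new users, groups or computers until the RID Master is back.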

PDC (Primary Domain Controller) Emulator

Originally the PDC Emulator provided a bridge between Windows NT 4.0 Domain Controllers and Windows 2000 Domain Controllers. Even if you no longer have any NT 4.0 Domain Controllers on your network, it still provides several services.

The PDC Emulator forms the root of the time synchronisation hierarchy in the domain. All other Domain Controllers sync their time from it, and clients and member servers in turn sync from their local Domain Controller. You should configure the PDC Emulator of the forest root domain to sync its time from an external time source so that the whole forest stays accurate; Kerberos authentication fails when clocks differ by more than the allowed skew (five minutes by default).

When a user enters a wrong password, the Domain Controller may contact the PDC Emulator to check whether the password has in fact just been changed. Password changes are replicated to the PDC Emulator first, so it is considered the final authority on correct and incorrect passwords, and account lockout is processed there as well.

The PDC Emulator is also contacted when changes to DFS (Distributed File System) are made. This can be switched off if the load on the PDC Emulator becomes too great.

Infrastructure Master

The Infrastructure Master is responsible for keeping cross-domain object references up to date, for example a group in this domain that contains a user from another domain, when the referenced object is renamed or moved. In a single domain there is nothing for it to do. In a multi-domain forest, the Domain Controller holding the Infrastructure Master role must not be a Global Catalog Server unless every Domain Controller in the domain is a Global Catalog Server. A Global Catalog already holds a partial copy of every object in the forest and therefore never sees a stale reference to fix, so cross-domain references in the domain stop being updated. If the Active Directory Recycle Bin is enabled (Windows Server 2008 R2 forest functional level or higher), every Domain Controller updates its own cross-domain references and the placement of the Infrastructure Master no longer matters.


How To Points

The three domain-level roles (PDC Emulator, RID Master and Infrastructure Master) can be transferred in Active Directory Users and Computers: right-click the domain and select Operations Masters.

The two forest-wide roles are the Schema Master and the Domain Naming Master. To move the Domain Naming Master, open Active Directory Domains and Trusts, right-click the "Active Directory Domains and Trusts" node and select Operations Master. To move the Schema Master, first register the Schema snap-in by running regsvr32 schmmgmt.dll, then add the Active Directory Schema snap-in in an MMC console, right-click the "Active Directory Schema" node and select Operations Master.

http://itfreetraining.com/70-640/moving-operation-roles/

Active Directory has five operations master roles that can be transferred from domain controller to domain controller as required. In some cases the role cannot be transferred; for example, if the hardware of the domain controller holding the role fails, a transfer cannot be made. When this occurs, the operations master role must be seized.
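An added PowerShell example (not code from the original page) for the How To Points above: list who holds each of the five roles, transfer roles gracefully, and seize them when the holder is gone. It assumes the RSAT ActiveDirectory module; the target Domain Controller DC2 is a placeholder. Transferring the Schema Master needs Schema Admins, the Domain Naming Master needs Enterprise Admins, and the three domain roles need Domain Admins.

```powershell
# Added example, not code from the original page. Assumes the ActiveDirectory RSAT module;
# the target DC name DC2 is a placeholder.
Import-Module ActiveDirectory

function Get-FsmoRoleHolder {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        Forest               = $forest.Name
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        Domain               = $domain.DNSRoot
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

Get-FsmoRoleHolder          # same answer as the classic: netdom query fsmo

# Transfer: the current holder is online and hands the role over, so replication stays consistent.
Move-ADDirectoryServerOperationMasterRole -Identity 'DC2' `
    -OperationMasterRole PDCEmulator, RIDMaster, InfrastructureMaster

# Seize: the current holder is gone for good. -Force first attempts a transfer and seizes if that fails.
# After a seizure the old holder must never come back online as a DC: two RID Masters would hand out
# overlapping RID pools and two Schema Masters would diverge. Demote it, or remove its metadata
# (ntdsutil "metadata cleanup") if it is unrecoverable.
Move-ADDirectoryServerOperationMasterRole -Identity 'DC2' `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -Force -Confirm:$false

# Equivalent seizure of a single role with the older tool:
#   ntdsutil "roles" "connections" "connect to server DC2" "quit" "seize RID master" "quit" "quit"

Get-FsmoRoleHolder          # confirm the move, then check replication with: repadmin /replsummary
```

Run the transfer form first whenever the old holder is still reachable; only reach for `-Force` (or ntdsutil seize) once you have decided the old holder is not coming back.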


Flexible Single Master Operations (FSMO in AD)

Windows 2000/2003 Multi-Master Model

A multi-master enabled database, such as the Active Directory, provides the flexibility of allowing changes to occur at any DC in the enterprise, but it also introduces the possibility of conflicts that can potentially lead to problems once the data is replicated to the rest of the enterprise.

One way Windows 2000/2003 deals with conflicting updates is by having a conflict resolution algorithm handle discrepancies in values by resolving to the DC to which changes were written last (that is, "the last writer wins"), while discarding the changes in all other DCs. Although this resolution method may be acceptable in some cases, there are times when conflicts are just too difficult to resolve using the "last writer wins" approach. In such cases, it is best to prevent the conflict from occurring rather than to try to resolve it after the fact.

For certain types of changes, Windows 2000/2003 incorporates methods to prevent conflicting Active Directory updates from occurring.


Windows 2000/2003 Single-Master Model

To prevent conflicting updates in Windows 2000/2003, the Active Directory performs updates to certain objects in a single-master fashion.

In a single-master model, only one DC in the entire directory is allowed to process updates. This is similar to the role given to a primary domain controller (PDC) in earlier versions of Windows (such as Microsoft Windows NT 4.0), in which the PDC is responsible for processing all updates in a given domain.

In a forest, there are five FSMO roles that are assigned to one or more domain controllers. The five FSMO roles are:

Schema Master:

The schema master domain controller controls all updates and modifications to the schema. Once the Schema update is complete, it is replicated from the schema master to all other DCs in the directory. To update the schema of a forest, you must have access to the schema master. There can be only one schema master in the whole forest.

Domain naming master:

The domain naming master domain controller controls the addition or removal of domains in the forest. This DC is the only one that can add or remove a domain from the directory. It can also add or remove cross references to domains in external directories. There can be only one domain naming master in the whole forest.

Infrastructure Master:

When an object in one domain is referenced by another object in another domain, it represents the reference by the GUID, the SID (for references to security principals), and the DN of the object being referenced. The infrastructure FSMO role holder is the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference. At any one time, there can be only one domain controller acting as the infrastructure master in each domain.

Note: The Infrastructure Master (IM) role should be held by a domain controller that is not a Global Catalog server (GC). If the Infrastructure Master runs on a Global Catalog server it will stop updating object information because it does not contain any references to objects that it does not hold. This is because a Global Catalog server holds a partial replica of every object in the forest.

As a result, cross-domain object references in that domain will not be updated and a warning to that effect will be logged on that DC's event log. If all the domain controllers in a domain also host the global catalog, all the domain controllers have the current data, and it is not important which domain controller holds the infrastructure master role.
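An added PowerShell example (not code from the original page) that applies the placement rule from the Infrastructure Master notes above and from the earlier Infrastructure Master section to every domain in the forest: the role holder may be a Global Catalog only if all Domain Controllers in that domain are Global Catalogs, or if the Active Directory Recycle Bin is enabled, in which case the role has no work left to do. It assumes the RSAT ActiveDirectory module and read access to each domain.

```powershell
# Added example, not code from the original page. Assumes the ActiveDirectory RSAT module and
# read access to every domain in the forest.
Import-Module ActiveDirectory

function Test-InfrastructureMasterPlacement {
    param([Parameter(Mandatory)] [string] $Domain)
    $d   = Get-ADDomain -Identity $Domain
    $dcs = Get-ADDomainController -Filter * -Server $Domain
    $im  = $dcs | Where-Object { $_.HostName -eq $d.InfrastructureMaster }

    # If every DC is a GC there is no DC with a full-but-stale view, so the warning does not apply.
    $allGc = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0

    # With the Recycle Bin enabled every DC fixes its own cross-domain references, so the role is idle.
    $recycleBin = @((Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"').EnabledScopes).Count -gt 0

    [pscustomobject]@{
        Domain               = $d.DNSRoot
        InfrastructureMaster = $d.InfrastructureMaster
        HolderIsGC           = [bool] $im.IsGlobalCatalog
        AllDcsAreGC          = $allGc
        RecycleBinEnabled    = $recycleBin
        PlacementOk          = (-not $im.IsGlobalCatalog) -or $allGc -or $recycleBin
    }
}

(Get-ADForest).Domains |
    ForEach-Object { Test-InfrastructureMasterPlacement -Domain $_ } |
    Format-Table -AutoSize
```

A row with PlacementOk = False is the configuration the note warns about; either move the role with Move-ADDirectoryServerOperationMasterRole -OperationMasterRole InfrastructureMaster to a non-GC Domain Controller, or make the remaining Domain Controllers Global Catalogs as well.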

Relative ID (RID) Master:


The RID master is responsible for processing RID pool requests from all domain controllers in a particular domain. When a DC creates a security principal object such as a user or group, it attaches a unique Security ID (SID) to the object.

This SID consists of a domain SID (the same for all SIDs created in a domain), and a relative ID (RID) that is unique for each security principal SID created in a domain. Each DC in a domain is allocated a pool of RIDs that it is allowed to assign to the security principals it creates.

When a DC's allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain's RID master. The domain RID master responds to the request by retrieving RIDs from the domain's unallocated RID pool and assigns them to the pool of the requesting DC. At any one time, there can be only one domain controller acting as the RID master in the domain.

PDC Emulator:

The PDC emulator is necessary to synchronize time in an enterprise. Windows 2000/2003 includes the W32Time (Windows Time) time service that is required by the Kerberos authentication protocol.

All Windows 2000/2003-based computers within an enterprise use a common time. The Windows Time service enforces a hierarchical relationship that determines which computer is authoritative for which, and that does not permit loops, so that every computer converges on the same time.

The PDC emulator of a domain is authoritative for the domain. The PDC emulator at the root of the forest becomes authoritative for the enterprise, and should be configured to gather the time from an external source.

All PDC FSMO role holders follow the hierarchy of domains in the selection of their inbound time partner. In a Windows 2000/2003 domain, the PDC emulator role holder retains the following functions:

Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator.

Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator before a bad password failure message is reported to the user.

Account lockout is processed on the PDC emulator.

Editing or creation of Group Policy Objects (GPO) is always done from the GPO copy found in the PDC Emulator's SYSVOL share, unless configured not to do so by the administrator.

The PDC emulator performs all of the functionality that a Microsoft Windows NT 4.0 Server-based PDC or earlier PDC performs for Windows NT 4.0-based or earlier clients.

This part of the PDC emulator role becomes unnecessary when all workstations, member servers, and domain controllers that are running Windows NT 4.0 or earlier are all upgraded to Windows 2000/2003. The PDC emulator still performs the other functions as described in a Windows 2000/2003 environment. At any one time, there can be only one domain controller acting as the PDC emulator master in each domain in the forest.

Active Directory Trust Relationships

In Active Directory, when two domains trust each other, or a trust relationship exists between the domains, the users and computers in one domain can access resources residing in the other domain. The characteristics of Windows Server 2003 trusts are outlined below:

Trusts can be nontransitive or transitive:

o Transitive trusts: With transitive trusts, trust is applicable for each trusted domain. This means that where Domain1 trusts Domain2, and Domain2 trusts Domain3, Domain1 would also trust Domain3.

o Nontransitive trust: The defined trust relationship ends with the two domains between which the particular trust is created.

Trusts can be one-way or two-way trusts:

o One-way trusts: Based on the direction of the trust, a one-way trust can further be broken down into either an incoming trust or an outgoing trust. A one-way trust can be transitive or nontransitive:

Incoming Trust: With an incoming trust, the trust is created in the trusted domain, and users in the trusted domain are able to access network resources in the trusting (other) domain. Users in the other domain cannot, however, access network resources in the trusted domain.

Outgoing Trust: In this case, users in the other domain are able to access network resources in the initiating domain. Users in the initiating domain are not able to access any resources in the other domain.

o Two-way trusts: A two-way trust relationship means that where Domain1 trusts Domain2, Domain2 also trusts Domain1. The trust works both ways, and users in each domain are able to access network resources in either of the domains. A two-way, transitive trust is the trust that exists between parent domains and child domains in a domain tree. In a two-way transitive trust, where Domain1 trusts Domain2 and Domain2 trusts Domain3, Domain1 would trust Domain3 and Domain3 would trust Domain1. Two-way, transitive trust is the default trust relationship between domains in a tree. It is automatically created and exists between top-level domains in a forest.

Trusts can be implicit or explicit trusts:

o Implicit: Automatically created trust relationships are called implicit trusts. An example of an implicit trust is the two-way, transitive trust relationship that Active Directory creates between a parent and a child domain.

o Explicit: Manually created trust relationships are referred to as explicit trusts.

Types of Active Directory Trust Relationships

Parent/Child trust: A parent/child trust relationship exists between two domains in Active Directory that have a common contiguous DNS namespace and belong to the same forest. This trust relationship is established when a child domain is created in a domain tree.

Tree Root trust: A tree root trust relationship can be configured between root domains in the same forest. The root domains do not have a common DNS namespace. This trust relationship is established when a new tree root domain is added to a forest.

Shortcut trust: This trust relationship can be configured between two domains in different domain trees but within the same forest. Shortcut trust is typically utilized to improve user logon times.

External trust: External trust relationships are created between an Active Directory domain and a Windows NT4 domain.

Realm trust: A realm trust relationship exists between an Active Directory domain and a non-Windows Kerberos realm.

Forest trust: Forest trust can be created between two Active Directory forests.

Active Directory Trusts

Trusts in Active Directory create the pathways for authentication to occur. They are used to link Active Directory domains to each other and also to link Active Directory domains to non-Microsoft systems.

In order to share resources between two domains, there must be a trust or trusts connecting the two domains. Trusts do not provide access; they only create a pathway to the destination. Think of trusts like roads: if you need to get to a house and there is a road between you and the house, you can drive to the destination. If the house is locked you won’t be able to get in unless you have the key. The same applies with trusts: you need the path to the resource via a trust and permission to access the resource.

Trust direction (One-way or two-way)

Trusts can be one-way or two-way. If the trust is two-way, then the domain on either side can access the other side. If the trust is one-way, the terminology used to describe the trust will usually be “Domain A trusts domain B.” This means that domain A is the trusting domain and domain B will be the trusted domain. For a user in a certain domain to access a resource in another domain, the user needs to be in the trusted domain.

Transitive trusts

A transitive trust is when a trust can be extended outside of the two domains in which it was created. A domain connected via a transitive trust can thus access any other domain when there is a path of transitive trusts between that domain and the target domain.

Non-transitive trust

A non-transitive trust is a trust that will not extend past the domains it was created with. If domain A was connected to domain B and domain B connected to domain C using non-transitive trusts, the following would occur. Domain A and domain B would be able to access each other. Domain B could access domain C. Domain A, however, could not access domain C. Even though the domains are indirectly connected, since the trust is non-transitive the connection will stop once it gets to domain B. In order for domain A and domain C to communicate using non-transitive trusts you would need to create another trust between domain A and domain C. Think of it like having to catch two buses to get to your destination but only having one bus ticket. Transitive and non-transitive trusts will work together. When using both, the pathway through the network will simply stop as soon as a non-transitive trust is travelled over.

Parent child trust

When you create a child domain, a trust will automatically be created between the parent and child domain; this trust is transitive.

Tree trust

When you create a new tree in the forest, a tree trust will be created automatically between the root domain (the first domain created in the forest) and the new tree. Each new tree will have a tree trust created between that tree and the root domain. These trusts are transitive and essentially the same as the transitive trusts that link parent and child domains.

Shortcut trusts

If you have two domains that communicate with each other on a regular basis you can create a shortcut trust. This is the same as a transitive trust but is manually created by an administrator to reduce the number of trusts a user needs to travel over to get from one domain to another.

Forest trust

A forest trust links two Active Directory forests together. These are created manually by an administrator and are transitive. They essentially work the same as the other trusts except they connect forests together. In order to create this trust, both forests must be at the Windows Server 2003 forest functional level or higher.

Realm Trust

A realm trust is used to connect Active Directory with a Kerberos V5 realm on a non-Windows system like Unix. In order to create a realm trust, the domain must be at the Windows Server 2003 functional level or higher. These can be transitive or non-transitive, one-way or two-way.

External Trust

An external trust is an old one-way trust that is used to connect to systems like Windows NT4. To make them two-way, you can create one trust in each direction. They are non-transitive. They can also be used when it is not possible to create a forest trust, e.g., when one or both forest functional levels are not high enough.
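The direction, transitivity and shortcut-trust rules described above, as an added Python model that is not from the original notes: a user in a trusted domain can reach a resource when a path of trusts leads from the resource's (trusting) domain back to the user's domain, a non-transitive trust is usable only as the direct hop, and a shortcut trust shortens the path. The domain names and the sample forest layout are constructed.

```python
# Trust-path model (added example, not from the notes); domain names are constructed.
from collections import deque

class TrustMap:
    """Directed trust edges: edges[trusting][trusted] = transitive flag."""
    def __init__(self):
        self.edges = {}  # "A trusts B" lets users of B reach resources in A

    def add_trust(self, trusting, trusted, transitive=True, two_way=False):
        self.edges.setdefault(trusting, {})[trusted] = transitive
        if two_way:
            self.edges.setdefault(trusted, {})[trusting] = transitive

    def path_for_access(self, user_domain, resource_domain):
        """Domains crossed from the resource's domain to the user's domain, or None.
        A non-transitive trust only works as the single direct hop; any longer path
        must consist of transitive trusts alone."""
        if user_domain == resource_domain:
            return [resource_domain]
        if user_domain in self.edges.get(resource_domain, {}):
            return [resource_domain, user_domain]  # direct trust of either kind
        prev = {resource_domain: None}             # BFS over transitive trusts only
        queue = deque([resource_domain])
        while queue:
            here = queue.popleft()
            for nxt, transitive in self.edges.get(here, {}).items():
                if not transitive or nxt in prev:
                    continue               # the pathway stops at a non-transitive trust
                prev[nxt] = here
                if nxt == user_domain:
                    path = []
                    while nxt is not None:
                        path.append(nxt)
                        nxt = prev[nxt]
                    return path[::-1]
                queue.append(nxt)
        return None

    def hops(self, user_domain, resource_domain):
        """Number of trusts travelled over, or None when there is no usable path."""
        path = self.path_for_access(user_domain, resource_domain)
        return None if path is None else len(path) - 1

def build_sample_map():
    """Constructed forest: root with two child trees, plus a chain of external trusts."""
    t = TrustMap()
    t.add_trust("corp.example", "eu.corp.example", two_way=True)        # parent/child
    t.add_trust("corp.example", "us.corp.example", two_way=True)        # parent/child
    t.add_trust("us.corp.example", "lab.us.corp.example", two_way=True) # parent/child
    t.add_trust("eu.corp.example", "LEGACY-A", transitive=False)        # external, one-way
    t.add_trust("LEGACY-A", "LEGACY-B", transitive=False)               # external, one-way
    return t
```

Adding a shortcut trust with `t.add_trust("eu.corp.example", "lab.us.corp.example", two_way=True)` drops the lab-to-eu path from three hops to one, which is the effect the shortcut trust paragraph describes.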

Selective authentication

When creating a forest trust you have the option to use selective or forest-wide authentication. With forest-wide authentication, certain resources on the network will be open to anyone who authenticates over the trust; these include authenticating from a domain controller. If you use selective authentication you will need to specify which resources the users will have access to. This gives the administrator a lot more control. This setting should be used when creating a forest trust between your company and an external company.

SID Filtering

User accounts have an attribute called SID history. When a user account is migrated from one domain to another, SID history contains the SID from the old domain. Using SID history means the user can still access resources where permissions were defined using the old SID. Windows Server 2003 and above will remove SID history when travelling over a trust. This is done for security reasons and can be disabled.
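The SID history scenario above, as an added Python example that is not from the original notes: a migrated user's token carries the old domain's SID in SID history, a share still grants access to that old SID, and SID filtering on the trust strips every SID not issued by the trusted domain, so the old permission stops working once the token crosses the trust. All domain SIDs and RIDs are constructed samples.

```python
# SID filtering model (added example, not from the notes); all SIDs are constructed.
TRUSTED_DOMAIN_SID = "S-1-5-21-1000000000-2000000000-3000000000"  # partner domain
OLD_DOMAIN_SID = "S-1-5-21-7000000000-8000000000-9000000000"      # migrated-from domain

def domain_part(sid):
    """Strip the RID (final sub-authority) to obtain the issuing domain's SID."""
    return sid.rpartition("-")[0]

def filter_incoming_sids(sids, trusted_domain_sid):
    """SID filtering: keep only SIDs issued by the trusted domain itself.
    Everything else, including SID history entries from other domains, is dropped
    before the token is used in the trusting domain."""
    kept, dropped = [], []
    for sid in sids:
        (kept if domain_part(sid) == trusted_domain_sid else dropped).append(sid)
    return kept, dropped

def is_allowed(acl_allow_sids, token_sids):
    """Simplified access check: any token SID matching an allow entry grants access."""
    return any(sid in acl_allow_sids for sid in token_sids)

def demo(sid_filtering_enabled=True):
    """Migrated user opens a share whose permission still names the old-domain SID."""
    token = [
        TRUSTED_DOMAIN_SID + "-1105",  # current account SID
        TRUSTED_DOMAIN_SID + "-1220",  # a group in the trusted domain
        OLD_DOMAIN_SID + "-1042",      # SID history: account SID from the old domain
    ]
    if sid_filtering_enabled:
        token, _ = filter_incoming_sids(token, TRUSTED_DOMAIN_SID)
    share_acl = {OLD_DOMAIN_SID + "-1042"}  # permission granted before the migration
    return is_allowed(share_acl, token)
```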

Demonstration

To make changes to trusts in Active Directory, open Active Directory Domains and Trusts from Administrative Tools. This will show all the domains in the forest and also any trusts for those domains, whether manually or automatically created. To create a new trust, open the properties for one of the domains and select the “Trusts” tab. At the bottom of the Trusts tab select the option “New Trust” to launch the trust wizard.

The trust wizard will in most cases detect the type of trust that you want. If it fails to detect the other side, there may be a DNS issue or firewall issue. In this case you can manually select which trust you want to create. In order to create the trust on the other end, you will be asked for a username and password. If you don’t have this, an administrator on the other side will need to run the wizard on the other side. In some cases, a shared password needs to be agreed upon and entered on each side in order to create the trust.

If you create a forest trust using selective authentication, users traveling over this forest trust will not be able to authenticate from a domain controller by default. In order to allow them to authenticate, they need to be given permissions. To do this, open “Active Directory Users and Computers.” For the option to appear you need to go to “view” and make sure “advanced features” is enabled. To enable access, open the security for the domain controller and ensure that the user has the permission “allowed to authenticate.”

Group Policy Introduction

What is Group Policy

Group Policy is a system that allows central control of your client computers. Using Group Policy you can control the user experience. This includes configuring settings for the user and also settings that affect the computer as a whole. Group Policy can also be used to deploy and configure software.

Text Based Config Files

Before systems like Group Policy were developed, settings were often kept in text files like ini files. In order to make changes to the ini file, software would rewrite the whole file each time a change was made. Text files were not designed for multi-user environments and do not support rolling back changes.

Registry

Microsoft introduced the registry to replace text files like ini files. Editing a single value in the registry is a lot easier than editing a single value in a text file. The problem with the registry is that once a change is made, the change is permanent until overwritten by another value.

Group Policy

Group Policy allows changes to be rolled back when they no longer apply, meaning the effects of Group Policy are reversed once it is no longer being applied. Users and computers can be moved around Active Directory, so the Group Policy that applies to these objects may change. Since Group Policy reverses any previously made changes, the administrator does not need to worry about what settings were previously applied.

Group Policy Mechanics

Group Policy is created and stored on a Domain Controller. Group Policy is downloaded from the Domain Controller to the local computer and applied. For this reason Group Policy is a client-driven technology: it is up to the client to download Group Policy and apply it. Group Policy is applied by Client Side Extensions (CSEs). Each operating system improves and adds CSEs, meaning new clients can process some Group Policy settings that older clients may not be able to process. For a list of all the CSEs installed on a system, refer to the following registry key:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions

Group Policy Example

A single Group Policy is divided into two parts called Computer Configuration and User Configuration. Settings that are configured under Computer Configuration affect the whole computer. Settings configured under User Configuration affect only the user that is currently logged in. The user and computer configuration are each divided into two parts called Policies and Preferences. Preferences were a late addition to Windows Server 2008: Microsoft purchased another product called PolicyMaker and added it to Group Policy. The essential difference between the two is that policies are mandatory while preferences can often be overwritten by the user. Policies are divided into three parts: Software Settings, Windows Settings and Administrative Templates. Software settings, such as installations, are done in Software Settings. Windows Settings are broader settings that affect how the computer operates at a low level rather than specific functions. Administrative Templates contain the bulk of the Group Policy settings.

Summary

Group Policy settings are stored in Active Directory. They are client driven, and thus the client is responsible for downloading the Group Policy settings and applying them. Group Policy settings are applied to the client by software called client side extensions. If a particular Group Policy setting requires a particular client side extension and that client side extension is not available, the Group Policy setting will not be applied to that computer or user. Group Policy itself is divided primarily into two halves, user configuration and computer configuration. Computer configuration is applied when the computer starts up, while user configuration is applied when the user logs into the computer.