1 / 22

Active Directory Trusts

Learn how to create and manage Active Directory trusts, including forest root trusts, shortcut trusts, and external realm trusts. Understand the key terms and definitions related to trusts and discover the various trust options available.

pmcmullen
Download Presentation

Active Directory Trusts

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. 2.4 Plan Active Directory TestOut Server Pro 2016: Identity Active Directory Trusts

  2. Section Skill Overview • Create and manage Active Directory trusts. Create a forest root trust. Design trusts. Create a shortcut trust. TestOut Server Pro 2016: Identity

  3. Key Terms • Shortcut External Realm Direction of Trust Security Identifier (SID) Direction of Resource Access Transitivity TestOut Server Pro 2016: Identity

  4. Key Definitions • Shortcut: Shortcut trusts improve user logon times between two domains within a forest by reducing the amount of Kerberos authentication traffic on the network. Shortcut trusts are transitive and use Kerberos (a protocol for authentication). External: External trusts provide access to resources located on a Windows NT 4.0 domain or a domain located in a forest that is not joined by a forest trust. External trusts are non-transitive and use NT LAN Manager authentication (NTLM) protocols. • Realm: Realm trusts form a trust relationship between a non-Windows Kerberos realm and a Windows Server 2008 or later domain. Realm trusts can be transitive or non-transitive and use Kerberos. TestOut Server Pro 2016: Identity

  5. Key Definitions • Direction of Trust: The direction of the arrow identifies the direction of trust. For example, if Domain A trusts Domain B, the arrow would point from Domain A to Domain B. Security Identifier (SID): A security identifier (SID) is a unique value of variable length used to identify each account. Direction of Resource Access: Resource access is granted opposite of the direction of trust. For example, if Domain A trusts Domain B, users in Domain B have access to resources in Domain A. Users in the trusted domain have access to resources in the trusting domain. Transitivity: Transitivity defines whether trust between domains flows or is inherited to other trusted domains. TestOut Server Pro 2016: Identity

  6. Trusts • Trusts allow users to access resources in another domain. I need access to your share User Share Domain Corp Domain ACME TestOut Server Pro 2016: Identity

  7. Trusts • Trusts allow users to access resources in another domain. • Trust options include: • One-way or two-way Domain Corp trusts Domain ACME User Share Domain Corp Domain ACME TestOut Server Pro 2016: Identity

  8. Trusts • Trusts allow users to access resources in another domain. • Trust options include: • One-way or two-way • Incoming or outgoing • Transitive and nontransitive Domain Corp trusts Domain ACME OutgoingTrust IncomingTrust User Share Domain Corp Domain ACME TestOut Server Pro 2016: Identity

  9. Trusts • Trusts allow users to access resources in another domain • Trust options include • One-way or two-way • Incoming or outgoing • Transitive • Nontransitive A trusts B B trusts C A trusts Band C B trusts C Domain C Domain C Domain A Domain A Domain B Domain B TestOut Server Pro 2016: Identity

  10. Types of Trusts • Automatic • Cross-forest • External • Realm • Shortcut TestOut Server Pro 2016: Identity

  11. Automatic Transitive Trusts CorpNet.com Forest Created when a new domainis added to a domain treeor forest root domain. Two-way Transitive CorpNet.com NetCorp.com Two-wayTransitive West.CorpNet.com TestOut Server Pro 2016: Identity

  12. Cross-Forest Trusts • Are manual trusts created between two forests. • Must have a forest functional levels of Windows 2003 or higher. Forest C Forest A A C D.C B.A TestOut Server Pro 2016: Identity

  13. Active Directory Trusts • Are manual trusts created between two forests. • Must have a forest functional levels of Windows 2003 or higher. • Are nontransitive. No trust between domains A and C Forest A Forest B Forest C B A C B trusts C A trusts B C.A B.A TestOut Server Pro 2016: Identity

  14. Cross-Forest Trust Authentication • Forest-wide: • Permits unrestricted access by any users in the specified forest to all available shared resources. • Enabled by default. • Selective: • Allows selected users and groups in remote forest to access resources in local forest. • Must assign the Allowed to Authenticate right. TestOut Server Pro 2016: Identity

  15. Cross-Forest Trust • Domain names are added to the Name Suffix Routing List at the creation of the trust. • Domain names are removed to exempt a trust. • New domains added after the trust creation must be added manually to the routing list. TestOut Server Pro 2016: Identity

  16. External and Realm Trusts • External Trust • A nontransitive trust between domains in different forests Forest C Forest A A C D.C B.A TestOut Server Pro 2016: Identity

  17. External and Realm Trusts • External Trust • A nontransitive trust between domains in different forests • Realm Trust • A nontransitive trust between an Active Directory domain and a Kerberos V5 realm. TestOut Server Pro 2016: Identity

  18. Active Directory Trusts Forest A • A transitive trust between domains in the tree or forest. • Used to shorten the trust path. • Not required to traverse multiple trusts. A B.A D.A Shortcut Trust C.B.A E.D.A TestOut Server Pro 2016: Identity

  19. Summary • Trust Types • Automatic • Cross-forest • External • Realm • Shortcut TestOut Server Pro 2016: Identity

  20. In-Class Practice Do the following labs: • 2.4.3 Create a Forest Root Trust 2.4.7 Design Trusts 2.4.8 Create a Shortcut Trust TestOut Server Pro 2016: Identity

  21. Class Discussion • Which types of trusts are created automatically for domains within a forest? What are the characteristics of automatically created domain trusts? What are the characteristics of trusts between forests? When can forest trusts be used? When must you create an external trust? What advantages does selective authentication provide to system administrators for securing resources in a forest? TestOut Server Pro 2016: Identity

  22. Class Discussion • How do shortcut trusts improve user logon times between two domains within a forest? What are the characteristics of an external trust? When should you use a realm trust? TestOut Server Pro 2016: Identity

More Related