Learn how to create and manage Active Directory trusts, including forest root trusts, shortcut trusts, and external realm trusts. Understand the key terms and definitions related to trusts and discover the various trust options available.
TestOut Server Pro 2016: Identity
2.4 Plan Active Directory: Active Directory Trusts
Section Skill Overview
• Create and manage Active Directory trusts.
• Create a forest root trust.
• Design trusts.
• Create a shortcut trust.
Key Terms
• Shortcut
• External
• Realm
• Direction of Trust
• Security Identifier (SID)
• Direction of Resource Access
• Transitivity
Key Definitions
• Shortcut: Shortcut trusts improve user logon times between two domains within a forest by reducing the amount of Kerberos authentication traffic on the network. Shortcut trusts are transitive and use Kerberos (an authentication protocol).
• External: External trusts provide access to resources located in a Windows NT 4.0 domain or in a domain located in a forest that is not joined by a forest trust. External trusts are non-transitive and use the NT LAN Manager (NTLM) authentication protocol.
• Realm: Realm trusts form a trust relationship between a non-Windows Kerberos realm and a Windows Server 2008 or later domain. Realm trusts can be transitive or non-transitive and use Kerberos.
Key Definitions
• Direction of Trust: The direction of the arrow identifies the direction of trust. For example, if Domain A trusts Domain B, the arrow points from Domain A to Domain B.
• Security Identifier (SID): A security identifier (SID) is a unique value of variable length used to identify each account.
• Direction of Resource Access: Resource access is granted in the opposite direction to the trust. For example, if Domain A trusts Domain B, users in Domain B have access to resources in Domain A. In general, users in the trusted domain have access to resources in the trusting domain.
• Transitivity: Transitivity defines whether a trust between two domains flows through to (is inherited by) other trusted domains.
Trusts
• Trusts allow users to access resources in another domain.
• Trust options include:
  • One-way or two-way
  • Incoming or outgoing
  • Transitive or nontransitive
[Diagram: Domain Corp trusts Domain ACME; the trust arrow is labelled Outgoing Trust at one end and Incoming Trust at the other. A User on one side asks "I need access to your share" for a Share on the other side.]
[Diagram, transitive: A trusts B and B trusts C, therefore A trusts B and C. Diagram, nontransitive: A trusts B and B trusts C, but the trust between B and C does not extend to A.]
Types of Trusts
• Automatic
• Cross-forest
• External
• Realm
• Shortcut
Automatic Transitive Trusts
• Created when a new domain is added to a domain tree or forest root domain.
[Diagram: CorpNet.com forest with two-way transitive trusts between CorpNet.com and NetCorp.com (a second tree root) and between CorpNet.com and West.CorpNet.com (a child domain).]
Cross-Forest Trusts
• Are manual trusts created between two forests.
• Require a forest functional level of Windows Server 2003 or higher.
• Are nontransitive between forests: if Forest A trusts Forest B and Forest B trusts Forest C, there is no trust between domains A and C.
[Diagram: Forest A (domains A, B.A, C.A), Forest B (domain B) and Forest C (domains C, D.C); A trusts B and B trusts C, with no trust between domains A and C.]
Cross-Forest Trust Authentication
• Forest-wide:
  • Permits unrestricted access by any user in the specified forest to all available shared resources.
  • Enabled by default.
• Selective:
  • Allows only selected users and groups in the remote forest to access resources in the local forest.
  • Requires assigning the Allowed to Authenticate right.
Cross-Forest Trust
• Domain names are added to the Name Suffix Routing list when the trust is created.
• Remove a domain name from the list to exempt that domain from the trust.
• New domains added after the trust is created must be added to the routing list manually.
External and Realm Trusts
• External Trust: a nontransitive trust between domains in different forests.
• Realm Trust: a nontransitive trust between an Active Directory domain and a Kerberos V5 realm.
[Diagram: an external trust between domain B.A in Forest A and domain D.C in Forest C.]
Shortcut Trusts
• A transitive trust between domains in the same tree or forest.
• Used to shorten the trust path.
• Users are not required to traverse multiple trusts.
[Diagram: Forest A with domains A, B.A, D.A, C.B.A and E.D.A; a Shortcut Trust drawn between the leaf domains C.B.A and E.D.A.]
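The direction, transitivity, cross-forest and shortcut rules from the slides above, worked through as an added example that is not part of the TestOut material: a small Python model of trust edges that finds the chain of domains a user's authentication must cross to reach a resource domain. All domain names (corp.com, acme.com, partner.com, legacy.local) are constructed for illustration.

```python
"""Trust direction and transitivity as described in the slides (added example,
not TestOut's material). All domain names are constructed for illustration."""
from collections import deque

# Trust kinds from the slides; a nontransitive kind may only be the sole hop.
TRANSITIVE = {"automatic": True, "shortcut": True, "forest": True,
              "external": False, "realm": False}

def add_trust(trusts, trusting, trusted, kind, two_way=True):
    """`trusting` trusts `trusted` (arrow trusting -> trusted). Resource access
    runs the other way: users in `trusted` reach resources in `trusting`."""
    trusts.append((trusting, trusted, kind))
    if two_way:
        trusts.append((trusted, trusting, kind))

def access_path(trusts, user_domain, resource_domain):
    """Shortest chain of domains a user crosses to reach the resource domain,
    or None. Modelled rules: a nontransitive trust (external, realm) is usable
    only as a single direct hop; a forest trust is transitive into both
    forests, but no path may cross two forest trusts (A<->B, B<->C: no A->C)."""
    queue = deque([(user_domain, 0, [user_domain])])  # (domain, forest hops, path)
    seen = {(user_domain, 0)}
    while queue:
        domain, forest_hops, path = queue.popleft()
        if domain == resource_domain:
            return path
        for trusting, trusted, kind in trusts:
            if trusted != domain:
                continue  # only domains that trust `domain` admit its users
            if not TRANSITIVE[kind] and (len(path) > 1 or trusting != resource_domain):
                continue  # a nontransitive trust cannot be chained
            hops = forest_hops + (kind == "forest")
            if hops > 1 or (trusting, hops) in seen:
                continue
            seen.add((trusting, hops))
            queue.append((trusting, hops, path + [trusting]))
    return None

def build_example():
    """Constructed topology: corp.com forest, two partner forests, and a
    one-way external trust from a legacy domain (legacy trusts corp)."""
    t = []
    for parent, child in [("corp.com", "b.corp.com"), ("b.corp.com", "c.b.corp.com"),
                          ("corp.com", "d.corp.com"), ("d.corp.com", "e.d.corp.com")]:
        add_trust(t, parent, child, "automatic")  # automatic two-way transitive
    add_trust(t, "corp.com", "acme.com", "forest")
    add_trust(t, "acme.com", "partner.com", "forest")
    add_trust(t, "legacy.local", "corp.com", "external", two_way=False)
    return t
```

Adding a two-way shortcut trust between c.b.corp.com and e.d.corp.com collapses the four-hop path through the forest root to a single hop, which is the logon-time saving the Shortcut definition describes.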
Summary
• Trust Types
  • Automatic
  • Cross-forest
  • External
  • Realm
  • Shortcut
In-Class Practice
Do the following labs:
• 2.4.3 Create a Forest Root Trust
• 2.4.7 Design Trusts
• 2.4.8 Create a Shortcut Trust
Class Discussion
• Which types of trusts are created automatically for domains within a forest?
• What are the characteristics of automatically created domain trusts?
• What are the characteristics of trusts between forests?
• When can forest trusts be used?
• When must you create an external trust?
• What advantages does selective authentication provide to system administrators for securing resources in a forest?
• How do shortcut trusts improve user logon times between two domains within a forest?
• What are the characteristics of an external trust?
• When should you use a realm trust?