When a computer is in a workgroup it manages its own authentication and security. When it joins a domain, it establishes a trust with the domain controller. A user can then be authenticated either against the computer's own Security Accounts Manager (SAM) database, its local identity store, or against the authentication services and identity store of the domain controller, a service provided by Active Directory. Local resources can then be securely administered using domain accounts and groups. Every member of the domain establishes a similar trust in order to access common resources.
Trusts between domains operate in a similar fashion: one domain trusts a second domain to authenticate accounts. Every trust relationship has two domains, the trusted domain and the trusting domain. The trusted domain has an identity store that is trusted to authenticate users in the trusted domain. Those users can then log into the trusting domain, authenticate, and access its resources.
There are some important terms to understand about trusts.
- Transitivity: If the first domain trusts the second domain, and the second domain trusts the third domain, does the first domain trust the third domain? If it does, the links are transitive. If the first domain does not automatically trust the third domain, you must create another trust between the first and third domain.
- Direction: Trusts sometimes only work one way. Using the previous example, it is possible that the first domain trusts the second domain but the second domain does not trust the first. First-domain users cannot access resources in the second domain, but second-domain users can access first-domain resources.
- Automatic or Manual: Some trusts are created automatically. Some require manual creation.
- One-way or two-way: A trust may work in only one direction. Domain A might trust Domain B without Domain B trusting Domain A. This means users from Domain B can sign into Domain A, but users from Domain A can’t sign into Domain B.
- Trusted and trusting domain: Users in domain A wish to access resources in domain B. They are able to do so because there is a trust between the two domains. Domain A is the trusted domain. Domain B is the trusting domain. Domain B is trusting domain A to verify the users.
Within a forest all domains trust one another. There is a root domain, which becomes the default reference to which all other domains refer: a central point of reference for authentication that knows which domain to consult for a given account. Effectively all trust links in a forest are transitive. Automatically created trusts should never be deleted. Trusts to other forests and to domains outside the forest must be created manually.
There are four kinds of manual trusts, that is, trusts created by a person. A computer joining a domain is not a manual trust; that trust is created automatically between the computer and the domain controller.
- Shortcut Trusts: A trust assigned directly from the parent of one domain to the child of another domain. It may be one-way or two-way and is always transitive.
- External Trusts: A trust created to a domain outside the forest. External trusts are one-way and non-transitive; creating a “two-way” external trust merely creates two one-way trusts. Microsoft offers the options of SID filtering (domain quarantine) and selective authentication on them.
- Realm trusts: Microsoft supports cross-platform interoperability with other Kerberos v5 platforms. This requires the account to be created in Active Directory and its name to be mapped to the account in the other domain, because non-Windows Kerberos domains do not carry all the authorization data a Windows domain requires. Realm trusts are non-transitive by default.
- Forest Trust: A trust built between two forests. It allows a trust from any domain in one forest to any domain in the second forest, assuming the trust is two-way. Forest trusts are not transitive. In a Windows domain the forest functional level must be Windows Server 2003 or later. There are also specific DNS requirements for a cross-forest trust: you must create forwarders on your DNS servers that forward queries for the new domain.
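The direction and transitivity rules from the list of terms above, together with the non-transitive external trust just described, are easier to see when applied to a concrete set of trusts. The following PowerShell is an added example, not code from the original article: it builds a constructed list of trust records in the Source/Target/Direction shape that Get-ADTrust reports, and walks them to answer "can a user from domain X authenticate to resources in domain Y?". The domain names (corp.example, eu.corp.example, us.corp.example, partner.example) and the trusts between them are hypothetical.

```powershell
# Added example, not from the original article: a trust-path evaluator that
# applies the direction and transitivity rules to a constructed set of trusts.
# Domain names and the trusts between them are hypothetical.
# Records are written the way Get-ADTrust reports them, from the Source
# domain's point of view:
#   Outbound      - Source trusts Target (Target's users can authenticate to Source)
#   Inbound       - Target trusts Source
#   BiDirectional - both
$trusts = @(
    # automatic parent/child trusts inside one forest: two-way and transitive
    [pscustomobject]@{ Source = 'corp.example'; Target = 'eu.corp.example'; Direction = 'BiDirectional'; Transitive = $true }
    [pscustomobject]@{ Source = 'corp.example'; Target = 'us.corp.example'; Direction = 'BiDirectional'; Transitive = $true }
    # manually created external trust: corp.example trusts partner.example, one-way and non-transitive
    [pscustomobject]@{ Source = 'corp.example'; Target = 'partner.example'; Direction = 'Outbound'; Transitive = $false }
)

function Get-TrustEdges {
    # Turn each trust record into directed "Trusting -> Trusted" edges.
    param([Parameter(Mandatory)][object[]]$Trusts)
    foreach ($t in $Trusts) {
        if ($t.Direction -in @('Outbound', 'BiDirectional')) {
            [pscustomobject]@{ Trusting = $t.Source; Trusted = $t.Target; Transitive = $t.Transitive }
        }
        if ($t.Direction -in @('Inbound', 'BiDirectional')) {
            [pscustomobject]@{ Trusting = $t.Target; Trusted = $t.Source; Transitive = $t.Transitive }
        }
    }
}

function Test-CanAuthenticate {
    # Can a user from $UserDomain authenticate to resources in $ResourceDomain?
    param(
        [Parameter(Mandatory)][string]$UserDomain,
        [Parameter(Mandatory)][string]$ResourceDomain,
        [Parameter(Mandatory)][object[]]$Trusts
    )
    if ($UserDomain -eq $ResourceDomain) { return $true }   # home domain, no trust needed
    $edges = @(Get-TrustEdges -Trusts $Trusts)
    # Breadth-first walk from the resource domain towards the user's domain.
    # A direct trust of any kind is enough; a path of two or more hops is valid
    # only if every hop on it is transitive, so a non-transitive trust ends the walk.
    $queue = [System.Collections.Generic.Queue[hashtable]]::new()
    $queue.Enqueue(@{ Domain = $ResourceDomain; Hops = 0; AllTransitive = $true })
    $visited = @{}
    while ($queue.Count -gt 0) {
        $cur = $queue.Dequeue()
        foreach ($e in ($edges | Where-Object { $_.Trusting -eq $cur.Domain })) {
            $chainOk = $cur.AllTransitive -and $e.Transitive
            if ($cur.Hops -gt 0 -and -not $chainOk) { continue }
            if ($e.Trusted -eq $UserDomain) { return $true }
            $next = @{ Domain = $e.Trusted; Hops = $cur.Hops + 1; AllTransitive = $chainOk }
            $key = '{0}|{1}' -f $next.Domain, $next.AllTransitive
            if (-not $visited.ContainsKey($key)) {
                $visited[$key] = $true
                $queue.Enqueue($next)
            }
        }
    }
    return $false
}

# Each call exercises one rule from the text.
Test-CanAuthenticate -UserDomain 'us.corp.example' -ResourceDomain 'eu.corp.example' -Trusts $trusts  # sibling child domains, linked transitively through the forest root
Test-CanAuthenticate -UserDomain 'partner.example' -ResourceDomain 'corp.example'    -Trusts $trusts  # direct one-way external trust, trusted side signing in
Test-CanAuthenticate -UserDomain 'corp.example'    -ResourceDomain 'partner.example' -Trusts $trusts  # the same external trust used in the other direction
Test-CanAuthenticate -UserDomain 'partner.example' -ResourceDomain 'eu.corp.example' -Trusts $trusts  # external trust does not extend into the child domain
```

The first two calls succeed and the last two fail, which is exactly the behaviour the list describes: the two intra-forest trusts chain through the root because both hops are transitive, the external trust lets partner users reach corp.example but not the reverse, and because it is non-transitive it cannot be extended from corp.example down into eu.corp.example. Real trust data can be fed into the same function by mapping each Get-ADTrust object to the Source/Target/Direction/Transitive shape used here.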
A domain trust does not by itself grant access to resources; it is merely a method of authentication. Domain administrators of the other domain are therefore not domain administrators in your domain. The trust allows you to modify ACLs in your domain to include users that are not authenticated specifically to your domain. On some occasions such users may be able to access resources because those resources are available to the Authenticated Users group, and there are other groups similar to Authenticated Users.
SID filtering (domain quarantine) is enabled by default on all external and forest trusts of a Windows domain. Every user, computer, and group has a unique identifier attached to it called the SID. Every account also has an attribute called sIDHistory, which can record every SID that has been associated with the account. This is useful with the Active Directory Migration Tool: when users are migrated from one domain to another, the old SIDs can be associated with the account in the new domain. It is therefore possible for users to have access to resources solely because of their sIDHistory, without being aware of it. SID filtering strips the sIDHistory from the user, and it is enabled by default on trusts that lead to external domains and forests.
When a trust is built between two forests there are two options for authentication: selective authentication and domain-wide authentication. With domain-wide authentication, all users in the trusted domain are authenticated to the trusting domain; they might have access to a great deal of resources there simply because all authenticated users have access to those resources. With selective authentication, it is possible to specify the resources to which a user may authenticate. This removes the trust from the domain as a whole and places it on individual accounts: in short, it gives user A permission to authenticate to file server B even though they are in different domains. This feature is accessible when Active Directory Users and Computers is viewed in advanced mode: open the properties of the computer account, select the Security tab, and you’ll see a permission listed as “Allowed to authenticate.”
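The two protections described in the last paragraphs, SID filtering and selective authentication, are both properties a defender can read back from the directory rather than from the GUI. The following PowerShell is an added example, not from the original article: it lists every trust of the current domain with a finding for each one that lacks SID filtering or still uses domain-wide authentication, and then reports who holds the “Allowed to authenticate” right on one computer account. It assumes the ActiveDirectory module (RSAT) in a domain-joined session; the computer name FS01 is a placeholder, and the classification of a trust as external, forest, realm or intra-forest from the module's IntraForest, ForestTransitive and TrustType properties is this example's own.

```powershell
# Added example, not from the original article: audit the domain's trusts for
# SID filtering and selective authentication, then show who holds
# "Allowed to authenticate" on one computer account.
# Assumes the ActiveDirectory module and a domain-joined session; 'FS01' is a placeholder.
Import-Module ActiveDirectory

function Get-TrustAudit {
    # One row per trust, with a Findings column for anything worth a second look.
    foreach ($t in Get-ADTrust -Filter * -Properties *) {
        $kind = if ($t.IntraForest) { 'intra-forest' }
                elseif ($t.ForestTransitive) { 'forest' }
                elseif ("$($t.TrustType)" -like '*Kerberos*') { 'realm' }
                else { 'external' }
        $findings = @()
        # The article: SID filtering is on by default for external and forest trusts,
        # so a trust reporting it off has been changed deliberately and should be explained.
        if ($kind -eq 'external' -and -not $t.SIDFilteringQuarantined) { $findings += 'SID filtering (quarantine) is off' }
        if ($kind -eq 'forest' -and -not $t.SIDFilteringForestAware) { $findings += 'forest-aware SID filtering is off' }
        # Domain-wide authentication makes every user of the trusted domain an
        # "Authenticated User" here; selective authentication confines that to named accounts.
        if (($kind -in @('external', 'forest')) -and -not $t.SelectiveAuthentication) {
            $findings += 'domain-wide authentication (selective authentication off)'
        }
        [pscustomobject]@{
            Trusting   = $t.Source
            Trusted    = $t.Target
            Kind       = $kind
            Direction  = $t.Direction
            Transitive = -not $t.DisallowTransivity   # property name as spelled by the AD module
            Findings   = ($findings -join '; ')
        }
    }
}

function Get-AllowedToAuthenticate {
    # Lists the ACEs on a computer account that grant or deny the
    # "Allowed to authenticate" extended right (identified by its rightsGuid).
    param([Parameter(Mandatory)][string]$ComputerName)
    $allowedToAuth = [guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'
    $dn  = (Get-ADComputer -Identity $ComputerName).DistinguishedName
    $acl = Get-Acl -Path "AD:\$dn"
    $acl.Access |
        Where-Object {
            $_.ObjectType -eq $allowedToAuth -and
            (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0)
        } |
        Select-Object IdentityReference, AccessControlType, IsInherited
}

Get-TrustAudit | Format-Table -AutoSize
Get-AllowedToAuthenticate -ComputerName 'FS01' | Format-Table -AutoSize
```

On a trust that uses selective authentication, the second function is the scripted equivalent of the Security tab described above: an account from the other forest can reach the server only if it appears here with an Allow entry. An empty result for a server that trusted-forest users are expected to use is the first thing to check when they report access failures, and an unexpected Allow for a broad group such as the other forest's domain users is worth a review, since it hands back most of what domain-wide authentication would have granted.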