Solved

AD Trust

Posted on 2007-08-06
Last Modified: 2012-06-22
In AD Domains and Trusts, I can see the incoming and outgoing trusts, but how do I know whether those domains belong to our forest or to a different forest?
thanks
Question by:jskfan
16 Comments
 
LVL 9

Expert Comment

by:MSE-dwells
ID: 19640295
By the trust type; parent/child and shortcut trusts exist within the confines of your forest.  External, cross-forest and realm trusts do not.
 
LVL 13

Expert Comment

by:ocon827679
ID: 19640313
In AD domains and trusts you will see the domain that you are working with and its associated child domains.  This means that if you go to the domain that is the root domain for the forest you should be able to browse all domains within that forest.

If you look at a trust and see a domain that is not listed in the above scenario, then you can assume that the particular domain in question is either a root domain from another forest (forest trust) or a domain from another forest (external trust).  
 

Author Comment

by:jskfan
ID: 19640765
In the trust type all I see is External.

 
LVL 9

Expert Comment

by:MSE-dwells
ID: 19640869
... then they are in separate forests.
 

Author Comment

by:jskfan
ID: 19641144
If they are in the same forest, how would they show up?
 
LVL 9

Expert Comment

by:MSE-dwells
ID: 19641233
Parent/child/shortcut
 

Author Comment

by:jskfan
ID: 19645132
An example, please.
 
LVL 9

Expert Comment

by:MSE-dwells
ID: 19645307
I'm not sure I know what you're asking for.  The types provided are finite, there are no others.  Whatever you see in the interface is what you've currently got.  Perhaps you want to know when it is you see each of these trust types, if so, that's related to the forest's configuration -

Parent/child: this is a trust created automatically by the system when a child domain is added.  A child domain is one that is created using DCpromo, joined to an existing forest and whose name is subordinate to a domain that already exists.  For example, if an existing domain was named jskfan.lab and you added a new child domain and named it test, the resulting domain name would be named test.jskfan.lab and a parent/child trust relationship would be established between the two automatically.

Shortcut trust: this is a manually created trust that is designed to reduce the number of authentication hops between any two domains within the same forest.
 

Author Comment

by:jskfan
ID: 19645559
Let's say there is a microsoft.com tree (forest), and there is another forest named example.com.
If Microsoft decides to acquire the example.com forest while keeping the name as is, not under Microsoft.com, in this case there will be a trust between the two forests. So if we go to AD Domains and Trusts in Microsoft.com, how is the trust going to show regarding example.com?
 
LVL 9

Expert Comment

by:MSE-dwells
ID: 19645633
Forest or external, depending upon DNS configuration, each of the OSes involved and each forest's functional level.
 

Author Comment

by:jskfan
ID: 19646584
A clear example, please?
 
LVL 9

Expert Comment

by:MSE-dwells
ID: 19646681
My previous posts are as clear as I know how to make them.  If you have a specific question, feel free to ask it.  

I find your choice of language abrupt and ungrateful.
 

Author Comment

by:jskfan
ID: 19646789
Sorry if you think I am ungrateful. I am just busy doing other things at the same time; this is why my comments are sometimes short, but I think I have expressed what I need.

I wanted you to tell me how the trust should show up in the following example:

Let's say there is a microsoft.com tree (forest), and there is another forest named example.com.
If Microsoft decides to acquire the example.com forest while keeping the name as is, not under Microsoft.com, in this case there will be a trust between the two forests. So if we go to AD Domains and Trusts in Microsoft.com, how is the trust going to show regarding example.com?
 
LVL 9

Expert Comment

by:MSE-dwells
ID: 19646833
Understood on the 'busy'.

I answered your question directly, you asked -

>>So if we go to AD Domains and Trusts in Microsoft.com how is the trust going to show regarding example.com?

... to which I replied "Forest or external".

The variables that dictate which of those two it is were provided as extra info.  Is that the piece you didn't understand?
 

Author Comment

by:jskfan
ID: 19647037
If it shows Forest, that means it's internal to the Microsoft.com forest even though there is a non-contiguous name.
If it shows External, that means it's external to the Microsoft.com forest and there is only a trust between the 2 forests.

Is that what you meant?
 
LVL 9

Accepted Solution

by:MSE-dwells (earned 2000 total points)
ID: 19647669
I think I see what you're asking now.  Let's say it out loud: you're looking for the definition of and the difference between external and cross-forest trusts.  Assuming I interpreted that correctly -

* both external and cross-forest trusts exist between two domains in two separate forests
* external trusts are non-transitive, meaning that if domain A trusts domain B and domain B trusts domain C, A does NOT trust C
* forest trusts are transitive
    - if domain A trusts domain B and domain B trusts domain C, transitive means A DOES trust C because B does
      = but ONLY if domain C is in domain B's forest (i.e. if forest B trusts forest Z, A does NOT trust that)

External trusts:
  * are 1-way (a 2-way trust is really two one-ways between the same two domains)
  * use the NTLM authentication protocol (as opposed to Kerberos)
  * are non-transitive
  * external trusts are supported by Windows NT, Windows 2000 and Windows 2003 (Longhorn too)
  * external trusts can be created between any two domains in either forest or an NT domain(s)

Forest trusts:
  * are 1-way (a 2-way forest trust is really two one-ways between the same two forest root domains)
  * use Kerberos authentication (and support NTLM when necessary)
  * must be created between the two forest root domains at both ends
  * require Windows 2003 DCs or later (per the functional level requirement below)
  * require that DNS name resolution be configured such that the DNS namespace representing either forest is resolvable to the other forest
  * require the forest functional level of the forests to be 2 on both sides
    - functional levels are explained in detail here -

http://technet2.microsoft.com/windowsserver/en/library/da255f53-ae6c-4af8-80f1-9b3c046022311033.mspx?mfr=true

So, the term 'forest' in this context does NOT mean it's in the same forest, rather, it represents a trust-type as outlined above.  Your definition of external is very close but external trusts are between only 2 domains in 2 forests, not between the entire forests.

   
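The answers above (MSE-dwells's first reply, "by the trust type", and the accepted solution's definitions of external and forest trusts) can be checked directly against the directory rather than read off the AD Domains and Trusts dialog. The script below is an added example and is not part of the original thread or anyone's posted code: it reads the trustedDomain objects under CN=System of the current domain with plain ADSI (no ActiveDirectory RSAT module needed) and decodes the trustAttributes bit flags from MS-ADTS 6.1.6.7.9 to say, for each partner, whether it is inside our forest (the WITHIN_FOREST bit, 0x20), a forest trust (FOREST_TRANSITIVE, 0x8) or an external trust, along with the security-relevant flags a practitioner cares about. It assumes PowerShell 3.0 or later on a domain-joined machine that can reach a domain controller; the function names Get-TrustKind, Get-ParentDomain and Get-DomainTrustReport are my own.

```powershell
# Added example, not from the original thread: classify every trust of the
# current domain and report whether each partner is in our forest, by decoding
# the trustedDomain objects under CN=System. Plain ADSI/.NET, so the
# ActiveDirectory RSAT module is not required. Assumes PowerShell 3.0+ on a
# domain-joined machine that can reach a DC.

# trustAttributes bit flags (MS-ADTS 6.1.6.7.9)
$TA = @{
    NonTransitive     = 0x01
    UplevelOnly       = 0x02
    QuarantinedDomain = 0x04   # SID filtering (quarantine) enabled
    ForestTransitive  = 0x08   # forest trust
    CrossOrganization = 0x10   # selective authentication enabled
    WithinForest      = 0x20   # partner is in the same forest (parent/child, tree root or shortcut)
    TreatAsExternal   = 0x40
    UsesRC4Encryption = 0x80
}

# DNS parent of a domain name: "child.jskfan.lab" -> "jskfan.lab"; "" if none
function Get-ParentDomain([string]$Dns) {
    $i = $Dns.IndexOf('.')
    if ($i -lt 0) { return '' }
    return $Dns.Substring($i + 1)
}

# trustType values: 1 = downlevel (NT 4.0), 2 = uplevel (AD), 3 = MIT realm, 4 = DCE
function Get-TrustKind([int]$Attr, [int]$Type, [string]$Partner, [string]$OurDomain) {
    if ($Type -eq 1) { return 'Downlevel (NT 4.0 domain)' }
    if ($Type -eq 3) { return 'Realm (MIT Kerberos)' }
    if ($Attr -band $TA.WithinForest) {
        # Parent/child trusts join a domain to its immediate DNS parent or child.
        # Any other in-forest trust is a tree-root or shortcut trust; the
        # trustedDomain object alone does not separate those two.
        if ((Get-ParentDomain $Partner) -eq $OurDomain -or (Get-ParentDomain $OurDomain) -eq $Partner) {
            return 'Parent/child (same forest)'
        }
        return 'Tree root or shortcut (same forest)'
    }
    if ($Attr -band $TA.ForestTransitive) { return 'Forest (other forest, transitive)' }
    return 'External (other forest, non-transitive)'
}

function Get-DomainTrustReport {
    $rootDse   = [ADSI]'LDAP://RootDSE'
    $defaultNC = [string]$rootDse.defaultNamingContext          # e.g. DC=jskfan,DC=lab
    $ourDomain = ($defaultNC -replace ',?DC=', '.').TrimStart('.')  # -> jskfan.lab

    $system   = [ADSI]"LDAP://CN=System,$defaultNC"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($system, '(objectClass=trustedDomain)')
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('trustPartner', 'trustDirection', 'trustType', 'trustAttributes'))

    # trustDirection: 1 = inbound ("incoming" in AD Domains and Trusts), 2 = outbound, 3 = both
    $directionNames = @{ 0 = 'Disabled'; 1 = 'Inbound'; 2 = 'Outbound'; 3 = 'Bidirectional' }

    foreach ($result in $searcher.FindAll()) {
        $p       = $result.Properties              # keys are lower-case
        $attr    = [int]$p['trustattributes'][0]
        $type    = [int]$p['trusttype'][0]
        $partner = [string]$p['trustpartner'][0]
        [pscustomobject]@{
            Partner       = $partner
            Direction     = $directionNames[[int]$p['trustdirection'][0]]
            Kind          = Get-TrustKind $attr $type $partner $ourDomain
            SameForest    = [bool]($attr -band $TA.WithinForest)
            Transitive    = -not [bool]($attr -band $TA.NonTransitive)
            SidFiltering  = [bool]($attr -band $TA.QuarantinedDomain)
            SelectiveAuth = [bool]($attr -band $TA.CrossOrganization)
            TrustAttrHex  = '0x{0:X2}' -f $attr
        }
    }
}

Get-DomainTrustReport | Format-Table -AutoSize
```

Any authenticated domain user can read trustedDomain objects by default, so this runs without admin rights. A partner with SameForest True is in your forest whatever its DNS name looks like; an acquired example.com kept as its own forest shows SameForest False, with Transitive True for a forest trust and False for an external trust, which is exactly the "forest does not mean same forest" point of the accepted answer. For a quick cross-check, `nltest /domain_trusts /forest` lists only the domains of your own forest. Two flags are worth a second look on any trust to another forest: SidFiltering False on an external trust (SID filtering is enabled by default on external trusts created from Windows Server 2003 onward, so its absence is usually a deliberate and risky change), and SelectiveAuth False, which means every user the other forest authenticates gets the Authenticated Users SID here and can reach anything that grants access to that group.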