Solved

Trust Relationship within Active Directory

Posted on 2010-08-31
Last Modified: 2012-08-13
I read the 3 articles below about Trust Relationships within Active Directory

(a) http://www.windowsnetworking.com/articles_tutorials/Trust-Relationships-Windows-Server-2003-Environment.html
(b) http://www.tech-faq.com/understanding-trust-relationships.html

(c) http://searchwindowsserver.techtarget.com/tip/0,289483,sid68_gci1111920,00.html


Article (a) is easier to understand, but articles (b) & (c) make me confused.



I tried to summarize the "Trust Relationship within Active Directory".

Correct me if I am wrong...

Based on Windows Server 2003 Trust Relationships only :-

(1) By default, every domain in the same forest will trust each other.
      A Domain Administrator from Domain#A CANNOT access Domain#B's resources like
      files, printers etc.
      However, only a member of the Enterprise Admins Group (forest level administrator) of
      Domain#A CAN access Domain#B's resources like files etc.
      ==> Am I right at this point ????

(2) Only a member of the Enterprise Admins Group (forest level) CAN create an External Trust
      between 2 forests. We cannot use a domain administrator to create this external trust ??
      ==> Am I right ???

(3) Only a member of the Enterprise Admins Group (forest level) CAN create the trust between
      Domain#A (from forest#A) and Domain#B (from forest#B), and after this external trust
      is created the domain administrator of Domain#A can access Domain#B's resources.

      ==> At this point, we do not need to use the Enterprise Admins Group to access the other domain's
             resources; we only need to use a domain administrator to access the other domain's
             resources (the trust between 2 forests) ==> Am I right ???
 
(4)
From article (b) that I read, it sounds to me that even the domain administrator can access other domains' resources if the domains are in the same forest ????
==> Please clarify ...

(5)
From article (c) that I read, it sounds to me that any user from any domain can access other domains' resources as long as they are in the same forest (because the trust relationship is created by default in a Server 2003 network) ???
==> Please clarify ......


A lot of my questions are asking whether a member of the Enterprise Admins Group, or a Domain Administrator, can access other domains' resources ???


Please help to clarify from (1)  to (5) . Thanks .
Question by:kcn
 

Accepted Solution

by:
Will Szymkowski earned 333 total points
ID: 33571129
1 = Active Directory automatically creates a trust relationship between the new child domain, and the domain directly above it in the domain namespace hierarchy. What this means is that the trust relationship exists between those domains that have a common contiguous DNS namespace and who are part of the same forest. Parent-child trust enables authentication requests of child domains to be passed through the parent domain for authentication. In addition, when a new domain is added to the tree, trust relationships are created with each domain in the tree. This means that network resources in the individual domains of the tree can be accessed by all other domains in the tree.
So the answer is Domain not be able to access resources in domain b.

2= You need to belong to the Enterprise Admins group in each forest that you want to create a forest trust between. In addition to this, the domains within each forest and each particular forest have to be raised to the Windows Server 2003 functional level.
So the answer is yes, you need to be part of the Enterprise Admins group to create a forest relationship.

3= You can create a one- or two-way forest trust. If you were to create a two-way forest trust then both domains in each forest would be able to access resources. You would also be able to create Selective Authentication where only certain users have access to resources in the other forest. Or you can do Forest-Wide authentication which will give all users two-way access to resources in both forests.

4= When you try and access resources from the other domain it has to first go through the parent domain and then authenticate to domain b. You can also create shortcuts so that this will speed up the authentication process. You can make one-way or two-way shortcuts.

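As an added example (not from this thread or from the answerer above), the PowerShell below lists the trusts a domain has and the properties that decide who can authenticate across them: the automatic intra-forest parent-child trusts versus external/forest trusts, the trust direction, and whether a forest trust uses Selective Authentication or forest-wide authentication. It uses the real Get-ADTrust cmdlet from the ActiveDirectory module (Windows Server 2012 and later RSAT, so newer tooling than the 2003 environment discussed here) on a domain-joined machine; the function name Get-TrustSummary is my own.

```powershell
# Added example, not from the original thread. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-TrustSummary {
    param(
        # Domain whose trust objects to read; defaults to the current user's domain.
        [string]$Server = (Get-ADDomain).DNSRoot
    )

    Get-ADTrust -Filter * -Server $Server | ForEach-Object {
        [pscustomobject]@{
            Source                  = $_.Source
            Target                  = $_.Target
            # Inbound / Outbound / BiDirectional, seen from $Server
            Direction               = $_.Direction
            # True for the parent-child and tree-root trusts AD creates inside a forest
            IntraForest             = $_.IntraForest
            # True only for a forest trust (transitive across the whole remote forest)
            ForestTransitive        = $_.ForestTransitive
            # True: remote users also need "Allowed to Authenticate" on each resource server;
            # False: forest-wide authentication, every remote authenticated user can be granted access
            SelectiveAuthentication = $_.SelectiveAuthentication
            # True when SID filtering (quarantine) is enforced on this trust
            SIDFilteringQuarantined = $_.SIDFilteringQuarantined
            TrustType               = $_.TrustType
        }
    }
}

# Usage: show every trust, then call out cross-forest trusts that rely on forest-wide
# authentication, since those are the ones where "authenticated users" grants reach the
# whole remote forest.
$trusts = Get-TrustSummary
$trusts | Format-Table -AutoSize

$trusts |
    Where-Object { (-not $_.IntraForest) -and (-not $_.SelectiveAuthentication) } |
    ForEach-Object {
        Write-Host "Forest-wide authentication in effect: $($_.Source) -> $($_.Target) ($($_.Direction))"
    }
```

Running this on a child domain shows the parent-child trust with IntraForest set to True and no ForestTransitive flag; a forest trust created between two forests shows up with ForestTransitive True, and its SelectiveAuthentication value tells you which of the two modes from point 3 of the answer is in use.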

Author Comment

by:kcn
ID: 33571470
Hi,

From your (1) answer, the last sentence reads as "So the answer is Domain not be able to access resources in domain b."

==> Are you saying that a user from domain#A can or cannot access domain#B's resources ???

Can I summarize in this way :-

The user from Domain#A can access Domain#B's resources, as long as the user from domain#A is granted the permission (authorization) to access the resource in domain#B.

And article (a) that I read means that even if no permission is granted to the other domain's user, as long as the other domain's user is able to use the "Enterprise Admin Group", then he/she can access any domain's resources even if the other domains never gave him/her permission to access their resources.

==> Does my summary make sense ???

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 333 total points
ID: 33571622
Users from domain A will be able to access resources on domain B where "authenticated users" have read/write access. You will still need to add the group or user from the corresponding domain A to have access in domain B.
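The point above, that an ACL entry for "Authenticated Users" already covers users from a trusted domain while an explicit grant has to name a DOMAINB\group, can be checked on the resource server itself. The following is an added example, not code from this thread: it reads a folder's ACL with the built-in Get-Acl cmdlet and marks each entry that applies to trusted-domain users, either because it is a logon-time group such as Authenticated Users or Everyone, or because it names a principal from a domain other than the server's own. The function name Get-CrossDomainAccess and the path D:\Shares\Finance are placeholders of my own.

```powershell
# Added example, not from the original thread. Run on the resource server (or against a
# UNC path you have rights to read the security descriptor of).
function Get-CrossDomainAccess {
    param(
        [Parameter(Mandatory)][string]$Path,
        # NetBIOS name of the domain the server belongs to; any other domain name is "foreign"
        [string]$LocalDomain = $env:USERDOMAIN
    )

    # Membership of these groups is computed at logon, so they include every user who
    # authenticated over a trust, not only accounts from the local domain.
    $broadGroups = @('NT AUTHORITY\Authenticated Users', 'Everyone')
    # Well-known name prefixes that are not domains
    $nonDomainPrefixes = @($LocalDomain, 'BUILTIN', 'NT AUTHORITY', 'NT SERVICE', 'CREATOR OWNER')

    (Get-Acl -Path $Path).Access | ForEach-Object {
        $id = $_.IdentityReference.Value
        $domainPart = if ($id -match '\\') { $id.Split('\')[0] } else { '' }

        $isForeignPrincipal = ($domainPart -ne '') -and ($domainPart -notin $nonDomainPrefixes)

        [pscustomobject]@{
            Identity                = $id
            Rights                  = $_.FileSystemRights
            Type                    = $_.AccessControlType
            Inherited               = $_.IsInherited
            # True when the entry reaches users from a trusted domain
            AppliesToTrustedDomains = ($broadGroups -contains $id) -or $isForeignPrincipal
            # True only for an explicit cross-domain grant (what the answer says you must add)
            ExplicitForeignGrant    = $isForeignPrincipal
        }
    }
}

# Usage (placeholder path): review every entry, then just the ones reaching trusted domains.
$entries = Get-CrossDomainAccess -Path 'D:\Shares\Finance'
$entries | Format-Table -AutoSize
$entries | Where-Object AppliesToTrustedDomains | Format-Table Identity, Rights, Type -AutoSize
```

An "Authenticated Users: Modify" entry flagged here is the case the answer describes: users from domain A get that access through the trust without anyone adding a domain A group, which is usually worth knowing before a trust is created rather than after.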

Assisted Solution

by:Rant32
Rant32 earned 167 total points
ID: 33572454
The Enterprise Admins group becomes a member of the domain-local Administrators group by default when creating the child domain. That means the root domain's Administrator account has full access to all domain controllers in the subdomains, but not the member servers in subdomains, unless specifically granted access.
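The default Rant32 describes, Enterprise Admins from the forest root sitting inside each child domain's Administrators group, can be verified rather than assumed. The PowerShell below is an added example (not from this thread): it reads the child domain's built-in Administrators group by its well-known SID, walks the members, and resolves foreign security principals (which is how a root-domain group appears inside a child domain) back to a name, flagging the one whose SID is the root domain SID plus the Enterprise Admins RID 519. It uses the ActiveDirectory module's Get-ADForest, Get-ADDomain, Get-ADGroup and Get-ADObject cmdlets; the function name Get-ChildDomainAdminMembers and the domain name child.corp.example are placeholders of my own.

```powershell
# Added example, not from the original thread. Requires the ActiveDirectory module and
# read access to the child domain.
Import-Module ActiveDirectory

function Get-ChildDomainAdminMembers {
    param([Parameter(Mandatory)][string]$ChildDomain)

    # Enterprise Admins exists only in the forest root domain and has the well-known RID 519.
    $rootDomain = (Get-ADForest).RootDomain
    $rootSid    = (Get-ADDomain -Identity $rootDomain).DomainSID.Value
    $eaSid      = "$rootSid-519"

    # BUILTIN\Administrators has the same SID (S-1-5-32-544) in every domain, so read the
    # child's own copy by SID and by targeting a DC of that domain.
    $admins = Get-ADGroup -Identity 'S-1-5-32-544' -Server $ChildDomain -Properties Members

    foreach ($dn in $admins.Members) {
        # A member from another domain is stored in the child as a foreignSecurityPrincipal
        # object whose objectSid is the original SID from the root domain.
        $obj = Get-ADObject -Identity $dn -Server $ChildDomain -Properties objectSid
        $sid = $obj.objectSid.Value

        # Resolve the SID to DOMAIN\Name where the local machine can translate it;
        # otherwise keep the raw SID so nothing is silently dropped.
        $name = $sid
        try {
            $name = (New-Object System.Security.Principal.SecurityIdentifier $sid).
                        Translate([System.Security.Principal.NTAccount]).Value
        } catch { }

        [pscustomobject]@{
            Member             = $name
            ObjectClass        = $obj.ObjectClass
            Sid                = $sid
            IsEnterpriseAdmins = ($sid -eq $eaSid)
        }
    }
}

# Usage (placeholder domain name)
$members = Get-ChildDomainAdminMembers -ChildDomain 'child.corp.example'
$members | Format-Table -AutoSize
if ($members.IsEnterpriseAdmins -contains $true) {
    Write-Host "Enterprise Admins is nested in this domain's Administrators group (the default described above)."
}
```

Because the Administrators group read here is the domain-local one that governs domain controllers, this confirms the first half of the answer; access to member servers in the child domain is governed by each server's local Administrators group and share/NTFS ACLs, which is why it has to be granted separately.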

Author Comment

by:kcn
ID: 33575370
Rant32 ,

I understand your point. If there is a SINGLE domain tree, the root domain's administrator can by default access any resources in their child domain without needing any permission granted.

How about in a forest network, where 2 domain trees exist ??
Which account has by default the right to access any resources from any domains within the SAME forest ????? ==> Please advise which type of account has this default right ????

Author Comment

by:kcn
ID: 33603576
Spec01 or Rant32 ,

Can anyone answer my last post ?