Solved

Trust Relationship within Active Directory

Posted on 2010-08-31
954 Views
Last Modified: 2012-08-13
I read the 3 articles below about Trust Relationships within Active Directory:

(a) http://www.windowsnetworking.com/articles_tutorials/Trust-Relationships-Windows-Server-2003-Environment.html
(b) http://www.tech-faq.com/understanding-trust-relationships.html

(c) http://searchwindowsserver.techtarget.com/tip/0,289483,sid68_gci1111920,00.html


Article (a) is easier to understand, but articles (b) & (c) make me confused.



I tried to summarize the "Trust Relationship within Active Directory".

Correct me if I am wrong...

Based on Windows Server 2003 Trust Relationships only:-

(1) By default, every domain in the same forest will trust each other.
      A Domain Administrator from Domain#A CANNOT access Domain#B's resources like
      files, printers etc.
      However, only a member of the Enterprise Admins Group (forest level administrator) of
      Domain#A CAN access Domain#B's resources like files etc.
      ==> Am I right at this point ????

(2) Only a member of the Enterprise Admins Group (forest level) CAN create an External Trust
      between 2 forests. We cannot use a domain administrator to create this external trust ??
      ==> Am I right ???

(3) Only a member of the Enterprise Admins Group (forest level) CAN create the trust between
      Domain#A (from forest#A) and Domain#B (from forest#B), and after this external trust
      is created the domain administrator of Domain#A can access Domain#B's resources.

      ==> at this point, we do not need to use the Enterprise Admins Group to access the other domain's
             resources; we only need to use a domain administrator to access the other domain's
             resources (the trust between 2 forests) ==> Am I right ???
 
(4)
From article (b) that I read, it sounds to me that even a domain administrator can access another domain's resources if the domains are in the same forest ????
==> Please clarify ...

(5)
From article (c) that I read, it sounds to me that any user from any domain can access other domains' resources as long as they are in the same forest (because the trust relationship is created by default in a Server 2003 network) ???
==> Please clarify ......


A lot of my questions are asking whether a member of the Enterprise Admins Group, or a Domain Administrator, can access another domain's resources ???


Please help to clarify (1) to (5). Thanks.
0
Question by:kcn
6 Comments
 
LVL 53

Accepted Solution

by: Will Szymkowski (earned 333 total points)
ID: 33571129
1 = Active Directory automatically creates a trust relationship between the new child domain, and the domain directly above it in the domain namespace hierarchy. What this means is that the trust relationship exists between those domains that have a common contiguous DNS namespace and who are part of the same forest. Parent-child trust enables authentication requests of child domains to be passed through the parent domain for authentication. In addition, when a new domain is added to the tree, trust relationships are created with each domain in the tree. This means that network resources in the individual domains of the tree can be accessed by all other domains in the tree.
So the answer is Domain not be able to access resources in domain b.

2= You need to belong to the Enterprise Admins groups in each forest that you want to create a forest trust between. In addition to this, the domains within each forest and each particular forest have to be raised to the Windows Server 2003 functional level.
So the answer is yes, you need to be part of the Enterprise Admins group to create a forest relationship.

3= You can create a one-way or two-way forest trust. If you were to create a two-way forest trust then both domains in each forest would be able to access resources. You would also be able to create Selective Authentication where only certain users have access to resources in the other forest. Or you can do Forest-Wide authentication, which will give all users two-way access to resources in both forests.

4= When you try to access resources from the other domain it has to first go through the parent domain and then authenticate to domain b. You can also create shortcut trusts so that this will speed up the authentication process. You can make one-way or two-way shortcuts.

0
 

Author Comment

by:kcn
ID: 33571470
Hi,

From your (1) answer, the last sentence reads as "So the answer is Domain not be able to access resources in domain b."

==> Are you saying that a user from domain#A can or cannot access domain#B's resources ???

Can I summarize in this way:-

The user from Domain#A can access Domain#B's resources, as long as the user from domain#A is granted the permission (authorization) to access the resource in domain#B.

And article (a) that I read means that even if no permission is granted to the other domain's user, as long as the other domain's user is able to use the "Enterprise Admins Group", then he/she can access any domain's resources even if the other domains never gave him/her permission to access their resources.

==> Does my summary make sense ???
0
 
LVL 53

Assisted Solution

by: Will Szymkowski (earned 333 total points)
ID: 33571622
Users from domain a will be able to access resources on domain b where "authenticated users" have read/write access. You will still need to add the group or user from the corresponding domainA to have access in domainB.
0
 
LVL 12

Assisted Solution

by: Rant32 (earned 167 total points)
ID: 33572454
The Enterprise Admins group becomes a member of the domain-local Administrators group by default, when creating the child domain. That means, the root domain's Administrator account has full access to all domain controllers in the subdomains, but not the member servers in subdomains, unless specifically granted access.
0
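Will's point about one-way/two-way forest trusts with Selective or Forest-Wide authentication, and Rant32's point about Enterprise Admins landing in each child domain's Administrators group, can both be checked from the directory itself. The PowerShell below is an added example, not code from the thread or from Microsoft; it assumes the RSAT ActiveDirectory module and a domain-joined account that can read the directory (domain and server names are resolved at run time, nothing hard-coded).

```powershell
# Added example (not from the thread). Requires the ActiveDirectory module
# (RSAT) and a domain-joined account able to read trust and group objects.
Import-Module ActiveDirectory

# 1. Enumerate every trust known to the forest root domain and summarise the
#    attributes discussed in the thread: direction, intra-forest vs forest
#    trust, selective authentication and SID filtering.
function Get-TrustSummary {
    $root = (Get-ADForest).RootDomain
    Get-ADTrust -Filter * -Server $root | ForEach-Object {
        [pscustomobject]@{
            Source        = $_.Source
            Target        = $_.Target
            Direction     = $_.Direction               # Inbound / Outbound / BiDirectional
            IntraForest   = $_.IntraForest             # parent-child and tree-root trusts
            ForestTrust   = $_.ForestTransitive        # forest trust rather than external trust
            SelectiveAuth = $_.SelectiveAuthentication # $false = Forest-Wide authentication
            SidFiltering  = $_.SIDFilteringQuarantined
        }
    }
}

# Trusts to other forests that are two-way AND use Forest-Wide authentication:
# every user of the other forest is "Authenticated Users" here, which is the
# broad setting Will contrasts with Selective Authentication.
function Get-ForestWideTwoWayTrusts {
    Get-TrustSummary | Where-Object {
        -not $_.IntraForest -and
        $_.Direction -eq 'BiDirectional' -and
        -not $_.SelectiveAuth
    }
}

# 2. For each domain in the forest, list the members of its Administrators
#    group; this is where Enterprise Admins (and the root Administrator)
#    obtain the default access to child domain controllers Rant32 describes.
function Get-DomainAdministratorsMembers {
    foreach ($domain in (Get-ADForest).Domains) {
        $group = Get-ADGroup -Identity 'Administrators' -Server $domain -Properties member
        foreach ($dn in $group.member) {
            [pscustomobject]@{ Domain = $domain; Member = $dn }
        }
    }
}

Get-TrustSummary               | Format-Table -AutoSize
Get-ForestWideTwoWayTrusts     | Format-Table -AutoSize
Get-DomainAdministratorsMembers | Format-Table -AutoSize
```

Access to a member server in another domain still depends on that server's ACLs, as Rant32 and Will both note; this script shows who is trusted and who is in Administrators, not what any particular share grants.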
 

Author Comment

by:kcn
ID: 33575370
Rant32 ,

Understand your point. If there is a SINGLE domain tree, the root domain's administrator can by default access any resources on their child domains without needing any permission granted.

How about in a forest network, where 2 domain trees exist ??
Which account has by default the right to access any resources from any domain within the SAME forest ????? ==> Please advise which type of account has this default right ????
0
 

Author Comment

by:kcn
ID: 33603576
Spec01 or Rant32 ,

Can anyone answer my last post?
0
