Solved

Trust Relationship within Active Directory

Posted on 2010-08-31
956 Views
Last Modified: 2012-08-13
I read the 3 articles below about Trust Relationships within Active Directory:

(a) http://www.windowsnetworking.com/articles_tutorials/Trust-Relationships-Windows-Server-2003-Environment.html
(b) http://www.tech-faq.com/understanding-trust-relationships.html
(c) http://searchwindowsserver.techtarget.com/tip/0,289483,sid68_gci1111920,00.html

Article (a) is easier to understand, but articles (b) & (c) make me confused.



I tried to summarize "Trust Relationship within Active Directory".

Correct me if I am wrong...

Based on Windows Server 2003 Trust Relationships only:

(1) By default, every domain in the same forest will trust each other.
      A Domain Administrator from Domain#A CANNOT access Domain#B's resources like
      files, printers etc.
      However, only a member of the Enterprise Admins Group (forest level administrator) of
      Domain#A CAN access Domain#B's resources like files etc.
      ==> Am I right at this point?

(2) Only a member of the Enterprise Admins Group (forest level) CAN create an External Trust
      between 2 forests. We cannot use a domain administrator to create this external trust?
      ==> Am I right?

(3) Only a member of the Enterprise Admins Group (forest level) CAN create the trust between
      Domain#A (from forest#A) and Domain#B (from forest#B), and after this external trust
      is created the domain administrator of Domain#A can access Domain#B's resources.

      ==> At this point, we do not need to use the Enterprise Admins Group to access the other domain's
             resources; we only need to use a domain administrator to access the other domain's
             resources (the trust between 2 forests). ==> Am I right?

(4)
For article (b) I read, it sounds to me like even the domain administrator can access other domains' resources if the domains are in the same forest?
==> Please clarify...

(5)
For article (c) I read, it sounds to me like any user from any domain can access other domains' resources as long as they are in the same forest (because the trust relationship is created by default in a Server 2003 network)?
==> Please clarify...


A lot of my questions are asking whether a member of the Enterprise Admins Group, or a Domain Administrator, can access other domains' resources.


Please help to clarify (1) to (5). Thanks.
Question by:kcn
6 Comments
 
LVL 53

Accepted Solution

by:
Will Szymkowski earned 1332 total points
ID: 33571129
1 = Active Directory automatically creates a trust relationship between the new child domain and the domain directly above it in the domain namespace hierarchy. What this means is that the trust relationship exists between those domains that have a common contiguous DNS namespace and are part of the same forest. Parent-child trust enables authentication requests of child domains to be passed through the parent domain for authentication. In addition, when a new domain is added to the tree, trust relationships are created with each domain in the tree. This means that network resources in the individual domains of the tree can be accessed by all other domains in the tree.
So the answer is Domain not be able to access resources in domain b.

2 = You need to belong to the Enterprise Admins group in each forest that you want to create a forest trust between. In addition to this, the domains within each forest and each particular forest have to be raised to the Windows Server 2003 functional level.
So the answer is yes, you need to be part of the Enterprise Admins group to create a forest relationship.

3 = You can create a one-way or two-way forest trust. If you were to create a two-way forest trust then the domains in each forest would be able to access resources. You would also be able to configure Selective Authentication, where only certain users have access to resources in the other forest. Or you can do Forest-Wide authentication, which will give all users two-way access to resources in both forests.

4 = When you try to access resources from the other domain it has to first go through the parent domain and then authenticate to domain b. You can also create shortcut trusts so that this will speed up the authentication process. You can make one-way or two-way shortcuts.

 

Author Comment

by:kcn
ID: 33571470
Hi,

From your (1) answer, the last sentence reads "So the answer is Domain not be able to access resources in domain b."

==> Are you saying that a user from domain#A can or cannot access domain#B's resources?

Can I summarize it this way:

The user from Domain#A can access Domain#B's resources, as long as the user from domain#A is granted the permission (authorization) to access the resource in domain#B.

And article (a) that I read means that even if no permission is granted to the other domain's user, as long as the other domain's user is able to use the "Enterprise Admins Group", then he/she can access any domain's resources even if the other domains never gave him/her permission to access their resources.

==> Does my summary make sense?
 
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 1332 total points
ID: 33571622
Users from domain A will be able to access resources in domain B where "Authenticated Users" have read/write access. You will still need to add the group or user from the corresponding domain A to have access in domain B.
LVL 12

Assisted Solution

by:Rant32
Rant32 earned 668 total points
ID: 33572454
The Enterprise Admins group becomes a member of the domain-local Administrators group by default when creating the child domain. That means the root domain's Administrator account has full access to all domain controllers in the subdomains, but not the member servers in the subdomains, unless specifically granted access.
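The points made in the accepted answer and in Rant32's comment (which trusts exist, whether a cross-forest trust uses forest-wide or selective authentication, and who holds Enterprise Admins rights) can be audited from a domain-joined host. This is an added example, not code from the thread; it assumes the ActiveDirectory PowerShell module, and Get-ADTrust only exists on Windows Server 2012 / RSAT for Windows 8 and later, so it postdates the Server 2003 environment discussed above.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module (RSAT) on a
# domain-joined host with rights to read trust objects and group membership.
Import-Module ActiveDirectory

# Enterprise Admins lives only in the forest root domain.
$rootDomain = (Get-ADForest).RootDomain

# 1. Every trust the current domain holds. Parent-child and tree-root trusts are created
#    automatically (IntraForest = True); external and forest trusts were created by hand.
$trusts = Get-ADTrust -Filter *
$trusts | ForEach-Object {
    [pscustomobject]@{
        Partner                 = $_.Name
        Direction               = $_.Direction            # Inbound, Outbound, BiDirectional
        IntraForest             = $_.IntraForest
        ForestTransitive        = $_.ForestTransitive     # True = forest trust, False = external trust
        SelectiveAuthentication = $_.SelectiveAuthentication
        SIDFilteringQuarantined = $_.SIDFilteringQuarantined
    }
} | Format-Table -AutoSize

# 2. Cross-forest trusts with forest-wide authentication: every user of the trusted forest
#    then satisfies "Authenticated Users" on this side, which is the situation the accepted
#    answer describes for resources where Authenticated Users were granted access.
$wideOpen = $trusts | Where-Object { -not $_.IntraForest -and -not $_.SelectiveAuthentication }
foreach ($t in $wideOpen) {
    Write-Warning "Trust with $($t.Name) uses forest-wide authentication; review whether selective authentication is appropriate."
}

# 3. Who carries the Enterprise Admins rights Rant32 describes (member of the domain-local
#    Administrators group on every child domain's DCs)? Resolve nested membership in the root.
Get-ADGroupMember -Identity 'Enterprise Admins' -Server $rootDomain -Recursive |
    Select-Object Name, SamAccountName, objectClass |
    Format-Table -AutoSize
```

Section 3 is the membership worth reviewing regularly: anyone listed there has Administrators rights on every domain controller in the forest without any per-domain permission having been granted.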
 

Author Comment

by:kcn
ID: 33575370
Rant32,

I understand your point. If there is a SINGLE tree domain, the root domain's administrator can by default access any resources in their child domains without needing any permission to be granted.

How about in a forest network where 2 Domain Trees exist?
Which account by default has the right to access any resources from any domain within the SAME forest? ==> Please advise which type of account has this default right.
 

Author Comment

by:kcn
ID: 33603576
Spec01 or Rant32,

Can anyone answer my last post?