
Trust Relationship within Active Directory

Posted on 2010-08-31
Last Modified: 2012-08-13
I read the 3 articles below about Trust Relationships within Active Directory:

(a) http://www.windowsnetworking.com/articles_tutorials/Trust-Relationships-Windows-Server-2003-Environment.html
(b) http://www.tech-faq.com/understanding-trust-relationships.html

(c) http://searchwindowsserver.techtarget.com/tip/0,289483,sid68_gci1111920,00.html


Article (a) is easier to understand, but articles (b) & (c) make me confused.



I tried to summarize "Trust Relationships within Active Directory".

Correct me if I am wrong...

Based on Windows Server 2003 trust relationships only:

(1) By default, every domain in the same forest will trust each other.
      A Domain Administrator from Domain#A CANNOT access Domain#B's resources like
      files, printers etc.
      However, only a member of the Enterprise Admins group (forest-level administrator) of
      Domain#A CAN access Domain#B's resources like files etc.
      ==> Am I right at this point????

(2) Only a member of the Enterprise Admins group (forest level) CAN create an External Trust
      between 2 forests. We cannot use a domain administrator to create this external trust??
      ==> Am I right???

(3) Only a member of the Enterprise Admins group (forest level) CAN create the trust between
      Domain#A (from forest#A) and Domain#B (from forest#B), and after this external trust
      is created the domain administrator of Domain#A can access Domain#B's resources.

      ==> At this point, we do not need to use the Enterprise Admins group to access the other domain's
             resources; we only need to use a domain administrator to access the other domain's
             resources (the trust between 2 forests) ==> Am I right???

(4)
From article (b) that I read, it sounds to me like even the domain administrator can access other domains' resources if the domains are in the same forest????
==> Please clarify...

(5)
From article (c) that I read, it sounds to me like any user from any domain can access other domains' resources as long as they are in the same forest (because the trust relationship is created by default in a Server 2003 network)???
==> Please clarify......


A lot of my questions are asking whether a member of the Enterprise Admins group, or a Domain Administrator, can access other domains' resources???


Please help to clarify (1) to (5). Thanks.
Question by:kcn
 
LVL 53

Accepted Solution

by:
Will Szymkowski earned 1332 total points
ID: 33571129
1 = Active Directory automatically creates a trust relationship between the new child domain and the domain directly above it in the domain namespace hierarchy. What this means is that the trust relationship exists between those domains that have a common contiguous DNS namespace and are part of the same forest. Parent-child trust enables authentication requests from child domains to be passed through the parent domain for authentication. In addition, when a new domain is added to the tree, trust relationships are created with each domain in the tree. This means that network resources in the individual domains of the tree can be accessed by all other domains in the tree.
So the answer is: Domain A will not be able to access resources in Domain B.

2 = You need to belong to the Enterprise Admins group in each forest that you want to create a forest trust between. In addition to this, the domains within each forest and each particular forest have to be raised to the Windows Server 2003 functional level.
So the answer is yes, you need to be part of the Enterprise Admins group to create a forest relationship.

3 = You can create a one-way or two-way forest trust. If you were to create a two-way forest trust then both domains in each forest would be able to access resources. You would also be able to configure Selective Authentication where only certain users have access to resources in the other forest. Or you can do Forest-Wide authentication, which will give all users two-way access to resources in both forests.

4 = When you try to access resources from the other domain it has to first go through the parent domain and then authenticate to domain B. You can also create shortcut trusts so that this will speed up the authentication process. You can make one-way or two-way shortcuts.

 

Author Comment

by: kcn
Hi,

From your (1) answer, the last sentence reads as "So the answer is: Domain A will not be able to access resources in Domain B."

==> Are you saying that a user from domain#A can or cannot access domain#B's resources???

Can I summarize in this way:

The user from Domain#A can access Domain#B's resources, as long as the user from domain#A is granted permission (authorization) to access the resource in domain#B.

And article (a) that I read means that even if no permission is granted to the other domain's user, as long as the other domain's user is able to use the "Enterprise Admins Group", then he/she can access any domain's resources even if the other domains never gave him/her permission to access their resources.

==> Does my summary make sense???

Assisted Solution

by: Will Szymkowski
Users from domain A will be able to access resources on domain B where "Authenticated Users" have read/write access. You will still need to add the group or user from the corresponding domain A to have access in domain B.

Assisted Solution

by: Rant32
The Enterprise Admins group becomes a member of the domain-local Administrators group by default when the child domain is created. That means the root domain's Administrator account has full access to all domain controllers in the subdomains, but not to the member servers in the subdomains, unless specifically granted access.
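An added example, not part of the original thread: PowerShell that checks the points made in the two answers above against a real forest. It reports the forest and domain functional levels (the Windows Server 2003 level Will Szymkowski says a forest trust requires), lists every trust held by the forest root with its direction, transitivity and Selective Authentication setting (his answer to (3)), and then tests Rant32's point by looking for the root domain's Enterprise Admins group inside each domain's built-in Administrators group. It assumes the ActiveDirectory module from RSAT (Windows Server 2008 R2 or later, so newer tooling than the Server 2003 environment the question is about) and a domain-joined account that can read every domain in the forest; no domain names are hard-coded.

```powershell
# Added example (not from the original thread). Assumes the ActiveDirectory module
# (RSAT, Windows Server 2008 R2 or later) and a domain-joined account that can read
# the directory in every domain of the forest.
Import-Module ActiveDirectory

$forest     = Get-ADForest
$rootDomain = $forest.RootDomain

# (2) A forest trust requires the forest (and therefore every domain in it) to be at
#     the Windows Server 2003 functional level or higher. Show what is actually set.
"Forest functional level: $($forest.ForestMode)"
foreach ($d in $forest.Domains) {
    "  $d domain functional level: $((Get-ADDomain -Server $d).DomainMode)"
}

# (1)/(3) Every trust object held by the forest root. Parent-child and tree-root
#     trusts show IntraForest = True; external and forest trusts show IntraForest = False.
#     SelectiveAuthentication = True means users from the trusted side must also be
#     granted "Allowed to Authenticate" on a server before its ACLs are even evaluated.
Get-ADTrust -Filter * -Server $rootDomain |
    Select-Object Name, TrustType, Direction, ForestTransitive, IntraForest,
                  SelectiveAuthentication, SIDFilteringQuarantined |
    Format-Table -AutoSize

# Rant32's point: on creation of a child domain, the forest root's Enterprise Admins
# group (well-known RID 519 in the root domain) is nested into the child's built-in
# Administrators group (well-known SID S-1-5-32-544, a domain-local group that is
# honoured on the child's domain controllers, not on member servers).
$rootSid = (Get-ADDomain -Server $rootDomain).DomainSID.Value
$eaSid   = (Get-ADGroup -Identity "$rootSid-519" -Server $rootDomain).SID.Value

foreach ($d in $forest.Domains) {
    # Direct members only; Get-ADGroupMember without -Recursive shows the nesting itself.
    $admins = Get-ADGroupMember -Identity 'S-1-5-32-544' -Server $d
    $nested = $admins | Where-Object { $_.SID.Value -eq $eaSid }
    [pscustomobject]@{
        Domain                           = $d
        EnterpriseAdminsInAdministrators = [bool]$nested
        OtherDirectMembers               = ($admins |
                                            Where-Object { $_.SID.Value -ne $eaSid } |
                                            Select-Object -ExpandProperty SamAccountName) -join ', '
    }
}
```

Run it from any domain-joined workstation with RSAT installed; the membership check for each domain needs LDAP read access to that domain. It deliberately stops at the domain-local Administrators group: whether a member server in a child domain also admits Enterprise Admins depends on that server's local Administrators group (for example `net localgroup Administrators` on the server itself), which, as Rant32 notes, is not populated by default.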
 

Author Comment

by: kcn
Rant32,

I understand your point. If there is a SINGLE domain tree, the root domain's administrator can by default access any resources on the child domains without needing any permission granted.

How about in a forest where 2 domain trees exist?
Which account has by default the right to access any resources from any domain within the SAME forest????? ==> Please advise which type of account has this default right????
 

Author Comment

by: kcn
Spec01 or Rant32,

Can anyone answer my last post?