
CONFIGURING TRUSTS – PART 2

http://www.rebeladmin.com/2015/01/configuring-trusts-part-2/

This is part 2 of a series of articles describing trusts between infrastructures. If you have not read part 1 of the series yet, you can find it here.
In the previous article I explained what a trust is and the common terms used in the process. This article extends that.
External Trusts – Let’s assume we have a child domain called “HQ.contoso.com” under the contoso.com forest. The company recently entered a business relationship with XYZ Corp, which has a child domain called “Sales.xyz.com” under the XYZ.com forest. Management wants to allow users and resources in “Sales.xyz.com” to access data and resources in “HQ.contoso.com”, and none of the other domains or child domains in either forest should take part in this arrangement. This is where “External Trusts” are used: they allow only a part of each forest to participate in a specific operation.
Realm Trust – In the real world, Microsoft Active Directory is not the only directory service organizations use, and it is not practical to force another organization to change its directory service to match ours in order to establish a trust. Realm trusts address this: they allow a trust between an Active Directory domain and a non-Windows Kerberos version 5 realm (such as a Linux directory service).
Forest Trusts – This is the most commonly used trust type. With a forest trust, one Active Directory forest trusts another Active Directory forest. These trusts can be uni-directional or bi-directional. By default, forest trusts are “Transitive”, meaning that any domain or child domain under these forests is automatically trusted by the other forest (subject to the trust direction).
With a forest trust we can use one of two authentication scopes, according to our business requirements.
Forest-wide Authentication – This is the default authentication setting for forest trusts. Users in the remote forest are automatically allowed to authenticate to resources in the local forest. This does not mean that any user in the remote forest can access any resource: they still need to pass the ACLs and permission rules applied to the resources. This authentication model is recommended for organizations with multiple forests.
Selective Authentication – Using this method we can allow only selected users and groups in the remote forest to access resources in the local forest. This is the best option for controlling access security while maintaining a forest trust.
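As an added example (not code from the original article), the following PowerShell classifies a domain’s trusts into the types described above and reports their direction, transitivity and authentication scope, flagging forest trusts that still use forest-wide authentication. It assumes the ActiveDirectory module (RSAT) and read access to the domain’s trust objects; the property names are those exposed by Get-ADTrust.

```powershell
# Added example, not from the original article: classify and audit the trusts
# of one domain using the trust types and authentication scopes described above.
# Assumes the ActiveDirectory module (RSAT) and read access to trust objects.
Import-Module ActiveDirectory

function Get-TrustAuditReport {
    param(
        # Domain whose trust objects are read; defaults to the current domain.
        [string]$Domain = (Get-ADDomain).DNSRoot
    )

    Get-ADTrust -Filter * -Server $Domain | ForEach-Object {
        # Classify the trust from the properties Get-ADTrust exposes.
        $kind = if ($_.IntraForest) { 'Intra-forest (parent/child, tree-root or shortcut)' }
                elseif ($_.ForestTransitive) { 'Forest trust' }
                elseif ($_.TrustType -eq 'MIT') { 'Realm trust (non-Windows Kerberos v5)' }
                else { 'External trust' }

        # Authentication scope only applies to forest trusts; forest-wide is the default.
        $scope = if (-not $_.ForestTransitive) { 'n/a' }
                 elseif ($_.SelectiveAuthentication) { 'Selective' }
                 else { 'Forest-wide' }

        # Widest case: this domain trusts the remote forest (Outbound or
        # BiDirectional, so remote users can be authenticated here) and
        # forest-wide authentication lets every remote user do so.
        $finding = ''
        if ($_.ForestTransitive -and -not $_.SelectiveAuthentication -and
            $_.Direction -in 'Outbound', 'BiDirectional') {
            $finding = "Forest-wide authentication: every user in $($_.Target) " +
                       'can authenticate here; consider selective authentication'
        }

        [PSCustomObject]@{
            Target     = $_.Target
            Kind       = $kind
            Direction  = $_.Direction                 # Inbound, Outbound, BiDirectional
            Transitive = -not $_.DisallowTransivity   # property name as spelled by the module
            AuthScope  = $scope
            Finding    = $finding
        }
    }
}

Get-TrustAuditReport | Format-Table -AutoSize
```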
Shortcut Trusts – Let’s assume we have two forests called contoso.com and XYZ.com. As the image below shows, both forests have several domains and child domains. We have a user called “User A” in “IT.Hotels.contoso.com” who needs to access a file share on a server located under “HR.Constructions.XYZ.com”.
[Image: short1]
If we think about the authentication process, the traffic has to travel all the way up to the root domain in both forests. Sometimes these child domains are located in different countries or cities, and they may be connected through slow links because of the high cost, so this traffic affects regular operations.
A shortcut trust allows authentication traffic to pass directly between IT.Hotels.contoso.com and HR.Constructions.XYZ.com without going through the domain tree. A shortcut trust can be bi-directional or uni-directional.
[Image: short2]
This is the end of Part 2 of the series.