
CONFIGURING TRUSTS – PART 3

http://www.rebeladmin.com/2015/01/configuring-trusts-part-3/


This is part 3 of the series explaining trusts between infrastructures. If you have not read the other two parts yet, you can find them here.
In this article I will cover the remaining concepts and terms involved in setting up a trust.
Security Identifier (SID) filtering
Microsoft systems use a structure known as a Security Identifier (SID) to express identities; it acts like a token. SID filtering is used to block users in a trusted forest or domain from elevating their privileges in the local forest or domain. This is important for external trusts, because when you trust another domain you need to control which rights credentials from that domain obtain in yours.
By default Windows Server 2012 and Windows Server 2012 R2 have SID filtering enabled. If you wish to disable it, you can do so with the following commands (https://technet.microsoft.com/en-us/library/cc794801(v=ws.10).aspx).
To disable SID filter quarantining for the trusting domain:

Netdom trust <TrustingDomainName> /domain:<TrustedDomainName> /quarantine:No /userD:<User> /passwordD:<Password>

To disable SID filtering for the trusting forest (allows sIDHistory SIDs to cross the forest trust):

Netdom trust <TrustingForestName> /domain:<TrustedForestName> /enablesidhistory:Yes /userD:<User> /passwordD:<Password>

It is recommended to keep SID filtering in its default enabled state unless you have a critical reason to disable it.
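As an added illustration (not part of the original post), the following Python models the rule SID filtering applies to the SIDs a trusted domain presents, so you can see what a sIDHistory entry naming your own forest's Domain Admins would do once filtering is disabled. The domain SIDs and sample SID list are constructed, and the three modes are a simplified model of the quarantine / forest / disabled behaviour, not Microsoft's implementation.

```python
"""Simplified model of which SIDs a trust's SID filtering drops (added example)."""
from dataclasses import dataclass
from enum import Enum


class TrustMode(Enum):
    QUARANTINE = "external trust, SID filter quarantining on (default)"
    FOREST_FILTERED = "forest trust, SID filtering on (default)"
    UNFILTERED = "disabled with /quarantine:No or /enablesidhistory:Yes"


def split_sid(sid: str) -> tuple[str, int]:
    """Split S-1-5-21-A-B-C-RID into (domain SID, RID); reject malformed input."""
    parts = sid.split("-")
    if len(parts) < 5 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError(f"malformed SID: {sid!r}")
    return "-".join(parts[:-1]), int(parts[-1])


@dataclass(frozen=True)
class FilterResult:
    accepted: tuple[str, ...]
    dropped: tuple[str, ...]


def filter_sids(incoming, trusted_domain_sid, trusted_forest_sids, mode):
    """Keep or drop each SID the trusted side presents (user, groups, sIDHistory)."""
    accepted, dropped = [], []
    for sid in incoming:
        domain, _rid = split_sid(sid)
        if mode is TrustMode.QUARANTINE:
            ok = domain == trusted_domain_sid      # only the partner domain's own SIDs
        elif mode is TrustMode.FOREST_FILTERED:
            ok = domain in trusted_forest_sids     # any domain of the partner forest
        else:
            ok = True                              # nothing is checked: sIDHistory passes
        (accepted if ok else dropped).append(sid)
    return FilterResult(tuple(accepted), tuple(dropped))


# Constructed sample: partner user + group, a partner child-domain group, a sIDHistory
# entry naming OUR forest's Domain Admins (RID 512), and a SID from an unrelated domain.
TRUSTED, TRUSTED_CHILD, LOCAL = "S-1-5-21-100-200-300", "S-1-5-21-100-200-301", "S-1-5-21-900-800-700"
SAMPLE_SIDS = [f"{TRUSTED}-1105", f"{TRUSTED}-1201", f"{TRUSTED_CHILD}-1300",
               f"{LOCAL}-512", "S-1-5-21-555-555-555-1000"]

if __name__ == "__main__":
    for mode in TrustMode:
        result = filter_sids(SAMPLE_SIDS, TRUSTED, {TRUSTED, TRUSTED_CHILD}, mode)
        print(f"{mode.value}\n  dropped: {result.dropped}")
```

Only in the unfiltered mode does the constructed local Domain Admins SID survive, which is exactly the elevation the default setting prevents.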
Name Suffix Routing
An organization may use several UPN (User Principal Name) suffixes within its forest. For example, Contoso Ltd. may use contoso.com, mycontoso.net and companyA.org as name suffixes. When you create a trust, you may not need to allow users from all of these suffixes to authenticate across it. With name suffix routing we can enable or disable the UPN suffixes that take part in trust operations.
I will demonstrate how to do this in the next post, which will go further into real-world configurations.
Trust Authentications
Trusts can use two authentication protocols. By default a trust uses Kerberos version 5; if that is not supported, NTLM authentication is used. In order to create a trust, the administrator needs to be a member of the Domain Admins or Enterprise Admins group. The trust needs to be set up on both sides.
Before creating a trust it is important to make sure the following ports are open on both sides.
UDP Port 88 – Kerberos Protocol
TCP and UDP Port 387 – LDAP
TCP Port 445 – Microsoft SMB
TCP Port 135 – Trust endpoint resolution
This is the end of part 3 of the Configuring Trusts series; in the next article let's look at real-world setups.
