In this series, we will move through the content blueprint of the Microsoft Windows Active Directory Configuration (70-640) exam objectives with an eye toward preparing you to pass this Microsoft Certified Technology Specialist (MCTS) exam.
The screenshot below shows the relevant section from the 70-640 exam blueprint on configuring Active Directory Domain Services (AD DS) trust relationships.
Microsoft Exam 70-640 – Configure Active Directory Trusts
The “Configuring the Active Directory Infrastructure” objective deals with some pretty intense material if you are not already an experienced Windows Server administrator. In particular, the subject of trusts can get pretty abstract and difficult to comprehend.
By way of preliminary definition, a trust in Active Directory simply enables user accounts, group accounts, and computer accounts from one domain to access shared resources in another domain. Trusts in Active Directory are bi-directional by default; this is in stark contrast to trusts in Windows NT 4.0, which were one-way only.
We can create and manage trust relationships by using either the Active Directory Domains and Trusts GUI tool or the Netdom command-line utility.
Before you register to take the 70-640 exam, please ensure that you are very comfortable with all technologies and procedures that are referenced in this subobjective:
- Forest Trust
- Selective Authentication vs. Forest-Wide Authentication
- Transitive Trust
- External Trust
- Shortcut Trust
- SID Filtering
A forest trust is a resource sharing relationship that is defined between two separate Active Directory forests. These forests can be owned by the same organization, or can represent a partnership between two different organizations.
Forest trusts exist between the forest root (first) domains in each forest, and offer quite a bit of flexibility. They can be one-way or two-way, although all forest trusts are transitive (as are domain trusts).
Selective Authentication vs. Forest-Wide Authentication
Forest-wide authentication is the default behavior for forest trusts in Active Directory. This means that users in one forest’s domain can (potentially) log on to and access resources in any domain in the second forest. This obviously presents some security concerns for many AD administrators. To remedy this, we have the selective authentication feature, in which we can granularly specify which domains are accessible to users across a forest trust.
The selective authentication feature is also known in the interface and in the Microsoft literature as the “authentication firewall.”
As previously stated, Active Directory domain trusts are transitive by default. What this means is that the trust transits, or moves, among connected domains.
In the following figure, we can see that because domain A has an explicit trust relationship defined with domains B and C, users in domain B can access resources in domain C (and vice-versa), even though the two domains don’t have a separate trust relationship defined.
Transitive Active Directory trust
An external trust is a non-transitive trust between a local domain (which for exam purposes almost always assumes a Windows Server 2008 R2 forest functional level) and a forest root domain in another forest.
Although an external trust “looks” like a forest trust because it connects root domains in separate Active Directory forests, Microsoft considers the external trust to be a separate and distinct trust type.
The non-transitive nature of the external trust means that the trusting domain can be highly selective about which of its resources are accessible to users from the trusted domain. As we discussed earlier, selective authentication allows us to loosen the black-and-white restrictions imposed by an external trust.
External trusts are sometimes used when our users need access to resources located in a “legacy” Windows NT 4.0 domain or in an Active Directory domain that exists in a forest not involved in a forest trust.
NOTE: A related type of external trust is the realm trust, which involves a transitive or non-transitive, one-way or two-way link between the Active Directory domain and a Kerberos realm (perhaps a Mac OS X Open Directory master).
A shortcut trust is a one-way or two-way transitive trust that is explicitly defined between two domains in a forest. We use shortcut trusts as a way to shorten logon times for users who frequently access resources in remote domains.
The dashed line in the following exhibit denotes a shortcut trust defined between domains C and E. Instead of an authentication request from domain C having to “walk the tree” up to domain A, which is the ordinary case, the request is passed directly across the shortcut trust to domain E. This is efficiency, friends!
Active Directory - Shortcut trust
As you know, user accounts are known internally by Active Directory not by “friendly” name or username but by the object’s Security Identifier, or SID. When a forest administrator uses the Active Directory Migration Tool (ADMT) or another means to migrate a user account from one domain to another within a forest, AD stores both the new and the old SIDs for the user, which saves the admin from re-adding the user to discretionary access control lists (DACLs) on shared resources. This is called SID history.
SID filtering is a security feature and configurable option in Windows Server 2008 R2 that applies to external trusts. We use SID filtering to allow SIDs from a trusted domain to access our local resources while blocking the migrated SIDs carried in SID history from coming across the trust.
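As an added example (not the post's own code), the following PowerShell script lists the trusts defined in the local domain and decodes the trustAttributes bit flags (values as documented in MS-ADTS) into the trust types and settings covered above, noting where SID filtering or selective authentication is not in effect. It assumes the Active Directory module that ships with Windows Server 2008 R2 and a domain-joined session, and it also covers the forest-trust form of SID filtering, which goes beyond the external-trust case discussed in the text.

```powershell
# Added example (not from the original post): audit this domain's trusts and
# decode their trustAttributes bit flags into the trust types and settings
# discussed above. Assumes the Windows Server 2008 R2 ActiveDirectory module.
Import-Module ActiveDirectory

# trustAttributes bit flags (MS-ADTS, attribute trustAttributes)
$NON_TRANSITIVE     = 0x01   # set on external trusts: no transitivity
$QUARANTINED_DOMAIN = 0x04   # SID filtering ("quarantine") on an external trust
$FOREST_TRANSITIVE  = 0x08   # forest trust
$CROSS_ORGANIZATION = 0x10   # selective authentication enabled
$WITHIN_FOREST      = 0x20   # parent/child, tree-root or shortcut trust
$TREAT_AS_EXTERNAL  = 0x40   # forest trust with SID history allowed (filtering relaxed)

$directionName = @{ 1 = 'Inbound'; 2 = 'Outbound'; 3 = 'Two-way' }

# Each trust is stored as a trustedDomain object under CN=System in the domain.
$trusts = Get-ADObject -LDAPFilter '(objectClass=trustedDomain)' `
    -Properties trustPartner, trustDirection, trustType, trustAttributes

foreach ($t in $trusts) {
    $a = [int]$t.trustAttributes
    if     ($a -band $WITHIN_FOREST)     { $kind = 'Intra-forest (parent/child, tree-root or shortcut)' }
    elseif ($a -band $FOREST_TRANSITIVE) { $kind = 'Forest' }
    elseif ($t.trustType -eq 3)          { $kind = 'Realm (Kerberos)' }
    else                                 { $kind = 'External' }

    # Outbound means this domain is the trusting side: partner accounts can reach
    # our resources, so the SID filtering and authentication settings matter here.
    $findings = @()
    $outbound = (([int]$t.trustDirection) -band 2) -ne 0
    if ($outbound -and $kind -eq 'External' -and -not ($a -band $QUARANTINED_DOMAIN)) {
        $findings += 'SID filtering off (netdom trust ... /quarantine:yes enables it)'
    }
    if ($outbound -and $kind -eq 'Forest' -and ($a -band $TREAT_AS_EXTERNAL)) {
        $findings += 'SID history allowed across forest trust (netdom trust ... /enablesidhistory:no)'
    }
    if ($outbound -and ($kind -eq 'Forest' -or $kind -eq 'External') -and -not ($a -band $CROSS_ORGANIZATION)) {
        $findings += 'Forest-wide/domain-wide authentication (netdom trust ... /selectiveauth:yes)'
    }

    # New-Object rather than [PSCustomObject] so this also runs on PowerShell 2.0
    New-Object PSObject -Property @{
        Partner    = $t.trustPartner
        Kind       = $kind
        Direction  = $directionName[[int]$t.trustDirection]
        Transitive = -not ($a -band $NON_TRANSITIVE)
        Findings   = ($findings -join '; ')
    }
}
```

Pipe the output to Format-Table to review all trusts at once; an empty Findings column means the trust already has SID filtering and selective authentication in effect as described above.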
I hope that you found this approach to 70-640 exam preparation beneficial. Please feel free to leave your questions, comments, and exam experiences (no braindumps, please) in the comments portion of this post.
In the next post in this series I will provide a sample practice question for the “Configure trusts” topic.