Friday, 29 January 2016

Setting up a non-transitive trust with Active Directory

Forest trusts can be useful during a merger of two organizations that what to keep in tact their hierarchical structure or between two entities that require organizational segregation maybe for security purposes.

A forest trust is recusrive and hence a trust in a forest will incorporate all child nodes (domains.)

So lets say we have two root domains (Domain A and Domain B) within two separate forests (Forest A and Forest B) - we would like to a allow a user of domain A to logon as themselves on domain B.

Firstly we need to ensure that are domain and forest functional levels are at least Server 2003 as below this forest trusts are not supported. i.e. They are supported in Server 2003 and above.

It is also worth mentioning that you can have two forests with different functional levels that share a trust between them (as longs the above is adheared to.)

For specific port requirements for trusts please refer to the following:

https://technet.microsoft.com/en-us/library/cc773178(v=ws.10).aspx#w2k3tr_trust_how_knfk

There are two major types - unidrectional and bidirectional:

Unidirectional - where users from a specific domain can be authenticated on another domain.
Bidirectional - where users from both domain (A and B) can be authneticated on each others domains.

We will need to ensure that both domains can resolve each other - the easiest way to provide reception to the other domain (on Domain A) from your domain controller in Domain B by creating a conditional DNS forwarder within your existing DNS infrastructure and visa versa for the other domain.

We will also need to ensure that each DC in the domains can resolve each other's Computer Name NOT just thier FQDN. To do this you can either use a host file or simply add a dns suffix for the other domain in each DC.

In this tutorial I will be setting up a unidirectional (one-way) trust - so that users on Domain B can be authneitcated on Domain A - so Domain A from the start menu we go to >> Administrative Tools >> Sites and Services >> right-hand click on our domain node and hit 'Properties' >> Trusts tab >> 'Create Trust' and enter the trust name (which should be the FQDN of your domain name on Domain B).

We now have two options - we can either create an external trust (for domain to domain) or a forest trust (that will create a trust between two forests and all of the domains below it.) We should then select a one-way trust (incoming) and enter a password and we do not want to confirm the incoming trust until we have created the trust on the other domain! - So select 'No, do not confirm the incoming trust'.

Now we can hop onto a DC in domain B and create a new trust (as before) but this time we will specify the other domain FQDN (Domain A) and then specify a 'one-way outgoing' trust, as well as specifiying the same password you enterted for the other trust wizard and ensure 'confirm trust' is checked during this wizard.

Then go back Domain A DC and view the trust properties of the trust we created prior and hit the 'Validate trust' - which will confirm the trust on this side.

There are a few usefull utilites to help diagnose any trust issues:

NETDOM: Used to establish or break trust types.
NETDIAG: The output of this tool can give basic status on trust relationships.
NLTEST: Can be used to verify a trust relationship

0 comments:

Post a comment