Trust relationship in 2003



Hello Experts, I had 3 Windows DCs that had a trust relationship with an NT 4 PDC and BDC. I installed another 3 Windows R2 to. I recently upgraded our domain controllers from to R2. Our established trust broke and none of the computers can log in to the.

Tree-root trust -- Windows automatically creates a transitive, two-way trust when you add a new tree-root domain to an existing forest.

Because parent-child and tree-root trusts are transitive, every domain in a forest ends up trusting every other domain in the forest, even though Windows only creates trusts along the tree. Since every domain automatically trusts every other domain, you might assume that there is no reason for anyone to ever run into a situation like my nightmare with the Army again, as long as all of the domains are Active Directory based.

In a way, this is true.


If I were working for the Army today, it is certainly conceivable that I could create a forest that spans the entire base. Each unit could still maintain its own domain, but that domain would be part of the forest, and forest-wide trust relationships would be created automatically. In fact, I know of several large companies that have their networks configured in exactly that way. That does not make it the right design everywhere, though. Consider my earlier example with the Army.

A forest that spans the entire base would not be appropriate in that situation because many of the units deal with classified information. Just to be perfectly clear, I want to point out that having one domain trust another domain does not automatically give users in the trusted domain access to any of the resources in the trusting domain; permissions still have to be assigned.

Even so, a forest that spans an entire Army base would not be appropriate for the military, because the Army would not want to risk having an administrator grant access to classified materials to someone in a different domain, whether by mistake or maliciously.

OK, so the Army has a lot of picky rules and red tape, so what about a corporation? Well, there are situations in the corporate world, too, in which a company-wide forest is a bad idea. Imagine for a moment that you work for a large company with offices in many different cities, where each office runs its own domain and all of those domains sit in one company-wide forest. It might even seem logical. Keep in mind, though, that the feasibility of such a design all boils down to trust.

One day you get a phone call from the corporate headquarters and they want you to grant access to a particular file share to the Marketing group in the Las Vegas, Nevada office. Remember that the Las Vegas office consists of an independent domain over which you have absolutely no control.

Planning Trust Relationships in a Windows Server 2003 Environment

The best that you can do is hope that the network administrator in Las Vegas would not make someone who would do harm to your resources a member of the Marketing group.

As you can see, it all boils down to trust. The question is how much trust you have in the administrators of the other domains. What if one of the other administrators is focused on network domination? Normally, a domain-level administrator has administrative permissions over their own domain, but not over the forest.

This means that they have no control over any of the other domains, in the sense that no permission has been granted to them there. The domain is not a security boundary, though; the forest is. All an administrator needs in order to become a forest-level administrator is to have their account added to the Enterprise Admins group, and there are numerous elevation-of-privilege exploits that can be used to do exactly that.

Since the user in question is already a domain administrator, such exploits become much easier to pull off. Once they succeed, they have full control over every domain in the forest, including yours.

In a Windows forest, no domain is an island. All domains are universally connected via Kerberos-style transitive trusts.
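A practitioner's counter to that risk, as an added example that is not part of the original article: keep a baseline of Enterprise Admins membership and watch the security event that records additions to the group. The script assumes the RSAT ActiveDirectory module, read access to the Security logs of the forest root domain controllers, and a baseline file at an assumed path; the function names are this example's own.

```powershell
# Added example: detect additions to Enterprise Admins, the group the text says a
# domain admin needs to reach forest-wide control. Assumes the ActiveDirectory
# module and read access to the root domain DCs' Security logs. The baseline
# path is an assumption; pick one that ordinary domain admins cannot write.
Import-Module ActiveDirectory

$BaselinePath = 'C:\Audit\EnterpriseAdmins.baseline.json'

function Get-EnterpriseAdminsMembers {
    # Enterprise Admins exists only in the forest root domain, and its RID is 519,
    # so look it up by SID rather than by a name that could have been changed.
    $root    = (Get-ADForest).RootDomain
    $rootSid = (Get-ADDomain -Identity $root).DomainSID.Value
    $group   = Get-ADGroup -Identity "$rootSid-519" -Server $root
    # -Recursive expands nested groups: an account hidden in a group that is itself
    # a member of Enterprise Admins has the same power as a direct member.
    Get-ADGroupMember -Identity $group -Server $root -Recursive |
        ForEach-Object {
            [pscustomobject]@{ Name = $_.SamAccountName; SID = $_.SID.Value; Class = $_.objectClass }
        } | Sort-Object -Property SID
}

function Compare-EnterpriseAdmins {
    param([string]$Path = $BaselinePath)
    $current = @(Get-EnterpriseAdminsMembers)
    if (-not (Test-Path -Path $Path)) {
        # First run: record what is there now, and review that list by hand before trusting it.
        ConvertTo-Json -InputObject $current | Set-Content -Path $Path
        return [pscustomobject]@{ BaselineCreated = $true; Members = $current.Count }
    }
    $baseline = @(Get-Content -Path $Path -Raw | ConvertFrom-Json)
    [pscustomobject]@{
        BaselineCreated = $false
        Added   = @($current  | Where-Object { $_.SID -notin $baseline.SID })
        Removed = @($baseline | Where-Object { $_.SID -notin $current.SID })
    }
}

function Get-EnterpriseAdminsAdditions {
    param([int]$Days = 7)
    $root = (Get-ADForest).RootDomain
    # Event 4756 ("a member was added to a security-enabled universal group") is written
    # only by the DC that processed the change, so every DC in the root domain is asked.
    foreach ($dc in Get-ADDomainController -Filter * -Server $root) {
        $filter = @{ LogName = 'Security'; Id = 4756; StartTime = (Get-Date).AddDays(-$Days) }
        Get-WinEvent -ComputerName $dc.HostName -FilterHashtable $filter -ErrorAction SilentlyContinue |
            ForEach-Object {
                # Read the named EventData fields from the XML instead of relying on their order.
                $data = @{}
                foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
                if ($data.TargetUserName -eq 'Enterprise Admins') {
                    [pscustomobject]@{
                        Time   = $_.TimeCreated
                        DC     = $dc.HostName
                        Member = $data.MemberName      # DN of the account that was added
                        By     = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                    }
                }
            }
    }
}

Compare-EnterpriseAdmins | Format-List
Get-EnterpriseAdminsAdditions -Days 7 | Format-Table -AutoSize
```

The baseline comparison catches any route into the group, including ones that never produce an event on a DC you can read, while the event query tells you who made the change and from where. Run it as a scheduled task from a host outside the control of the domain administrators being watched, and keep the baseline file where they cannot rewrite it.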


But what if you need to grant access to your domain's resources to users in an NT domain, or to users in another forest? Those trusts are NT-style trusts: non-transitive, one-way, no Kerberos. If users from multiple domains in forest A require access to resources in forest B, multiple external trusts must be created.

If multiple trusts are required, we are back to the same problem we had with NT trusts: lots of management, lots of pain, and diagrams blackened with arrows representing the relationships.

A Better Trust Model

Windows Server 2003 solves both of these problems: it can create a complete, Kerberos-style, transitive trust between two forests, and it can limit what a trust means, both in a forest trust and in an external trust.

The forest trust is, simply, just that. If I want to assign resource access in every domain in forest A to any user with an account in any domain in forest B, I can do so. Along with a trust wizard there is new nomenclature. An incoming trust, as seen from A, means that users and groups in B can be assigned access to resources in A.

A and B can represent domains joined in an external trust or forests in a forest trust. An outgoing trust, as seen from A, means that users and groups in A can be assigned access to resources in B.

Figure 1 illustrates a trust that is incoming to forest A from forest B. Note that users John and Mary, who have accounts in domains in forest B, are given access to folders on servers in two different domains in forest A.
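To see how a given environment's trusts map onto this vocabulary, the following PowerShell is an added example (not from the original article) that lists every trust of the current forest with its direction, transitivity and filtering settings as the ActiveDirectory module reports them, and picks out the ones that deserve a second look. It assumes the RSAT ActiveDirectory module and a domain-joined session that can read trust objects; the function names and the "risky" heuristic are this example's own.

```powershell
# Added example: report the trusts of the current forest as the ActiveDirectory
# module sees them. Assumes RSAT / ActiveDirectory module and a domain-joined session.
Import-Module ActiveDirectory

function Get-TrustReport {
    param(
        # Optional DC or domain to query; by default the module picks one for the
        # current domain (assumption: the caller is logged on to that domain).
        [string]$Server
    )
    $query = @{ Filter = '*' }
    if ($Server) { $query['Server'] = $Server }

    Get-ADTrust @query | ForEach-Object {
        [pscustomobject]@{
            Source        = $_.Source          # the domain that holds this trust object
            Target        = $_.Target          # the other domain or forest
            # Direction is read from Source: Inbound = Source trusts Target, so Target's
            # users can be granted access to Source's resources (the article's "incoming");
            # Outbound = Source's users can be granted access in Target; BiDirectional = both.
            Direction     = $_.Direction
            IntraForest   = $_.IntraForest     # parent-child or tree-root: automatic, transitive, two-way
            ForestTrust   = $_.ForestTransitive   # a forest trust, transitive across both forests
            Transitive    = -not $_.DisallowTransivity
            SelectiveAuth = $_.SelectiveAuthentication   # $false = forest-wide authentication
            # SID filtering is recorded differently for external and forest trusts.
            SidFiltering  = ($_.SIDFilteringQuarantined -or $_.SIDFilteringForestAware)
            TrustType     = $_.TrustType       # Uplevel (Active Directory) or Downlevel (NT 4)
        }
    }
}

# Heuristic (this example's own): anything that crosses the forest boundary with
# no SID filtering, or a forest trust that authenticates forest-wide, gets flagged.
function Find-RiskyTrusts {
    Get-TrustReport | Where-Object {
        -not $_.IntraForest -and (-not $_.SidFiltering -or ($_.ForestTrust -and -not $_.SelectiveAuth))
    }
}

# A forest trust can only be created once the forest functional level is Windows Server 2003 or later.
"Forest functional level: $((Get-ADForest).ForestMode)"
Get-TrustReport  | Format-Table -AutoSize
Find-RiskyTrusts | Format-Table -AutoSize
```

Every trust appears twice when both sides are in forests you can query, once from each end, and the Direction column flips accordingly, which is exactly the incoming/outgoing point made above. SID filtering on an external trust can be switched on from the trusting side with `netdom trust <TrustingDomain> /domain:<TrustedDomain> /quarantine:yes`.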


An incoming trust into forest A means users in forest B can be granted access to forest A resources. The complete nature of this trust brings problems. Everyone is more restricted than it used to be (anonymous access is curtailed, and the Anonymous Logon SID is no longer a member of Everyone), but Windows still grants, by default, more access across the trust than some would like.

Certainly there is exposure. Completing a forest trust does mean added risk. Fortunately, there is a solution which can help mitigate that risk.

Functional Levels in Windows Server 2003

Functional level is both a statement of fact about the operating-system level of the domain controllers and a Windows mode set by an administrator.