Windows Server 2003 adds some new functionality for dealing with forests and forest trusts in Active Directory....
The improvements provide a great deal more flexibility and resource utilization among different forests, but they still preserve your ability to restrict usage among forests. This article, the first installment in a two-part series, discusses how Microsoft tracks trusts using trusted domain objects (TDOs). Part two describes your three options for setting up the trust.
Microsoft tracks trusts, including (but not limited to) forest-to-forest trusts, through the use of TDOs. TDOs for a domain can be viewed under System in Active Directory Users and Computers. Remember to turn on Advanced Features under the View option to enable viewing of the System container. Your trust will show up in the right-hand screen as the domain name you trusted with a type heading of "Trusted Domain."
For the purposes of this article, we'll assume you are creating a forest-to-forest trust, which is done from the root domain of one Windows 2003 forest to the root domain of a second Windows 2003 forest. The TDOs' function is to store information about trusts among domains, including forest-to-forest trusts in the root domain.
The TDO stores various trust information such as trust transitivity (transitive or non-transitive), the reciprocal name of the domain on the other end of the trust, and the type of trust (parent-child or tree-root). Trusts that are created from one forest to another will also have additional information stored in the TDO to allow each forest to identify additional items in the other forest, such as the UPNs (user principal names), SPN suffixes (service principal names), domain tree names and SID (security ID) namespaces.
Before you start to create a forest trust, you will want to check out the Help topic "Checklist: Creating a forest trust." Some key checklist items to note are:
- You must be a member of one of the following groups: Domain Administrators in the forest root domain, Enterprise Admins, or the new group Incoming Forest Trust Builders. Members of the Incoming Forest Trust Builders group can establish an incoming trust for their forest.
- You must have DNS configured so that each forest will recognize the other. The forest functional level in each forest must be set to Windows 2003. If you are a member of the necessary groups in both forests, you can create both sides of the trust at once, which simplifies the setup procedure.
The wizard pictured on the left for setting up a forest trust is located in Active Directory Domains and Trusts. Simply right-click on the forest root domain and click Properties, then click New Trust under the Trust tab.
One of the important things about trusts in Windows Server 2003 is that you have the ability to specify which way the trust will operate. When you set the trust up, you will be asked for the direction of the trust. But it is very easy to make a common Windows NT 4.0 mistake when creating trusts: creating the trust in the wrong direction. We'll look at that in part two of this series: "Who do you trust? Options for setting up forest-to-forest trusts."
About the author: Douglas Paddock is an IT instructor at Louisville Technical Institute in Louisville, Ky. He holds CIW Security Analyst, CIW Instructor, MCSE, MCT, MCSA, A+ and N+ certifications.