Who do you trust? A new direction for AD in Windows Server 2003

Douglas A. Paddock, SearchWin2000.com contributor

Windows Server 2003 adds some new functionality for dealing with forests and forest trusts in Active Directory. The improvements provide a great deal more flexibility and resource utilization among different forests, but they still preserve your ability to restrict usage among forests. This article, the first installment in a two-part series, discusses how Microsoft tracks trusts using trusted domain objects (TDOs). Part two describes your three options for setting up the trust.

Microsoft tracks trusts, including (but not limited to) forest-to-forest trusts, through the use of TDOs. The TDOs for a domain can be viewed under the System container in Active Directory Users and Computers. Remember to turn on Advanced Features under the View menu, or the System container will not be displayed. Your trust will show up in the right-hand pane as the name of the domain you trusted, with a type of "Trusted Domain."

For the purposes of this article, we'll assume you are creating a forest-to-forest trust, which is done from the root domain of one Windows 2003 forest to the root domain of a second Windows 2003 forest. The TDOs' function is to store information about trusts among domains, including forest-to-forest trusts in the root domain.

The TDO stores various trust information such as trust transitivity (transitive or non-transitive), the reciprocal name of the domain on the other end of the trust, and the type of trust (parent-child or tree-root). Trusts that are created from one forest to another will also have additional information stored in the TDO to allow each forest to identify additional items in the other forest, such as the UPNs (user principal names), SPN suffixes (service principal names), domain tree names and SID (security ID) namespaces.
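The attributes just described can be read straight off the TDOs without opening the console. The following script is an added example (not code from the original article): it searches the current domain's System container for objects of class trustedDomain and decodes the attributes that record direction, transitivity and whether the trust is a forest trust. It uses only the built-in ADSI classes, so it needs no RSAT module; the attribute names and bit values are taken from Microsoft's MS-ADTS documentation of the trustedDomain class. It assumes Windows PowerShell 3 or later on a domain-joined machine.

```powershell
# Added example: enumerate the trusted domain objects (TDOs) in the current
# domain's System container and decode the attributes that describe each trust.
# Attribute names and bit values follow MS-ADTS; nothing here is specific to
# one environment.

$rootDse = [ADSI]"LDAP://RootDSE"
$dnc     = $rootDse.defaultNamingContext

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot  = [ADSI]"LDAP://CN=System,$dnc"
$searcher.Filter      = "(objectClass=trustedDomain)"
$searcher.SearchScope = "OneLevel"
'trustPartner','flatName','trustDirection','trustType','trustAttributes',
'securityIdentifier','msDS-TrustForestTrustInfo' | ForEach-Object {
    [void]$searcher.PropertiesToLoad.Add($_)
}

# trustDirection: which way the trust runs, seen from the domain holding the TDO
$directionNames = @{ 0 = 'Disabled'; 1 = 'Inbound'; 2 = 'Outbound'; 3 = 'Bidirectional' }
# trustType: what kind of domain sits on the other end
$typeNames = @{ 1 = 'Downlevel (NT4)'; 2 = 'Uplevel (AD)'; 3 = 'MIT Kerberos'; 4 = 'DCE' }
# trustAttributes: bit flags that record transitivity and forest-trust status
$attrFlags = [ordered]@{
    0x01 = 'NON_TRANSITIVE'
    0x02 = 'UPLEVEL_ONLY'
    0x04 = 'QUARANTINED_DOMAIN'   # SID filtering enforced on this trust
    0x08 = 'FOREST_TRANSITIVE'    # set on forest-to-forest trusts
    0x10 = 'CROSS_ORGANIZATION'   # selective authentication
    0x20 = 'WITHIN_FOREST'        # parent-child and tree-root trusts
    0x40 = 'TREAT_AS_EXTERNAL'
    0x80 = 'USES_RC4_ENCRYPTION'
}

function ConvertTo-TrustSummary {
    param([System.DirectoryServices.SearchResult]$Result)
    $p     = $Result.Properties          # property names come back lower-cased
    $attrs = [int]$p['trustattributes'][0]
    $flags = foreach ($bit in $attrFlags.Keys) { if ($attrs -band $bit) { $attrFlags[$bit] } }
    # securityIdentifier is stored as a binary SID; render it as S-1-5-... text
    $sid = if ($p['securityidentifier'].Count) {
        (New-Object System.Security.Principal.SecurityIdentifier($p['securityidentifier'][0], 0)).Value
    }
    [pscustomobject]@{
        Partner       = $p['trustpartner'][0]
        NetBIOS       = $p['flatname'][0]
        Direction     = $directionNames[[int]$p['trustdirection'][0]]
        Type          = $typeNames[[int]$p['trusttype'][0]]
        Transitive    = -not ($attrs -band 0x01)
        ForestTrust   = [bool]($attrs -band 0x08)
        SidFiltering  = [bool]($attrs -band 0x04)
        Flags         = ($flags -join ',')
        PartnerSID    = $sid
        # forest trusts also carry the partner's UPN/SPN suffixes, tree names and
        # SID namespaces in this binary attribute; its presence is reported here
        HasForestInfo = ($p['msds-trustforesttrustinfo'].Count -gt 0)
    }
}

$searcher.FindAll() | ForEach-Object { ConvertTo-TrustSummary $_ } | Format-Table -AutoSize
```

Run it on a domain controller or any domain member; the Direction column answers the "which way does this trust run" question that the wizard asks, read from the perspective of the domain whose TDO you are looking at: Outbound means this domain trusts the partner (the partner's users can be granted access here), Inbound means the partner trusts this domain. Run the same script in the root domain of each forest and the two TDOs for one forest trust should report mirror-image directions; if they do not, the trust was created the wrong way round.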


Before you start to create a forest trust, you will want to check out the Help topic "Checklist: Creating a forest trust." Some key checklist items to note are:

- You must be a member of one of the following groups: Domain Administrators in the forest root domain, Enterprise Admins, or the new group Incoming Forest Trust Builders. Members of the Incoming Forest Trust Builders group can establish an incoming trust for their forest.

- You must have DNS configured so that each forest can resolve the other.

- The forest functional level in each forest must be set to Windows 2003. If you are a member of the necessary groups in both forests, you can create both sides of the trust at once, which simplifies the setup procedure.
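The checklist items above can be verified from the forest root before the wizard is started. The script below is an added example, not code from the original article: it checks the three prerequisites for the forest you are logged on to (eligible group membership, DNS resolution of the partner forest's domain controllers, and the forest functional level). $PartnerForest is a constructed placeholder for the other forest's root domain name. Group membership is tested by well-known SID rather than by group name, so renamed groups are still recognised; the Domain Admins and Enterprise Admins RIDs are relative to the forest root domain SID, and Incoming Forest Trust Builders is the built-in group S-1-5-32-557. It assumes Windows PowerShell 3 or later with Resolve-DnsName available (Windows 8 / Server 2012 or later).

```powershell
# Added example: pre-flight checks for the "Checklist: Creating a forest trust"
# items, run from a member of the forest root domain. Replace the placeholder
# partner forest name with the real one.
param([string]$PartnerForest = 'partner.example')   # constructed placeholder

$results = [ordered]@{}

$forest    = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$rootDom   = $forest.RootDomain.Name
$rootEntry = $forest.RootDomain.GetDirectoryEntry()
$rootSid   = New-Object System.Security.Principal.SecurityIdentifier($rootEntry.objectSid[0], 0)

# 1. Group membership: Domain Admins of the forest root (RID 512), Enterprise
#    Admins (RID 519), or Incoming Forest Trust Builders (built-in, RID 557).
#    The last group is enough only for the incoming side of the trust.
$required = @{
    "$rootSid-512" = 'Domain Admins (forest root)'
    "$rootSid-519" = 'Enterprise Admins'
    'S-1-5-32-557' = 'Incoming Forest Trust Builders'
}
$me      = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$mySids  = $me.Groups | ForEach-Object { $_.Value }
$matched = $required.Keys | Where-Object { $mySids -contains $_ } | ForEach-Object { $required[$_] }
$results['GroupMembership'] = if ($matched) { "OK: $($matched -join ', ')" }
                              else { 'FAIL: not a member of any eligible group' }

# 2. DNS: each forest must be able to locate the other's domain controllers.
#    The locator record every DC registers is _ldap._tcp.dc._msdcs.<forest>.
function Test-ForestDns {
    param([string]$ForestName)
    $srv = "_ldap._tcp.dc._msdcs.$ForestName"
    try {
        $recs = Resolve-DnsName -Name $srv -Type SRV -ErrorAction Stop
        "OK: $($recs.Count) DC SRV record(s) for $ForestName"
    } catch {
        "FAIL: cannot resolve $srv ($($_.Exception.Message))"
    }
}
$results["DNS->$PartnerForest"] = Test-ForestDns $PartnerForest
$results["DNS->$rootDom"]       = Test-ForestDns $rootDom

# 3. Forest functional level must be Windows Server 2003 or higher; the
#    "Windows 2003 interim" level does not qualify and sorts below it.
$level = [System.DirectoryServices.ActiveDirectory.ForestMode]::Windows2003Forest
$mode  = $forest.ForestMode
$results['ForestFunctionalLevel'] = if ($mode -ge $level) { "OK: $mode" } else { "FAIL: $mode" }

[pscustomobject]$results | Format-List
```

The DNS and functional-level checks only cover the forest you are in; the partner forest has to run the same checks from its own root domain, since its functional level is not visible across a trust that does not exist yet. If you hold the required membership in both forests, run the script once on each side and the wizard can then create both halves of the trust in one pass.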

The New Trust wizard for setting up a forest trust (pictured in the original article) is located in Active Directory Domains and Trusts. Simply right-click on the forest root domain and click Properties, then click New Trust under the Trust tab.

One of the important things about trusts in Windows Server 2003 is that you have the ability to specify which way the trust will operate. When you set the trust up, you will be asked for the direction of the trust. But it is very easy to make a common Windows NT 4.0 mistake when creating trusts: creating the trust in the wrong direction. We'll look at that in part two of this series: "Who do you trust? Options for setting up forest-to-forest trusts."

About the author: Douglas Paddock is an IT instructor at Louisville Technical Institute in Louisville, Ky. He holds CIW Security Analyst, CIW Instructor, MCSE, MCT, MCSA, A+ and N+ certifications.

This was first published in May 2003
