
Domain Controller and Active Directory (part 2)

Overview
• Active Directory Forest
• Domain Trust
Active Directory Forest
• Concepts
• Relationship between domains in a forest
• How to create a child domain
• Raising Forest and Domain Functional Levels
• What Is Forest and Domain Functionality?
• Requirements for Enabling New Windows Server 2003 Features
• How to Raise the Functional Level
Active Directory Forest
Concepts

A child domain is part of a larger domain name in the DNS hierarchy.

A parent domain is the domain one level above another in a domain tree.

A tree consists of a single domain or of multiple domains in a contiguous namespace. The tree root domain is the first domain created in a tree.

A forest is a collection of one or more domain trees that share a common schema and have implicit trust relationships between them. This arrangement is used when you have multiple root DNS names.

The forest root domain is the first domain created in a forest.
Relationship between domains in a forest

Each child domain has an automatic two-way trust relationship with its parent domain.

Every tree root domain has a transitive trust relationship with the forest root domain.

Transitive trust is applied automatically for all domains that are members of the domain tree or forest.
How to create a Child domain

Create a child domain:
1. Click Start, click Run, and then type dcpromo to start the Active Directory Installation Wizard.
2. On the Domain Controller Type page, click Domain controller for a new domain.
3. On the Create New Domain page, click Child domain in an existing domain tree.
4. On the Child Domain Installation page, verify the parent domain and type the new child domain name.
5. Restart the computer.
Raising Forest and Domain Functional Levels
• What Is Forest and Domain Functionality?
• Requirements for Enabling New Windows Server 2003 Features
• How to Raise the Functional Level
What Is Forest and Domain Functionality?

Raising the functional level enables forest-wide or domain-wide Active Directory features.

Network environment               Domain functional level        Forest functional level
Windows 2000 mixed-mode domain    Windows 2000 mixed             Windows 2000
Windows 2000 native-mode domain   Windows 2000 native            Windows 2000
Windows Server 2003 domain        Windows Server 2003            Windows Server 2003
Windows Server 2003 interim       Windows Server 2003 interim    Windows Server 2003 interim
Requirements for Enabling New Windows Server 2003 Features

Requirement                        Domain                                    Forest
Domain controllers must run        Windows Server 2003                       Windows Server 2003
Domain functional level must be    Raised to Windows Server 2003             Able to be raised to Windows Server 2003
Administrator                      Domain administrator, to raise the        Enterprise administrator, to raise the
                                   domain functional level                   forest functional level
How to Raise the Functional Level

Raise the domain functional level to Windows Server 2003:
1. Open Active Directory Domains and Trusts.
2. Examine the functional level of your domain, and then raise it to Windows Server 2003.
3. Close Active Directory Domains and Trusts.

Raise the forest functional level:
1. In Active Directory Domains and Trusts, in the console tree, right-click Active Directory Domains and Trusts, and then click Raise Forest Functional Level.
2. In the Select an available forest functional level dialog box, select Windows Server 2003, and then click Raise.

Note: After you raise the domain or forest functional level, it cannot be lowered.
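The requirements and the irreversibility rule above can be turned into a preflight check that an administrator runs against an inventory before touching the console. The following Python is an added example, not material from the slides, and it does not call Active Directory: it encodes the rules stated on the preceding slides (every domain controller on Windows Server 2003, each domain raised or able to be raised before the forest, Domain Admins for the domain level, Enterprise Admins for the forest level, no lowering once raised) and runs them against a constructed inventory. The domain controller names, the role names and the Windows 2000 forest level are assumptions; the Windows Server 2003 interim level is left out of the model.

```python
"""Preflight model for raising domain and forest functional levels.

Added example: not the slides' own material and not a call into Active
Directory. Inventory below is constructed; the interim level is omitted.
"""
from dataclasses import dataclass

# Functional levels in ascending order; the names are the ones the slides use.
DOMAIN_LEVELS = ["Windows 2000 mixed", "Windows 2000 native", "Windows Server 2003"]
FOREST_LEVELS = ["Windows 2000", "Windows Server 2003"]

# Oldest domain controller operating system each domain level tolerates.
MIN_DC_OS = {
    "Windows 2000 mixed": "Windows NT 4.0",
    "Windows 2000 native": "Windows 2000",
    "Windows Server 2003": "Windows Server 2003",
}
OS_RANK = {"Windows NT 4.0": 0, "Windows 2000": 1, "Windows Server 2003": 2}


@dataclass
class DomainController:
    name: str
    os: str


@dataclass
class Domain:
    name: str
    level: str
    dcs: list


@dataclass
class Forest:
    name: str
    level: str
    domains: list


def domain_blockers(domain, target, operator_role):
    """Reasons the domain cannot be raised to target; an empty list means go."""
    reasons = []
    # Levels only move up: a raise to the current or a lower level is refused.
    if DOMAIN_LEVELS.index(target) <= DOMAIN_LEVELS.index(domain.level):
        reasons.append(f"{domain.name}: already at {domain.level}; "
                       "a functional level cannot be lowered")
    # Every domain controller must run an OS the target level tolerates.
    for dc in domain.dcs:
        if OS_RANK[dc.os] < OS_RANK[MIN_DC_OS[target]]:
            reasons.append(f"{domain.name}: DC {dc.name} runs {dc.os}")
    if operator_role != "Domain Admins":
        reasons.append(f"{domain.name}: raising the domain level requires Domain Admins")
    return reasons


def raise_domain_level(domain, target, operator_role):
    """Apply the raise when nothing blocks it; return the blockers either way."""
    reasons = domain_blockers(domain, target, operator_role)
    if not reasons:
        domain.level = target
    return reasons


def forest_blockers(forest, target, operator_role):
    """Reasons the forest cannot be raised to target."""
    reasons = []
    if FOREST_LEVELS.index(target) <= FOREST_LEVELS.index(forest.level):
        reasons.append(f"forest {forest.name}: already at {forest.level}; "
                       "a functional level cannot be lowered")
    # Every domain must already be at the target level or be able to reach it.
    for domain in forest.domains:
        if domain.level != target:
            reasons.extend(domain_blockers(domain, target, "Domain Admins"))
    if operator_role != "Enterprise Admins":
        reasons.append(f"forest {forest.name}: raising the forest level "
                       "requires Enterprise Admins")
    return reasons


def raise_forest_level(forest, target, operator_role):
    """Raise the forest and, with it, every domain that was only able to be raised."""
    reasons = forest_blockers(forest, target, operator_role)
    if not reasons:
        for domain in forest.domains:
            domain.level = target
        forest.level = target
    return reasons


def build_example():
    """Constructed inventory: a root domain ready for the raise and a child
    domain that still holds one Windows 2000 domain controller."""
    root = Domain("nwtraders.msft", "Windows 2000 native",
                  [DomainController("HQ-DC1", "Windows Server 2003"),
                   DomainController("HQ-DC2", "Windows Server 2003")])
    child = Domain("vancouver.nwtraders.msft", "Windows 2000 mixed",
                   [DomainController("VAN-DC1", "Windows Server 2003"),
                    DomainController("VAN-DC2", "Windows 2000")])
    return Forest("nwtraders.msft", "Windows 2000", [root, child])


if __name__ == "__main__":
    forest = build_example()
    root, child = forest.domains
    print(raise_domain_level(root, "Windows Server 2003", "Domain Admins"))
    print(raise_domain_level(child, "Windows Server 2003", "Domain Admins"))
    print(raise_forest_level(forest, "Windows Server 2003", "Enterprise Admins"))
    child.dcs[1].os = "Windows Server 2003"  # after VAN-DC2 has been upgraded
    print(raise_forest_level(forest, "Windows Server 2003", "Enterprise Admins"))
    print(raise_domain_level(root, "Windows 2000 native", "Domain Admins"))
```

The forest check deliberately reuses the domain check for every domain that is not yet at the target level: that is the "able to be raised" column of the requirements table, and it is what makes the single remaining Windows 2000 domain controller block the forest raise even though the root domain itself is ready.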
Domain Trust
• What Are Trusts?
• Trust Categories
• Direction of Trusts
• Types of Trusts
• Forest Trusts
• Shortcut Trusts
• External Trusts
• Realm Trusts
• How Trusts Work in a Forest
• How Trusts Work Across Forests
• How to create a Forest Trust
What are Trusts?

Trusts are the mechanisms that ensure that users who are authenticated in their own domains can access resources in any trusting domain or forest.

Trust categories:  Transitive trusts; Nontransitive trusts
Trust directions:  One-way incoming trust; One-way outgoing trust; Two-way trust
Trust types:       Forest, shortcut, external, realm

Trust Categories

Transitive trusts are always two-way: both domains in the relationship trust each other. Each time you create a new child domain, a two-way transitive trust relationship is created between the parent domain and the new child domain.

Each time you create a new domain tree in a forest, a two-way transitive trust relationship is created between the forest root domain and the new domain.

• Nontransitive trusts are not automatic and must be set up explicitly.
• All trust relationships established between domains that are not in the same forest are nontransitive.
Direction of Trusts

Figure: a one-way trust drawn from Domain A to Domain B. The trust is outgoing at Domain A and incoming at Domain B; access flows in the opposite direction, from Domain B to Domain A.
Types of Trusts

Figure: two forests and a Kerberos realm. Forest 1 contains Domain D (the forest root), Domain E, Domain A, Domain B, Domain F and Domain C; Forest 2 contains a forest root domain with Domain P and Domain Q. The trusts drawn are the parent/child trusts inside each forest, a tree/root trust, a shortcut trust between two domains of Forest 1, a forest trust between the two forest root domains, an external trust from a domain in Forest 1 to a domain in Forest 2, and a realm trust from a domain in Forest 1 to the Kerberos realm.
Forest Trusts

A forest trust is a trust between two Windows Server 2003 forests. A forest trust:
• Forms the trust relationships between every domain in both forests
• Is created between the forests involved in the trust
• Is transitive for all of the domains in the two forests
• Does not carry its transitivity onward: the transitivity does not flow between forests
Shortcut Trusts

Figure: a forest with Domain D (root), Domain E, Domain A, Domain B, Domain F and Domain C, with a shortcut trust drawn between two of the non-root domains.

A shortcut trust:
• Reduces authentication time in complex forests
• Is transitive
• Can be one-way or two-way
External Trusts

Figure: Forest 1 (Domain D as root, with Domain E, Domain A, Domain B, Domain F and Domain C) and Forest 2 (a root domain with Domain P and Domain Q), with an external trust drawn between one domain in each forest.

An external trust is:
• A trust that is manually created between two Active Directory domains located in different forests, or between an Active Directory domain and a Windows NT 4.0 or earlier domain
• Nontransitive
• One-way
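The trust rules spread over the preceding slides (automatic transitive parent/child and tree-root trusts inside a forest, shortcut trusts that cut the referral path, forest trusts that are transitive for both forests but do not flow on into a third forest, and one-way nontransitive external trusts) can be checked against a small model that computes the chain of trusts a referral must follow. The following Python is an added example and not material from the slides. nwtraders.msft and contoso.msft are names that appear on a later slide; the child domains under them, fabrikam.msft and the Windows NT 4.0 domain LEGACY are constructed, and realm trusts are not modelled.

```python
"""Trust-path model for Active Directory domains and forests.

Added example, not the slides' own material. Each trust is a directed edge
trusting -> trusted (the trusting domain accepts users authenticated by the
trusted domain); a two-way trust is two edges. A chain of trusts is usable
under the rules the slides state:
  - parent/child, tree-root and shortcut trusts are transitive inside a forest
  - a forest trust is transitive for every domain of the two forests, but the
    transitivity does not flow into a third forest (one forest trust per chain)
  - external trusts are nontransitive: only the two domains directly joined
    are affected, so an external trust has to be the whole chain
"""
from collections import deque

INTRA_FOREST = {"parent_child", "tree_root", "shortcut"}


class TrustGraph:
    def __init__(self):
        self.trusts = {}  # trusting domain -> list of (trusted domain, kind)

    def add_domain(self, name):
        self.trusts.setdefault(name, [])

    def add_trust(self, trusting, trusted, kind, two_way=True):
        self.add_domain(trusting)
        self.add_domain(trusted)
        self.trusts[trusting].append((trusted, kind))
        if two_way:
            self.trusts[trusted].append((trusting, kind))

    def trust_path(self, resource_domain, user_domain):
        """Shortest list of domains a referral walks so that resource_domain
        accepts a user authenticated by user_domain; None if no chain exists."""
        # state = (domain, a forest trust was already crossed, chain ends here)
        start = (resource_domain, False, False)
        previous = {start: None}
        queue = deque([start])
        while queue:
            state = queue.popleft()
            domain, crossed_forest, terminal = state
            if domain == user_domain:
                return self._chain(previous, state)
            if terminal:
                continue
            for trusted, kind in self.trusts[domain]:
                if kind == "external":
                    if state != start:
                        continue  # nontransitive: usable only as the direct trust
                    nxt = (trusted, crossed_forest, True)
                elif kind == "forest":
                    if crossed_forest:
                        continue  # transitivity does not flow into a third forest
                    nxt = (trusted, True, False)
                elif kind in INTRA_FOREST:
                    nxt = (trusted, crossed_forest, False)
                else:
                    raise ValueError(f"unknown trust kind {kind!r}")
                if nxt not in previous:
                    previous[nxt] = state
                    queue.append(nxt)
        return None

    @staticmethod
    def _chain(previous, state):
        chain = []
        while state is not None:
            chain.append(state[0])
            state = previous[state]
        return chain[::-1]


def hops(path):
    """Number of trusts crossed by a path, or None when there is no path."""
    return None if path is None else len(path) - 1


def build_example(shortcut=False):
    """Constructed topology: two forests joined by a forest trust, a third
    forest trusted only by the second, and an NT 4.0 domain trusted externally."""
    g = TrustGraph()
    # Forest 1: nwtraders.msft is the forest root (the slides' Domain D)
    g.add_trust("nwtraders.msft", "a.nwtraders.msft", "parent_child")
    g.add_trust("nwtraders.msft", "e.nwtraders.msft", "parent_child")
    g.add_trust("a.nwtraders.msft", "b.a.nwtraders.msft", "parent_child")
    g.add_trust("a.nwtraders.msft", "c.a.nwtraders.msft", "parent_child")
    g.add_trust("e.nwtraders.msft", "f.e.nwtraders.msft", "parent_child")
    if shortcut:  # cuts the referral path between the two deepest domains
        g.add_trust("f.e.nwtraders.msft", "c.a.nwtraders.msft", "shortcut")
    # Forest 2 and a single-domain Forest 3
    g.add_trust("contoso.msft", "q.contoso.msft", "parent_child")
    g.add_domain("fabrikam.msft")
    # Forest trusts are created between forest root domains
    g.add_trust("nwtraders.msft", "contoso.msft", "forest")
    g.add_trust("contoso.msft", "fabrikam.msft", "forest")
    # One-way outgoing external trust from f.e.nwtraders.msft to an NT 4.0 domain
    g.add_trust("f.e.nwtraders.msft", "LEGACY", "external", two_way=False)
    return g


if __name__ == "__main__":
    for with_shortcut in (False, True):
        g = build_example(with_shortcut)
        path = g.trust_path("f.e.nwtraders.msft", "c.a.nwtraders.msft")
        print("shortcut" if with_shortcut else "no shortcut", hops(path), path)
    g = build_example()
    print(g.trust_path("nwtraders.msft", "fabrikam.msft"))  # None: no third-forest transitivity
    print(g.trust_path("e.nwtraders.msft", "LEGACY"))        # None: external trust is nontransitive
```

Run as a script, the model shows the four-trust referral path between f.e.nwtraders.msft and c.a.nwtraders.msft collapsing to one trust once the shortcut exists, which is the "reduces authentication time" claim of the shortcut-trust slide; the two None results are the nontransitive cases, a user from a third forest and a domain that only has an external trust via its child.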
Realm Trusts

A realm trust:
• Is a trust between a Kerberos realm and an Active Directory domain
• Can be transitive or nontransitive
• Can be one-way or two-way
• Allows cross-platform interoperability with security services based on other Kerberos V5 versions

Figure: a forest whose root domain has Domain A, Domain B and Domain C below it, with a realm trust drawn from one of the domains to a Kerberos realm.
Kerberos Realm

Kerberos is a secure method for authenticating a request for a service in a computer network.

Kerberos builds on symmetric key cryptography or public key cryptography and requires a trusted third party.

A Kerberos realm is the set of Kerberos principals that are registered within a Kerberos server.
How Trusts Work in a Forest

Figure: a forest root domain with two domain trees, Tree One (a tree root domain, Domain 1 and Domain 2) and Tree Two (Domain A, Domain B and Domain C). Authentication between domains in different trees is referred along the transitive trust path, up through the tree root domains and the forest root domain.
How Trusts Work Across Forests

Figure: Forest 1 (nwtraders.msft, with child domain vancouver.nwtraders.msft) and Forest 2 (contoso.msft, with child domain seattle.contoso.msft), joined by a forest trust between the forest root domains; each forest has a global catalog. The numbered steps 1 to 9 of the diagram trace an authentication request between vancouver.nwtraders.msft and seattle.contoso.msft across the forest trust; the step descriptions are not preserved in this extraction.
How to create a Forest Trust

Create a forest trust:
1. Open Active Directory Domains and Trusts.
2. Right-click the domain node for the forest root domain, and then click Properties.
3. On the Trust tab, click New Trust.
4. On the Trust Name page, type the DNS name of the other forest.
5. On the Trust Type page, click Forest trust.
6. On the Direction of Trust page, do one of the following:
   - To create a two-way forest trust, click Two-way.
   - To create a one-way incoming forest trust, click One-way: incoming (users in the specified forest will not be able to access any resources in this forest).
   - To create a one-way outgoing forest trust, click One-way: outgoing (users in this forest will not be able to access any resources in the specified forest).
Lab: Implementing Active Directory
• Creating an Active Directory Forest Root Domain
• Creating an Active Directory Child Domain
• Raising Domain and Forest Functional Level
• Creating a Forest Trust
