Easily build inter-forest trusts with Win 2003


Windows 2000 lets companies integrate different business units into a single structure, the Active Directory forest, something that was not possible in Windows NT 4.0. Many business units that could not coexist in an NT 4.0 domain can now coexist peacefully in organizational units (OUs) or domains of one Active Directory forest. But as even advocates of a single-forest structure acknowledge, there are cases where business units cannot coexist. Sometimes commercial or political reasons require you to build a separate forest. In many such cases, users in the separate forest still need access to resources in the central forest, so you need to build a trust between the central forest and the other forests. In Windows 2003 you can establish trust relationships between domains in different forests exactly as you did in NT 4.0, but Windows Server 2003's new forest trust feature makes it much simpler.

Multi-forest example

From an information security perspective, a domain is not only a security boundary but also a replication and administrative boundary. Members of the root domain's Administrators, Domain Admins, and Enterprise Admins groups can easily gain access to any machine in the forest, so the only way to truly isolate resources is to put them in a separate forest.

You don't need to abandon the idea of a single forest, but you should adjust it: keep the number of forests to a minimum and add a forest only when necessary. For a standard on how to decide whether to create a forest, see the Microsoft white paper “Design Considerations for Delegation of Administration in Active Directory” (http://www.microsoft.com/windows2000/techinfo/planning/activedirectory/addeladmin.asp). This white paper clearly illustrates the security boundaries between OUs, domains, and forests, and shows how to decide whether to put a business unit into a separate forest.

When do you need a separate forest? Several situations call for one. The most common is the need to guarantee administrative autonomy (the equivalent of “I don't trust you”). Another is a business unit that already runs its own Windows 2000 forest and cannot be migrated immediately; since that forest will be around for a while, you need a way to coexist with it. A third situation concerns the forest schema. Remember that the schema (the definition of the AD structure) is shared throughout the forest; if you need to change the schema frequently, do it in a separate forest so that you change the central forest's schema only when necessary.

Resource separation is another important reason to establish a separate forest. For example, a legal department's information may need to be kept separate, as may protected contracts. In some industries, such as banking, sharing customer information is penalized.

Trusts within a Windows 2000 forest

Within a Windows 2000 forest, the Kerberos security protocol automatically establishes trust relationships between domains. An important feature of Kerberos is support for transitive trust: if domain A trusts domain B and domain B trusts domain C, domain A automatically trusts domain C. An easy way to remember transitive trust is “a friend of my friend is my friend”. This feature makes the concept of a domain tree possible, and automatic Kerberos ticket referrals allow one domain in the forest to trust every other domain automatically. The two-way Kerberos trusts within a forest are also called "internal trusts". To learn more about Kerberos in Windows 2000, see the Microsoft white paper "Windows 2000 Kerberos Authentication" (http://www.microsoft.com/windows2000/techinfo/howitworks/security/kerberos.asp).

Trusts outside a Windows 2000 forest

Trust relationships outside the forest are more primitive. In Windows 2000, Kerberos cannot establish trusts across forests; NT LAN Manager (NTLM) is used instead to establish trusts with NT 4.0 domains and with Windows 2000 domains in other forests. These trusts are called “external trusts”. (A third type, the “shortcut trust”, uses Kerberos to connect subdomains of two domain trees directly to improve performance.)

External trusts have the same limitations as NT 4.0 trusts: they are not as secure as Kerberos trusts and they are not transitive. So you soon end up in the same situation as in NT 4.0, having to maintain a trust for every domain in every forest.

Forest trusts in Windows Server 2003

A forest trust is a trust that connects the root domains of two forests. It lets you tie friendly forests together simply and easily, and it is faster and more flexible than an NTLM trust. Because a forest trust uses Kerberos rather than NTLM, the trust between the two forests is transitive: if forest A trusts forest B, every domain in forest A trusts every domain in forest B. However, the trust is not transitive from forest to forest. If forest A trusts forest B and forest B trusts forest C, forest A does not automatically trust forest C. This is the same rule as for NTLM trusts, scaled up to the forest level, and as with NTLM trusts you can establish a one-way or a two-way trust.
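The three trust rules stated above (Kerberos trusts are transitive inside a forest, external NTLM trusts bind exactly two domains, and a forest trust is transitive across every domain of the two forests but never chains on to a third forest) are easy to get wrong when reasoning about who can reach what. The following model is an added example, not code from the original article: it encodes those rules as a path search over trust edges and checks them against a constructed scenario of three forests plus a legacy domain. All domain and forest names are made up for illustration.

```python
"""Toy model of the trust rules described in the article (added example).

Domain, forest and trust names are constructed for illustration and are not
from the original article.  Three trust kinds are modelled:
  intra-forest  Kerberos, two-way, transitive inside one forest
  external      NTLM, between exactly two domains, non-transitive
  forest        Kerberos, between two forest roots, transitive across all
                domains of both forests, but not chained to a third forest
"""
from collections import deque

INTRA, EXTERNAL, FOREST = "intra-forest", "external", "forest"


class TrustModel:
    def __init__(self):
        self.forest_of = {}   # domain -> forest name
        self.edges = {}       # trusting domain -> {(trusted domain, kind)}

    def add_domain(self, domain, forest):
        self.forest_of[domain] = forest
        self.edges.setdefault(domain, set())

    def _add(self, trusting, trusted, kind):
        self.edges[trusting].add((trusted, kind))

    def add_intra_forest_trust(self, a, b):
        # Parent/child or tree-root trust: always two-way inside one forest.
        assert self.forest_of[a] == self.forest_of[b]
        self._add(a, b, INTRA)
        self._add(b, a, INTRA)

    def add_external_trust(self, trusting, trusted, two_way=False):
        # NTLM-style trust: binds only these two domains, nothing around them.
        assert self.forest_of[trusting] != self.forest_of[trusted]
        self._add(trusting, trusted, EXTERNAL)
        if two_way:
            self._add(trusted, trusting, EXTERNAL)

    def add_forest_trust(self, trusting_root, trusted_root, two_way=False):
        # Windows 2003 forest trust: created between the two forest root domains.
        assert self.forest_of[trusting_root] != self.forest_of[trusted_root]
        self._add(trusting_root, trusted_root, FOREST)
        if two_way:
            self._add(trusted_root, trusting_root, FOREST)

    def can_authenticate(self, resource_domain, account_domain):
        """True if an account from account_domain can be authenticated to a
        resource in resource_domain.  Walks trust edges outward from the
        resource domain; 'crossed' remembers which kind of cross-forest edge
        the path has already used, because at most one is ever allowed."""
        start = (resource_domain, None)
        queue, seen = deque([start]), {start}
        while queue:
            domain, crossed = queue.popleft()
            if domain == account_domain:
                return True
            if crossed == EXTERNAL:
                continue                # an external trust reaches exactly one domain
            for nxt, kind in self.edges[domain]:
                if kind == INTRA:
                    state = (nxt, crossed)      # transitive inside a forest
                elif crossed is not None:
                    continue                    # no chaining on to a third forest
                elif kind == EXTERNAL and domain != resource_domain:
                    continue                    # external: no intra-forest hops before it
                else:
                    state = (nxt, kind)         # first (and only) cross-forest hop
                if state not in seen:
                    seen.add(state)
                    queue.append(state)
        return False


def build_example_model():
    """Constructed scenario: forests A, B, C plus a legacy NT-style domain."""
    m = TrustModel()
    for domain, forest in [("a.example", "A"), ("eng.a.example", "A"),
                           ("b.example", "B"), ("hr.b.example", "B"),
                           ("c.example", "C"), ("legacy.example", "LEGACY")]:
        m.add_domain(domain, forest)
    m.add_intra_forest_trust("a.example", "eng.a.example")
    m.add_intra_forest_trust("b.example", "hr.b.example")
    m.add_forest_trust("a.example", "b.example")    # forest A trusts forest B (one-way)
    m.add_forest_trust("b.example", "c.example")    # forest B trusts forest C (one-way)
    m.add_external_trust("eng.a.example", "legacy.example")
    return m


if __name__ == "__main__":
    m = build_example_model()
    for res, acct in [("eng.a.example", "hr.b.example"), ("hr.b.example", "eng.a.example"),
                      ("a.example", "c.example"), ("eng.a.example", "legacy.example"),
                      ("a.example", "legacy.example")]:
        print(f"{acct:>16} -> {res:<16} {m.can_authenticate(res, acct)}")
```

Running the scenario shows each rule in turn: an account in hr.b.example reaches eng.a.example through the one-way forest trust, but not the reverse; forest A never reaches forest C even though B trusts C; and the external trust from eng.a.example lets legacy.example accounts in only there, not into the root domain a.example.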

Advantages of Forest Trust

Two advantages of forest trusts are cross-forest authentication and cross-forest authorization. Cross-forest authentication lets users in the trusted forest log on to the trusting forest without having to create a duplicate account. Cross-forest authorization lets you assign permissions to users in the trusted forest so that they can access resources in the trusting forest, again without duplicating accounts. Neither endangers the forest's security perimeter.
