To understand the configuration and management of a multi-domain environment, an overview of Active Directory Domain Services (referred to here as Active Directory) is given.
An AD server is known as a domain controller; it hosts a database that holds objects describing users and resources.
The Active Directory Domain Services role provides a centralised point of control over users, clients, servers and hardware across a network.
AD consists of a highly scalable hierarchical database, based on the Microsoft X.500 directory service, and a means of accessing that database, the Lightweight Directory Access Protocol (LDAP).
The database allows administrators to store users and resources in a manner that suits their organisational structure. For example, if an organisation tracks users by location then AD can be structured by location; if it tracks users by department then AD can be structured by department.
The features that make the directory service flexible are:
Hierarchical organisation: allows administrators simplified management of security policies and resources.
Distributed database: centrally stored data which can be distributed across many network servers for ease of access from multiple locations.
Replication: automatic between domain controllers, ensuring data is held in multiple locations for redundancy and that every domain controller possesses consistent, up-to-date information.
Scalability: AD can store millions of objects, and high-performance data retrieval is supplied through Global Catalog server indexing. All domain controllers are global catalog servers by default.
Security: administrators control access to directory objects and properties through granular access controls. AD supports Kerberos authentication, which is compatible with other systems and internet applications.
Flexibility: AD is pre-packaged with some objects, such as groups and users. New objects may be added to fit the organisation.
Policy-based administration: to ensure security and consistency throughout the enterprise, administrators can set policies for users and apply different sets of rules to objects such as sites, departments or groups.
Structure of a multi-domain environment
When installing Active Directory on the first server, a Domain, a Tree and a Forest are automatically created. Below is an example of a multi-domain structure with trust connections; the trust connections are discussed later.
Where multiple domains are required each Domain has a domain controller with its own copy of the AD database. Multiple domains are utilised for reasons such as geographical boundaries or departmental boundaries. Enterprises create these boundaries for reasons such as isolation of data for security, speed of data retrieval, delegation of administration and different services requirements.
Multiple Domains are inter-connected by trusts which allow the sharing of resources.
A Domain is the main unit in a multi-domain environment; containing OUs, it is the security, policy and administrative boundary. It is defined as a logical group of computers that share the same Active Directory database.
Where possible the number of domains should be kept to a minimum: the more domains created, the higher the administration and hardware/software costs.
Organisational Unit (OU)
An OU is the primary container object for dividing a domain into more manageable segments, delegating administration and applying group policies for security. OUs can be nested. An object can only be in one OU. Group policy is applied to the OU.
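The domain and OU hierarchy described above is what an object's LDAP distinguished name (DN) spells out: the DC= components name the domain, the OU= components name the nested containers, and the leading RDN names the object. The following Python is an added example, not part of the essay or of any Microsoft tooling; it parses a DN, derives the domain and OU chain, and lists the policies linked to each container in the order they apply (domain first, then OUs from outermost to innermost, the standard processing order; site-level links are left out). All DNs, OU names and policy names are constructed for illustration.

```python
"""Added example (not from the essay): locating an object in the AD hierarchy.

An object's LDAP distinguished name (DN) encodes exactly where it sits:
the DC= parts name the domain, the OU= parts name the nested containers,
and the leading RDN names the object itself.  From that we can list the
containers whose policies reach the object.  All DNs, OU names and policy
names here are constructed for illustration.
"""
from typing import Dict, List, Tuple


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) pairs, leftmost (most specific) first.
    A backslash escapes the next character, so 'CN=Smith\\, John' is one value."""
    parts: List[str] = []
    current: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    pairs = []
    for part in parts:
        attr, _, value = part.strip().partition("=")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def domain_of(dn: str) -> str:
    """DNS name of the domain holding the object, e.g. 'sales.learn.com'."""
    return ".".join(value for attr, value in parse_dn(dn) if attr == "DC")


def ou_chain(dn: str) -> List[str]:
    """OU names from the domain root down to the OU that holds the object."""
    ous = [value for attr, value in parse_dn(dn) if attr == "OU"]
    return list(reversed(ous))


def container_dns(dn: str) -> List[str]:
    """DNs of the domain root and each nested OU, outermost first.
    An object has exactly one such chain because it lives in exactly one OU."""
    pairs = parse_dn(dn)[1:]          # drop the object's own RDN
    chain: List[str] = []
    for i, (attr, _) in enumerate(pairs):
        suffix = ",".join(f"{a}={v}" for a, v in pairs[i:])
        if attr == "OU":
            chain.append(suffix)
        elif attr == "DC":
            chain.append(suffix)      # the first DC part starts the domain root
            break
    return list(reversed(chain))


def effective_policies(dn: str, links: Dict[str, List[str]]) -> List[str]:
    """Policies linked to the object's containers, in the order they apply:
    domain first, then each OU from outermost to innermost.  Where settings
    conflict, a policy applied later in this list wins (standard domain/OU
    processing order; site links are left out of this example)."""
    applied: List[str] = []
    for container in container_dns(dn):
        applied.extend(links.get(container, []))
    return applied


# Constructed sample: a user in learn.com, nested two OUs deep, plus a user
# in the child domain sales.learn.com, which has its own (empty) policy links.
POLICY_LINKS: Dict[str, List[str]] = {
    "DC=learn,DC=com": ["Default Domain Policy"],
    "OU=London,DC=learn,DC=com": ["London Screen Lock"],
    "OU=Sales,OU=London,DC=learn,DC=com": ["Sales Drive Mapping"],
}
USER_DN = "CN=Smith\\, John,OU=Sales,OU=London,DC=learn,DC=com"
CHILD_DOMAIN_USER = "CN=Alice,OU=Staff,DC=sales,DC=learn,DC=com"

if __name__ == "__main__":
    print(domain_of(USER_DN), ou_chain(USER_DN))
    print(effective_policies(USER_DN, POLICY_LINKS))
    # A child domain is a separate policy boundary: none of learn.com's links apply.
    print(domain_of(CHILD_DOMAIN_USER), effective_policies(CHILD_DOMAIN_USER, POLICY_LINKS))
```

Note that the parser drops the escaping backslash when it reads a value, so a value containing a comma must be re-escaped before it is joined back into a DN; the example avoids that by only re-joining container components.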
A group of domains that share the same domain namespace, such as Learn.com, is known as a Tree, and takes on a hierarchical structure from the root domain. Further domains added beneath the root domain are known as child domains of the root (parent) domain.
If there is another group of domains with a different namespace such as teach.com in the same enterprise environment they are another Tree. Both trees are part of the same Forest.
A forest consists of one or more domains arranged in one or more trees. Microsoft recommends that the forest root domain, the first domain created in an Active Directory forest, is reserved solely for administration of the forest infrastructure.
The forest holds the schema which defines which objects are stored and how they are stored across the multi-domain environment. The schema master role is discussed later.
Sites and services
Two-way transitive trusts are automatically created by AD. Trusts enable users in one Domain to find resources in another domain. Trusts do not allow access to resources, merely the path to resources.
Users must be authenticated and have permissions to access resources on another domain.
Two-way transitive trusts
These are established at the Forest level meaning trusts can be established between trees and domains in the forest.
In two-way transitive trusts, each tree or domain trusts the authority of the other tree or domain for authentication.
This can be described as "I trust your authority, and the authority of anyone you trust" (A trusts B, B trusts C, therefore A trusts C, and vice versa).
When a child domain is created a transitive trust is automatically created between the parent and child domains. When a new tree is added to the forest, a transitive trust is created by AD.
Other types of trust are explained below.
One-way trust
A one-way trust path is used when access between two domains is restricted to a single domain.
Example: the sales domain trusts the accounts domain, but the accounts domain does not trust the sales domain.
Non-transitive trust
Non-transitive trusts are set to allow direct trusts between two controllers. They work alongside transitive trusts, but the connection stops where the non-transitive trust ends.
In a two-way non-transitive relationship, A trusts B and B trusts C, but A does not trust C. For A to trust C, another non-transitive trust must be set between A and C.
A one-way non-transitive trust is used, for example, to connect to an older Windows NT4 system. To make this trust two-way you create two one-way trusts between the systems, one inbound to and one outbound from NT4.
Shortcut trust (direct, two-way)
Shortcut trusts are administrator-initiated manual trusts, set to provide a direct link between two domain controllers that communicate regularly.
If a controller at the bottom of one hierarchical tree communicates regularly with a controller in another tree, then with transitive trusts alone many trusts must be negotiated up through the hierarchy before a link is completed.
This is a much slower communication process than having a direct shortcut between both controllers.
The administrator requires authentication on both servers to set up a shortcut trust using the wizard.
Forest trust
Forest trusts are manually created to join two forests together. These trusts are employed if, for example, an enterprise buys another company with its own forest, trees and domains.
Forest trusts are transitive, allowing links to share resources between the two companies in separate forests.
When setting up a forest trust, either Forest-wide authentication or Selective authentication is offered. Selective authentication gives the administrator greater access control by choosing which resources access is granted to.
Realm trust (one-way, two-way or transitive)
If the other company uses non-Windows systems such as Linux, a Realm trust can be set up; these can be one-way, two-way or even transitive trusts.
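The trust types above (two-way transitive, one-way, non-transitive, shortcut and forest) all reduce to a question a domain controller has to answer: along which chain of trusts will this domain accept a user from that domain? The following Python is an added example, not part of the essay or of any Microsoft tooling. It models each trust as a directed edge from the trusting domain (holding the resources) to the trusted domain (whose users are accepted), with a two-way trust being two edges, and finds the shortest usable chain under the rules the essay describes: a direct trust always works, longer chains may use only transitive trusts, and a forest trust is transitive between the two forests it joins but does not extend to a third forest. The forest and domain layout, and the domain and trust names, are constructed for illustration.

```python
"""Added example (not from the essay): which trust path lets a user in one
domain reach resources in another.

Each trust is a directed edge from the trusting domain (the one holding the
resources) to the trusted domain (the one whose users it accepts).  A two-way
trust is simply two edges.  The forest, domain and trust layout below is
constructed for illustration.
"""
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Trust:
    trusting: str     # domain whose resources are being accessed
    trusted: str      # domain whose users are accepted
    transitive: bool
    kind: str         # "parent-child", "tree-root", "shortcut", "external", "forest", "realm"


def two_way(a: str, b: str, transitive: bool, kind: str) -> List[Trust]:
    """A two-way trust is one trust in each direction."""
    return [Trust(a, b, transitive, kind), Trust(b, a, transitive, kind)]


def trust_path(trusts: List[Trust], resource_domain: str, user_domain: str) -> Optional[List[str]]:
    """Shortest chain of domains along which resource_domain will accept a
    user from user_domain, or None if there is no usable chain.

    Rules modelled:
    - one direct trust is always enough, transitive or not;
    - a chain of two or more trusts may use only transitive trusts, so a
      non-transitive trust is never extended beyond its two domains;
    - a forest trust may appear at most once, since it is transitive between
      the two forests it joins but not onward to a third forest.
    The trust path is only the route for authentication; the user still
    needs permissions on the resource itself."""
    if resource_domain == user_domain:
        return [resource_domain]
    by_trusting: Dict[str, List[Trust]] = {}
    for t in trusts:
        by_trusting.setdefault(t.trusting, []).append(t)

    for t in by_trusting.get(resource_domain, []):
        if t.trusted == user_domain:
            return [resource_domain, user_domain]

    # Breadth-first search over transitive trusts only; the state carries the
    # number of forest trusts used so far so a chain never crosses two.
    queue = deque([(resource_domain, [resource_domain], 0)])
    seen = {(resource_domain, 0)}
    while queue:
        domain, path, forests_used = queue.popleft()
        for t in by_trusting.get(domain, []):
            if not t.transitive:
                continue
            forests = forests_used + (1 if t.kind == "forest" else 0)
            if forests > 1 or (t.trusted, forests) in seen:
                continue
            new_path = path + [t.trusted]
            if t.trusted == user_domain:
                return new_path
            seen.add((t.trusted, forests))
            queue.append((t.trusted, new_path, forests))
    return None


def hops(path: Optional[List[str]]) -> Optional[int]:
    """Number of trusts negotiated along a path (None when unreachable)."""
    return None if path is None else len(path) - 1


# Constructed sample: forest 1 has tree learn.com (child sales.learn.com) and
# tree teach.com (child maths.teach.com); forest 2 is other.corp with child
# hr.other.corp; a third forest, third.example, trusts only other.corp; and
# nt4acct is an older external system trusted one-way by sales.learn.com.
TRUSTS: List[Trust] = (
    two_way("learn.com", "sales.learn.com", True, "parent-child")
    + two_way("learn.com", "teach.com", True, "tree-root")
    + two_way("teach.com", "maths.teach.com", True, "parent-child")
    + two_way("learn.com", "other.corp", True, "forest")
    + two_way("other.corp", "hr.other.corp", True, "parent-child")
    + two_way("other.corp", "third.example", True, "forest")
    + [Trust("sales.learn.com", "nt4acct", False, "external")]   # one-way only
)
SHORTCUT: List[Trust] = two_way("maths.teach.com", "sales.learn.com", True, "shortcut")

if __name__ == "__main__":
    path = trust_path(TRUSTS, "maths.teach.com", "sales.learn.com")
    print(hops(path), path)                                  # 3 hops up one tree and down the other
    print(hops(trust_path(TRUSTS + SHORTCUT, "maths.teach.com", "sales.learn.com")))  # 1 with the shortcut
    print(trust_path(TRUSTS, "learn.com", "nt4acct"))        # None: the external trust is non-transitive
    print(trust_path(TRUSTS, "third.example", "learn.com"))  # None: forest trusts do not chain
```

Running the sample shows each point from the text: the bottom-of-tree domains maths.teach.com and sales.learn.com need three trust negotiations until a shortcut trust makes it one; the one-way external trust lets sales.learn.com accept nt4acct users but not the reverse, and its non-transitivity stops learn.com from using it at all; and third.example cannot reach learn.com because the two forest trusts do not chain through other.corp.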