What You Should Know About Active Directory Trusts in Order to Pass a Microsoft Exam
Microsoft created trusts in order to allow two or more networks to communicate with each other and share relevant data. Of course over time, with the release of newer operating systems and the need to incorporate alternative environments, the configuration of trusts has become more complex. As a result, not only do Microsoft expect you to know how to configure and manage trusts for your chosen exams operating system, but also how to setup trusts with all of the previous operating systemsas well as the other multiple options that trusts provide in a multi-network setup.
Which way to trust
Establishing trusts has evolved over time as Microsoft operating systems have also moved on, so that trusting other networks is carried out with caution. The rule of thumb to stick to within a Microsoft exam environment is that when trusting any other network, only apply the trust that meets the question requirements and nothing more.
The type of trust you are deploying (the details of which are explained below) dictates a to whether it is a one-way or two-way trust. This is self-explanatory, in that if a trust is one-way then it only allows trusting of domain resources in one direction; as you would expect, the access to resources is allowed both ways during two-way trust authentication. Moreover, Microsoft likes to provide diagrams with arrows in an attempt to explain which way the trust is accepted. Figure 1 shows that a one-way trust is set up.
Figure 1 A one-way trust: Domain A trusts Domain B, not the other way round.
This is combined with a bit of Microsoft word play, whereby you will see the words “trusting” and “trusted.” Make sure you are aware of the differences, as in terms of trusts and trust-based questions, it’s huge. Trusting means that the domain is trusting a domain that has been granted access by the trust relationship, in the above diagram that is domain A. Trusted means the domain that is trusted to access resources in the domain; in the example above, that is domain B. In order to remember this I use the rule that if the trust is described as outgoing then it is coming from a trusting network, whereas if the trust is incoming it is from a trusted network. You may have to read that more than once for it to sink in; I know I did!
Choosing the right trust relationship
In most circumstances, this is often chosen for you, either dictated by the natural relationship between domains or by the limitations of the systems you are attempting to setup trusts with. However, there are exceptions, and Microsoft is always looking to test you on the exceptions, as this ensures that you know how their products are used and how flexible it is dependent on the scenario.
- Parent/Child trust One of the trusts created out of the “natural relationship” mentioned earlier. These trusts are two way by default and transitive. They also support Kerberos and NTLMv2 for authentication. And as they sound, these trusts are created via the creation of a child domain (e.g., secondary.domain.com).
- Root/tree trustSimilar to the above in that the trust is created out of a parent/child like formation. Without trust with the root, the entire network infrastructure would fail. Like the above, these trusts are transitive, two-way, and support the same authentication protocols.
- Forest trustNow we are starting to entire slightly more careful territory, as when you are establishing trusts at this level you are normally trusting an entirely different company. The trust exists at the forest level, can be two- or one-way, and transitive or non-transitive. In an exam scenario, you normally face the options of setting up a forest trust between companies or setting up a shortcut trust between company child trees. Make sure you understand what sort of scope a forest trust offers in comparison to a shortcut trust, which is often based on the required resource access in a given exam question.
- Shortcut trustAs briefly mentioned above, the shortcut trust exists between two separate forests, but at the lower levels, such as between trees. The main purpose of a shortcut trust is that it cuts down on domain replication and granting excessive privileges throughout the forest when only a limited amount of access is required.
- External trustsThese are the original trusts, which have existed since NT 4 domains onward. It is common for exam questions to mention trust setup between the latest Windows operating system, depending on your exam choice and the legacy NT 4 systems. These trusts are non-transitive and can be two way. Most importantly, these trusts do not support Kerberos, as it did not exist at the time as an authentication protocol for Windows domains. Instead, the authentication protocol used is NTLM v2.
- Realm trustsThis is the trust mechanism used by Windows and Unix-based systems in order to manage sharing of resources between completely different operating systems. These can be two way, are non-transitive and supports MIT-based Kerberos. You are highly unlikely to see any questions related to this in a Microsoft exam; however, it is always good to identify exactly what this trust is in case it comes up in a multiple choice scenario and catches you off guard.
Setting up the trusts
It is important to familiarize yourself with the Active directory domains and trusts management console as a way of doing just that, setting up the trusts between networks and domains. When it comes to answering simulation based questions on setting up trusts then this management console is the main tool for the job, so you may get tested on this area. The configuration options are based on the criteria above, and the tick boxes and options available make configuration fairly straight forward.
The alternative is the command line tool Netdom. It is highly unlikely that you would be required to configure this in an exam simulation scenario; however, you should be familiar with the basic syntax as this could appear as a multiple choice question option.
Domain wide or selective access
Access to resources once the trust authentication has occurred can be defined in one of two ways. The first is to set up domain-wide access, which, as it suggests, allows domain-wide access to resources based on the subsequent permissions set on them. The second is to set up selective access to resources so that only a certain folder or folders can be accessed by the trusted network. This not only restricts access when the trust relationship exists domain-wide, but also when a shortcut trust is set up with the express purpose of allowing access to minimal resources. This is a common Microsoft exam question, as it is important to limit the access to resources when it isn’t needed.
Transitive or non-transitive?
This is another trust-based feature designed to limit the access to resources within trust relationships, more specifically whether the access is granted to other domains trusted by a subsequent trusted domain.
For example, domain B is trusted by domain A, and domain C is trusted by domain B. So if the trust relationship between domain A and domain B was transitive, then domain A would also trust domain C. If the domain trust was non-transitive, then the trust relationship would exist only between A and B and not C.
Within a Microsoft exam environment, it is important to keep an eye out for whether or not a question mentions transivity or not. It is common whenever a trust question arises, the question of whether it is transitive or not can make a bg difference to getting the correct answer.
Troubleshooting trusts
As always within a Microsoft environment, things don’t always go according to plan, and as Microsoft is as aware of this as we are, they like to make sure you know how to troubleshoot domain trust issues when the arise.
- NetdomAs mentioned earlier, this is the go-to command for troubleshooting trusts between Windows domains. There are a number of switches available, such as the /reset, and /joindomain, which can be used to manage and troubleshoot the secure channel between domains.
- Legacy domain issuesBy this I mean the trust relationships between Windows 2003+ domains and Windows NT 4 domains, and these are often related to authentication issues. Also, there are restrictions with older domains; for example, NT 4 domains don’t support IPsec communications. Just ensure that when you are building up your study notes, you make note of all of the exceptions that can cause trust issues between d,omains as they are a common area for exam questions.
Trusts are a key part of any Microsoft infrastructure exam as managing multiple domains is a common task for any network administrator. And although the concept is fairly straight forward once you can grasp the idea of trusted and trusting domains and transitive and non-transitive access, managing the access to resources once the trust is setup is a much more complex process.