In this chapter, you continued to build on the basics of Active Directory that you learned about in Chapter 2. You began by exploring the various types of trust relationships available in Active Directory. Should your organization employ a multiple forest design, you need to create trust relationships manually so that users in one forest can access resources in other forests.
Two types of crossforest trust relationships are available: external trusts, which are set up between two specific domains, and forest trusts, which establish complete two-way trust relationships between all domains in the forests involved.
In addition, you can set up shortcut trusts, which are specific trusts between two subdomains in the same forest. This type of trust relationship speeds up authentication and data access by allowing the trust path to proceed directly between the domains rather than through the parent domains.
Having set up these trust relationships, you can now manage them in several ways. We showed you how to validate trust relationships to ensure that the trusts have been properly created, change the authentication scope of a trust, and configure name suffix routing in forest trusts. Finally, you learned how to remove a crossforest trust.
Next, you learned about the classes of objects and their attributes that make up the Active Directory schema. Because the schema is vital to the function of Active Directory, Microsoft has implemented safeguards to help ensure that only authorized schema modifications are performed: the Schema snap-in must be registered and installed before it can be used, and only members of the Schema Admins group can modify the schema. Microsoft recommends that you add users to this group only when schema modifications are required and remove them after the modifications are completed.
You also learned what a UPN suffix is and how to add or remove one. The UPN suffix is an additional suffix that can be used to facilitate user logons throughout a forest and to conceal the true domain structure of the enterprise. It is especially useful for users who have long child domain names.
You also learned about creating and configuring sites in Active Directory. You learned about adding domain controllers to sites; configuring site links, site link bridges, and connection objects; and designating preferred bridgehead servers. You also learned what the Inter-Site Topology Generator (ISTG) and the Knowledge Consistency Checker (KCC) do.
Finally, you learned about Active Directory replication. Whereas intrasite replication is essentially automatic because it is determined by the KCC, you can configure intersite replication according to the bandwidth and availability of WAN links connecting the sites. You can modify replication intervals and restrict replication to certain times of the day when other WAN traffic is low. You can also specify cost values for site links that determine which link is given priority during replication.
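As an added example (not part of the chapter), the following PowerShell applies the three intersite replication settings just described to one site link: its cost, its replication interval, and a schedule that limits replication to an overnight window when WAN traffic is assumed to be low. It assumes the RSAT ActiveDirectory module, a site link named 'HQ-to-Branch' (a placeholder), the Get-/Set-ADReplicationSiteLink cmdlets' ReplicationSchedule property, and the .NET ActiveDirectorySchedule type.

```powershell
# Added example: tune one intersite site link's cost, interval and schedule.
# Assumes the RSAT ActiveDirectory module and a site link named 'HQ-to-Branch'
# (placeholder name). Run as an account allowed to modify the Sites container.
Import-Module ActiveDirectory

$linkName = 'HQ-to-Branch'   # assumed placeholder

# Cost: the lower value wins when more than one link connects the same sites.
# Interval: minutes between replication attempts (AD accepts 15 to 10080).
Set-ADReplicationSiteLink -Identity $linkName -Cost 100 -ReplicationFrequencyInMinutes 30

# Schedule: a 7-day x 24-hour x 4-quarter grid of booleans; $true means
# replication may start in that 15-minute slot. Open only 22:00-05:59 daily.
$raw = New-Object 'bool[,,]' 7,24,4
$openHours = @(22..23) + @(0..5)
foreach ($day in 0..6) {
    foreach ($hour in $openHours) {
        foreach ($quarter in 0..3) {
            $raw[$day, $hour, $quarter] = $true
        }
    }
}
$schedule = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule
$schedule.RawSchedule = $raw
Set-ADReplicationSiteLink -Identity $linkName -ReplicationSchedule $schedule

# Check: read the link back and count open slots (8 hours x 4 x 7 days = 224).
$link = Get-ADReplicationSiteLink -Identity $linkName `
            -Properties Cost, ReplicationFrequencyInMinutes, ReplicationSchedule
$open = 0
foreach ($slot in $link.ReplicationSchedule.RawSchedule) { if ($slot) { $open++ } }
[pscustomobject]@{
    Name      = $link.Name
    Cost      = $link.Cost
    Interval  = $link.ReplicationFrequencyInMinutes
    OpenSlots = $open
}

# Listing all site links by cost shows which path replication will prefer.
Get-ADReplicationSiteLink -Filter * -Properties Cost |
    Sort-Object Cost | Select-Object Name, Cost, SitesIncluded
```

Changes to site link settings take effect only after the ISTG recomputes the intersite topology, so verify with the read-back rather than by waiting for the next replication cycle.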
- Active Directory Federation Services (ADFS)
- authentication scope
- connection object
- crossforest trust
- external trust
- Inter-Site Topology Generator
- Knowledge Consistency Checker
- name suffix
- object identifier (OID)
- one-way trust
- Remote Procedure Call (RPC)
- Schema Admins group
- shortcut trust
- Simple Mail Transfer Protocol (SMTP)
- site link
- site link bridge
- site link cost
- transitive trust
- trust relationship
- two-way trust
- update sequence number (USN)
- UPN suffix