If you are an experienced Active Directory or Windows NT administrator on anything but a small network, you no doubt have at least some background in trust relationships. However, if you’ve only recently moved from NT to Windows Server, or are moving up to Windows Server 2003, there are some new concepts to understand before you can successfully design a complex Active Directory structure. To help you get started I’ll explain trust relationships and functional levels for both the domain and forest levels. Both are topics that you’ll be pressed to learn if you are moving up from Windows NT or even just moving from Windows 2000 Server to Windows Server 2003.
Configuring security in an environment with a single domain is a relatively easy process and generally only requires setting up some security groups, setting up user accounts, and optionally, setting up group policy for change control. As the network grows, structuring security and resource sharing can become more complex, particularly when multiple domains become necessary to provide adequate structure to the network. That’s when trust relationships come into play.
A trust relationship enables a domain to trust another domain for authentication. In a trust relationship, a trusting domain allows accounts in a trusted domain to authenticate in its domain. For example, assume that domain A trusts domain B. Domain A is the trusting domain and domain B is the trusted domain. Domain A will allow user accounts in domain B to be used to authenticate and access resources in domain A. Trust relationships like this one simplify domain and Active Directory structuring and management. In this example, you do not have to provide accounts in domain A to users in domain B and deal with the synchronization and management headaches that would entail.
In Windows NT, trust relationships are always one-way. Domain A trusts domain B, for example, but domain B does not trust domain A unless you create a trust relationship in that direction. In addition, Windows NT trusts are non-transitive, meaning the trust does not cross to adjacent domains. For example, assume that domain A trusts domain B and domain B trusts domain C. In Windows NT, domain A will not trust domain C because the trust relationships are non-transitive.
In Windows 2000 Server and Windows Server 2003, all trusts are transitive by default. Thus, if domain A trusts domain B and domain B trusts domain C, then domain A trusts domain C. However, access to resources in trusted domains doesn’t happen automatically. You must configure permissions for resources in the trusting domain to enable users in the trusted domain to access them.
Although all trust relationships accomplish essentially the same result—enabling one domain to trust another—different types of trust relationships do exist. You need to understand the role these trust relationships play before you can begin structuring a large network.
Windows Active Directory domains form a hierarchy of domain trees. The domain above another in a domain tree is the parent domain; the one below is the child domain. For example, in my domain boyce.us, the domain support.boyce.us would be a child domain, with boyce.us being the parent domain. When you create a new child domain in the Active Directory, that child domain automatically has a transitive trust relationship with its parent domain and vice-versa. Therefore, parent/child trusts are always two-way, transitive trusts.
The tree and forest analogy can confuse some Active Directory newcomers, at least until they realize that domain trees grow upside-down. The root domain resides at the logical top of the forest and the trees branch out underneath the root domain. Let’s use techrepublic.com as an example. Techrepublic.com is the first domain created and therefore serves as the root of the techrepublic.com forest. We then add two more domain trees; the first sales.techrepublic.com and the second support.techrepublic.com. The sales.techrepublic.com domain might have other domains in its tree, such as east.sales.techrepublic.com and west.sales.techrepublic.com.
A tree-root trust establishes trust between a domain tree and the forest root. Because these relationships are two-way and transitive, tree-root trusts ultimately enable one domain tree in a forest to trust another domain tree in a forest. For example, users in sales.techrepublic.com could access resources in support.techrepublic.com if they had the necessary permissions.
External and realm trusts
An external trust enables you to create trusts with Windows NT domains. You can also create external trusts with an Active Directory domain in another forest that is not connected by a forest trust. External trusts can be one-way or two-way, but are always non-transitive. When you create an external trust, security principals (user, group, computer, or service) in the external domain can access resources in the internal domain. In addition, domain local groups in the internal domain can contain security principals from the external domain.
A realm trust establishes a trust relationship to an external, non-Windows Kerberos v5 realm. Realm trusts support cross-platform authentication and resource sharing between Active Directory domains and UNIX-based security services. Realm trusts can be either transitive or non-transitive and can be either one-way or two-way.
A forest trust enables trust between a forest root domain in one forest and the forest root domain in another forest. A forest trust is transitive and can be either one-way or two-way. The transitivity of the forest trust is an important concept to understand because when the forest trust is in place, all domains in the trusted forest can access resources in all domains in the trusting forest, assuming the security principals have the necessary permissions in the target domains. In a two-way forest trust, this naturally goes both ways.
Although forest trusts are transitive between the forests joined by the trust, they are not transitive to other forests that also have forest trusts. For example, assume that you create a two-way forest trust between Forest A and Forest B. You also create a two-way forest trust between Forest B and Forest C. Domains in A can access resources in B, but they can’t access resources in C. Likewise, C can access B, but not A.
In a domain forest, authentication requests must follow a trust path between the source and destination domains. For example, an authentication request moves up the tree to the root domain, then down the other tree to the target domain. Shortcut trusts, which are transitive and can be either one-way or two-way, can speed up authentication between two domains in different trees of the same forest by providing a shortcut from one domain to the other. They are particularly useful when users in one domain frequently need to access resources in another domain in another tree. Rather than follow the entire trust path from one tree to the other, the authentication requests can take the shortcut directly from one domain to the other.
Domain functional levels
You might already know that Windows 2000 Server supports native and mixed modes for Active Directory. A Windows 2000 domain running in mixed mode can include Windows NT backup domain controllers, but a handful of features available in native mode are not available. These include universal security groups, group nesting, and SID history features. Changing a Windows 2000 domain to native mode enables these features but at the cost of no longer allowing Windows NT BDCs in the domain.
Windows Server 2003 introduces something similar in its domain functional levels. These modes include the following:
- Windows 2000 Mixed – This mode allows universal distribution groups, but not universal security groups. It also allows nesting of distribution groups but not security groups, with the exception of domain local security groups, which can contain global groups. Group conversion between group types is disabled, as is SID history. Windows NT 4.0, Windows 2000 Server, and Windows Server 2003 domain controllers are supported.
- Windows 2000 Native – This mode adds support for universal security groups, conversion between security and distribution groups, and full group nesting. It also enables SID history with support of migration of security principals from one domain to another. This mode supports Windows 2000 Server and Windows Server 2003 domain controllers.
- Windows Server 2003 Interim – This is an interim mode available only when upgrading Windows NT Server to Windows Server 2003. Interim mode provides improved replication and a handful of other features to facilitate domain migration to Windows Server 2003 Active Directory.
- Windows Server 2003 – You can consider this to be Windows Server 2003’s native mode. This mode adds support for the Domain Controller Rename tool, adds the lastLogonTimestamp attribute for user and computer accounts for logon tracking, and the capability to set the userPassword attribute for InetOrgPerson user objects as the effective password. This mode supports only Windows Server 2003 domain controllers.
Windows Server 2003 mode offers the best functionality. So, switching your network to Windows Server 2003 mode is worth the change, but moving to a different domain functional level means you leave some things behind. For example, moving from Windows 2000 Mixed mode to Windows 2000 Native mode means you lose support for Windows NT domain controllers—all existing Windows NT domain controllers must first be upgraded to either Windows 2000 Server or later, or removed from the network. What’s more, you can’t add an unsupported domain controller to a domain. Thus, you can’t add Windows NT domain controllers after the change.
Because of the domain functionality mode requirements, you should carefully analyze your existing domain and forest structure before you look at switching domain modes and take the steps needed to prepare the Active Directory for the change. For example, Windows NT domain controllers will have to be upgraded or replaced. To go to Window Server 2003 mode all domain controllers will have to be upgraded to Windows Server 2003. When the network is ready, you can use the Active Directory Domains and Trusts console to change the domain functional level.
Forest functional levels
In addition to domain functional levels, Windows Server 2003 also introduces three forest functional levels. These include:
- Windows 2000 – This mode supports Windows NT, Windows 2000 Server, and Windows Server 2003 domain controllers. It offers essentially the same features as Windows 2000 Server. Consequently, if all domain replication partners are running Windows Server 2003, this mode enables a handful of improvements to global catalog replication.
- Windows Server 2003 Interim – This mode is available only when migrating from Windows NT Server to Windows Server 2003.
- Windows Server 2003 – This mode offers several additional features not available in the other two modes including replication improvements, forest trusts, domain rename, defunct schema objects, linked value replication, dynamic auxiliary classes, and InetOrgPerson objectClass change. This mode requires that all domain controllers be running Windows Server 2003 in Windows Server 2003 domain mode.
The level you choose for your forest ultimately depends on the types of domain controllers in your network. Whether you choose to upgrade to Windows Server 2003 to gain the advantage of the features made possible in Windows Server 2003 forest functional level depends on a lot of factors, not least of all the cost involved in upgrading. Features such as forest trust, domain rename, and replication improvements are desirable for any organization with more than a few domains. The other features offered by Windows Server 2003 forest functional level can be equally useful in specific scenarios. To decide whether it’s worth the move or not, spend the time to investigate each of these features in detail. You’ll find an introduction to each one in the Active Directory Domains and Trusts Help content in the Concepts/Understanding Active Directory Domains and Trusts/Domain and Forest Functionality topic.
As when changing the domain functional level, there are requirements for moving to a higher forest functional level. For example, all domains in the forest must be running Windows Server 2003 functional level before you can move up to Windows Server 2003 forest function level.
Managing trusts and functional levels
As I mentioned earlier, Windows Server 2003 automatically creates some transitive trust relationships, such as between parent and child domains and related trees in the forest. If you need to manage forest trusts, add shortcut trusts, or manage trusts in other ways, the Active Directory Domains and Trusts console is the place to make it happen. You can also use the Domains and Trusts console to view and change domain and forest functional levels. To learn the ins and outs of this console, see the “TechRepublic Guided Tour: Active Directory Domains and Trusts Console” for more details.