Learn how to use the Active Directory Domains And Trusts Console.
It's a fairly good bet that you're familiar, at least to some degree, with domains and trust relationships. Both of these topics are tied directly to Active Directory, which serves as the core repository for a broad range of information in Windows 2000 Server and Windows Server 2003. There are several tools included with Windows Server to help manage Active Directory in all of its aspects. In this Guided Tour, I'll take you through the ins and outs of the Active Directory Domains And Trusts Console and tell you what it's for and how to use it to manage domains and trust relationships.
What's it for?
Before I dive into the Active Directory Domains And Trusts Console, let's take a look at Active Directory, domains, and trusts so you'll have a good background in what the console is designed to manage.
Active Directory serves as a repository for lots of information in Windows 2000 Server and Windows Server 2003: users and groups, DNS zones, shared printers, domains, trust relationships, and lots more. When you set up a new domain, you do so by installing Active Directory on a server, which turns that server into a domain controller. In a small organization, you might have a single domain. In larger organizations, multiple domains are very common to separate departments, divisions, or even separate resources from users.
Domains are structured into trees and forests. A domain tree is a collection of related domains. A domain forest is a collection of related domain trees. When multiple domains come into play, the concept of trust relationships also comes into play. A trust relationship allows one domain to trust another for authentication. If domain A trusts domain B, for example, a user from domain B can access resources in domain A if given the necessary access permissions. In a Windows 2000 or later domain forest, all trust relationships are transitive and two-way. A transitive trust is one that flows from one domain to another. For example, if A trusts B and B trusts C, then A trusts C. A two-way trust is one that flows both ways between two domains. For example, A trusts B and B trusts A. What's more, trusts in Windows 2000 and later are automatic—you don't need to configure trust between a parent and child domain because Windows Server sets up trust implicitly.
Finally, consider the question of forest trust. You can create trust relationships between disjoined domain forests to allow domains in one forest to trust domains in the other. In two-way transitive forest trusts, all domains in each forest trust all the domains in the other forest. Forest trusts offer several benefits in large organizations, simplifying administration and authentication.
With all this in mind, what purpose does the Active Directory Domains And Trusts Console serve? First and perhaps foremost, the console lets you manage trust relationships between domains and forests. The console also enables you to set domain and forest functional levels, as well as administer user principal name (UPN) suffixes.
The Active Directory Domains And Trusts Console doesn't offer the same level of functions as the Active Directory Users And Computers Console, but that's simply because there are not as many tasks that can be performed globally on domains as within a domain. In general, the Active Directory Domains And Trusts Console lets you accomplish the following tasks:
- Raise domain functional level. A Windows Server 2003 domain can function in one of four modes, including Windows 2000 Mixed, Windows 2000 Native, Windows Server 2003 Interim, and Windows Server 2003. I explained these modes in "Understanding mixed and native modes in Windows Server 2003."
- Raise forest functional level. Windows Server 2003 supports three forest functional levels, each offering increasing levels of capability. These levels include Windows 2000, Windows Server 2003 Interim, and Windows Server 2003. For example, when all domain controllers in a domain are running Windows Server 2003 and each domain has been raised to Windows Server 2003 mode, you can raise the functional level for that domain forest to Windows Server 2003.
- Add UPN suffixes. In a Windows 2000 or later domain, users can log on with the UPN associated with their accounts. A UPN takes the form user@upnsuffix, such as email@example.com. Users can also log on with the pre-Windows 2000 user logon name, which in this example would likely be jim (but would not have to be). The UPN suffix generally identifies the domain in which the account resides, but can be the domain DNS name, the DNS name of another domain in the forest, or an alternative suffix created by the domain administrator solely for the purpose of logon.
- Manage domain trust. There are several tasks you can perform with the console, including verifying or removing a trust and creating shortcut, realm, and external trusts. I'll explain these trust types later.
- Manage forest trust. You can accomplish several tasks related to forest trust, including creating a forest trust and managing routing for specific name suffixes.
At first glance the Active Directory Domains And Trusts Console might seem to offer little in the way of functionality, but there's actually quite a bit going on. Let's look under the hood.
Touring the Active Directory Domains And Trusts Console
To start the Active Directory Domains And Trusts Console, click Start | All Programs | Administrative Tools | Active Directory Domains And Trusts. When you first open the console, you see a relatively simple display (Figure A) that lists the local domain and its child domains, if any.
|The Active Directory Domains And Trusts Console presents a simple interface for managing domains, forests, and trusts.|
The Active Directory Domains And Trusts Console is a standard Microsoft Management Console (MMC) with the usual layout and elements. The left pane shows the domain list and the right pane shows objects, such as trusts, associated with the selected domain.
The Active Directory Domains And Trusts Console includes four menu items:
- File. Use the File menu to exit the console. You can also choose Options from the File menu to open a dialog box that lets you delete the files that store the changes you make to the console. You can't actually set any options for the console through the File menu, however.
- Action. The Action menu's contents change according to the object selected in the console. With the Active Directory Domains And Trusts branch selected, you can connect to a domain controller, view or change the domain naming operations master (which ensures that domain names are unique), and raise the forest functional level. You can also refresh the view and export the domain list in a handful of delimited text formats. Choosing Properties from the Action menu lets you add alternate UPN suffixes. You can also open Help from this menu. When you select a domain, you can choose Action | Manage to open the Active Directory Users And Computers Console focused on the selected domain. Choosing Properties with a domain selected enables you to view properties for the domain, manage trusts, and specify the user or contact responsible for managing the domain.
- View. Use the View menu to add or remove columns in the right pane or choose the view mode (small icons, large icons, list, or details). You can also customize the view by adding or removing interface elements such as the toolbar, status bar, Taskpad navigation tabs, and other elements.
- Help. As with other MMC consoles, use this menu to access the Help content for the Active Directory Domains And Trusts Console as well as the general MMC Help content. Help also displays the Group Policy Help content.
Like most Windows applications, the Active Directory Domains And Trusts Console includes a toolbar by default. The toolbar contains the following buttons:
- Back. Navigate back through the console.
- Forward. Navigate forward through the console.
- Up One Level. Move to the next higher level in the tree; available only when a domain is selected.
- Show/Hide Console Tree. Show or hide the left tree pane.
- Properties. Open the properties for the selected item.
- Refresh. Refresh the current view; available only when the Domains And Trusts branch is selected.
- Export List. Export the selected objects as a delimited list.
- Help. Open the Help content.
As you probably expect, the console offers a context menu when you right-click on an item in the console tree pane. The commands in the context menu correspond to the menu items in the Action menu when the same item is selected. The context menu also adds the contents of the View menu as a cascading menu item.
Working at the Domains And Trusts level
There are several tasks you can accomplish with the Active Directory Domains And Trusts Console at the Active Directory Domains And Trusts level. I won't cover mundane tasks like refreshing or customizing the view, but instead will focus on domain and forest management tasks:
Connecting to a domain controller
As you're working with the Active Directory Domains And Trusts Console—particularly when working from an administrative workstation—it's likely that you'll need to change the focus of the console. You do so by connecting to a specific domain controller (DC). To do so, click the Active Directory Domains And Trusts branch and choose Action | Connect To Domain Controller. Or, simply right-click the Active Directory Domains And Trusts branch and choose Connect To Domain Controller.
The console displays the Connect To Domain Controller dialog box (Figure B). Enter the domain name manually or click Browse to browse for the domain. After you select the domain, its domain controllers appear in the bottom half of the dialog box. Choose the option Any Writable Domain Controller if you don't need to work with a specific DC in the domain. Otherwise, select the DC from the list. Then click OK.
|Use the Connect To Domain Controller dialog box to switch focus to a specific domain or DC.|
Setting the operations master
The domain-naming operations master ensures that all domains in the enterprise are named uniquely. Only one computer in the enterprise functions as the operations master. By default the operations master is the first domain controller created. For a variety of reasons you might want to move the role of operations master to a different DC. To do so, open the Active Directory Domains And Trusts Console and click the Active Directory Domains And Trusts branch. Choose Action | Connect To Domain Controller. Browse to and select the DC that will become the operations master and click OK. Choose Action | Operations Master or right-click the branch and choose Operations Master from the context menu. In the Change Operations Master dialog box (Figure C), click Change.
|Browse for a domain controller in the Connect To Domain Controller dialog box.|
Raising the forest functional level
As I mentioned earlier in this article, you can raise the forest functional level if all domain controllers in the forest have been raised to the Windows Server 2003 level. To raise the forest functional level, click the Active Directory Domains And Trusts branch and choose Action | Raise Forest Functional Level. If all domains in the forest have been raised to the Windows Server 2003 level, the console displays the Raise Forest Functional Level dialog box shown in Figure D.
|Use the Raise Forest Functional Level dialog box to raise the forest functional level.|
If the domains in the forest have not all been raised to the Windows Server 2003 level, you'll see the error dialog box shown in Figure E.
|The console displays this error if the functional level can't be raised.|
Adding UPN Suffixes
When you create a domain, Windows offers the name of the root domain and the current domain as the default UPN suffixes. Users can log on with the UPN, such as firstname.lastname@example.org, or with the pre-Windows 2000 logon name, such as jim. In some situations you might want to add other UPN suffixes. For example, maybe your logon domain is boyce.local, but all user e-mail goes to addresses at boyce.us. To help users remember their UPNs, you decide to add the UPN suffix boyce.us to the domain. You can do just that with the Active Directory Domains And Trusts Console.
Open the console, click the Active Directory Domains And Trusts branch, and choose Action, then Properties to open the UPN Suffixes tab shown in Figure F. Click in the Alternative UPN Suffixes box and type the suffix to add (such as boyce.us) and click Add. Repeat the process to add other UPN suffixes to the forest.
|Add UPN suffixes through the UPN Suffixes tab.|
Working at the domain level
Some of the tasks you can perform at the domain level with the Active Directory Domains And Trusts Console are similar to those you can perform at the forest level. You can also perform some additional tasks, such as managing trusts.
Managing the domain
When you're working with the local domain, it's a simple matter to open the Active Directory Users And Computers Console, which opens focused on the local domain. When you're working with this console, however, it's likely that you'll be working with other domains. When you need to manage objects in those domains and already have opened the Active Directory Domains And Trusts Console, it's often easier to open and manage the domain from there. To manage a domain, click the domain in the console tree and choose Action, then Manage. The Active Directory Users And Computers Console opens focused on the selected domain (Figure G).
|You can quickly access the Active Directory Users And Computers Console for a domain to manage its objects.|
Viewing and setting general properties
There is only one general property you can set for a domain through the Active Directory Domains And Trusts Console: a description of the domain. The description appears in the console when you open the properties for the domain. The description can help you identify the purpose for the domain or keep track of other helpful information. To set the description, click the domain and then choose Action | Properties. Click the Description field (Figure H) and type the description. The dialog box also shows other information, such as the domain functional level, forest functional level, and pre-Windows 2000 domain name.
|You can view general information and set a description for a domain.|
One of the key tasks you'll perform with the Active Directory Domains And Trusts Console is managing trust relationships between domains and forests. For example, you can verify the trust relationship between domains. To do so, click the domain that contains the trust you want to verify and choose Action, then Properties. Click the Trusts tab (Figure I) and click the trust you want to verify. Click Properties to open the properties for the trust. This dialog box (Figure J) shows the trust direction and transitivity, and also enables you to validate the trust.
|Use the Trusts tab to view all current trust relationships.|
|Use the trust property sheet to view information about the trust.|
When you click Validate, the console opens the Active Directory dialog box shown in Figure K. Select Yes, Validate The Incoming Trust if you want to validate the trust relationship from the other domain. Choose No (the default) if you only want to validate the outgoing trust. If you choose Yes, click in the User Name field and type the user name of an account with privileges in the local domain, enter the corresponding password, and click OK. The console then displays an informational dialog box that indicates the trust status.
|Choose between validating only the outgoing trust and validating in both directions.|
You can also use the Trusts tab to add new trust relationships. You can create the following trust types:
- Shortcut trust. This is a trust between two non-adjacent domains in the same forest. Shortcut trusts can help improve logon time. They can be one-way or two-way and are transitive.
- Realm trust. A realm trust enables you to create a trust between a non-Windows Kerberos realm and a Windows Server 2003 domain. They can be one-way or two-way, transitive or non-transitive.
- External trust. This type of trust connects a Windows Server 2003 domain with a Windows NT domain or a domain in another forest for which there is no forest trust. External trusts can be one-way or two-way and are non-transitive.
- Forest trust. Use this trust type to enable resource sharing between forests. Forest trusts can be one-way or two-way and are transitive.
When you click New Trust on the Trusts tab, the Active Directory Domains And Trusts Console starts the New Trust Wizard. After you click Next to get past the obligatory splash page, the wizard prompts for the name of the domain, forest, or realm (Figure L). If the wizard doesn't recognize the specified name as a valid Windows domain, it displays the Trust Type page shown in Figure M, which enables you to choose between a realm trust and a Windows domain and enter a different name for the domain.
|Specify the name of the domain in the New Trust Wizard.|
|The wizard prompts you to choose a trust type if it doesn't recognize the specified domain name.|
If you specify a domain that is the root of an external forest, the console gives you the option of creating a forest trust or an external trust (Figure N). You can create a forest trust only if the local forest level has been raised to Windows Server 2003. In fact, if the forest level has not been raised, the console automatically treats the trust as an external trust and does not display the dialog. If you specify a domain below the root of the remote forest, the console also treats the trust as an external trust.
|Choose between a forest trust and external trust.|
Next, the wizard prompts for the trust direction on the Direction Of Trust page (Figure O). Then, you specify where the trust is created, whether locally only or also in the remote domain (Figure P).
|Choose the direction of trust for the trust relationship.|
|Choose whether to create the trust locally only or also in the remote domain.|
Next, you specify the scope of authentication for the trust (Figure Q). Choose Domain-Wide Authentication if you want Windows to automatically authenticate users from the remote domain for all resources in the local domain. Choose Selected Authentication if you want to grant permissions individually for users in the remote domain to local resources. (You can change the scope of authentication after creating the trust—open the properties for the trust and click the Authentication tab, then choose the desired scope.)
|Choose the scope of authentication for the trust relationship.|
After you choose the scope of authentication and click Next, you enter and confirm a password that Windows uses to validate creation of the trust. After a confirmation page, the wizard creates the trust, then gives you the option of confirming the trust (Figure R). If you created a two-way trust, the console gives you the option of confirming trust in both directions.
|You can confirm the trust after creating it with the wizard.|
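The choices made in the wizard (trust type, direction, transitivity, and scope of authentication) are stored as three integer attributes on a trustedDomain object in the directory. The PowerShell below is an added example, not part of the original article: it decodes those attributes into the terms used above and marks external or forest trusts that authenticate remote users domain-wide. The function name, the sample rows, the review rule, and the use of the ActiveDirectory module's Get-ADObject cmdlet (which postdates Windows Server 2003) are assumptions made for illustration.

```powershell
# Added example. ConvertTo-TrustSummary is a hypothetical helper, not a built-in cmdlet.
function ConvertTo-TrustSummary {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][int]$TrustDirection,  # 1 = incoming, 2 = outgoing, 3 = two-way
        [Parameter(Mandatory)][int]$TrustType,       # 1 = Windows NT, 2 = Active Directory, 3 = Kerberos realm
        [Parameter(Mandatory)][int]$TrustAttributes  # bit flags decoded below
    )
    # Documented trustAttributes flags used here.
    $NonTransitive     = 0x01
    $ForestTransitive  = 0x08
    $CrossOrganization = 0x10   # set when selective authentication is enabled
    $WithinForest      = 0x20

    # Trust type in the article's terms. Parent/child and shortcut trusts both
    # carry the within-forest flag and are reported together.
    $kind = 'External'
    if     ($TrustType -eq 3)                         { $kind = 'Realm' }
    elseif ($TrustAttributes -band $WithinForest)     { $kind = 'Intra-forest' }
    elseif ($TrustAttributes -band $ForestTransitive) { $kind = 'Forest' }

    $transitive = switch ($kind) {
        'External' { $false }
        'Realm'    { -not ($TrustAttributes -band $NonTransitive) }
        default    { $true }
    }

    $direction = switch ($TrustDirection) {
        1 { 'Incoming (remote domain trusts this one)' }
        2 { 'Outgoing (this domain trusts remote)' }
        3 { 'Two-way' }
        default { 'Disabled' }
    }

    # Authentication scope only applies to external and forest trusts.
    $scope = 'n/a'
    if ($kind -in 'External', 'Forest') {
        $scope = if ($TrustAttributes -band $CrossOrganization) { 'Selective' } else { 'Domain-wide' }
    }

    # Review rule (assumption): remote users are authenticated for every local resource.
    $review = ($scope -eq 'Domain-wide') -and [bool]($TrustDirection -band 2)

    [pscustomobject]@{
        Name = $Name; Kind = $kind; Direction = $direction
        Transitive = $transitive; AuthScope = $scope; Review = $review
    }
}

# Constructed sample rows. Against a live domain the same three attributes can be read with:
#   Get-ADObject -LDAPFilter '(objectClass=trustedDomain)' -Properties trustDirection,trustType,trustAttributes
$sample = @(
    @{ Name = 'child.corp.example'; TrustDirection = 3; TrustType = 2; TrustAttributes = 0x20 }
    @{ Name = 'partner.example';    TrustDirection = 2; TrustType = 2; TrustAttributes = 0x08 }
    @{ Name = 'vendor.example';     TrustDirection = 2; TrustType = 2; TrustAttributes = 0x18 }
    @{ Name = 'LEGACYNT';           TrustDirection = 1; TrustType = 1; TrustAttributes = 0x00 }
    @{ Name = 'UNIX.EXAMPLE';       TrustDirection = 3; TrustType = 3; TrustAttributes = 0x01 }
)
$summary = foreach ($row in $sample) { ConvertTo-TrustSummary @row }
$summary | Format-Table -AutoSize
```

Rows with Review set to True are candidates for changing the scope on the trust's Authentication tab, as described above.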
Managing name suffix routing
When you work with a forest trust, one issue to consider is name suffix routing between forests. Name suffix routing enables authentication requests to be routed to other domains. You'll find a good summary of name suffix routing, name suffix collision detection, and related topics in the Active Directory Domains And Trusts/Concepts/Understanding Active Directory Domains And Trusts/Understanding Trusts/Routing Name Suffixes Across Forests topic in the Help content for the Active Directory Domains And Trusts Console.
When you're ready to configure name suffix routing, open the Active Directory Domains And Trusts Console and click the root domain of the forest. Choose Action | Properties and click the Trusts tab. Click the forest trust in the trust list and click Properties, then click the Name Suffix Routing tab (Figure S). Here you can enable or disable specific name suffixes for routing.
|You can manage name suffix routing with the Active Directory Domains And Trusts Console.|
You can also explicitly exclude name suffixes from routing to a local forest. Click the name suffix in the list and click Edit to open the Edit dialog box. Click Add, type the suffix, and click OK. In the Edit dialog box you can also change the routing status of a name suffix.