Professional Windows Server 2003 Security: A Technical Reference [Electronic resources] (text version)

Roberta Bragg

Forest Concepts

A forest is the largest entity in Active Directory. A forest consists
of one or more trees joined together at their root domains by trusts.
Each tree consists of one or more domains arranged in hierarchical
fashion and also joined by trusts. All trees and domains in a forest
share a common schema, configuration, and global catalog.

When you promote your first WS2003 domain controller, you
automatically create a forest with a single domain. This first domain
is the root domain of your first tree and the forest root domain of
your entire forest. When you create additional WS2003 domains, you
can choose whether to:

  • Add the new domain to an existing tree of your forest

  • Make the new domain the root domain of a new tree in your forest

  • Create an entirely new forest


Namespace

While a tree has a contiguous DNS namespace, the namespace within a
forest doesn't have to be contiguous. The root domain of each tree in
a forest must have its own unique DNS name to identify it within the
forest. However, the forest itself is uniquely identified with respect
to other forests by the DNS name of its forest root domain, that is,
the DNS name of the first domain created in the forest. For example,
let's say that the Canadian company MTIT Enterprises (whose DNS domain
name is mtit.com) decides to start a separate, worldwide operation
called MTIT Enterprises Worldwide, whose domain name will be different
(e.g., mtitworld.com). In this case the forest root domain and the
root domain of the first tree could be mtit.com with subsidiaries
vancouver.mtit.com and toronto.mtit.com, while the root domain of the
other tree would be mtitworld.com with subsidiaries
mexico.mtitworld.com, france.mtitworld.com, and so on.

You might implement a multiple-tree forest if your company were very
large and had multiple public identities. For example, you might
create a multiple-tree forest if your company has one or more
distinct subsidiaries in different locations or if your company and
another company have recently merged, established joint ventures, or
formed high-level partnerships. If two companies, which have already
implemented a multiple-tree forest, merge with each other, you can
now create transitive trusts between the roots of the two forests in
order to grant users in one forest access to resources in the other
forest. See Trusts later in this chapter for more information.

Forest Functional Level

In WS2003, forests can be configured to run in one of three
different functional levels:

Windows 2000 (default for new forests)
    Supports domain controllers running WS2003, W2K, and NT.

Windows Server 2003 interim
    Supports domain controllers running WS2003 and NT. This is a
    special domain functional level that exists only when you upgrade
    an NT-based network directly to WS2003.

Windows Server 2003
    Supports only domain controllers running WS2003.


By default, when you create a new forest its forest functional level
is W2K, which gives it the greatest degree of interoperability with
NT/2000 domain controllers. You can raise the forest functional level
to Windows Server 2003 if you have no more W2K domain controllers,
but you can't undo this operation afterward. When
you raise the forest functional level to Windows Server 2003, the
following additional features are supported to simplify the
administration of your network:

  • Transitive trusts can be created between two forest roots so that all
    domains in one forest can trust all domains in the other forest.

  • Per-value replication of attributes is enabled to reduce replication
    traffic when groups are modified.

  • Deactivated schema classes and attributes can be redefined.


In addition, the new domain rename tool Rendom can restructure forests
running in the WS2003 forest functional level.

Kerberos Authentication Within a Forest

When a user in one domain wants to access resources across a forest,
the Kerberos v5 authentication protocol is used. Kerberos is a
shared-secret authentication protocol in which the client requesting
access and a trusted intermediary called the Key Distribution Center
(KDC) share knowledge of the user's password. (Passwords are stored in
Active Directory.) Kerberos thus uses mutual authentication: both the
user and the network services providing authentication must be
authenticated to each other before access can proceed. Every WS2003
domain controller runs the Kerberos Key Distribution Center service
and is thus a KDC.

Kerberos is the default WS2003 authentication service. It is more
complex than NTLM (also called Challenge/Response or Windows
Integrated) authentication, which is the earlier authentication
protocol used by NT and which WS2003 uses for authenticating
downlevel (Windows NT/98/95) clients that don't have
the new Directory Services Client software installed on them. NTLM
stored password information in the SAM database and authenticated
only the client, not the network service providing authentication.

As an example, let's say a user on a client computer in
vancouver.mtit.com wants to access resources on a server in
mexico.mtitworld.com, which is part of the same forest. The process by
which client authentication occurs happens automatically and is
completely transparent to the user. Here is how it works (I've left
out a few steps for simplification).

  1. The client submits the user's credentials to the KDC in its local
     domain, vancouver.mtit.com, to receive a Kerberos session ticket.

  2. The client presents the session ticket to the KDC in the root
     domain, mtit.com, of the local tree, which then grants the client
     a second session ticket for the root domain, mtitworld.com, in the
     remote tree.

  3. The client presents the second session ticket to the KDC in the
     mtitworld.com domain, which then grants the client a third session
     ticket for the mexico.mtitworld.com domain in the remote tree.

  4. The client finally presents the third session ticket to the KDC in
     the mexico.mtitworld.com domain, which then grants the client
     access to the shared resources on the server that the client wants
     to access.


From this scenario you can see why it's good to try
to "flatten" your domains in WS2003
and use only a single domain if that is at all possible: the more
domains and trees you have in your enterprise, the more network
bandwidth will be consumed by Kerberos authentication traffic.
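The following Python model is an added example, not code from the book or from Microsoft; it ties together the Namespace section (each tree is a contiguous DNS namespace, the forest is named after its forest root) and the four-step referral chain above. Domains, trees and names are the MTIT Enterprises scenario from the text; the trust rules are the standard Active Directory ones (parent/child trusts inside a tree, and a tree-root trust between the forest root and each other tree root). The optional shortcut trust is an assumption added to show how an administrator can cut the number of KDCs on the path, which is the bandwidth concern the last paragraph raises.

```python
"""Model of an Active Directory forest's trust topology (added example).

Walks the same trust path a Kerberos client follows when it is referred
from its own domain's KDC up to the tree root, across to the other tree,
and down to the target domain. Every name below is the book's MTIT
scenario; the shortcut trust is a constructed assumption.
"""
from collections import deque


class Forest:
    def __init__(self, forest_root):
        # The forest is identified by the DNS name of its forest root domain,
        # the first domain created in it.
        self.forest_root = forest_root
        self.parent = {forest_root: None}   # domain -> parent (None = tree root)
        self.shortcut_trusts = set()        # frozenset({a, b}) admin-created trusts

    def add_domain(self, name, parent=None):
        """Add a domain; parent=None makes it the root of a new tree."""
        if name in self.parent:
            raise ValueError(f"duplicate domain {name}")
        if parent is not None:
            if parent not in self.parent:
                raise ValueError(f"unknown parent {parent}")
            # A tree's namespace is contiguous: a child domain's DNS name
            # must be a subdomain of its parent's name.
            if not name.endswith("." + parent):
                raise ValueError(f"{name} is not a DNS child of {parent}")
        self.parent[name] = parent

    def tree_root(self, domain):
        """Follow parent links up to the root of the domain's tree."""
        while self.parent[domain] is not None:
            domain = self.parent[domain]
        return domain

    def tree_roots(self):
        return sorted(d for d, p in self.parent.items() if p is None)

    def add_shortcut_trust(self, a, b):
        """Assumed admin-created shortcut trust between two domains."""
        self.shortcut_trusts.add(frozenset((a, b)))

    def trusts(self):
        """Undirected trust edges: parent/child, forest root to each
        other tree root, plus any shortcut trusts."""
        edges = set()
        for d, p in self.parent.items():
            if p is not None:
                edges.add(frozenset((d, p)))
            elif d != self.forest_root:
                edges.add(frozenset((d, self.forest_root)))
        return edges | self.shortcut_trusts

    def referral_path(self, src, dst):
        """KDCs the client contacts, in order, to reach dst from src.

        Breadth-first search over the trust graph gives the shortest
        referral chain; each hop is one more session ticket request.
        """
        adj = {}
        for edge in self.trusts():
            a, b = tuple(edge)
            adj.setdefault(a, set()).add(b)
            adj.setdefault(b, set()).add(a)
        prev = {src: None}
        queue = deque([src])
        while queue:
            cur = queue.popleft()
            if cur == dst:
                break
            for nxt in adj.get(cur, ()):
                if nxt not in prev:
                    prev[nxt] = cur
                    queue.append(nxt)
        if dst not in prev:
            raise ValueError(f"no trust path from {src} to {dst}")
        path, d = [], dst
        while d is not None:
            path.append(d)
            d = prev[d]
        return path[::-1]


def mtit_forest():
    """The two-tree forest described in the Namespace section."""
    f = Forest("mtit.com")
    f.add_domain("vancouver.mtit.com", "mtit.com")
    f.add_domain("toronto.mtit.com", "mtit.com")
    f.add_domain("mtitworld.com")                     # root of the second tree
    f.add_domain("mexico.mtitworld.com", "mtitworld.com")
    f.add_domain("france.mtitworld.com", "mtitworld.com")
    return f


if __name__ == "__main__":
    f = mtit_forest()
    path = f.referral_path("vancouver.mtit.com", "mexico.mtitworld.com")
    print(" -> ".join(path), f"({len(path) - 1} KDC referrals)")
```

Running the block prints the four KDCs of steps 1 to 4 in order; adding `f.add_shortcut_trust("vancouver.mtit.com", "mexico.mtitworld.com")` before the call collapses the chain to a single hop, which is the flattening argument of the paragraph above expressed as a graph property. The `add_domain` check also rejects a child whose DNS name is not beneath its parent, enforcing the contiguous-tree rule from the Namespace section.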

