Professional Windows Server 1002003 Security A Technical Reference [Electronic resources] نسخه متنی

Trusts are managed using the Active Directory Domains and Trusts
console, which is discussed under

Site earlier
in this chapter. The following procedures assume that you have this
console open.

Create an External Trust

External trusts are one-way

trusts in
which a trusting domain trusts a trusted domain. Before you create a
one-way trust, you need to decide which domain is the trusting domain
and which is the trusted one. The trusting domain typically contains
the shared resources that need to be accessed, while the trusted one
contains the user accounts that need to access these resources.

Create an External Trust Within a Forest

To create a one-way external trust between two domains in the same
forest:

Right-click on trusted domain Properties Trusts New Trust specify DNS or NetBIOS name of trusting domain One-way incoming Both this domain and the specified domain specify administrator credentials

To create a two-way external trust between two domains in the same
forest:

Right-click on trusted domain Properties Trusts New Trust specify DNS or NetBIOS name of trusting domain Two-way Both this domain and the specified domain specify administrator credentials

Create an External Trust Between Forests

To create a one-way external trust between two domains in different
forests, first start in the forest where the trusted domain resides
and do this:

Right-click on trusted domain Properties Trusts New Trust specify DNS or NetBIOS name of trusting domain One-way incoming This domain only (specify a password for the trust)

Now go to the other forest and do this:

Right-click on trusted domain Properties Trusts New Trust specify DNS or NetBIOS name of trusted domain One-way outgoing This domain only (specify same password as above for the trust) specify level of access to grant users in the trusted domain for resources in the trusting domain

To create two-way trusts, simply create two one-way trusts in
opposite directions.

Create a Cross-Forest Trust

To create a cross-forest trust between two forests, first either make
sure DNS servers in each forest can resolve the name of the other
forest or ensure NetBIOS is enabled so you can specify the NetBIOS
name of the forest instead of its DNS name. Then do this:

Right-click on a domain Properties Trusts New Trust specify DNS or NetBIOS name of trusting forest continue as previously for Create an External Trust Between Forests

Create an External Trust to a Kerberos v5 Realm

You can also create one-way trusts with non-Windows Kerberos realms
by:

Right-click on trusted domain Properties Trusts New Trust specify name of trusting realm Realm trust Transitive | Non-transitive One-way incoming specify a password for the trust

Then go to the Kerberos realm and create the other end of the trust
using the same password.

Verify a Trust

Right-click on a domain Properties Trusts select a trusted or trusting domain Edit Verify

If the trust is working, a

dialog
box will confirm this. If the trust has failed, a series of dialog
boxes will lead you through the process of reestablishing the trust
relationship between the domains. You can verify both implicit
(transitive) and explicit (external or shortcut) trusts this way.

Revoke an External Trust

Right-click on the trusted or trusting domain Properties Trusts select trusted or trusting domain Remove

You can't revoke the implicit

two-way
transitive trusts that are created and maintained automatically by
Active Directory; you can revoke only external trusts that you have
explicitly created.