Domain Trusts – Easier than you think

Not a lot of us get to work with actually establishing a trust between Domains.  In the Enterprise it happens, but in small Business it doesn’t really, unless you’re in that grey area of “Too big to be a little guy but not yet Enterprise”.

If you’re in that area, you’re probably the “Lone Gunman” managing the network.  You might have a Test environment of your own (or, thanks to Virtualization, be thinking of having one).

You might even be in a company just large enough that you merged (or became merged) into a larger Division.

One of the big problems you will encounter right off the bat is that you need to share resources at some level with the parent company, even something as simple as accessing a website.

If there is no Trust established you’ll encounter issues much like you would in a normal peer to peer network, in which you must validate against the resource in question with credentials from that Domain.   If there is no trust in place, you must manage multiple accounts and permissions.   If something as simple as an inventory application needs to run, it can’t.   There is usually validation on some level.  And switching domains to using “Anonymous” and “Everyone” permissions is not only a BAD break fix, it will make you far more liable to viruses, hacks and attacks, and will breach many rules in compliance like SOX/PCI and other nasty Multi letter acronyms I just can’t memorize on a daily basis.

So you need a trust.   One way or two way?  Forest level or External? What will I get to do automatically?

These are questions that should roam through your head. But on the most basic level, HOW difficult is it to establish?

It isn’t.  As long as some prep work is done.

You should be able to resolve names to IP addresses; if there are firewalls separating the networks, the appropriate ports should be opened; and if one party is setting up the Trust, proper credentials with appropriate permissions must be available in both domains.

***KLUNK***

Oh you thought it was going to be a COMPLETE walk in the park? Well it isn’t horribly difficult, just a little prep work.  That’s all.  Relax. 😉

If you have two separate Domains on different networks, you should have at least some Conditional Forwarders or Replicated copies of the Foreign DNS domain.  Conditional Forwarders are simpler to set up and require far fewer changes in security, as all they do is match the ending domain name (IE: office.abc.com) and FORWARD the request to the DNS servers for that Domain.

You’ll need that on both sides.
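The prep work above (conditional forwarder, name resolution, firewall ports) as a PowerShell check. This is an added example, not part of the original post: the domain name and DNS server addresses are placeholders, and the port list is the set of TCP ports a trust commonly needs, which you should confirm against your own firewall policy.

```powershell
# Added example. Run on a DC/DNS server in YOUR domain, then mirror it on the other side.
$ForeignDomain = 'office.abc.com'            # placeholder: DNS name of the other domain
$ForeignDns    = '192.0.2.10', '192.0.2.11'  # placeholder: its DNS servers (documentation range)

# 1. Conditional forwarder: queries ending in the foreign suffix go to the foreign DNS servers.
if (-not (Get-DnsServerZone -Name $ForeignDomain -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $ForeignDomain -MasterServers $ForeignDns
}

# 2. Resolution: the New Trust Wizard has to locate a domain controller for the other domain.
#    Keep only the answer section; the additional section may carry A records as well.
$dcs = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$ForeignDomain" -Type SRV -ErrorAction Stop |
    Where-Object { $_.Section -eq 'Answer' } |
    Select-Object -ExpandProperty NameTarget -Unique

# 3. Firewall: TCP reachability of each foreign DC. Test-NetConnection does not test UDP,
#    and the dynamic RPC range negotiated through port 135 is not covered here.
$ports = @(
    @{ Port = 53;  Service = 'DNS' }
    @{ Port = 88;  Service = 'Kerberos' }
    @{ Port = 135; Service = 'RPC endpoint mapper' }
    @{ Port = 389; Service = 'LDAP' }
    @{ Port = 445; Service = 'SMB' }
)
$results = foreach ($dc in $dcs) {
    foreach ($p in $ports) {
        $t = Test-NetConnection -ComputerName $dc -Port $p.Port -WarningAction SilentlyContinue
        [pscustomobject]@{ DC = $dc; Port = $p.Port; Service = $p.Service; Open = $t.TcpTestSucceeded }
    }
}
$results | Format-Table -AutoSize

# Anything listed here has to be fixed before the wizard will get through cleanly.
$blocked = @($results | Where-Object { -not $_.Open })
if ($blocked.Count) {
    Write-Warning "$($blocked.Count) DC/port combination(s) unreachable; fix these before creating the trust."
}
```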

To establish the Actual Trust you’ll need to go into “Active Directory Domains and Trusts” off the Start menu.

See? Easy!

Right click on the Domain in question that you need to establish a trust.  Choose “Properties”.  At this point you will see a tab marked “Trusts”.  Click on that.

Here’s where the fun starts! On the lower left hand side you will see a button marked “New Trust”, click on that to bring up the “New Trust Wizard”

Type in the NETBIOS name (ABC) or the FQDN (IE: ABC.CONTOSO.LOCAL or CONTOSO.LOCAL) of the Domain you are attempting to establish a trust with.

If your resolution is all good and the domain is recognized, you will now be prompted with one of two boxes.  Either one asking you for the type of Trust (One way Inbound, Two Way, or One way Outbound) OR

Next you will be asked whether to create the trusts on BOTH domains or just yours.  If you have Administrative credentials in the other Domain you can complete the whole process now.  If not, you can at least get it started.

You will be asked whether the authentication will be “Domain Wide” or “Selective” – Selective is good for two separate companies that need to share resources but need to be EXTREMELY meticulous as to how resources are granted.  Nothing assumed.   Domain Wide is a little more open.  Say, a company that has separate divisions within different Active Directory environments that need to be joined.

In both cases a password is required.  This is a trust password.  The “secret phrase” that is needed to create the link.  Make it a good passphrase and not something silly like “yeahthisisagoodtrustpassphrase”

Password must meet whatever password rules are presently in force on the two Domains.  Toughest Rule wins.  So if one of you has a minimum 53 character password with Full Complexity in force?  Sorry.  Password would have to meet THAT rule.

At this point you have the option of confirming the Trust is in place on the other side.    Without credentials on the foreign domain, you can at least confirm the outgoing trust. 

But to confirm that the incoming trust is working (that your buddy on the other side typed in the password correctly and FOLLOWED the step by step instructions) requires Administrative credentials from that domain.

In a click or two, you’ll be done.   Now one thing to keep in mind: once the trust is in place you SHOULD double check Share and NTFS permissions.   If any SHARE or NTFS permission grants “Everyone” access (even ReadOnly), remember that the “Everyone” group is Universal, so it now covers users from the trusted domain too.
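One way to do that double check on a file server, together with a look at whether each trust uses Domain Wide or Selective authentication. This is an added example, not part of the original post; it only reads settings, checks the root folder of each share rather than every subfolder, and needs the ActiveDirectory module for the trust listing.

```powershell
# Added example: read-only review after the trust is created. Run elevated on the file server.

# Trust scope: SelectiveAuthentication = False means Domain Wide authentication.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Get-ADTrust -Filter * |
        Select-Object Name, Direction, SelectiveAuthentication |
        Format-Table -AutoSize
}

# Resolve the well-known SID S-1-1-0 so the check also works on non-English systems.
$sid      = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$everyone = $sid.Translate([System.Security.Principal.NTAccount]).Value

$findings = foreach ($share in Get-SmbShare -Special $false) {
    # Share-level permissions
    Get-SmbShareAccess -Name $share.Name |
        Where-Object { $_.AccountName -eq $everyone -and $_.AccessControlType -eq 'Allow' } |
        ForEach-Object {
            [pscustomobject]@{ Share = $share.Name; Layer = 'Share'; Path = $share.Path
                               Rights = $_.AccessRight }
        }

    # NTFS permissions on the folder behind the share (root only)
    if ($share.Path -and (Test-Path -LiteralPath $share.Path)) {
        (Get-Acl -LiteralPath $share.Path).Access |
            Where-Object { $_.IdentityReference.Value -eq $everyone -and
                           $_.AccessControlType -eq 'Allow' } |
            ForEach-Object {
                [pscustomobject]@{ Share = $share.Name; Layer = 'NTFS'; Path = $share.Path
                                   Rights = $_.FileSystemRights }
            }
    }
}

# Every row is a place where trusted-domain users get in without being named explicitly.
$findings | Sort-Object Share, Layer | Format-Table -AutoSize
```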

If you want to grant users from the “Foreign but Trusted” domain access to resources, you now need to learn about using a “Domain Local” security Group.  You can add users from the Other Domain to a “Domain Local” security group in your domain and grant THAT group access.   But interestingly once you start going into Server 2008, you can add Foreign domain users to “Global” security groups.   This seems to be a feature of the newer Server 2008 Active Directory (which I find immensely cool!)

There’s an absolutely EXCELLENT article written by Daniel Petri that covers, at a beautifully in-depth level, all you would ever want to know or not know about Domains and Trusts, and it is WELL worth the read!

Technology, Embrace it and extend yourself

Sean
The Energized Tech
