Wednesday, January 26, 2011

Setting up Cross Forest Trust between W2K3 R2 and W2K8 R2

Hi All,

Today we will be looking at setting up a cross-forest trust between the top-level domains of two different forests. Before we start, we need to get some components in place so that the trust can be set up successfully.

Name Resolution: we must be able to resolve names across the two forests, so DNS has to be configured for that purpose. There are several ways to set up DNS for cross-forest name resolution:

1. Conditional Forwarders
2. Secondary Zone Transfers
3. Stub Zone

The benefit of using a conditional forwarder is that it is much easier to configure and troubleshoot than a zone transfer. The process of configuring a conditional forwarder is straightforward: all you need to know is the DNS domain name of the domain that houses the DNS server that you are configuring to forward requests and the IP address of the target DNS server.

However, a conditional forwarder is not an efficient way to keep a DNS server that hosts a parent zone aware of the authoritative DNS servers for a child zone. If you use a conditional forwarder, whenever the authoritative DNS servers for the child zone change, the conditional forwarder setting on the DNS server that hosts the parent zone must be configured manually with the IP address for each new authoritative DNS server for the child zone.

Using a secondary zone with zone transfers enabled is beneficial because this configuration maintains a list of all the authoritative DNS servers for the secondary copy of the zone, and the list is updated as DNS servers are added and removed from the target forest or domain. Secondary zones also host a full copy of the DNS zone.

The drawbacks to using secondary zones with zone transfers enabled are that this configuration is much more complicated to configure and maintain, and you do not have the direct, point-to-point contact with a DNS server in the target forest or domain that you have with a conditional forwarder. In addition, with secondary zones you expose the host-to-IP-address mappings for all hosts in the zone, which can expose the domain or forest to security risks through unauthorized access.

DNS Resource Records That Are Required for Secondary Zones

There are two DNS resource records that must be registered properly on the DNS server that hosts the secondary copy of the trusted domain or forest:

    * Service (SRV) resource record (_ldap._tcp.dc._msdcs.<computer account domain>)

    * Host (A) resource record

To test name resolution, issue the following command from the target domain:

nltest /dsgetdc:domainNameOfSpecifiedForest

There are other considerations as well, such as opening the required firewall ports at the perimeter network, before a cross-forest trust can be established.
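The name-resolution prerequisites above can be scripted and checked in one pass. The following PowerShell script is an added example, not code from the original post: it creates a conditional forwarder for the partner forest's zone with dnscmd (the tool available on both W2K3 R2 and W2K8 R2), then verifies the two records the post says a trust depends on, the _ldap._tcp.dc._msdcs SRV record and the A record of each DC it names, and finishes with the nltest /dsgetdc check. The zone name forestB.local, the partner DNS address 192.0.2.10 and the object names are placeholders; run it on the local DNS server as a DNS administrator.

```powershell
# Added example (not from the original post): set up and verify cross-forest name resolution.
# Placeholders (assumptions, not from the post): partner forest zone forestB.local and its
# DNS server 192.0.2.10. Written for PowerShell 2.0 so it runs on W2K8 R2 / W2K3 R2 boxes.
param(
    [string]   $PartnerZone    = 'forestB.local',
    [string[]] $PartnerDnsIps  = @('192.0.2.10'),
    [string]   $LocalDnsServer = $env:COMPUTERNAME
)

function Add-ConditionalForwarder {
    param([string]$Server, [string]$Zone, [string[]]$MasterIps)
    # dnscmd <server> /ZoneAdd <zone> /Forwarder <ip...> creates the conditional forwarder.
    # Use /Stub <ip...> for a stub zone or /Secondary <ip...> for a secondary zone instead;
    # the record checks below are the same for all three options.
    & dnscmd $Server /ZoneAdd $Zone /Forwarder $MasterIps | Out-Null
    return ($LASTEXITCODE -eq 0)
}

function Get-DomainControllerSrvHosts {
    param([string]$Zone, [string]$Server)
    # The SRV record the post names, _ldap._tcp.dc._msdcs.<domain>, lists the partner DCs.
    # nslookup prints each target as "svr hostname = <fqdn>".
    $srvHosts = @()
    $output = & nslookup -type=SRV "_ldap._tcp.dc._msdcs.$Zone" $Server 2>&1
    foreach ($line in $output) {
        if ("$line" -match 'svr hostname\s*=\s*(\S+)') { $srvHosts += $Matches[1] }
    }
    return $srvHosts
}

function Test-TrustNameResolution {
    param([string]$Zone, [string]$Server)
    $results = @()

    # 1. SRV record: without it the New Trust Wizard cannot locate a DC in the partner forest.
    $dcHosts = @(Get-DomainControllerSrvHosts -Zone $Zone -Server $Server)
    $results += New-Object PSObject -Property @{
        Check  = "SRV _ldap._tcp.dc._msdcs.$Zone"
        Passed = ($dcHosts.Count -gt 0)
        Detail = ($dcHosts -join ', ')
    }

    # 2. Host (A) record for every DC the SRV record pointed at.
    foreach ($dc in $dcHosts) {
        $addresses = @()
        try {
            $addresses = @([System.Net.Dns]::GetHostAddresses($dc) | ForEach-Object { $_.IPAddressToString })
        } catch { }
        $results += New-Object PSObject -Property @{
            Check  = "A $dc"
            Passed = ($addresses.Count -gt 0)
            Detail = ($addresses -join ', ')
        }
    }

    # 3. The locator test from the post: nltest /dsgetdc exits 0 only when a DC was found.
    $nltestOut = & nltest "/dsgetdc:$Zone" 2>&1
    $results += New-Object PSObject -Property @{
        Check  = "nltest /dsgetdc:$Zone"
        Passed = ($LASTEXITCODE -eq 0)
        Detail = (($nltestOut | Select-Object -First 1) -as [string])
    }
    return $results
}

if (-not (Add-ConditionalForwarder -Server $LocalDnsServer -Zone $PartnerZone -MasterIps $PartnerDnsIps)) {
    Write-Warning "dnscmd could not add the conditional forwarder for $PartnerZone (it may already exist)."
}
Test-TrustNameResolution -Zone $PartnerZone -Server $LocalDnsServer |
    Format-Table Check, Passed, Detail -AutoSize
```

A failing SRV check with a passing A check usually means the forwarder points at a DNS server that is not authoritative for the _msdcs subdomain; a failing A check for a host the SRV record names means the partner forest's DC registrations are stale. Fix those before touching the trust wizard, since the wizard's errors are far less specific.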

Creating Forest Trust
The following trust relationship types exist:

1. External Trust
2. Forest Trust
3. Realm Trust
4. Shortcut Trust
5. Tree-Root Trust

I will not go into the creation of each trust type, but I will walk through the steps that are common to all of them.
Let's say you manage the IT infrastructure of Company A, and Company B is acquired. A one-way trust needs to be created to access resources in Forest B (Domain B, Company B), but IT functions are not yet streamlined, so you have no access to Company B's IT resources. In that case you create a one-way incoming forest trust on your side, and the other side has to create the matching one-way outgoing trust before the one-way trust can fully work.

Authentication can be set to forest-wide, domain-wide or selective authentication. If you choose selective authentication, you need to grant the "Allow user to be authenticated" right on the computer object of each server you want to access. Forest-wide and domain-wide authentication are pretty much automatic.

A forest trust is transitive between the two forests it joins, but that does not make it transitive with a third forest: if Forest A trusts Forest B and Forest B trusts Forest C, it does not follow that Forest A trusts Forest C. Forest trusts do not chain across forests in that way.

To create a one-way, incoming forest trust for one side of the trust:

1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain node for the domain that you want to establish a trust with, and then click Properties.
3. On the Trusts tab, click New Trust, and then click Next.
4. On the Trust Name page, type the Domain Name System (DNS) name (or network basic input/output system (NetBIOS) name) of the domain, and then click Next.
5. On the Trust Type page, click Forest trust, and then click Next.
6. On the Direction of Trust page, click One-way: incoming, and then click Next.
   For more information about the selections that are available on the Direction of Trust page, see the section "Direction of Trust" in Appendix: New Trust Wizard Pages.
7. On the Sides of Trust page, click This domain only, and then click Next.
   For more information about the selections that are available on the Sides of Trust page, see the section "Sides of Trust" in Appendix: New Trust Wizard Pages.
8. On the Trust Password page, type the trust password twice, and then click Next.
9. On the Trust Selections Complete page, review the results, and then click Next.
10. On the Trust Creation Complete page, review the results, and then click Next.
11. On the Confirm Incoming Trust page, do one of the following:
    * If you do not want to confirm this trust, click No, do not confirm the incoming trust.
    * If you want to confirm this trust, click Yes, confirm the incoming trust, and then supply the appropriate administrative credentials from the specified domain.
12. On the Completing the New Trust Wizard page, click Finish.

Similarly, you can create the one-way outgoing trust from the other side. Once both sides are created, you can validate the trust using Active Directory Domains and Trusts.

If you have admin credentials for Forest/Domain B then you can create Two way Trust in one step.
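Validating the trust from the GUI, as described above, can also be done from the command line, and the selective-authentication setting deserves a check of its own: under selective authentication, only principals holding the authenticate right on a server's computer object can use that server across the trust, so knowing who holds it is part of validating the trust. The following PowerShell script is an added example, not code from the original post: it runs netdom trust /verify from the trusting side, summarizes the direction and transitivity flags that nltest /domain_trusts reports, and lists the principals granted the "Allowed to Authenticate" control access right (schema rightsGuid 68b1d179-0d15-4d4f-ab71-46152e79a7bc) on one resource server. The forest names forestA.local and forestB.local and the server DN are placeholders.

```powershell
# Added example (not from the original post): verify a forest trust and audit selective authentication.
# Placeholders (assumptions, not from the post): trusting forest forestB.local, trusted forest
# forestA.local, resource server object CN=FILESRV01,OU=Servers,DC=forestB,DC=local.
# Written for PowerShell 2.0; netdom and nltest ship with W2K8 R2 (Support Tools on W2K3 R2).
param(
    [string]$TrustingDomain   = 'forestB.local',
    [string]$TrustedDomain    = 'forestA.local',
    [string]$ResourceServerDn = 'CN=FILESRV01,OU=Servers,DC=forestB,DC=local'
)

function Test-TrustRelationship {
    param([string]$Trusting, [string]$Trusted)
    # netdom trust <trusting> /d:<trusted> /verify checks the trust secure channel;
    # /kerberos additionally proves a Kerberos ticket can be obtained across the trust.
    $out = & netdom trust $Trusting /d:$Trusted /verify /kerberos 2>&1
    New-Object PSObject -Property @{
        Check  = "netdom trust $Trusting /d:$Trusted /verify /kerberos"
        Passed = ($LASTEXITCODE -eq 0)
        Detail = (($out | Out-String).Trim())
    }
}

function Get-TrustSummary {
    # nltest /domain_trusts /all_trusts prints one line per trust, for example (constructed):
    #   1: FORESTA forestA.local (NT 5) (Forest Tree Root) (Direct Inbound) ( Attr: foresttrans )
    # Confirm the trust has exactly the direction and transitivity you intended, nothing more.
    $lines = & nltest /domain_trusts /all_trusts 2>&1
    foreach ($line in $lines) {
        $text = "$line"
        if ($text -match '^\s*\d+:\s+(\S+)\s+(\S+)\s+') {
            $netbios = $Matches[1]; $dns = $Matches[2]
            $attr = ''
            if ($text -match 'Attr:\s*([^)]*)\)') { $attr = $Matches[1].Trim() }
            New-Object PSObject -Property @{
                NetBIOS          = $netbios
                DnsName          = $dns
                DirectInbound    = ($text -match 'Direct Inbound')
                DirectOutbound   = ($text -match 'Direct Outbound')
                ForestTransitive = ($text -match 'foresttrans')
                Attributes       = $attr
            }
        }
    }
}

function Get-AllowedToAuthenticateGrants {
    param([string]$ComputerDn)
    # "Allowed to Authenticate" is a control access right identified in the AD schema by the
    # rightsGuid 68b1d179-0d15-4d4f-ab71-46152e79a7bc. An ExtendedRight ACE whose ObjectType is
    # the empty GUID grants *all* extended rights, so it is reported too.
    $allowedToAuthenticate = [guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'
    $extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $computer = [ADSI]"LDAP://$ComputerDn"
    $rules = $computer.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    foreach ($rule in $rules) {
        $isExtended = (($rule.ActiveDirectoryRights -band $extendedRight) -ne 0)
        $matchesRight = ($rule.ObjectType -eq $allowedToAuthenticate) -or ($rule.ObjectType -eq [guid]::Empty)
        if ($isExtended -and $matchesRight) {
            New-Object PSObject -Property @{
                Identity   = $rule.IdentityReference.Value
                AccessType = $rule.AccessControlType
                Inherited  = $rule.IsInherited
                AllRights  = ($rule.ObjectType -eq [guid]::Empty)
            }
        }
    }
}

Test-TrustRelationship -Trusting $TrustingDomain -Trusted $TrustedDomain | Format-List Check, Passed, Detail
Get-TrustSummary | Format-Table NetBIOS, DnsName, DirectInbound, DirectOutbound, ForestTransitive, Attributes -AutoSize
Get-AllowedToAuthenticateGrants -ComputerDn $ResourceServerDn | Format-Table Identity, AccessType, Inherited, AllRights -AutoSize
```

Run it on a domain controller of the trusting forest. For the one-way scenario in the post, the partner forest should show only DirectOutbound from Company B's side (and only DirectInbound from Company A's side); an unexpected second direction means someone created the trust as two-way. Entries with AllRights set to True in the last table are the ones to look at first, since they grant far more than the authenticate right.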

For more info check the TechNet Link

1 comment:

  1. Hi Navdeep,

    It's nice of you to have shared what is almost a step-by-step guide on how to establish a cross-forest trust.

    We were in the process of evaluating the setup of a cross-forest trust ourselves, and were considering it from a security perspective.

    I thought you might find an ongoing discussion on the Security Implications of Establishing a Cross Forest Trust quite useful as well.

    Thanks for sharing. Nice post!