Trees, Forests and Trusts

PRACTICE ! PRACTICE ! PRACTICE !

So far we've discussed how to handle a Single Domain, the role of the Domain Controller and how it joins Computers, Servers and Users.

But these days hardly any company runs its business on a Single Domain, so there must be additional needs that push them towards having more than one!

Trees

Active Directory supports integrating multiple domains so that you can partition your network into units that can be managed separately.

Suppose we have two domains that share the same namespace (xbersec.local); those domains can be joined into a Tree.

If our xbersec.local domain was split into two subdomains for the UK and INDIA branches, we could build a tree with a root domain of xbersec.local and two subdomains called uk.xbersec.local and in.xbersec.local, each with its own AD, Computers and Users.

A new security group needs to be introduced when talking about trees and forests: Enterprise Admins.

This group grants a user administrative privileges over all of an enterprise's domains.

  • Each domain still has its own Domain Admins with administrator privileges over that single domain, while the Enterprise Admins can control everything in the enterprise

Forests

For example, suppose our company keeps growing; eventually we might acquire another company, say MHT Inc.

  • When both companies merge, we'll probably have a different domain tree for each company, each managed by its own IT department

  • The union of several trees with different namespaces into the same network is known as a Forest

Trust Relationships

Having multiple domains organised in trees and forests gives us a nicely compartmentalised network with respect to management and resources.

  • But what if a user at uk.thm.local wants to access a shared file on one of the asia.mht.local servers?

  • For this to happen, domains arranged in trees and forests are joined together by trust relationships

There are two kinds of trust relationships, namely

  • one-way trust relationship

  • two-way trust relationship

In a One-way trust, if Domain AAA trusts Domain BBB, a user on BBB can be authorised to access resources on AAA (a file server, for example), but not the other way round.

A Two-way trust can be set up so that both domains mutually authorise users from the other.

  • By default, joining several domains under a tree or a forest will form a two-way trust relationship :)
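To make the direction of a trust concrete, here is a small Python model added for this page (not code from the original post or from Active Directory itself): it stores each trust as "trusting domain accepts accounts from trusted domain" and walks the chain from the resource domain back to the user's domain. The domain names and the one-way, non-transitive "AAA trusts BBB" case are constructed from the page's examples; treating a non-transitive trust as reaching only its direct partner is a simplification.

```python
from collections import deque

class TrustMap:
    """Directed trust graph: an edge trusting -> trusted means the trusting
    (resource) domain accepts accounts from the trusted (account) domain."""

    def __init__(self):
        self.edges = {}  # trusting domain -> {trusted domain: transitive?}

    def add_one_way(self, trusting, trusted, transitive=True):
        self.edges.setdefault(trusting, {})[trusted] = transitive
        self.edges.setdefault(trusted, {})

    def add_two_way(self, a, b, transitive=True):
        self.add_one_way(a, b, transitive)
        self.add_one_way(b, a, transitive)

    def access_path(self, user_domain, resource_domain):
        """Chain of domains from the resource back to the user's domain when the
        trusts permit access, else None. Simplification: a non-transitive
        trust only ever reaches its direct partner."""
        if user_domain == resource_domain:
            return [resource_domain]
        queue, seen = deque([[resource_domain]]), {resource_domain}
        while queue:
            path = queue.popleft()
            for nxt, transitive in self.edges.get(path[-1], {}).items():
                if nxt in seen or (not transitive and len(path) > 1):
                    continue  # non-transitive trusts cannot sit mid-chain
                if nxt == user_domain:
                    return path + [nxt]
                if transitive:  # only transitive trusts extend the chain
                    seen.add(nxt)
                    queue.append(path + [nxt])
        return None

    def can_access(self, user_domain, resource_domain):
        return self.access_path(user_domain, resource_domain) is not None

def build_page_scenario():
    """Constructed from the page's own example: the xbersec.local and mht.local
    forests joined by a forest trust, plus the one-way 'AAA trusts BBB' case."""
    t = TrustMap()
    t.add_two_way("xbersec.local", "uk.xbersec.local")   # parent-child, two-way
    t.add_two_way("xbersec.local", "in.xbersec.local")   # transitive by default
    t.add_two_way("mht.local", "asia.mht.local")
    t.add_two_way("xbersec.local", "mht.local")          # forest trust after merger
    t.add_one_way("AAA", "BBB", transitive=False)        # external one-way trust
    return t
```

Calling `build_page_scenario().access_path("uk.xbersec.local", "asia.mht.local")` returns the chain of trusts that lets the UK user reach the Asia file share, while `can_access("AAA", "BBB")` stays False because the one-way trust points the other way.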
