Trees, Forests and Trusts
So far we've discussed how to handle a Single Domain, the role of Domain Controller and how it joins Computers, Servers and Users
But these days no companies maintain their business with a Single Domain, so there must be some additional needs that push them to have more than one!
Active Directory supports integrating multiple domains so that you can partition your network into units that can be managed separately
Suppose we have two domains that share the same namespace (xbersec.local); those domains can be joined into a Tree
If our xbersec.local domain was split into two subdomains for UK and INDIA branches, we could build a tree with a root domain of xbersec.local and two subdomains called uk.xbersec.local and in.xbersec.local, each with its AD, Computers and Users
A new security group needs to be introduced when talking about trees and forests - Enterprise Admins
This group will grant a user administrative privileges over all of an enterprise's domains
Each domain would still have its own Domain Admins with administrator privileges over their single domain, alongside the Enterprise Admins who can control everything in the enterprise
For example, suppose our company continues to grow and eventually acquires another company called, say, MHT Inc
When both the companies merge, we'll probably have different domain trees for each company, each managed by its own IT department
The union of several trees with different namespaces into the same network is known as a Forest
Having multiple domains organised in trees and forests allows us to have a nicely compartmentalised network with respect to management and resources
But what if a user at uk.thm.local wants to access a shared file on one of the asia.mht.local servers?
For this to happen, domains arranged in trees and forests are joined together by trust relationships
There are two kinds of trust relationships, namely the one-way trust relationship and the two-way trust relationship
In a One-way trust, if Domain AAA trusts Domain BBB, this means that a user on BBB can be authorised to access resources on AAA (which can be a fileserver, for example)
A Two-way trust can be made to allow both domains to mutually authorise users from the other
By default, joining several domains under a tree or a forest will form a two-way trust relationship :)
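
The trust directions described above, modelled as a small graph (an added example, not part of the original page): access flows in the opposite direction to trust, and a two-way trust is two one-way trusts. It goes slightly beyond the text by marking each trust as transitive or not, since the default trusts inside a forest are transitive. The parent domains thm.local and mht.local and the partner.example domain are constructed for illustration.

```python
from collections import deque

def one_way(trusting, trusted, transitive=True):
    # "trusting trusts trusted": users of `trusted` can be authorised on `trusting`.
    return [(trusting, trusted, transitive)]

def two_way(a, b, transitive=True):
    # A two-way trust is one one-way trust in each direction.
    return one_way(a, b, transitive) + one_way(b, a, transitive)

def can_access(trusts, user_domain, resource_domain):
    """True if a user of user_domain can be authorised on resource_domain."""
    if user_domain == resource_domain:
        return True
    # Access flows opposite to trust, so walk from the resource domain
    # along "trusts" edges until the user's domain is reached.
    seen, queue = {resource_domain}, deque([resource_domain])
    while queue:
        current = queue.popleft()
        for trusting, trusted, transitive in trusts:
            if trusting != current or trusted in seen:
                continue
            direct = current == resource_domain and trusted == user_domain
            if not (transitive or direct):
                continue  # a non-transitive trust covers only its two domains
            if trusted == user_domain:
                return True
            seen.add(trusted)
            queue.append(trusted)
    return False

def who_can_reach(trusts, resource_domain):
    """Audit view: every other domain whose users could be authorised here."""
    domains = {d for t in trusts for d in t[:2]} - {resource_domain}
    return sorted(d for d in domains if can_access(trusts, d, resource_domain))

# Constructed sample forest (parent domains and the partner are assumptions).
FOREST = (
    two_way("thm.local", "uk.thm.local")        # parent-child, tree 1
    + two_way("mht.local", "asia.mht.local")    # parent-child, tree 2
    + two_way("thm.local", "mht.local")         # joins the two trees
    # One-way, non-transitive: asia.mht.local trusts partner.example only.
    + one_way("asia.mht.local", "partner.example", transitive=False)
)

if __name__ == "__main__":
    print(can_access(FOREST, "uk.thm.local", "asia.mht.local"))
    print(who_can_reach(FOREST, "asia.mht.local"))
```

Running `who_can_reach` against each domain that holds sensitive resources gives a quick list of every foreign domain whose accounts need to be considered when reviewing access.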