Learn AD in 15 Minutes a Week: Active Directory Logical Architecture

Tuesday May 7th 2002 by ServerWatch Staff

Jason Zandri's third article in the Learn Active Directory Design and Administration in 15 Minutes a Week series takes a look at the Active Directory Logical Architecture, specifically Forests and Trees and the Trust Relationships between them.

by Jason Zandri
www.2000trainers.com

Welcome to the third installment of Learn Active Directory Design and Administration in 15 Minutes a Week, a weekly series aimed at current IT professionals preparing to write the new Windows Active Directory Design and Administration exams (70-219 and 70-217 respectively), as well as newcomers to the field who are trying to get a solid grasp on this new and emerging directory service from Microsoft. This week's topic is the Active Directory Logical Architecture, specifically, Forests and Trees and the Trust Relationships between them.

Active Directory Logical Architecture

As you make preparations for the installation of your first Windows 2000 Domain Controller into your environment, whether that be a pristine new forest or into an existing domain, you need to have a solid understanding of all the different parts that make up the Windows 2000 Active Directory.

Forests

By definition, the Windows 2000 Active Directory forest is the collection of one or more Microsoft Windows 2000 domains that share a common schema, configuration, and global catalog.

This is not true of the domain namespace: the domain trees in a forest do not share one. If there is a single tree in the forest, all of its domains share a common, contiguous namespace. Since a forest may contain more than one domain tree (it is not a requirement, but it is allowed), each of these trees has its own contiguous namespace, separate from the others.

All of the domains in a domain tree and all of the trees in a single forest have the connectivity benefit of the two-way, transitive trust relationship, which is the default trust relationship between Windows 2000 domains. A two-way, transitive trust, by definition, is really the combination of a transitive trust and a two-way trust. This complete trust between all domains in an Active Directory domain hierarchy helps to form the forest as a single unit via its common schema, configuration, and global catalog.

The first Windows 2000 domain installed in the forest is considered to be the forest root domain.

[NOTES FROM THE FIELD] - Much of this information is an Exam Requirement for both the 70-217 AND the 70-219 exams. Some would argue it is more so for the 217 and I would agree, but if you do not have the underpinnings from the Administration pieces of 70-217, you'll be hard pressed to pull off the Design requirements for 70-219.


Trees

By definition, a Windows 2000 Active Directory domain tree is a set of Windows 2000 domains connected together via a two-way transitive trust, sharing a common schema, configuration, and global catalog.

In order to be considered a true Windows 2000 domain tree, the domains must form a contiguous hierarchical namespace with one domain being the domain root.

The first Windows 2000 domain installed in a tree is considered to be the root domain of that tree. It would only be considered the forest root domain if it was also the first domain in the forest.

Let's say that zandri.net is the first Windows 2000 domain in a pristine forest. This makes zandri.net the first Windows 2000 domain installed in the forest, and as such it is considered the forest root domain. Since it is also the first Windows 2000 domain installed in this tree, it is also the root domain of the zandri.net tree.

[NOTES FROM THE FIELD] - A tree that contains only a single domain is called a standalone domain tree. That single tree constitutes a forest of one tree.

After the zandri.net domain has been deployed, a child domain called data.zandri.net is created, as well as sales.zandri.net. Since these two new domains are children of the parent, zandri.net, they are located below it in the hierarchy, with the zandri.net domain at the top:

zandri.net
    data.zandri.net
    sales.zandri.net

If we then create a new domain tree called madison.net with two child domains, sales.madison.net and data.madison.net, the forest structure looks something like this:

zandri.net
    data.zandri.net
    sales.zandri.net

madison.net
    sales.madison.net
    data.madison.net

The root of the whole forest would be zandri.net (zandri.net is also the root of the entire zandri.net tree) and the root of the second tree would be madison.net (madison.net would be only the root of the madison tree). The child domains of sales.madison.net and data.madison.net would be directly below madison.net in the hierarchy.

Trust Relationships

All of the domains in a domain tree and all of the trees in a single forest have the connectivity benefit of the two-way, transitive trust relationship, which is the default trust relationship between Windows 2000 domains. A two-way, transitive trust by definition is really the combination of a transitive trust and a two-way trust. This complete trust between all domains in an Active Directory domain hierarchy helps to form the forest as a single unit via its common schema, configuration, and global catalog.

A transitive trust is a relationship that extends from one domain to the next, and to the next, and so on. In the above example, data.zandri.net indirectly trusts sales.zandri.net because the trust relationship travels from data.zandri.net to zandri.net to sales.zandri.net: data.zandri.net to zandri.net is a direct trust, zandri.net to sales.zandri.net is a direct trust, and all trusts within a Windows 2000 Active Directory forest are transitive by default, so data.zandri.net indirectly trusts sales.zandri.net.

The same relationship holds between data.zandri.net and sales.madison.net. Since they are all in the same forest, connected by a common schema, configuration, and global catalog, and all Windows 2000 Active Directory trusts within the forest are transitive by default, the following is true:

Since data.zandri.net directly trusts zandri.net and zandri.net directly trusts madison.net and madison.net directly trusts sales.madison.net then data.zandri.net indirectly trusts sales.madison.net.

A two-way trust can simply be looked at as two one-way trusts between two domains. When zandri.net trusts data.zandri.net, this is a one-way trust. When data.zandri.net trusts zandri.net, this is another one-way trust. It is considered two-way because each domain trusts the other in the reverse direction of the trust it receives.

The same applies where zandri.net trusts madison.net and madison.net trusts zandri.net. Since these two domain trees are in the same forest, they each trust the other and all of the other's child domains (two-way and transitively).

Again, all of the domains in a domain tree and all of the trees in a single forest have the connectivity benefit of the two-way, transitive trust relationships, which are the default trust relationships between Windows 2000 domains.

This IS NOT true of domains and domain trees OUTSIDE of the forest. A trust to a domain outside the forest is referred to as an external trust.

For example, if zandri.net were collaborating on a project with 2000trainers.com, where users in the zandri.net Windows 2000 domain needed access to resources within the 2000trainers.com Windows 2000 domain, the domain administrator for 2000trainers.com would have to manually set up a trust relationship with zandri.net where 2000trainers.com trusted zandri.net so that users in zandri.net could gain access to the resources they needed. This would not give users in 2000trainers.com access to any resources in zandri.net, as the manual setup of a one-way trust does not automatically create the "reverse" one-way trust that would make zandri.net trust the users of 2000trainers.com.

Also, the trust is in no way transitive. If there was a child domain of 2000trainers.com called forums.2000trainers.com, users of zandri.net do not gain access to any of the resources there, even though those resources might be included in the common schema, configuration, and global catalog of the 2000trainers.com Active Directory. The trust that exists is only between 2000trainers.com and zandri.net alone, and it has been set in this example so that only users in zandri.net can access resources in the 2000trainers.com domain. If access to resources in the forums.2000trainers.com Windows 2000 domain by those same zandri.net Windows 2000 domain users is necessary, then another one-way, external, non-transitive trust would need to be established.

External trusts can be created between different Windows 2000 forests or to a Windows NT domain (sometimes called a down-level domain) or a Kerberos version 5 realm.

You can combine two one-way trusts to create a two-way trust relationship, where 2000trainers.com trusts zandri.net and zandri.net trusts 2000trainers.com, however, even these are NOT TRANSITIVE, since they are from different Windows 2000 Active Directory forests.
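The forest and tree rules above and the trust rules in this section can be checked against a small model. The following Python is an added example written for this article, not code from the author, from 2000trainers.com or from Microsoft: it places domains into trees by their DNS names, wires up the default two-way transitive trusts, adds the one-way external trust by which 2000trainers.com trusts zandri.net, and reports the chain of trusts (if any) through which a resource domain trusts an account domain. The class and function names (Forest, Topology, trust_path, build_example) are my own; the domain names are the article's.

```python
"""Model of the forest, tree and trust rules described in the article.
Constructed example: the zandri.net and madison.net trees in one forest,
2000trainers.com in a second forest, and the one-way, non-transitive
external trust by which 2000trainers.com trusts zandri.net."""
from collections import deque
from typing import Optional


class Forest:
    """Domains of one forest, placed into trees by contiguous DNS namespace.
    Each domain gets the Windows 2000 default trust (two-way, transitive) to
    its DNS parent or, for the first domain of an extra tree, to the forest root."""

    def __init__(self, forest_root: str) -> None:
        self.forest_root = forest_root
        self.parent: dict[str, Optional[str]] = {forest_root: None}
        # domain -> domains it directly trusts; symmetric because two-way
        self.direct: dict[str, set[str]] = {forest_root: set()}

    def _two_way(self, a: str, b: str) -> None:
        self.direct.setdefault(a, set()).add(b)
        self.direct.setdefault(b, set()).add(a)

    def add_domain(self, name: str) -> None:
        """A child if its DNS parent is already here, otherwise a new tree root."""
        dns_parent = name.split(".", 1)[1] if "." in name else None
        if dns_parent in self.parent:
            self.parent[name] = dns_parent
            self._two_way(name, dns_parent)
        else:
            self.parent[name] = None  # root of a new tree
            self._two_way(name, self.forest_root)

    def tree_root(self, name: str) -> str:
        """Walk up the contiguous namespace to the root of name's tree."""
        while self.parent[name] is not None:
            name = self.parent[name]
        return name

    def trust_path(self, trusting: str, trusted: str) -> list[str]:
        """Chain of direct trusts through which `trusting` trusts `trusted`."""
        prev: dict[str, Optional[str]] = {trusting: None}
        queue = deque([trusting])
        while queue:
            here = queue.popleft()
            if here == trusted:
                path = []
                while here is not None:  # rebuild the chain backwards
                    path.append(here)
                    here = prev[here]
                return path[::-1]
            for nxt in self.direct[here]:
                if nxt not in prev:
                    prev[nxt] = here
                    queue.append(nxt)
        raise KeyError(f"{trusted} is not in this forest")


class Topology:
    """Several forests plus the external trusts configured between them."""

    def __init__(self) -> None:
        self.forest_of: dict[str, Forest] = {}
        # trusting domain -> trusted domains; one-way and non-transitive
        self.external: dict[str, set[str]] = {}

    def add_forest(self, forest: Forest) -> None:
        for domain in forest.parent:
            self.forest_of[domain] = forest

    def add_external_trust(self, trusting: str, trusted: str) -> None:
        if self.forest_of[trusting] is self.forest_of[trusted]:
            raise ValueError("external trusts only join domains in different forests")
        self.external.setdefault(trusting, set()).add(trusted)

    def trust_path(self, resource_domain: str, account_domain: str) -> Optional[list[str]]:
        """Chain of trusts letting resource_domain grant access to account_domain
        users, or None. Inside one forest the chain follows the transitive trusts;
        across forests only a direct external trust counts, since it does not
        extend to either side's parent or child domains."""
        if self.forest_of[resource_domain] is self.forest_of[account_domain]:
            return self.forest_of[resource_domain].trust_path(resource_domain, account_domain)
        if account_domain in self.external.get(resource_domain, set()):
            return [resource_domain, account_domain]
        return None


def build_example() -> Topology:
    """The article's domains, created in the order the article gives."""
    zandri = Forest("zandri.net")
    for name in ("data.zandri.net", "sales.zandri.net",
                 "madison.net", "sales.madison.net", "data.madison.net"):
        zandri.add_domain(name)
    trainers = Forest("2000trainers.com")
    trainers.add_domain("forums.2000trainers.com")
    topo = Topology()
    topo.add_forest(zandri)
    topo.add_forest(trainers)
    topo.add_external_trust("2000trainers.com", "zandri.net")  # set up manually, one way
    return topo
```

Calling build_example() and then trust_path("sales.madison.net", "data.zandri.net") returns the four-domain chain through madison.net and zandri.net, while trust_path("zandri.net", "2000trainers.com") and trust_path("forums.2000trainers.com", "zandri.net") both return None: the external trust is one-way and stops at the two domains it joins. Answering "from which domains can accounts be granted access to this resource domain?" is exactly the question to ask when reviewing what an external trust exposes.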

[NOTES FROM THE FIELD] - This subject matter is HEAVILY tested upon in both the 70-217 AND the 70-219 exams. In other words, you need to know this information better than you know your spouse and/or siblings.


Well, that wraps up the first section of my Windows 2000 Active Directory Logical Architecture article. I hope you found it informative and will return for the next installment.

If you have any questions, comments or even constructive criticism, please feel free to drop me a note.

I want to write good, solid technical articles that appeal to a large range of readers and skill levels and I can only be sure of that through your feedback.

Next week, I plan to continue with my detailed Introduction to Active Directory column with more on the Windows 2000 Active Directory Logical Architecture by entering into sections relating to Domains, Organizational Units and the Global Catalog.

Until then, best of luck in your studies.


"Security isn't about risk avoidance, it's about risk management."


Jason Zandri
Jason@Zandri.net

www.2000trainers.com

