Inter-domain Trust Relationships

Posted by arlene

To support the concept of one username and one password throughout a collection of domains, the trust relationship is used to allow domains to share information contained in the security database. Without a trust relationship you would have to create a new user account in the database of each domain to which a user would need to have access. This would be sort of like the workgroup model, only on a larger scale using domains instead of individual computers.

When a user account is created in a domain, it is assigned a unique identifier, called an SID, which stands for security identification descriptor. If you create several accounts in different domains for a user, with the same logon username and password, the SID will not be the same from one domain to another. The user’s logon name is ordinary text, which is used for the convenience of humans who must remember it. The SID is the actual method that the network uses when identifying a particular user (and to identify the domain, which holds the user account) and deciphering what access that user is allowed, based on Access Control Lists (ACLs).

Because there should be only one username and password for any user throughout the network, no matter how many domains are created, a method is needed to allow a domain to recognize that a user has already been validated in another domain. If this can be communicated between domains, it becomes possible to simply trust a user if a domain trusts the domain from which the user comes.

A trust relationship is created when an administrator from one domain uses the User Manager for Domains utility to create a specific relationship with another domain. For example, if domain A has a trust relationship whereby it trusts the users in domain B, then the administrator of domain A can grant access to resources in domain A to users who reside in domain B. A trust relationship, however, is a one-way street. So this example does not give users in domain A access to resources in domain B.

For users in both domains to have access to resources in both domains, the administrators of each domain must create two trust relationships.

Creating a Trust Relationship

The domain administrator uses the User Manager for Domains utility to create trust relationships. To start the utility, select Start, Programs, Administrative Tools, and finally User Manager for Domains.

To create a trust relationship the administrator in both domains will have to run the utility and enter the other domain’s name into the list of domains it trusts or is trusted by. To bring up the dialog box that is used to accomplish this task, select the Policies menu at the top of the utility and select Trust Relationships.

The order in which a trust relationship is established is important. The administrator of the domain that will be trusted should run the utility first to add the name of the domain that will trust his domain. To do this, click the Add button next to the Trusting Domains list. The Add Trusted Domain dialog box appears. Here you enter the name of the domain that will trust your domain, and an optional password, and click OK.

The administrator of the domain that will trust this domain must perform the same function, this time clicking the Add button next to the Trusted Domains list. In the Add Trusted Domain dialog box, the administrator will put the name of the domain it will trust and then the same password that was entered by the administrator of the trusted domain.

Although the password is optional, you should always use one. The password is not used later by domain controllers that are performing pass-through authentication. It is used only to verify both ends of this process of creating the trust relationship. After the trust relationship has been established, the domain controllers will use SID information to validate each other.

After the trusting domain has entered the correct password, a message is displayed indicating that the trust relationship was set up. Each administrator then sees the other domain listed in the trusted or trusting section of the Trust Relationships dialog box. If you have a network that has multiple domains and a large number of administrators, from a security viewpoint, it is a good idea to regularly check this dialog box to be sure that the trusts you expect to exist are there and that no others have been added. Remember that a trust relationship gives a user with administrative privileges the capability to grant rights and privileges to users outside your domain. This is a very powerful capability.

Again, remember that each trust relationship under Windows NT 4.0 is unidirectional. If you want both domains to allow users from the other domain to access resources in each domain, you will have to repeat the process and create two trust relationships between the two domains.

When it becomes necessary to remove a trust relationship, all you have to do is select the domain from either the trusted or trusting domains lists in the dialog box and click the Remove button.
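The one-way, non-transitive semantics described above, plus the periodic check of the Trust Relationships dialog, as an added example that is not part of the original post. It models each trust as a (trusting, trusted) pair; the domain names and trust lists are constructed for illustration.

```python
# Added example (not from the original post): a small model of Windows NT 4.0
# one-way trusts and an audit that flags trusts not on an approved list.
# Domain names and the trust lists below are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Trust:
    trusting: str   # domain whose resources are being shared
    trusted: str    # domain whose users are accepted via pass-through auth


def can_grant_access(trusts, resource_domain, user_domain):
    """True if an admin in resource_domain may grant rights to a user whose
    account (and SID) lives in user_domain. NT 4.0 trusts are one-way and
    non-transitive, so only a direct trust in the right direction counts;
    a user's own domain always qualifies."""
    if resource_domain == user_domain:
        return True
    return Trust(resource_domain, user_domain) in set(trusts)


def is_two_way(trusts, a, b):
    """Two separate one-way trusts are needed before users in A and B can
    reach resources in both domains."""
    t = set(trusts)
    return Trust(a, b) in t and Trust(b, a) in t


def audit_trusts(observed, approved):
    """Compare the trusts seen in the Trust Relationships dialog against the
    trusts the administrator expects. Returns (unexpected, missing)."""
    observed, approved = set(observed), set(approved)
    return sorted(observed - approved), sorted(approved - observed)


# Constructed sample: SALES trusts CORP (CORP users may be granted access in
# SALES); a trust of CORP toward PARTNER was never approved and should be caught.
APPROVED = [Trust("SALES", "CORP")]
OBSERVED = [Trust("SALES", "CORP"), Trust("CORP", "PARTNER")]

if __name__ == "__main__":
    print(can_grant_access(OBSERVED, "SALES", "CORP"))     # True
    print(can_grant_access(OBSERVED, "CORP", "SALES"))     # False: one-way only
    print(can_grant_access(OBSERVED, "SALES", "PARTNER"))  # False: not transitive
    unexpected, missing = audit_trusts(OBSERVED, APPROVED)
    for t in unexpected:
        print(f"UNEXPECTED: {t.trusting} trusts {t.trusted}")
    for t in missing:
        print(f"MISSING: {t.trusting} should trust {t.trusted}")
```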

Domain Controllers

The domain controller is a computer that holds a copy of the SAM. Domain controllers authenticate users when they log on to the network. In Windows NT there are two kinds of domain controllers:

Only a Windows NT Server computer can be used to create a domain controller, and this must be done during the initial installation of the operating system. Without a complete reinstallation of the operating system, Windows NT Servers that are installed as ordinary “member servers” cannot be upgraded later to become a PDC. Nor can a domain controller be downgraded to a standard member server without a complete reinstall. Windows NT Workstation computers cannot be used as domain controllers in any fashion. However, a Windows NT Workstation has its own local SAM database that can be used to allow users to log on to the local workstation, but not the network. This can be useful in small networks in which a domain controller is not necessary. However, in such a situation, if a user needs to access resources on more than one workstation, the user must have a user account on each workstation to which access is needed.
