19 July, 2012

"Trust" - A Deeper Look Inside Active Directory

This Post Focuses on Trust.... What does it take to "Trust" Someone... :)

Here, in this Lab, we have a Parent Domain (Parent.com - Obviously) and a Child Domain (No Points for guessing... Child.com)


Let's move into the sea of Active Directory.... The ADSIEDIT Snap-In....


We will discuss the various objects related to Trust in Active Directory. Let's browse to the "Domain Partition" -> CN=System

trustedDomain

Also known as a TDO (Trusted Domain Object), it is located at the following location:

<Domain Partition> --> CN=System --> CN=<Trusted Domain Name>


A TDO consists of the following information about a Trust:

1. trustAttributes
2. trustAuthIncoming
3. trustAuthOutgoing
4. trustDirection
5. trustPartner
6. trustPosixOffset
7. trustType

trustAttributes
The trustAttributes attribute is a bit mask of flags that describe the trust relationship; the following values can be combined:
0x00000001 - The trust is Non-Transitive
0x00000002 - The trust is valid only for Windows 2000 (and newer) computers
0x00000008 - Forest Trust
0x00000010 - Trust is to a domain or forest that is not part of the organization
0x00000020 - Trusted domain is within the same forest
0x00000040 - External Trust

trustAuthIncoming
This attribute specifies authentication information for the incoming portion of a trust

trustAuthOutgoing
This attribute specifies authentication information for the outgoing portion of a trust

trustDirection
Disabled        0x00000000
Inbound         0x00000001
Outbound        0x00000002
Bidirectional   0x00000003

trustPartner
Name of the Domain with which the Trust is Established

trustType
The type of trust that has been designated for the trusted domain:
1 - The trusted domain is a Microsoft Windows® domain not running Active Directory
2 - The trusted domain is a Windows domain running Active Directory
3 - The trusted domain is running a non-Windows Kerberos distribution
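As an added example (not part of the original post), the following Python decodes the three numeric TDO attributes above from constructed sample records and lists the checks an AD reviewer would want: direction, transitivity and SID filtering. The flag names follow the MS-ADTS constant names; the 0x00000004 quarantine bit (SID filtering) is a documented flag that is not in the list above.

```python
# Decoder for the trustedDomain (TDO) attributes described above.
# The records at the bottom are constructed samples, not read from a real directory.

TRUST_ATTRIBUTES = {
    0x00000001: "NON_TRANSITIVE",
    0x00000002: "UPLEVEL_ONLY",
    0x00000004: "QUARANTINED_DOMAIN",   # SID filtering; documented flag not listed in the post
    0x00000008: "FOREST_TRANSITIVE",
    0x00000010: "CROSS_ORGANIZATION",
    0x00000020: "WITHIN_FOREST",
    0x00000040: "TREAT_AS_EXTERNAL",
}
TRUST_DIRECTION = {0: "Disabled", 1: "Inbound", 2: "Outbound", 3: "Bidirectional"}
TRUST_TYPE = {1: "Downlevel (no AD)", 2: "Uplevel (AD)", 3: "MIT Kerberos"}


def decode_attributes(value):
    """Expand a trustAttributes bit mask into flag names; unknown bits are reported, not dropped."""
    names = [name for bit, name in TRUST_ATTRIBUTES.items() if value & bit]
    unknown = value & ~sum(TRUST_ATTRIBUTES)
    if unknown:
        names.append("UNKNOWN(0x%08x)" % unknown)
    return names


def audit_trust(tdo):
    """Summarise one TDO (dict of LDAP attribute values) and return review findings."""
    flags = set(decode_attributes(tdo["trustAttributes"]))
    findings = []
    if "WITHIN_FOREST" not in flags:
        # Any trust leaving the forest crosses a security boundary.
        if "FOREST_TRANSITIVE" in flags:
            if "TREAT_AS_EXTERNAL" in flags:
                findings.append("forest trust relaxed to external-trust SID filtering")
        elif "QUARANTINED_DOMAIN" not in flags:
            findings.append("external trust without SID filtering (quarantine)")
        if "NON_TRANSITIVE" not in flags and "FOREST_TRANSITIVE" not in flags:
            findings.append("external trust is transitive")
    return {
        "partner": tdo["trustPartner"],
        "direction": TRUST_DIRECTION.get(tdo["trustDirection"], "Unknown"),
        "type": TRUST_TYPE.get(tdo["trustType"], "Unknown"),
        "flags": sorted(flags),
        "findings": findings,
    }


# Constructed sample TDOs as they might sit under CN=System in Parent.com.
SAMPLE_TDOS = [
    {"trustPartner": "child.com", "trustAttributes": 0x20, "trustDirection": 3, "trustType": 2},
    {"trustPartner": "partner.example", "trustAttributes": 0x00, "trustDirection": 1, "trustType": 2},
]

if __name__ == "__main__":
    for tdo in SAMPLE_TDOS:
        print(audit_trust(tdo))
```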

When a Trust is created, a user account named "<Trusting Domain NETBIOS Name>$" is also created in the Users container in Active Directory.

The trust accounts are named after the NETBIOS domain name of the trusting domain with a dollar sign ($) appended.


You will also notice the trusted domain in the Configuration partition. This is because the Configuration and Schema partitions are common to all the domains in the forest, so a "crossRef" object is created for the trusted domain under "CN=Partitions" in the Configuration partition.