19 July, 2012

"Trust" - A Deeper Look Inside Active Directory

This post focuses on trust... What does it take to "Trust" someone? :)

Here, in this lab, we have a parent domain (Parent.com, obviously) and a child domain (no points for guessing... Child.com).

Let's move into the sea of Active Directory... the ADSIEDIT snap-in.

We will discuss the various objects related to trust in Active Directory. Let's browse to the Domain Partition -> CN=System.


The trustedDomain object, also known as a TDO (Trusted Domain Object), is located at the following location:

<Domain Partition> --> CN=System --> CN=<Trusted Domain Name>

A TDO consists of the following information about a trust:

1. trustAttributes
2. trustAuthIncoming
3. trustAuthOutgoing
4. trustDirection
5. trustPartner
6. trustPosixOffset
7. trustType

The trustAttributes attribute holds bit flags that describe the trust relationship; the following values can be combined:
0x00000001 - The trust is Non-Transitive
0x00000002 - The trust is valid only for Windows 2000 (and newer) computers
0x00000008 - Forest Trust
0x00000010 - Trust is to a domain or forest that is not part of the organization
0x00000020 - Trusted domain is within the same forest
0x00000040 - External Trust

trustAuthIncoming: This attribute specifies authentication information for the incoming portion of a trust.

trustAuthOutgoing: This attribute specifies authentication information for the outgoing portion of a trust.

trustDirection: The direction of the trust, with one of the following values:
0x00000000 - Disabled
0x00000001 - Inbound
0x00000002 - Outbound
0x00000003 - Bidirectional

trustPartner: Name of the domain with which the trust is established.


trustType: What type of trust has been designated for the trusted domain:
1 - The trusted domain is a Microsoft Windows® domain not running Active Directory
2 - The trusted domain is a Windows domain running Active Directory
3 - The trusted domain is running a non-Windows Kerberos distribution
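To make the numeric values above easier to read off a TDO, here is an added example (not from the original post) that decodes trustAttributes, trustDirection and trustType as read from LDAP or ADSIEDIT; the sample TDO entries are constructed for the lab's Parent.com, and the flag names are the ones Microsoft documents for the values the post lists.

```python
# Added example (not from the original post). Decodes the numeric
# trustAttributes / trustDirection / trustType values of a trustedDomain
# object (TDO) into readable form. Values follow the post; the input
# dicts are constructed to look like an LDAP/ADSIEDIT read of a TDO.

TRUST_ATTRIBUTE_FLAGS = {
    0x00000001: "NON_TRANSITIVE",
    0x00000002: "UPLEVEL_ONLY",        # only Windows 2000 and newer computers
    0x00000008: "FOREST_TRANSITIVE",   # forest trust
    0x00000010: "CROSS_ORGANIZATION",  # partner is not part of the organization
    0x00000020: "WITHIN_FOREST",       # partner is in the same forest
    0x00000040: "TREAT_AS_EXTERNAL",   # treated as an external trust
}
TRUST_DIRECTION = {0: "Disabled", 1: "Inbound", 2: "Outbound", 3: "Bidirectional"}
TRUST_TYPE = {1: "Windows, no AD", 2: "Windows with AD", 3: "Non-Windows Kerberos"}


def decode_trust(tdo):
    """Translate one TDO's numeric attributes and attach review notes."""
    attrs = int(tdo["trustAttributes"])
    flags = [name for bit, name in TRUST_ATTRIBUTE_FLAGS.items() if attrs & bit]
    # Bits outside the post's list are reported rather than silently dropped.
    unknown = attrs & ~sum(TRUST_ATTRIBUTE_FLAGS)
    if unknown:
        flags.append("UNKNOWN_0x%08X" % unknown)
    direction = TRUST_DIRECTION.get(int(tdo["trustDirection"]), "Unknown")
    ttype = TRUST_TYPE.get(int(tdo["trustType"]), "Unknown")
    notes = []
    if "NON_TRANSITIVE" not in flags:
        notes.append("transitive")
    if "WITHIN_FOREST" not in flags and direction == "Bidirectional":
        notes.append("bidirectional trust outside this forest: review scope")
    return {"partner": tdo["trustPartner"], "direction": direction,
            "type": ttype, "flags": flags, "notes": notes}


# Constructed sample TDOs, as the lab's Parent.com would hold them.
SAMPLE_TDOS = [
    {"trustPartner": "child.com", "trustAttributes": "32",
     "trustDirection": "3", "trustType": "2"},        # parent/child link
    {"trustPartner": "partner.example", "trustAttributes": "65",
     "trustDirection": "2", "trustType": "2"},        # external, non-transitive
]

if __name__ == "__main__":
    for t in SAMPLE_TDOS:
        print(decode_trust(t))
```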

When a trust is created, a user account named "<Trusting Domain NetBIOS Name>$" is also created in the Users container in Active Directory.

The trust accounts are named after the NetBIOS domain name of the trusting domain with a dollar sign ($) appended.

You will also notice the domain object in the configuration partition. This is because the configuration and schema partitions are common to all the domains in the forest, so a "crossRef" object is created for the trusted domain under CN=Partitions in the configuration partition.