Forests
The Windows 2000 Active Directory
forest is the collection of one or more Microsoft Windows
2000 domains that share a common schema, configuration, and
global catalog. You will find all sorts of clients in this
setup, everything from Windows 9x systems up through Windows
XP Professional. You may even find Windows NT 3.51, NT 4 and
Windows 2000 member servers in a Windows 2000 forest as well.
[NOTES FROM THE FIELD] - What
you will not find, unless it has been hacked to do so, is a
Windows XP Home Edition system as a member of a domain. This
is not a supported configuration. Windows XP Professional is
the only version of Windows XP that can join a domain and be
managed by it.
The domain namespace of the domain
trees in the forest is not always a single contiguous namespace.
If there is only one tree in the forest, all of its domains share
one contiguous namespace. Since a forest may contain more than
one domain tree (it is not a requirement, but it is allowed),
each of these domain trees has its own contiguous namespace,
separate from the others.
All of the domains in a domain tree and
all of the trees in a single forest have the connectivity
benefit of the two-way, transitive trust relationship, which
is the default trust relationship between Windows 2000
domains. A two-way, transitive trust, by definition, is
really the combination of a transitive trust and a two-way
trust. This complete trust between all domains in an Active
Directory domain hierarchy helps to form the forest as a
single unit via its common schema, configuration, and global
catalog.
The first Windows 2000 domain installed
in the forest is considered to be the forest root domain.
This image shows a single Windows 2000
forest with two domain trees. Zandri.net and Gunderville.com
are both in the same forest, yet their domain namespaces have
different names.
Trees
Domain trees within the Windows 2000
Active Directory forest are a set of Windows 2000 domains
connected by two-way transitive trusts and sharing a
common schema, configuration, and global catalog.
To be considered a true Windows 2000 domain tree, the domains
must form a contiguous hierarchical namespace with one domain
as the tree root.
The first Windows 2000 domain installed
in a tree is considered to be the root domain of that tree.
It would only be considered the forest root domain if it was
also the first domain in the forest.
[NOTES FROM THE FIELD] - In the above image we see that Zandri.net is linked
"down" to Gunderville.com. This is usually drawn that way to show
that Zandri.net is the forest root domain. When Zandri.net was
first installed it became the root of the Zandri.net tree and
the root of the Active Directory forest. When Gunderville.com
was first installed it was installed into the existing forest
and became the root of its own domain tree.
In the above image, the Zandri.net tree has two child domains
installed in its tree, Northamerica.Zandri.net and
Southamerica.Zandri.net. Likewise, Gunderville.com has two
child domains installed in its tree,
Northamerica.Gunderville.com and
Southamerica.Gunderville.com. This shows the contiguous
hierarchical namespace within the domain trees.
Trust Relationships
As described above, all of the domains in a domain tree and
all of the trees in a single forest are joined by two-way,
transitive trusts, the default trust relationship between
Windows 2000 domains. A two-way, transitive trust is really
the combination of a transitive trust and a two-way trust, so
it is worth taking each half of the term in turn.
A transitive trust is a relationship
that extends from one domain to the next, to the next, and so
on. In the above example, Northamerica.Zandri.net indirectly
trusts Southamerica.Zandri.net because the trust path runs
from Northamerica.Zandri.net to Zandri.net to
Southamerica.Zandri.net: Northamerica.Zandri.net to Zandri.net
is a direct (parent-child) trust, Zandri.net to
Southamerica.Zandri.net is a direct trust, and all trusts within
a Windows 2000 Active Directory forest are transitive by default,
so Northamerica.Zandri.net indirectly trusts
Southamerica.Zandri.net.
The same relationship holds between
Northamerica.Zandri.net and Southamerica.Gunderville.com.
Since both are in the same forest, connected by a common schema,
configuration, and global catalog, and all trusts within a
Windows 2000 Active Directory forest are transitive by default,
the following is true:
Northamerica.Zandri.net directly trusts Zandri.net, Zandri.net
directly trusts Gunderville.com (the tree-root trust between the
forest root and the root of the second tree), and Gunderville.com
directly trusts Southamerica.Gunderville.com, so
Northamerica.Zandri.net indirectly trusts
Southamerica.Gunderville.com.
A two-way trust can be thought of simply
as two one-way trusts between the same two domains. Zandri.net
trusting Northamerica.Zandri.net is one one-way trust;
Northamerica.Zandri.net trusting Zandri.net is another. Together
they are a two-way trust because each domain trusts the other in
the same way that it is trusted.
The same applies where Zandri.net trusts Gunderville.com and
Gunderville.com trusts Zandri.net. Since these two domain trees
are in the same forest, each trusts the other and all of the
other's child domains (two-way and transitively).
Again, all of the domains in a domain
tree and all of the trees in a single forest have the
connectivity benefit of the two-way, transitive trust
relationships, which are the default trust relationships
between Windows 2000 domains.
This IS NOT true of domains and domain trees OUTSIDE the
forest. A trust to such a domain is referred to as an
external trust.
For example, if Zandri.net were
collaborating on a project with 2000trainers.com, where users
in the 2000trainers.com Windows 2000 domain needed access to
resources within the Zandri.net Windows 2000 domain, the
domain administrator for Zandri.net would have to manually
set up a trust relationship in which Zandri.net trusts
2000trainers.com, so that users in 2000trainers.com could be
granted access to the resources they needed. (Zandri.net, which
holds the resources, is the trusting domain; 2000trainers.com,
which holds the accounts, is the trusted domain.) This would
not give users in Zandri.net access to any resources in
2000trainers.com: a manually created one-way trust does not
automatically create the "reverse" one-way trust that would
make 2000trainers.com trust the users of Zandri.net.
Also, the trust is in no way
transitive. If a trust were established from Zandri.net to
2000trainers.com and there were a child domain of
2000trainers.com called Forums.2000trainers.com, users of
Forums.2000trainers.com would not gain access to any of the
resources in Zandri.net, even though Forums.2000trainers.com
shares the common schema, configuration, and global catalog of
the 2000trainers.com forest. The trust exists only between
2000trainers.com and Zandri.net, and in this example it was set
up only so that users in 2000trainers.com can access resources
in the Zandri.net domain. If users of the Forums.2000trainers.com
Windows 2000 domain also require access to Zandri.net, then
another one-way, external, non-transitive trust would need to
be established directly from Zandri.net to
Forums.2000trainers.com.
External trusts can be created to a domain in a
different Windows 2000 forest or to a Windows NT domain
(sometimes called a down-level domain). A similar explicit
trust can be created to a non-Windows Kerberos version 5 realm
(Windows 2000 calls this a realm trust).
You can combine two one-way trusts to
create a two-way trust relationship, where 2000trainers.com
trusts Zandri.net and Zandri.net trusts 2000trainers.com;
however, even these are NOT TRANSITIVE, since the domains are
in different Windows 2000 Active Directory forests.
[NOTES FROM THE FIELD] - Users of the 2000trainers.com domain would
be able to access resources they had been given permission to
in the Zandri.net domain, but because the external trust is
non-transitive it does not extend to the other domains in the
forest, such as Northamerica.Zandri.net, Southamerica.Zandri.net
or any of the Gunderville.com domain tree. Remember too that a
trust only makes the accounts of the trusted domain available to
be granted permissions; by itself it grants access to nothing.
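As an added worked example (my own code, not part of the original article and not an Active Directory API), the following Python script models the forest drawn above and the external trust discussed in this section. It derives the two domain trees from the contiguous-namespace rule given in the Trees section, builds the default two-way transitive parent-child and tree-root trusts, adds the one-way, non-transitive external trust from Zandri.net to 2000trainers.com, and then walks the trust graph to answer whether one domain trusts another and by what path. The domain names are the article's; the function names, the edge representation and the rule that a non-transitive trust can only ever be used as a single direct hop are this example's own modelling assumptions.

```python
from collections import deque

# Constructed example forest from the article: forest root Zandri.net plus a second tree.
FOREST_DOMAINS = [
    "zandri.net",
    "northamerica.zandri.net",
    "southamerica.zandri.net",
    "gunderville.com",
    "northamerica.gunderville.com",
    "southamerica.gunderville.com",
]
FOREST_ROOT = "zandri.net"  # the first domain installed in the forest

# A separate, constructed forest for the external-trust example.
OTHER_FOREST = ["2000trainers.com", "forums.2000trainers.com"]
OTHER_FOREST_ROOT = "2000trainers.com"


def parent_of(domain, forest):
    """Return the domain's parent within the forest, or None for a tree root.
    A child domain's DNS name is its parent's name with one label prepended."""
    parent = domain.split(".", 1)[1] if "." in domain else ""
    return parent if parent in forest else None


def trees(forest):
    """Group the forest into trees keyed by tree root: a root is any domain whose
    parent is not in the forest, and its tree is the contiguous namespace below it."""
    roots = [d for d in forest if parent_of(d, forest) is None]
    return {root: sorted(d for d in forest if d == root or d.endswith("." + root))
            for root in roots}


def forest_trusts(forest, forest_root):
    """Build the trusts Windows 2000 creates automatically inside a forest as
    (trusting, trusted, transitive) edges. Parent-child trusts and the tree-root
    trusts from the forest root to every other tree root are two-way and transitive."""
    edges = []

    def two_way(a, b):
        edges.append((a, b, True))
        edges.append((b, a, True))

    for domain in forest:
        parent = parent_of(domain, forest)
        if parent is not None:
            two_way(domain, parent)       # parent-child trust
        elif domain != forest_root:
            two_way(forest_root, domain)  # tree-root trust
    return edges


def external_trust(trusting, trusted, two_way=False):
    """A manually created external trust: never transitive, one-way unless asked."""
    edges = [(trusting, trusted, False)]
    if two_way:
        edges.append((trusted, trusting, False))
    return edges


def trust_path(trusting, trusted, edges):
    """Return the chain of domains through which `trusting` trusts `trusted`, or None.
    Modelling rule (this example's assumption): a direct trust counts whether or not
    it is transitive, but a path of two or more hops is valid only if every hop is
    transitive. So Zandri.net's one-way external trust neither lets Zandri.net's
    child domains trust 2000trainers.com nor lets Zandri.net trust its children."""
    if trusting == trusted:
        return [trusting]
    graph = {}
    for a, b, transitive in edges:
        graph.setdefault(a, []).append((b, transitive))
    if any(b == trusted for b, _ in graph.get(trusting, [])):
        return [trusting, trusted]          # direct trust
    seen, queue = {trusting}, deque([[trusting]])
    while queue:                            # breadth-first over transitive edges only
        path = queue.popleft()
        for b, transitive in graph.get(path[-1], []):
            if not transitive or b in seen:
                continue
            seen.add(b)
            if b == trusted:
                return path + [b]
            queue.append(path + [b])
    return None


def trusts(trusting, trusted, edges):
    """True if accounts from `trusted` can be granted access to resources in `trusting`."""
    return trust_path(trusting, trusted, edges) is not None


# The article's scenario: both forests plus Zandri.net's one-way trust of 2000trainers.com.
EDGES = (forest_trusts(FOREST_DOMAINS, FOREST_ROOT)
         + forest_trusts(OTHER_FOREST, OTHER_FOREST_ROOT)
         + external_trust("zandri.net", "2000trainers.com"))

if __name__ == "__main__":
    print(trees(FOREST_DOMAINS))
    for a, b in [("northamerica.zandri.net", "southamerica.gunderville.com"),
                 ("zandri.net", "forums.2000trainers.com")]:
        print(a, "trusts", b, "via", trust_path(a, b, EDGES))
```

Running it reproduces the chain described above (Northamerica.Zandri.net to Zandri.net to Gunderville.com to Southamerica.Gunderville.com) and returns no path from Zandri.net to Forums.2000trainers.com. Two things worth noticing: every domain inside the forest can reach every other, so the forest rather than the individual domain is the effective trust boundary, and the external trust is the only edge whose reach the administrator actually controls. Whether a trusted account can then open anything is still decided by the ACLs on the resource, which this model does not represent.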
If you have any questions, comments or
even constructive criticism, please feel free to drop me a
note.
I want to write solid technical
articles that appeal to a large range of readers and skill
levels and I can only be sure of that through your feedback.
Until next time, best of luck in your
studies and remember,
Of all the OXYMORONS there are, Found Missing and Clearly
Misunderstood are two of my favorites.