
Active Directory trust relationships

A trust relationship consists of two domains and provides the necessary configuration between them to allow security principals on one side of the trust to be authenticated by, and then granted permissions to, the resources that exist in the domain on the other. A trust is an authentication path, not an authorization grant: once the trust exists, access is still decided by the ACLs on the resources, which is why anyone able to smuggle extra identities across a trust (for example through SID history) reaches whatever those ACLs allow. The trust is necessary because, in the world of Windows and similar technologies, a domain does not unconditionally accept a user's credentials from other domains. Without one it is cumbersome or impossible to, for example, grant users from one domain the ability to print to a printer in another. The two sides of a Windows-compatible trust relationship can consist of any of the following collective entities:

- A Windows NT domain
- An Active Directory domain
- An Active Directory forest
- A Kerberos realm

A number of possible combinations of these four collective entities exists; the typical combinations are named and described below:

Intra-forest trusts
- created automatically between contiguously named Active Directory domains within the same forest (parent and child)
- created automatically between a new Active Directory domain-tree root (a discontiguous namespace) and the forest root within a forest
- always two-way and transitive, so every domain in a forest trusts every other; the forest, not the domain, is the security boundary

Shortcut trusts
- administratively created between discontiguously named Active Directory domains within the same forest
- administratively created between Active Directory domain-tree roots within the same forest (peer root domains)
- administratively created between contiguously named Active Directory domains separated by an intermediary domain (grandparent domain to grandchild domain)

External trusts
- administratively created between two Active Directory domains that are not in the same forest, or when one or both of the domains is hosted by Windows NT
- non-transitive: only the two named domains are involved

Cross-forest trust
- administratively created between two Active Directory forests
- the trust must be created between the two forest root domains
- the two forests must both be hosted by Windows Server 2003 or later domain controllers and the forest functional level must be raised to at least Windows Server 2003 (level 2)

Realm trust
- created between a Windows domain and a Kerberos realm

Other components of a trust relationship

In addition to the two halves that make up a trust relationship, three additional properties of a trust must also be understood:

- Trust transitivity ("A" trusts "B" trusts "C") - a trust relationship is considered transitive if it permits a trusting domain to, in turn, trust whatever the trusted domain trusts. For example, if domain "A" trusts domain "B" and domain "B" trusts domain "C", then the trusts between "A" and "B" and between "B" and "C" are transitive only if domain "A" can be said to trust domain "C" without a third explicit trust between "A" and "C". Intra-forest and cross-forest trusts are transitive (a cross-forest trust spans exactly the two forests and does not chain on to a third forest); external trusts are not. Shortcut trusts do not change what is reachable, they only shorten the Kerberos referral path.
- Trust direction (one-way or two-way) - a trust relationship can be uni- or bi-directional. Direction is easy to read backwards: if "A" trusts "B", the trust is outgoing from "A", and it is the principals of "B" who gain access to the resources of "A", not the other way round.
- Supported authentication protocols (NTLM and/or Kerberos) - a trust relationship is capable of supporting only those authentication protocols for which it was designed. A modern Windows trust relationship supports either NTLM or both NTLM and Kerberos; legacy Windows NT trusts supported only NTLM.

Enhancing the security of a trust relationship

Two trust-related security enhancement technologies exist: SID filtering and the authentication firewall (selective authentication). SID filtering, which discards SIDs in a cross-trust token that do not belong to the trusted domain (notably SID history), was introduced in the Windows 2000 era, while the authentication firewall, which limits which principals on the trusted side may authenticate to which computers on the trusting side, is available only with Windows Server 2003. In the next article, we'll delve into the specifics of SID filtering including its configuration, scope and some specific behavioral oddities.
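The three properties above are stored as the trustType, trustDirection and trustAttributes attributes of the trustedDomain objects in each domain's System container, which is what an LDAP enumeration of a domain returns. The following Python is an added example, not code from this page: it decodes those attributes using the MS-ADTS bit values and reports the trusts a reviewer would want to look at (outbound external trusts without SID filtering, forest trusts weakened to external-style filtering, trusts without selective authentication, NT-style NTLM-only trusts). The trust objects at the bottom are constructed for the example.

```python
"""Decode Active Directory trust objects and flag the trusts a reviewer should look at.

Added example, not code from the original page. The bit values are the
TRUST_ATTRIBUTE_*, TRUST_DIRECTION_* and TRUST_TYPE_* constants from MS-ADTS
(the trustAttributes, trustDirection and trustType attributes of a
trustedDomain object). The sample trusts at the bottom are constructed.
"""
from dataclasses import dataclass

# trustAttributes bit flags
NON_TRANSITIVE = 0x1
UPLEVEL_ONLY = 0x2
QUARANTINED_DOMAIN = 0x4     # SID filtering ("quarantine") is enforced on this trust
FOREST_TRANSITIVE = 0x8      # a cross-forest (forest) trust
CROSS_ORGANIZATION = 0x10    # selective authentication (the "authentication firewall")
WITHIN_FOREST = 0x20         # automatic intra-forest trust
TREAT_AS_EXTERNAL = 0x40     # forest trust filtered only as loosely as an external trust

# trustDirection bits, from the point of view of the domain that holds the object
DIR_INBOUND = 0x1            # the other side trusts us: our users reach their resources
DIR_OUTBOUND = 0x2           # we trust the other side: their users reach our resources

# trustType values
TYPE_DOWNLEVEL, TYPE_UPLEVEL, TYPE_MIT = 1, 2, 3   # NT domain, AD domain, Kerberos realm


@dataclass(frozen=True)
class Trust:
    name: str
    trust_type: int
    trust_direction: int
    trust_attributes: int


def classify(t: Trust) -> str:
    """Map the raw attributes onto the trust kinds named in the text."""
    if t.trust_type == TYPE_MIT:
        return "realm"
    if t.trust_attributes & WITHIN_FOREST:
        return "intra-forest"
    if t.trust_attributes & FOREST_TRANSITIVE:
        return "forest"
    return "external"


def direction(t: Trust) -> str:
    return {1: "inbound", 2: "outbound", 3: "bidirectional"}.get(t.trust_direction & 0x3, "none")


def is_transitive(t: Trust) -> bool:
    a = t.trust_attributes
    if a & NON_TRANSITIVE:
        return False
    if a & (WITHIN_FOREST | FOREST_TRANSITIVE):
        return True
    # External trusts are never transitive; a realm trust is unless the flag above is set.
    return t.trust_type == TYPE_MIT


def findings(t: Trust) -> list:
    """Things a security review of one trust should call out, as short strings."""
    a = t.trust_attributes
    kind = classify(t)
    out = []
    # SID filtering and selective authentication protect the *trusting* side,
    # so they only matter where our resources are exposed: outbound or bidirectional.
    exposes_resources = bool(t.trust_direction & DIR_OUTBOUND)
    if exposes_resources and kind == "external" and not a & QUARANTINED_DOMAIN:
        out.append("external trust without SID filtering: SID history from the trusted domain is honoured")
    if exposes_resources and kind == "forest" and a & TREAT_AS_EXTERNAL:
        out.append("forest trust marked TREAT_AS_EXTERNAL: only external-style SID filtering applies")
    if exposes_resources and kind in ("external", "forest") and not a & CROSS_ORGANIZATION:
        out.append("no selective authentication: every principal on the trusted side is Authenticated Users here")
    if t.trust_type == TYPE_DOWNLEVEL:
        out.append("downlevel (Windows NT) trust: NTLM only, no Kerberos")
    return out


def review(trusts) -> dict:
    """name -> (kind, direction, transitive, findings) for every trust given."""
    return {t.name: (classify(t), direction(t), is_transitive(t), findings(t)) for t in trusts}


# Constructed sample: what an LDAP search for (objectClass=trustedDomain) might return.
SAMPLE_TRUSTS = [
    Trust("child.corp.example", TYPE_UPLEVEL, DIR_INBOUND | DIR_OUTBOUND, WITHIN_FOREST),
    Trust("partner.example", TYPE_UPLEVEL, DIR_OUTBOUND, FOREST_TRANSITIVE | CROSS_ORGANIZATION),
    Trust("NT4LEGACY", TYPE_DOWNLEVEL, DIR_INBOUND | DIR_OUTBOUND, 0),
    Trust("KRB.EXAMPLE.ORG", TYPE_MIT, DIR_INBOUND, NON_TRANSITIVE),
]

if __name__ == "__main__":
    for name, (kind, dirn, trans, notes) in review(SAMPLE_TRUSTS).items():
        print(f"{name:22} {kind:12} {dirn:13} transitive={trans}")
        for n in notes:
            print("   !", n)
```

The direction check is the part people get wrong: the quarantine and selective-authentication bits on a trust only protect the domain that set them, and only when that domain's resources are exposed, so a purely inbound trust with neither bit set is not a finding for this domain (it is one for the other side).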

Active Directory Replication


As mentioned in an earlier section, the Active Directory database is replicated between domain controllers. The units of data replicated between controllers are called "naming contexts" (also directory partitions). Once a domain controller has been established, only changes are replicated. Active Directory uses a multimaster model, which means changes can be made on any controller and the changes are sent to all other controllers. Within a site the replication path forms a ring, which adds reliability to the replication.

How Replication is Tracked

USN - Each domain controller keeps an Update Sequence Number (USN), a 64-bit counter that it increments for every write it makes to its own copy of the database, whether the write originated locally or arrived by replication. Each object (and each attribute) records the local USN of its most recent change. Because the counter is per controller, the same change carries a different USN on each domain controller.

Stamps - Each attribute value carries a stamp with the version number, the timestamp of the originating write, and the GUID of the domain controller where the change was made. These stamps, not the USNs, are what decide conflicts.

Domain controllers each contain a "replica", which is a copy of the domain directory. The "directory update type" indicates how the data is replicated. The two types are:

- Origination update - A change made by an administrator (or any client) at the local domain controller.
- Replicated update - A change made to the replica because of a replication from a replication partner.

Replication Sequence

Terms:

- Latency - The time required for an update to reach all domain controllers on the network, domain or forest.
- Convergence - The state at which all domain controllers have the same replica contents of the Active Directory database.
- Loose consistency - The state in which some changes to the database have not yet been replicated to all controllers (not converged). Active Directory is loosely consistent between every write and convergence, which is why two administrators can make conflicting changes on different controllers at the same time.

1. A change is made to the Active Directory database on a domain controller. The changed attribute of the object and the new USN are written to the database together; the entire object is NOT replicated, only the attribute. This is an atomic operation because both writes are done, or neither is done. This is an origination update. There are four types:
   o Add - An object is added to the database.
   o Delete - An object is deleted from the database. What replicates is the tombstone the object becomes; the tombstone is purged after the tombstone lifetime.
   o Modify - An object in the database has its attributes modified.
   o Modify DN - An object is renamed or moved to another container.
2. The controller the change was made on notifies its replication partners that a change was made, after a short hold-down so that a burst of edits goes out as one batch (five minutes in Windows 2000; 15 seconds at Windows Server 2003 forest functional level). It sends a change notification to these partners, but staggers them (one partner every 30 seconds in Windows 2000; 3 seconds in Windows Server 2003) so it is not overwhelmed with update requests. Each controller, in turn, when it is updated, sends a change notice to its respective replication partners.
3. The replication partners each send an update request to the domain controller that the change was made on, carrying the highest USN they have already received from it. Each change has a unique USN on the controller where it was written, so the source can tell from the request exactly which changes the requester is missing and send only those. Because ordering is by USN, the clocks on the controllers do not need to be synchronized exactly, although timestamps are used to break ties when the same attribute was changed in two places.

Changes flow through replication partners until all partners have been updated. At some point, replication partners will attempt to replicate changes to partners that already have them. This is where propagation dampening is used. If no changes have been performed in six hours, a scheduled replication is performed anyway to be sure no notification has been missed. Information sent during an update includes:

- The updated attribute value (not the whole object)
- The GUID and USN of the domain controller that made the originating update
- The local USN of the update on the sending controller

Replication Path

The path that replicated Active Directory data travels between domain controllers is called the replication topology. Connection objects are used to define the replication paths between domain controllers; each connection object is one-way and describes an inbound connection from a source controller to the controller under whose NTDS Settings it is stored. Active Directory, by default, sets up a two-way ring replication path. The data can travel in both directions around the ring, which provides redundancy and reliability. Two types of replication occur in the path:

- Direct replication - When replication is done from the controller where the change originated.
- Transitive replication - When replication is done from a secondhand source, that is, a controller that itself received the change by replication.

The Knowledge Consistency Checker (KCC), running on all domain controllers, generates the replication topology by specifying which domain controllers will replicate to which other domain controllers in the site. The KCC maintains the list of connection objects, called the replication topology, to other domain controllers in the site. The KCC ensures that changes to any object are replicated to all domain controllers in the site and that updates pass through no more than three connections (hops) between any two controllers. An administrator can also create connection objects manually; the KCC keeps those and builds around them. The KCC uses the site and subnet information provided by the administrator to build the Active Directory replication topology automatically.

Propagation Dampening

Terms:

Propagation dampening is used to prevent unnecessary replication by preventing updates from being sent to servers that are already updated. Each domain controller keeps a list of other known domain controllers and the last USN received from each of them. Two structures support this, and it helps to keep them apart:

- The high-watermark table has one entry per replication partner: the highest local USN of that partner that this controller has already received. It answers "what should I ask this partner for next?"
- The up-to-date vector has one entry per originating controller anywhere in the forest, keyed by its replica (invocation) GUID: the highest originating USN from that controller that this controller has already applied, by whatever path it arrived. It answers "do I already have this change, even though I am now seeing it from a different partner?"

The USN carried in a replicated change is the one from the originating server. It is stored with the change as metadata:

- an attribute indicating "added" or "changed" for the object being updated,
- the originating controller's GUID (above),
- a local USN for the object attribute changed,
- the changed data.

The up-to-date vector entry for a controller advances whenever a change originated by that controller is applied, whether it came directly or via another partner. Each domain controller has its own USN counter (they do not start at the same number), so one change has a different local USN on every controller it reaches. The highest USN from a given domain controller that is stored on another domain controller is that controller's high watermark for it.

Propagation delay describes the amount of time required for a change to be replicated to domain controllers throughout the domain. Ring Topology - The Active Directory replication process uses a ring topology where the replication partners form a ring. This adds reliability to the process and also helps decrease propagation delay.

The information sent in an update request includes the requester's high-watermark entry for the source, plus its up-to-date vector. The source sends only changes whose local USN is above that high watermark, and of those it drops any whose originating GUID and USN are already covered by the requester's up-to-date vector; that is the dampening. If the requester already holds everything, nothing is sent. The usnChanged attribute on each object records the local USN of the most recent change to that object on this controller, so the same object has a different usnChanged on every domain controller; it is the value that repadmin and incremental-sync clients compare against.
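The three-step sequence above (originating write, notification, partner pull carrying a USN) and the dampening rule here can be watched in a few dozen lines. The following Python is an added example, not code from this page: three toy controllers in a ring, each with its own USN counter, a high-watermark table and an up-to-date vector. Controller names stand in for DSA GUIDs and the starting USN values are arbitrary, as in a real forest. The metadata it keeps per attribute (originating DC, originating USN, local USN) is the same information repadmin /showobjmeta prints, which is what lets an investigator attribute a change to the controller it was first written on rather than the one it was read from.

```python
"""USNs, high-watermarks and the up-to-date vector, simulated.

Added example, not code from the original page. Three toy domain controllers
replicate in a ring; each keeps its own USN counter, a per-partner
high-watermark table and an up-to-date vector. Controller names stand in for
DSA GUIDs / invocation IDs and the starting USNs are arbitrary, as in a real
forest.
"""
from dataclasses import dataclass, field


@dataclass
class Change:
    local_usn: int     # this controller's USN for the write (the object's usnChanged here)
    key: tuple         # (object DN, attribute)
    value: str
    orig_dc: str       # controller where the originating write happened
    orig_usn: int      # that controller's USN for the originating write


@dataclass
class DC:
    name: str
    usn: int                                            # local USN counter
    attrs: dict = field(default_factory=dict)           # key -> current Change
    log: list = field(default_factory=list)             # every write, in local USN order
    high_watermark: dict = field(default_factory=dict)  # partner name -> highest partner USN pulled
    utd_vector: dict = field(default_factory=dict)      # orig_dc -> highest orig_usn applied

    def _store(self, key, value, orig_dc, orig_usn):
        """Every write, originating or replicated, consumes one local USN."""
        self.usn += 1
        ch = Change(self.usn, key, value, orig_dc, orig_usn)
        self.attrs[key] = ch
        self.log.append(ch)
        self.utd_vector[orig_dc] = max(self.utd_vector.get(orig_dc, 0), orig_usn)

    def originate(self, key, value):
        """Originating update: the stamp names this controller and the USN it is about to use."""
        self._store(key, value, self.name, self.usn + 1)

    def changes_for(self, requester_hwm, requester_utd):
        """What a source sends: changes above the requester's high-watermark for us,
        minus anything the requester's up-to-date vector shows it already applied
        (propagation dampening)."""
        return [c for c in self.log
                if c.local_usn > requester_hwm
                and c.orig_usn > requester_utd.get(c.orig_dc, 0)]

    def pull_from(self, src):
        """One replication cycle from src; returns how many changes were actually sent."""
        changes = src.changes_for(self.high_watermark.get(src.name, 0), self.utd_vector)
        for c in changes:
            self._store(c.key, c.value, c.orig_dc, c.orig_usn)     # replicated update
        self.high_watermark[src.name] = src.usn
        # After a complete cycle the destination is at least as current as the source.
        for dc, u in src.utd_vector.items():
            self.utd_vector[dc] = max(self.utd_vector.get(dc, 0), u)
        return len(changes)

    def usn_changed(self, key):
        return self.attrs[key].local_usn


def ring_demo():
    """A -> B -> C -> A ring; one write on A, then four pull cycles."""
    a, b, c = DC("A", 1000), DC("B", 5000), DC("C", 20)
    key = ("cn=alice,ou=staff,dc=corp,dc=example", "title")
    a.originate(key, "engineer")
    sent = [
        b.pull_from(a),   # B gets the change from A (direct replication)
        c.pull_from(b),   # C gets it second-hand from B (transitive replication)
        c.pull_from(a),   # above C's watermark for A, but C's UTD vector says "already applied": dampened
        a.pull_from(c),   # C's copy is a replicated update of A's own write: dampened too
    ]
    return a, b, c, sent


if __name__ == "__main__":
    a, b, c, sent = ring_demo()
    print("changes sent per cycle:", sent)
    for dc in (a, b, c):
        ch = next(iter(dc.attrs.values()))
        print(f"{dc.name}: usnChanged={ch.local_usn} originating={ch.orig_dc}@{ch.orig_usn} utd={dc.utd_vector}")
```

The third and fourth cycles are the point of the example: by high watermark alone A would resend its write to C, and C would hand A back a copy of A's own write, but the up-to-date vector already covers (A, 1001) on both sides, so nothing is sent and the ring converges after two transfers.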

Replication Partitions

Active Directory stores its data in categories called partitions (naming contexts):

- Schema partition - Defines the rules for object creation and modification for all objects in the forest. Replicated to all domain controllers in the forest, so it is known as an enterprise partition.
- Configuration partition - Describes the forest directory structure, including trees, domains, domain trust relationships, and sites (groups of TCP/IP subnets). Replicated to all domain controllers in the forest, so it is also an enterprise partition.
- Domain partition - Has complete information about all domain objects (objects that are part of the domain, including OUs, groups, users and others). Replicated only to domain controllers in the same domain.
  o Partial domain directory partition - A list of every object in the forest with a partial set of attributes for each object; this is what a global catalog server holds for every domain other than its own.

These partitions are all replicated between domain controllers by Active Directory. Different partitions may be replicated between different replication partners, because a controller replicates a partition only with partners that also host it. (Windows Server 2003 adds application partitions, such as the DomainDnsZones and ForestDnsZones partitions used by DNS, whose replication scope is chosen per partition.)

Replication Conflict

A replication conflict occurs when changes are made to the same attribute of the same object on two domain controllers before either change has been replicated to the other. Additional data (metadata) stored for each object attribute, independent of the USN, includes:

- Time stamp of the last originating change.
- Attribute version number - incremented by each originating write to that attribute. For a given attribute value this number is the same on all domain controllers once the value has replicated, unlike the USN.

When an Active Directory database update for an attribute is received on a domain controller, one of the following happens:

- If the incoming attribute version number is higher than the version number currently stored on the controller, the new value of the attribute is stored and the version number is updated.
- If the incoming version number is lower, the incoming value is discarded; the controller already holds a later write.
- If the incoming and stored attribute version numbers are the same, the timestamps are compared and the later write wins.
- If both version numbers and both timestamps are the same, the update from the originating controller with the highest GUID is used.

Because every controller applies the same ordering to the same stamps, they all converge on the same value no matter in which order the competing writes arrive. The losing write is silently lost, which is why "last writer wins" is acceptable for ordinary attributes but not for the schema, domain naming or RID allocation (see the FSMO roles below).
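The ordering just described, as an added Python example (not code from this page): a stamp of (version, timestamp, originating-DC GUID), a comparison that applies the three rules in order, and a scenario in which two controllers write the same attribute concurrently and both end up holding the same value whichever order the competing writes arrive in. The GUID strings and timestamps are constructed for the example.

```python
"""Attribute-level conflict resolution: version, then timestamp, then originating GUID.

Added example, not code from the original page. The ordering is the one the
text describes; the GUID strings and timestamps are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Stamp:
    version: int       # attribute version number; identical on every DC once replicated
    timestamp: int     # originating time of the write (seconds); exact sync is not needed
    orig_dc_guid: str  # GUID of the originating controller, the final tie-breaker


def incoming_wins(held: Stamp, incoming: Stamp) -> bool:
    """Apply the three rules in order. Equal stamps mean the same write: not a win."""
    if incoming.version != held.version:
        return incoming.version > held.version          # rule 1: higher version
    if incoming.timestamp != held.timestamp:
        return incoming.timestamp > held.timestamp      # rule 2: later write
    return incoming.orig_dc_guid > held.orig_dc_guid    # rule 3: higher originating GUID


def apply_update(replica: dict, key: str, value: str, stamp: Stamp) -> bool:
    """Store (value, stamp) in this replica if it beats what is held. Returns True if applied."""
    held = replica.get(key)
    if held is None or incoming_wins(held[1], stamp):
        replica[key] = (value, stamp)
        return True
    return False


GUID_DC1 = "1f3c9a3e-0b7e-4c6a-9d2b-1111aaaa0001"   # constructed
GUID_DC2 = "7e2d44c0-5a1f-4b38-8e97-2222bbbb0002"   # constructed, sorts after GUID_DC1


def concurrent_write_demo():
    """Two admins change the same attribute on two DCs before either change replicates.
    Returns the value each DC ends with plus whether a stale write was accepted."""
    base = Stamp(version=1, timestamp=100, orig_dc_guid=GUID_DC1)
    dc1 = {"title": ("intern", base)}
    dc2 = {"title": ("intern", base)}

    # Both originating writes bump the version to 2 and land in the same second,
    # so only rule 3 can separate them.
    write_on_dc1 = ("engineer", Stamp(2, 200, GUID_DC1))
    write_on_dc2 = ("manager", Stamp(2, 200, GUID_DC2))
    apply_update(dc1, "title", *write_on_dc1)   # local originating write on DC1
    apply_update(dc2, "title", *write_on_dc2)   # local originating write on DC2

    # Replication delivers the other controller's write to each side, in opposite orders.
    apply_update(dc1, "title", *write_on_dc2)
    apply_update(dc2, "title", *write_on_dc1)

    # A change that arrives late with an older version is discarded (the missing case).
    stale_applied = apply_update(dc1, "title", "contractor", Stamp(1, 999, GUID_DC2))
    return dc1["title"][0], dc2["title"][0], stale_applied


if __name__ == "__main__":
    v1, v2, stale = concurrent_write_demo()
    print(f"DC1 holds {v1!r}, DC2 holds {v2!r}, stale write applied: {stale}")
```

Note what "last writer wins" does not mean: the "engineer" write is not wrong, late or malformed, it simply loses the tie and disappears without any record on the controller that accepted it other than the replication metadata.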

File Replication Service

In Windows 2000, the SYSVOL share on each domain controller holds the files that clients read during logon: logon scripts and the file-system part of Group Policy Objects (the Group Policy templates). It does not authenticate anyone, but because its contents execute on every domain member, a write to SYSVOL on any one controller reaches the whole domain. SYSVOL is replicated to all domain controllers by the File Replication Service (FRS), which is separate from Active Directory replication and carries files, not directory objects (later Windows Server versions replace FRS with DFS Replication for SYSVOL). SYSVOL replication follows the Active Directory connection objects and their schedules, so its schedule is changed from "Active Directory Sites and Services" rather than from the user and computer tools.

Intrasite Replication

Replication that happens between controllers inside one site. All of the subnets inside a site should be connected by high-speed LAN links; replication between two sites may have to cross a slower WAN link or leased line. Intrasite replication data is sent uncompressed and is done using Remote Procedure Call (RPC). If a change is made, replication to partners starts within five minutes (the Windows 2000 default), and replication is done every six hours if no changes were made. Domain controllers that receive updates replicate that information to other domain controllers on their route list. All changes are therefore completed within a site within 15 minutes, since the KCC allows at most three hops between any two controllers. The topology used here is the ring topology discussed earlier; it is set up automatically by Active Directory but may be modified by an administrator.

DNS Replication

For Active Directory-integrated DNS zones, the records (host names and IP addresses) are stored in Active Directory and replicated to the domain controllers that hold the zone. In Windows 2000 such zones live in the domain partition, so DNS information is not replicated to domain controllers outside the domain; from Windows Server 2003 the DomainDnsZones and ForestDnsZones application partitions allow a zone to replicate to all DNS servers in the domain or in the forest instead.

Intersite Replication

Intersite replication is replication between sites and must be set up by an administrator, by defining site links (and, where needed, site link bridges) in "Active Directory Sites and Services"; the KCC then builds the intersite connection objects over those links.

Replication Management

The administrative tool "Active Directory Sites and Services" is used to manage Active Directory replication. Intersite replication data is compressed before being sent to minimize bandwidth use (intrasite traffic is not). There are two protocols used to replicate AD:

- Remote Procedure Call (RPC) is normally used to replicate data and is always used for intrasite replication, since it is the transport FRS depends on for SYSVOL. RPC depends on IP (Internet Protocol) for transport.
- Simple Mail Transfer Protocol (SMTP) may be used for replication between sites.

SMTP cannot replicate the domain partition, only the schema, configuration and global catalog data. Therefore the remote site would need to be in another domain to be able to use SMTP for carrying replication data effectively. SMTP replication also requires a certificate authority, because the replication messages are signed and encrypted.

Bridgehead server - A domain controller in a site that sends and receives replication traffic on behalf of the site for one or more other sites; the other controllers in the site then get intersite changes from it.

Flexible Single Master Operations (FSMO) roles (discussed in an earlier section) can be transferred manually to other domain controllers. The roles, and the tools used to transfer each, are:

- Schema Master - Use the MMC "Active Directory Schema" snap-in (register schmmgmt.dll first). Makes changes to the database schema. Applications may remotely connect to the schema master.
- Domain Naming Master - Use "Active Directory Domains and Trusts". Adds or removes domains to or from the forest.
- Primary Domain Controller (PDC) Emulator - Use the "Active Directory Users and Computers" administrative tool. When Active Directory is in mixed mode, the controller holding this role acts as a Windows NT PDC. Mixed mode occurs when Active Directory still interoperates with NT 4.0 BDCs or clients without the Windows 2000 Directory Service client software. In mixed mode, computers without Windows 2000 client software must contact the PDC emulator to change user account information.
- Relative ID Master (RID Master) - Use the "Active Directory Users and Computers" administrative tool. Every security principal has a Security Identifier (SID) made of the domain SID plus a relative ID. The RID master hands out pools of relative IDs to each domain controller.
- Infrastructure Master - Use the "Active Directory Users and Computers" administrative tool. Updates group membership references when users from other domains are moved or renamed.

Any master role can be transferred with the command line program ntdsutil.exe. When a server performing a master role fails and goes offline, you can perform "seizing master operations" to have another server take over that role. In Windows 2000/2003 only ntdsutil.exe can seize a role (later versions also allow Move-ADDirectoryServerOperationMasterRole -Force in PowerShell). The ntdsutil commands, entered at its nested prompts, are:

  ntdsutil
  roles
  connections
  connect to server <FQDN of the controller that will take the role>
  quit
  seize <role name>

Role names are:
  o PDC
  o RID master
  o schema master
  o domain naming master ("naming master" on Windows Server 2003 and later)
  o infrastructure master

Example: "seize RID master". ntdsutil first attempts a graceful transfer and only seizes if the current holder cannot be reached. A controller whose schema, domain naming or RID master role was seized must never be brought back onto the network without being demoted and rebuilt first, because two RID masters can hand out overlapping RID pools and produce duplicate SIDs. Seizing requires Domain Admins (Enterprise Admins for the domain naming master, Schema Admins for the schema master), so those groups and the role holders themselves are high-value targets.

Replication Associated Performance Monitor Counters

These counters live under the NTDS performance object (DRA stands for Directory Replication Agent):

- DRA Inbound Bytes Not Compressed - Replicated bytes received uncompressed, which means they came from a DSA (another controller sending data) in the same site.
- DRA Inbound Bytes Compressed (Before Compression) - Replicated bytes received in compressed form, counted at their uncompressed size.
- DRA Inbound Bytes Compressed (After Compression) - Replicated bytes received in compressed form, counted at their compressed size.
- DRA Inbound Bytes Total - The sum of DRA Inbound Bytes Not Compressed plus DRA Inbound Bytes Compressed (After Compression).
- DRA Outbound Bytes Not Compressed - Replicated bytes being sent uncompressed to another domain controller in the same site.

A sustained jump in inbound replication bytes on one controller, with no corresponding administrative change, is worth correlating with the directory writes that caused it.

Schema Cache

Every domain controller keeps a schema cache, an in-memory copy of the schema partition, so that the schema checks performed on each write do not require a database lookup. The cache is loaded when the directory service starts and is refreshed every five minutes. Writing the operational attribute schemaUpdateNow (value 1) to the RootDSE forces an immediate refresh; schema-extension tools do this after adding classes or attributes so the new definitions are usable at once. It should be done sparingly, because each rebuild of the cache is expensive in memory and CPU.

Active Directory FSMO Roles


Windows 2000/2003 Multi-Master Model

A multi-master enabled database, such as Active Directory, provides the flexibility of allowing changes to occur at any DC in the enterprise, but it also introduces the possibility of conflicts that can potentially lead to problems once the data is replicated to the rest of the enterprise. One way Windows 2000/2003 deals with conflicting updates is by having a conflict resolution algorithm handle discrepancies in values by resolving to the DC to which changes were written last (that is, "the last writer wins"), while discarding the changes in all other DCs. Although this resolution method may be acceptable in some cases, there are times when conflicts are just too difficult to resolve using the "last writer wins" approach. In such cases, it is best to prevent the conflict from occurring rather than to try to resolve it after the fact. For certain types of changes, Windows 2000/2003 incorporates methods to prevent conflicting Active Directory updates from occurring.

Windows 2000/2003 Single-Master Model

To prevent conflicting updates in Windows 2000/2003, Active Directory performs updates to certain objects in a single-master fashion. In a single-master model, only one DC in the entire directory is allowed to process updates of that kind. This is similar to the role given to a primary domain controller (PDC) in earlier versions of Windows (such as Microsoft Windows NT 4.0), in which the PDC is responsible for processing all updates in a given domain. In a forest there are five FSMO roles; two are forest-wide and three exist once per domain, and a single DC may hold any number of them. The five FSMO roles are:

Schema Master: The schema master domain controller controls all updates and modifications to the schema. Once the schema update is complete, it is replicated from the schema master to all other DCs in the directory. To update the schema of a forest, you must have access to the schema master. There can be only one schema master in the whole forest.

Domain Naming Master: The domain naming master domain controller controls the addition or removal of domains in the forest. This DC is the only one that can add or remove a domain from the directory. It can also add or remove cross references to domains in external directories. There can be only one domain naming master in the whole forest.

Infrastructure Master: When an object in one domain is referenced by another object in another domain, it represents the reference by the GUID, the SID (for references to security principals), and the DN of the object being referenced. The infrastructure FSMO role holder is the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference. At any one time, there can be only one domain controller acting as the infrastructure master in each domain.

Note: The Infrastructure Master (IM) role should be held by a domain controller that is not a Global Catalog server (GC). If the Infrastructure Master runs on a Global Catalog server it will stop updating object information, because it does not contain any references to objects that it does not hold. This is because a Global Catalog server holds a partial replica of every object in the forest. As a result, cross-domain object references in that domain will not be updated, and a warning to that effect will be logged in that DC's event log. If all the domain controllers in a domain also host the global catalog, all the domain controllers have the current data, and it does not matter which domain controller holds the infrastructure master role.

Relative ID (RID) Master: The RID master is responsible for processing RID pool requests from all domain controllers in a particular domain. When a DC creates a security principal object such as a user or group, it attaches a unique Security Identifier (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain) and a relative ID (RID) that is unique for each security principal SID created in the domain. Each DC in a domain is allocated a pool of RIDs that it is allowed to assign to the security principals it creates. When a DC's allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain's RID master. The RID master responds by retrieving RIDs from the domain's unallocated RID pool and assigning them to the pool of the requesting DC. At any one time, there can be only one domain controller acting as the RID master in the domain.

PDC Emulator: The PDC emulator is necessary to synchronize time in an enterprise. Windows 2000/2003 includes the W32Time (Windows Time) service that is required by the Kerberos authentication protocol. All Windows 2000/2003-based computers within an enterprise use a common time. The purpose of the time service is to ensure that the Windows Time service uses a hierarchical relationship that controls authority and does not permit loops, so that a common time is used appropriately. The PDC emulator of a domain is authoritative for the domain. The PDC emulator at the root of the forest becomes authoritative for the enterprise, and should be configured to gather the time from an external source. All PDC FSMO role holders follow the hierarchy of domains in the selection of their inbound time partner. In a Windows 2000/2003 domain, the PDC emulator role holder retains the following functions:

- Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator.
- Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator before a bad password failure message is reported to the user.
- Account lockout is processed on the PDC emulator.
- Editing or creation of Group Policy Objects (GPOs) is always done from the GPO copy found in the PDC emulator's SYSVOL share, unless configured not to do so by the administrator.
- The PDC emulator performs all of the functionality that a Microsoft Windows NT 4.0 Server-based PDC or earlier PDC performs for Windows NT 4.0-based or earlier clients.

This last part of the PDC emulator role becomes unnecessary when all workstations, member servers, and domain controllers that are running Windows NT 4.0 or earlier have been upgraded to Windows 2000/2003. The PDC emulator still performs the other functions as described in a Windows 2000/2003 environment. At any one time, there can be only one domain controller acting as the PDC emulator in each domain in the forest.

From a security standpoint the PDC emulator is the most sensitive of the five: it is the first DC to learn of every password change, the DC every failed password attempt is forwarded to, and the default target for Group Policy edits, which makes it both the best single place to detect password spraying and the most valuable controller to compromise. The RID master and schema master are the roles whose seizure or duplication does lasting damage (overlapping RID pools, irreversible schema changes).
