Thursday, March 5, 2015

AD Trust - Short definitions

Trusting

To allow users in one domain to access resources in another, Active Directory uses trusts.[17]
Trusts inside a forest are automatically created when domains are created. The forest sets the default boundaries of trust, and implicit, transitive trust is automatic for all domains within a forest.

Terminology

One-way trust
One domain allows its resources to be accessed by users of another domain, but not the reverse.
Two-way trust
Each of the two domains allows access to users of the other; equivalent to a pair of one-way trusts in opposite directions.
Trusting domain
The domain that holds the resources and allows access to users from a trusted domain (the "outgoing" side of the trust).
Trusted domain
The domain whose users are granted access to the trusting domain (the "incoming" side); it is the domain that authenticates those users.
Transitive trust
A trust that extends beyond the two domains that establish it: if A trusts B and B trusts C, then A trusts C. All trusts between domains in the same forest are transitive.
Intransitive (nontransitive) trust
A trust that does not extend beyond the two domains it connects. It can be one- or two-way.
Explicit trust
A trust that an administrator creates, as opposed to the trusts created automatically when a domain is added to a forest. Shortcut, forest, realm and external trusts are all explicit; whether such a trust is transitive or two-way depends on its type (see below).
Cross-link trust
An explicit trust between domains in different trees, or in the same tree when no parent/child (ancestor/descendant) relationship exists between the two domains; in Active Directory this is normally called a shortcut trust.
Shortcut
Joins two domains in the same forest (typically in different trees, or far apart in one tree) so that Kerberos referrals do not have to walk the trust path up through the forest root. Transitive, one- or two-way.
Forest
Joins the root domains of two forests and applies to every domain in each forest. Transitive within the trusted forest, one- or two-way.
Realm
Joins an Active Directory domain to a non-Windows Kerberos realm (for example, MIT Kerberos). Can be transitive or nontransitive, one- or two-way.
External
Joins a single domain in another forest, or a non-AD (Windows NT) domain, without a forest trust. Nontransitive, one- or two-way.[18]
Windows Server 2003 introduced the forest trust. It is established between the root domains of two forests that are both at the Windows Server 2003 forest functional level or higher. Authentication across a forest trust is Kerberos-based (rather than NTLM-only). A forest trust is transitive for all the domains in the two forests: every domain in forest A trusts every domain in forest B. It is not, however, transitive between forests: if forest A trusts forest B and forest B trusts forest C, forest A does not thereby trust forest C; a separate forest trust between A and C is required.
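The definitions above map onto the attributes of the trustedDomain objects that Active Directory stores for each trust, and Get-ADTrust exposes those attributes directly. The following script is an added example, not code from the original page: it decodes each trust's TrustAttributes bit field (bit values as documented in MS-ADTS) and Direction into the page's terminology (intra-forest, forest, realm or external; transitive or not; one- or two-way, and which side is the trusting domain) and flags the settings a reviewer looks for first, such as SID filtering being off on an external trust. The function name ConvertTo-TrustSummary and the four sample trust objects at the bottom are constructed for this example so that it runs offline; against a live domain, pipe `Get-ADTrust -Filter *` into the function instead.

```powershell
# Added example (not from the original page). Decodes AD trust objects into the
# terminology above. Live use:  Get-ADTrust -Filter * | ConvertTo-TrustSummary
# trustAttributes bit values are taken from MS-ADTS (trustAttributes attribute).
$TA_NON_TRANSITIVE     = 0x1    # trust does not extend beyond the two domains
$TA_UPLEVEL_ONLY       = 0x2    # only Windows 2000+ clients may use the trust
$TA_QUARANTINED_DOMAIN = 0x4    # SID filtering ("quarantine") enforced
$TA_FOREST_TRANSITIVE  = 0x8    # forest trust
$TA_CROSS_ORGANIZATION = 0x10   # selective authentication enabled
$TA_WITHIN_FOREST      = 0x20   # parent/child, tree-root or shortcut trust
$TA_TREAT_AS_EXTERNAL  = 0x40   # forest trust with SID filtering relaxed to external-trust level
$TA_USES_RC4           = 0x80   # Kerberos RC4 only (typically MIT realm trusts)

function ConvertTo-TrustSummary {
    # Hypothetical helper for this example; the name is not a real cmdlet.
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipeline = $true)] $Trust   # one Get-ADTrust object
    )
    process {
        $attr = [int]$Trust.TrustAttributes
        $has  = { param($bit) ($attr -band $bit) -ne 0 }

        # Kind of trust, in the page's terms
        $kind = if (& $has $TA_WITHIN_FOREST) { 'intra-forest (parent/child, tree-root or shortcut)' }
                elseif (& $has $TA_FOREST_TRANSITIVE) { 'forest' }
                elseif ("$($Trust.TrustType)" -eq 'MIT') { 'realm (non-Windows Kerberos)' }
                else { 'external' }

        $transitive = -not (& $has $TA_NON_TRANSITIVE)

        # Direction is relative to the domain the trustedDomain object lives in:
        # Outbound = we are the trusting domain, Inbound = we are the trusted domain.
        $dir = "$($Trust.Direction)"
        $direction = switch ($dir) {
            'Inbound'       { 'one-way: remote domain trusts us (we are the trusted domain)' }
            'Outbound'      { 'one-way: we trust the remote domain (we are the trusting domain)' }
            'BiDirectional' { 'two-way' }
            default         { "unknown ($dir)" }
        }

        # Caveats a reviewer would want flagged
        $notes = @()
        if ($kind -eq 'external' -and -not (& $has $TA_QUARANTINED_DOMAIN)) {
            $notes += 'SID filtering (quarantine) is OFF: SID history from the remote domain is honoured'
        }
        if ($kind -eq 'forest' -and (& $has $TA_TREAT_AS_EXTERNAL)) {
            $notes += 'forest trust treated as external for SID filtering (SID history enabled)'
        }
        if ($kind -in 'forest','external' -and $dir -ne 'Inbound' -and -not (& $has $TA_CROSS_ORGANIZATION)) {
            $notes += 'domain-wide authentication: every remote user becomes Authenticated Users here'
        }
        if (& $has $TA_USES_RC4) { $notes += 'RC4-only Kerberos' }

        [pscustomobject]@{
            Name       = $Trust.Name
            Kind       = $kind
            Transitive = $transitive
            Direction  = $direction
            Notes      = ($notes -join '; ')
        }
    }
}

# Constructed sample trust objects (property names match Get-ADTrust output);
# replace with Get-ADTrust -Filter * on a real domain.
$sample = @(
    [pscustomobject]@{ Name = 'child.corp.example'; Direction = 'BiDirectional'; TrustType = 'Uplevel'; TrustAttributes = 0x20 }
    [pscustomobject]@{ Name = 'partner.example';    Direction = 'BiDirectional'; TrustType = 'Uplevel'; TrustAttributes = 0x8 }
    [pscustomobject]@{ Name = 'legacy.example';     Direction = 'Outbound';      TrustType = 'Uplevel'; TrustAttributes = 0x1 }
    [pscustomobject]@{ Name = 'KRB.EXAMPLE.ORG';    Direction = 'Inbound';       TrustType = 'MIT';     TrustAttributes = 0x80 }
)
$sample | ConvertTo-TrustSummary | Format-Table -AutoSize
```

On the constructed input, child.corp.example comes out as intra-forest and transitive, partner.example as a two-way forest trust, legacy.example as a one-way nontransitive external trust on which SID filtering is off (the setting that lets a forged SID history from the remote domain grant Domain Admins here), and KRB.EXAMPLE.ORG as an inbound RC4-only realm trust. The script cannot tell a shortcut trust from a parent/child trust, since that is a property of where the two domains sit in the forest hierarchy rather than of the trust object itself.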

Lightweight Directory Services

Active Directory Lightweight Directory Services (AD LDS), formerly known as Active Directory Application Mode (ADAM),[19] is a lightweight implementation of Active Directory. AD LDS runs as a service on computers running Microsoft Windows Server. It shares its code base with Active Directory and provides the same directory functionality, including an identical API, but does not require the creation of domains or domain controllers.
Like Active Directory, AD LDS provides a data store for directory data and a directory service with an LDAP interface. Unlike Active Directory, multiple AD LDS instances can run on the same server, each with its own data store and LDAP port.

Unix integration
