Active Directory
Lesson 4: Establish a root domain
Objective: Create a root domain

Establish and Create a Root Domain in Active Directory

As you learned earlier, the domain is the basic unit of organization in Active Directory. Here, you can see the root domain within the larger context of Active Directory:
Figure: This is a root domain.

When you install Active Directory for the first time in a network, you create the first domain controller in the forest, thus establishing the root domain [1]. The root domain contains the configuration and schema information for the forest.


How to create a Root Domain

To create a root domain, run the Dcpromo.exe file to start the Active Directory Installation Wizard. Once the wizard is launched, you will complete a series of steps to create a root domain. The following simulation guides you through this process:
  1. Click Domain controller for a new domain. Then click Next.
  2. Click Create a new domain tree. Click Next.
  3. Click Create a new forest of domain trees. Click Next.
  4. Specify the DNS name of the new domain. If your network requires a presence on the Internet, verify that you have a registered Internet domain name. For the sake of this simulation, type in mydomain.com.
  5. Now click Next.
  6. The NetBIOS name is used to identify the domain controller to client computers running earlier versions of Windows. Click Next.
  7. Specify locations for the Active Directory database and log files. The database stores the directory for the new domain, and the log file temporarily stores changes to the database. The default location is <systemroot>\NTDS (here F:\WINRC2\NTDS). Click Next.
  8. Specify the location for the shared system volume. The shared system volume is a folder structure on all domain controllers running Windows 2000. It stores files and group policy information replicated among domain controllers. You must specify a partition or volume that is formatted with the NTFS file system. Here, we will keep the default name, SYSVOL. Click Next.
  9. Specify whether to weaken permissions to support users who access the network through one or more remote access servers running Windows NT 4.0. Enabling this option gives the Everyone group permission to read any attribute of any user object in Active Directory. Select this option only after considering the impact that weaker permissions will have on Active Directory security. Then click Next.
  10. Here is a summary of your selections. This completes the simulation. Click the Exit button.

Establishing Trust Relationships

Within Active Directory, you will use trust relationships [2] to allow users from one container to access resources in another container. You can set up trust relationships between domains, forests, and even non-Windows domains.

In Windows NT 4.0, all trust relationships were one-way and nontransitive. A one-way trust relationship means that if you have two domains that need to trust each other, you need to set up one trust relationship going from Domain A to Domain B, and then a second trust relationship going from Domain B back to Domain A. A nontransitive trust relationship means that if you set up a trust going from Domain A to Domain B, and then another trust going from Domain B to Domain C, you do not automatically have a trust relationship between Domain A and Domain C; you will need to set up a separate trust relationship directly between Domain A and Domain C. In addition, each of these individual trust relationships needs to be managed separately, so you can see how this gets complicated when you have many domains. If you are working in a complete trust model, where all of your domains need to trust each other, you would need to create n * (n - 1) separate trust relationships, where n is the number of domains you are working with. For example, if you have ten domains that all need to be able to trust each other on Windows Server, you need to set up 10 * 9 or 90 separate trust relationships.

Active Directory in Windows 2000 and Windows Server 2003 makes this process easier by creating two-way transitive trust relationships by default between domains that are located in the same forest. If you have three domains within the same forest, a two-way transitive trust relationship will be created automatically so that users in any domain will be able to access resources in any other domain (as long as they have the appropriate NTFS and share permissions). This two-way transitive trust relationship is created automatically between a parent domain and a child domain, and between the root domains of two domain trees in the same forest; you will probably see these default trust relationships referred to as parent-child and tree-root trusts. You can also create a number of manual trust relationships within Active Directory:
  1. External trusts are created between an Active Directory domain and an NT 4.0 domain, or between Active Directory domains in two separate forests. External trusts are nontransitive, and you can configure them to be either one-way or two-way.
  2. Realm trusts are used to set up a trust relationship between Active Directory and a non-Windows Kerberos realm, typically a UNIX MIT Kerberos realm. Realm trusts can be transitive or nontransitive, and can be one-way or two-way.
  3. Forest trusts allow you to create one-way or two-way transitive trust relationships between Active Directory forests. This type of trust relationship is only available in a pure Windows Server 2003 environment.

Windows Server 2019 Trust Relationships between Forests

Trust relationships between forests on Windows Server 2019 can be configured in various ways, not just limited to one-way and nontransitive.
Here's a breakdown:
Direction:
  • One-way: Trust flows in only one direction. If Forest A trusts Forest B, users in B can access resources in A, but users in A cannot access resources in B unless a separate one-way trust is established in the opposite direction.
  • Two-way: Trust flows in both directions. Users in both forests can access resources in the other, provided appropriate permissions are granted.

Transitivity:
  • Transitive: Trust extends beyond the directly connected forests. If Forest A trusts Forest B, and Forest B trusts Forest C, then users in A can also access resources in C.
  • Non-transitive: Trust is limited to the two directly connected forests. The trust relationship doesn't extend to any other forests even if a chain of transitive trusts exists.

Therefore, you can have the following combinations for trust relationships between forests on Windows Server 2019:
  • One-way, nontransitive
  • One-way, transitive
  • Two-way, nontransitive
  • Two-way, transitive
The default trust created when establishing a forest trust between two forests on Windows Server 2019 is a two-way, transitive trust. However, you can configure the direction and transitivity based on your specific security needs and network topology.
Here are some additional points to consider:
  • Nontransitive trusts can provide an extra layer of security by limiting the scope of trust.
  • Transitive trusts can simplify resource access across multiple forests but might introduce security risks by increasing the attack surface.
  • Carefully plan your trust relationships and configure them appropriately to maintain the desired level of security and access control.
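To make the direction and transitivity rules above concrete, here is an added Python model (not part of the course material) that counts the explicit trusts a Windows NT 4.0 complete trust model needs and checks which domains a user can reach through one-way, two-way, transitive and nontransitive trusts. The domain names and the trust layouts in it are constructed for illustration.

```python
# Constructed model of the trust rules above (added example, not course code).
# (trusting, trusted, transitive) means "trusting trusts trusted": users from
# the trusted domain may reach resources in the trusting domain.
class TrustGraph:
    def __init__(self):
        self.trusts = []

    def add(self, trusting, trusted, transitive=False, two_way=False):
        """Record a trust; a two-way trust is stored as two one-way entries."""
        self.trusts.append((trusting, trusted, transitive))
        if two_way:
            self.trusts.append((trusted, trusting, transitive))

    def can_access(self, user_domain, resource_domain):
        """Walk trusts outward from the resource domain: one hop may use any
        trust, but a chain of hops is valid only if every hop is transitive."""
        if user_domain == resource_domain:
            return True
        frontier, expanded, first_hop = [resource_domain], set(), True
        while frontier:
            nxt = []
            for node in frontier:
                if node in expanded:
                    continue
                expanded.add(node)
                for trusting, trusted, transitive in self.trusts:
                    if trusting != node or not (transitive or first_hop):
                        continue
                    if trusted == user_domain:
                        return True
                    if transitive:
                        nxt.append(trusted)
            frontier, first_hop = nxt, False
        return False

def nt4_complete_trust(domains):
    """NT 4.0 complete trust: one-way nontransitive trust per ordered pair."""
    g = TrustGraph()
    for a in domains:
        for b in domains:
            if a != b:
                g.add(a, b)
    return g

def ad_forest(root, children):
    """AD forest: automatic two-way transitive parent-child trust per child."""
    g = TrustGraph()
    for child in children:
        g.add(root, child, transitive=True, two_way=True)
    return g
```

Ten domains in the NT 4.0 model produce the 90 trusts the text mentions, while a forest of three domains needs only the two automatic parent-child trusts for every domain to reach every other.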
After you finish specifying the installation information, the Active Directory Installation Wizard installs Active Directory, converts the computer to a domain controller, and adds the following three consoles [3] to the Administrative Tools menu on that computer. These consoles are installed at the end of every installation path. They are hosted in the Microsoft Management Console (MMC), a framework for hosting administrative tools, called consoles. A console may contain tools, folders or other containers, World Wide Web pages, and other administrative items. These items are displayed in the left pane of the console, called the console tree.

Console and function:
  • Active Directory Users and Computers: administers and publishes information in the directory.
  • Active Directory Domains and Trusts: administers domain trusts and user principal name suffixes, and changes the domain mode.
  • Active Directory Sites and Services: administers the replication of Active Directory data, including information about domain controllers, sites, replication between sites, and replication of network services' configurations.

Here is what the Administrative Tools menu should look like once you have added the consoles:

Figure: This is the Administrative Tools menu.

As you pursue other installation options (such as establishing a child domain or a tree), you will find that the process for installing the various parts of Active Directory with the wizard is remarkably similar to the one described above. The lessons that follow will remind you of this process and will point out what is different about them. But if you find yourself wanting a review of what the wizard will do at each and every step, return to this lesson. In this lesson, you created a root domain and a domain controller for that root domain. You will build on that skill in the next lesson by creating a domain controller in an already existing domain.

Steps required to create a Root Domain in Active Directory

The following section discusses how to create a root domain on your own. The steps in the simulation are as follows:
  1. Select the button necessary to create a new domain. Click Next.
  2. Opt to create a new domain tree. Click Next.
  3. Opt to create a new forest of domain trees. Click Next.
  4. Specify the appropriate DNS name (Type: Mydomain.com)
  5. Continue.
  6. Keep or change the NetBIOS name and continue.
  7. Type in the correct locations for the database and log files. Continue.
  8. Specify the location of the shared system volume. Continue.
  9. Determine the kind of permissions you need. Then continue.
  10. Here is a summary of your selections. This completes the simulation. Click the Exit button.

Creating Multiple Domain Trees

One common area of confusion when designing an Active Directory forest is this: you do not need to deploy two separate forests solely to support two portions of a network that require separate namespaces. Each Active Directory domain requires a contiguous namespace, which means that the naming conventions of any child domains need to look like this:
  1. company.com
  2. east.company.com
  3. mktg.east.company.com
  4. west.company.com
  5. ad.west.company.com
Each of these child domains shares a contiguous namespace with the root domain, company.com. However, you can have a separate domain tree within the same forest that does not belong to the same namespace. So you could have a second domain tree within the same forest, with domain names as follows:
  1. airplanes.com
  2. finance.airplanes.com
  3. dev.airplanes.com
  4. research.airplanes.com
  5. sst.research.airplanes.com
In this case, you have a single Active Directory forest that contains two domain trees: the company.com domain tree and the airplanes.com domain tree. Even though the two domain trees do not share a namespace, they can still belong to the same forest. This will allow them to share the same schema, Global Catalogs, and directory configuration. (The argument against multiple domain trees is that, because the two domain trees are part of the same forest, they do not have the same level of isolation that multiple forests would create.) So when you are planning your Active Directory network, be sure that you are not deploying multiple forests in a situation where multiple domain trees would be more appropriate.
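As an added illustration of the contiguous-namespace rule (this is not course code), the following Python groups the ten domain names from the text into their two trees and tests whether two domains share a namespace.

```python
# Constructed example (added here, not course code): group a forest's DNS names
# into domain trees and test whether two domains share a contiguous namespace.
def immediate_parent(name):
    """Drop the leftmost label: east.company.com -> company.com."""
    return name.split(".", 1)[1] if "." in name else ""

def domain_trees(domains):
    """A domain whose immediate parent is not in the forest is a tree root;
    every other domain hangs under its parent. Returns root -> members."""
    names = set(domains)

    def root_of(d):
        while immediate_parent(d) in names:
            d = immediate_parent(d)
        return d

    trees = {}
    for d in sorted(domains):
        trees.setdefault(root_of(d), []).append(d)
    return trees

def shares_namespace(a, b):
    """True when one name lies within the other's DNS namespace."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)

# The single forest from the text: two domain trees, two namespaces.
FOREST = ["company.com", "east.company.com", "mktg.east.company.com",
          "west.company.com", "ad.west.company.com",
          "airplanes.com", "finance.airplanes.com", "dev.airplanes.com",
          "research.airplanes.com", "sst.research.airplanes.com"]
```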

[1] Root domain: the first domain created in a domain tree.
[2] Trust relationship: an Active Directory trust relationship is a logical link that allows a domain to access another domain, or a forest to access another forest. Trusts that are created automatically are known as "implicit trusts"; trusts that are created manually are known as "explicit trusts".
[3] Console: a console has one or more windows that can provide views of the console tree.
