Active Directory

Root Domain

  1. Click Domain controller for a new domain. Then click Next.
  2. Click Create a new domain tree. Click Next.
  3. Click Create a new forest of domain trees. Click Next.
  4. Specify the DNS name of the new domain. If your network requires a presence on the Internet, verify that you have a registered Internet domain name. For the sake of this simulation, type in mydomain.com.
  5. Now click Next.
  6. The NetBIOS name is used to identify the domain controller to client computers running earlier versions of Windows. Click Next.
  7. Specify locations for the Active Directory database and log files. The database stores the directory for the new domain, and the log file temporarily stores changes to the database. The default location is <systemroot>\NTDS (here F:\WINRC2\NTDS). Click Next.
  8. Specify the location for the shared system volume. The shared system volume is a folder structure on all domain controllers running Windows 2000. It stores files and group policy information replicated among domain controllers. You must specify a partition or volume that is formatted with the NTFS file system. Here, we will keep the default name, SYSVOL. Click Next.
  9. Specify whether to weaken permissions to support users who access the network through one or more remote access servers running Windows NT 4.0. Enabling this option gives the Everyone group permission to read any attribute of any user object in Active Directory. Select this option only after considering the impact that weaker permissions will have on Active Directory security. Then click Next.
  10. Here is a summary of your selections. This completes the simulation. Click the Exit button.

Establishing Trust Relationships

Within Active Directory, you will use trust relationships to allow users from one container to access resources in another container. You can set up trust relationships between domains, forests, and even non-Windows domains. In Windows NT 4.0, all trust relationships were one-way and nontransitive. A one-way trust relationship means that if you have two domains that need to trust each other, you need to set up one trust relationship going from Domain A to Domain B, and then a second trust relationship going from Domain B back to Domain A. A nontransitive trust relationship means that if you set up a trust going from Domain A to Domain B, and then another trust going from Domain B to Domain C, you do not automatically have a trust relationship between Domain A and Domain C; you will need to set up a separate trust relationship directly between Domain A and Domain C. Each of these individual trust relationships needs to be managed separately, so you can see how this can get really complicated if you have a lot of domains. If you are working in a complete trust model where all of your domains need to trust each other, you would need to create n * (n - 1) separate one-way trust relationships, where n is the number of domains you are working with. For example, if you have ten domains that all need to be able to trust each other in NT 4.0, you need to set up 10 * 9, or 90, separate trust relationships.
Active Directory in Windows 2000 and Windows Server 2003 makes this a lot easier by creating two-way transitive trust relationships by default between domains that are located in the same forest. So if you have three domains within the same forest, a two-way transitive trust relationship will be created automatically so that users in any domain will be able to access resources in any other domain (as long as they have the appropriate NTFS and share permissions, obviously). This two-way transitive trust relationship gets created automatically between a parent domain and a child domain, and between the root domains of two domain trees in the same forest; you will probably see these default trust relationships referred to as parent-child and tree-root trusts. You can also create a number of manual trust relationships within Active Directory:
  1. External trusts are created between an Active Directory domain and an NT 4.0 domain, or between Active Directory domains in two separate forests. External trusts are nontransitive, and you can configure them to be either one-way or two-way.
  2. Realm trusts are used to set up a trust relationship between Active Directory and a non-Windows Kerberos realm, typically a UNIX MIT Kerberos realm. Realm trusts can be transitive or nontransitive, and can be one-way or two-way.
  3. Forest trusts allow you to create one-way or two-way transitive trust relationships between Active Directory forests. This type of trust relationship is only available in a pure Windows Server 2003 environment.

In Windows 2000, trust relationships between forests can only be one-way and nontransitive.
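The trust semantics described in this section (one-way versus two-way, transitive versus nontransitive, and the number of one-way trusts an NT 4.0 complete-trust model needs) can be made concrete with a small model. The following is an added Python example and is not part of the original tutorial: the domain names, the TrustModel class and the helpers nt4_complete_trust and ad_forest are constructed for illustration. It simplifies Active Directory in one respect, which is stated in the code: a multi-hop access path is honoured only when every hop on it is a transitive trust, while a direct trust always grants access regardless of transitivity.

```python
"""Toy model of trust relationships between domains (constructed example).

Each trust is stored as a directed edge from the trusting domain (the one
that holds the resources) to the trusted domain (the one that holds the
user accounts).  A two-way trust is stored as two directed edges.
Simplification: a path of two or more hops only grants access when every
hop on it is transitive; a single direct hop always grants access.
"""
from collections import deque
from itertools import permutations


class TrustModel:
    def __init__(self):
        # trusting domain -> {trusted domain: is_transitive}
        self.trusts = {}

    def add_trust(self, trusting, trusted, two_way=False, transitive=False):
        self.trusts.setdefault(trusting, {})[trusted] = transitive
        self.trusts.setdefault(trusted, {})
        if two_way:
            self.trusts[trusted][trusting] = transitive

    def can_access(self, user_domain, resource_domain):
        """Can an account from user_domain be granted access to a resource
        in resource_domain?  (NTFS/share permissions are out of scope.)"""
        if user_domain == resource_domain:
            return True
        # A direct trust works whether or not it is transitive.
        if user_domain in self.trusts.get(resource_domain, {}):
            return True
        # Otherwise walk only transitive edges outward from the resource domain.
        seen = {resource_domain}
        queue = deque([resource_domain])
        while queue:
            current = queue.popleft()
            for nxt, transitive in self.trusts.get(current, {}).items():
                if not transitive or nxt in seen:
                    continue
                if nxt == user_domain:
                    return True
                seen.add(nxt)
                queue.append(nxt)
        return False

    def trust_count(self):
        """Number of one-way trust relationships an administrator must manage."""
        return sum(len(targets) for targets in self.trusts.values())


def nt4_complete_trust(domains):
    """NT 4.0 complete-trust model: a one-way, nontransitive trust in each
    direction between every pair of domains, i.e. n * (n - 1) trusts."""
    model = TrustModel()
    for trusting, trusted in permutations(domains, 2):
        model.add_trust(trusting, trusted, two_way=False, transitive=False)
    return model


def ad_forest(root, children):
    """A single domain tree: every child domain gets the default two-way
    transitive parent-child trust with the root, nothing else."""
    model = TrustModel()
    for child in children:
        model.add_trust(root, child, two_way=True, transitive=True)
    return model


if __name__ == "__main__":
    # Constructed domain names, following the tutorial's mydomain.com.
    nt4 = nt4_complete_trust([f"dom{i}" for i in range(10)])
    print("NT 4.0, 10 domains, complete trust:", nt4.trust_count(), "trusts")

    forest = ad_forest("mydomain.com", ["sales.mydomain.com", "eng.mydomain.com"])
    print("AD tree, 3 domains:", forest.trust_count(), "one-way trusts")
    print("sales user -> eng resource:",
          forest.can_access("sales.mydomain.com", "eng.mydomain.com"))

    # Nontransitive chain: A trusts B, B trusts C, so C's users cannot reach A.
    chain = TrustModel()
    chain.add_trust("A", "B")
    chain.add_trust("B", "C")
    print("C user -> A resource (nontransitive):", chain.can_access("C", "A"))
```

Running the module reproduces the figure from the text (90 one-way trusts for ten NT 4.0 domains) and shows that a three-domain tree with default parent-child trusts needs only four directed edges while still letting a sales.mydomain.com account reach a resource in eng.mydomain.com through the root. The same `can_access` call returns False for the nontransitive A/B/C chain, which is the situation the text says required a separate A-to-C trust under NT 4.0.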