#1 cashew (Senior Member; Atlanta; CISSP, MCSE: 2003, Security+)

Direction of Trust

Let's say there are two domains running Win2003 with a forest functional level of 2003, Domain A and Domain B. Domain A needs full access to Domain B, and Domain B needs access only to a specified server in Domain A. Is this the correct approach?

In Domain A, create an incoming trust to Domain B with forest-wide authentication.

In Domain B, create an incoming trust to Domain A with selective authentication.

#2 royal (New Member; Chicago, IL)
Yep, that's correct. Keep in mind that with selective authentication selected, you need to use something called "Allowed to Authenticate" on the security descriptor of the objects in AD to allow users on the other side of the trust to authenticate to that resource system. You can read about that here.

    Also, one more thing. Even though on one domain you have an internal trust, you still need to configure it on the other side as an external trust.

#3 cashew
That's what I thought, but in a practice test explanation it seems they have it backwards.

    "If you use forest-wide authentication on an incoming forest trust, users from the outside forest have the same level of access to resources in the local forest as users who belong to the local forest".

    If I'm creating the incoming forest trust on my domain, I should be specifying access to resources in another domain. Should this be the correct statement?

    "If you use forest-wide authentication on an outgoing forest trust...."

#4 royal
In so many places, trusts are confusing as to how they are worded. As for what I posted, and the more detailed description below, it is correct. I've done one-way trusts several times in the real world, so I know what I am writing is correct.

I am AdministratorA on ForestA, which contains usersA. I create an outgoing trust to ForestB, which means that my ForestA forest is the trusting forest and ForestB is the trusted forest. Now the administrator on ForestB has to create the incoming forest trust in his ForestB. Since this is a one-way trust, and ForestA is trusting ForestB, ForestB users will have access to ForestA.


    Quote Originally Posted by cashew
    If I'm creating the incoming forest trust on my domain, I should be specifying access to resources in another domain. Should this be the correct statement?
And yes, this is correct. Since your forest has the incoming forest trust, it'll be your users that have access to the other forest. That is why you'd have to specify what does and does not have access on the other forest.


    So in short, just think of it this way:

    Forest A (Resources) ---------> Forest B (Users)

    Forest B has the incoming trust because the arrow is pointing towards Forest B. Whichever way the arrow is pointing means the users on the side of the arrow will have access to the side with no arrow. The side with the arrow = users and the side without the arrow = resources.
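The two points made above (the trusting/trusted direction in royal's #4 and the "Allowed to Authenticate" right in his #2) can be checked from Domain A's side with the RSAT ActiveDirectory PowerShell module, which postdates the 2003-era tools discussed in this thread but works against a 2003 forest. The following is an added example, not code from any poster: it lists each trust with its direction and authentication mode in the thread's own wording, then, for the trust where Domain A is the trusting (resource) side with selective authentication, grants Allowed to Authenticate on a single server's computer object to a group from Domain B. The names a.example, b.example, FS01 and B\App-Users are assumptions.

```powershell
# Added example (not from the thread): inspect trust direction and authentication
# mode from Domain A's side, then grant "Allowed to Authenticate" on one server.
# Assumes the RSAT ActiveDirectory module, run as an admin of Domain A, and the
# hypothetical names a.example (Domain A), b.example (Domain B), server FS01 in A,
# and group B\App-Users in Domain B that needs to reach FS01 only.
Import-Module ActiveDirectory

$LocalDomain  = 'a.example'      # assumption: Domain A, where this runs
$TrustPartner = 'b.example'      # assumption: Domain B
$ResourceHost = 'FS01'           # assumption: the one server B's users may use
$ForeignGroup = 'B\App-Users'    # assumption: group in Domain B (NetBIOS\name)

# Translate Get-ADTrust's Direction into the trusting/trusted wording used in the thread.
# Inbound  = the partner trusts us:  OUR users reach THEIR resources (we are trusted).
# Outbound = we trust the partner:   THEIR users reach OUR resources (we are trusting).
function Describe-Trust {
    param($Trust)
    $who = switch ($Trust.Direction) {
        'Inbound'       { "$LocalDomain is the trusted side; its users can access $($Trust.Target)" }
        'Outbound'      { "$LocalDomain is the trusting side; $($Trust.Target) users can access it" }
        'BiDirectional' { 'two-way: users on both sides can access the other' }
        default         { "unknown direction $($Trust.Direction)" }
    }
    $auth = if ($Trust.SelectiveAuthentication) { 'Selective' } else { 'Forest/Domain-wide' }
    '{0,-20} {1,-14} {2,-18} {3}' -f $Trust.Target, $Trust.Direction, $auth, $who
}

$trusts = Get-ADTrust -Filter * -Server $LocalDomain
$trusts | ForEach-Object { Describe-Trust $_ }

# Allowed to Authenticate is only evaluated on the resource (trusting) side of a
# selective-authentication trust, so confirm that before touching any ACL.
$t = $trusts | Where-Object { $_.Target -eq $TrustPartner }
if (-not $t) { throw "No trust with $TrustPartner found on $LocalDomain" }
if ($t.Direction -notin 'Outbound', 'BiDirectional') {
    throw "$LocalDomain does not trust $TrustPartner; nothing to grant on this side"
}
if (-not $t.SelectiveAuthentication) {
    Write-Warning "Trust to $TrustPartner is forest-wide; every $TrustPartner user already authenticates to $LocalDomain and the ACE below is not consulted"
}

# Resolve the Allowed-To-Authenticate control access right from the configuration
# partition instead of hard-coding it (expected: 68b1d179-0d15-4d4f-ab71-46152e79a7bc).
$cfgNC = (Get-ADRootDSE -Server $LocalDomain).configurationNamingContext
$right = Get-ADObject -Server $LocalDomain -SearchBase "CN=Extended-Rights,$cfgNC" `
            -LDAPFilter '(displayName=Allowed to Authenticate)' -Properties rightsGuid
$rightGuid = [Guid]$right.rightsGuid

# Grant the right on the server's computer object to the Domain B group.
$computer = Get-ADComputer -Identity $ResourceHost -Server $LocalDomain
$sid = (New-Object System.Security.Principal.NTAccount($ForeignGroup)).Translate(
           [System.Security.Principal.SecurityIdentifier])
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $rightGuid)

$path = "AD:\$($computer.DistinguishedName)"
$acl = Get-Acl -Path $path
$acl.AddAccessRule($ace)
Set-Acl -Path $path -AclObject $acl

# Verify: who now holds Allowed to Authenticate on FS01.
(Get-Acl -Path $path).Access |
    Where-Object { $_.ObjectType -eq $rightGuid -and $_.AccessControlType -eq 'Allow' } |
    Select-Object IdentityReference, ActiveDirectoryRights
```

Get-ADTrust reports Direction relative to the domain you query: Inbound means the partner trusts you (your users go out), Outbound means you trust the partner (their users come in), which is the convention royal describes. The script refuses to add the ACE unless the local side is the trusting side, because the right is only checked on the resource domain's computer objects, and it warns when the trust is forest-wide, since in that case the ACE is never consulted and every Domain B user can already authenticate to any machine in Domain A.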

#5 cashew
Got it. It sucks because it makes me question the integrity of the practice questions. There really needs to be a law that calls for mandatory jail time if an explanation on a practice test is incorrect. If this were true, Transcender would be serving two lifetime sentences. I can't wait to get this over with on Tuesday, considering my company is out of the scope of this exam. We have 150 users in 2 domains. The other domain is used only for our developers. This has been my favorite to study for so far. I thought I really understood GPOs until I delved into this. Wish me luck!

#6 royal
    Quote Originally Posted by cashew
    The other domain is used only for our developers.
    Why exactly are they in a different domain just for 1 specific set of users? Different account policies?

    Anyways, good luck!

#7 Member (Greenville, SC; A+, Net+, Security+, MCP, MCSA 2003, MCSE 2003)
Quote Originally Posted by cashew
If I'm creating the incoming forest trust on my domain, I should be specifying access to resources in another domain. Should this be the correct statement?
    Something that helped me remember the direction of trusts:

    Trust(ED) <---------- Trusting

    The trusted forest contains the user, Ed, who needs to access the resource.

    It's really simple, but it made a big difference for me.
