Domains are fundamental security boundaries, which by default restrict users in one domain from gaining access to objects in another domain. However, "trust" relationships can be created between domains to allow object accessibility across these secure borders.
Since administration can be delegated to domains and OUs, Windows Server 2003 establishes certain administrative defaults. The Domain Administrator group can control activities only in that domain, which means that administrative privileges do not automatically flow down to other domains. Thus, a system administrator for the root domain must be explicitly granted rights in its child domains.
Administrative rights on another domain can be either limited or full. To be granted full rights in another domain, the user must be specifically added to that domain's Administrator group. For more limited rights, that administrator must grant permissions to certain objects or organizational units.
Remember that domains are organized into trees that share a namespace and are composed of a single domain or a root domain with child domains. All domains in the tree share Active Directory. Active Directory objects are contained on domain controllers in each individual domain.
Users gain access across domains within the tree through trust relationships. The hierarchical structure of the domain tree (extending internally to the organizational units) permits the flow of permissions to an OU. With appropriate group and OU permissions, a user in one domain can use resources or gain access to objects in another domain.
In trust relationships, user logons are honored between trusted domains. When two trees are trusted at the root domain, users in one tree can log on to domains in the other tree. However, specific access to objects is based on specific permissions associated with that user and the object's ACL. The Active Directory supports two trust relationship models:
A two-way transitive trust is automatically achieved between domains in the same tree or it can be established between root domains on different trees.
Explicit one-way trusts are created between specific domains in different forests and provide one-way, restricted permissions. As shown in Figure 5.16, the domain Sales.EntCert.com has granted logon authentication to users in Sales.unint.com; however, the relationship is not bidirectional, nor does it flow to any other domain in the tree or forest. (Note that explicit trusts can also be established within the same forest to provide shortcuts between domains.)
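The two trust models above can be checked mechanically. The following is an added example (not part of the original text or of any Microsoft tool) that models trusts as directed edges, where the trusting domain honors logons from the trusted domain, and asks whether a user account from one domain can be authenticated by another. The topology is constructed to match the description of Figure 5.16: two separate forests, each a tree with a child domain, joined only by the explicit one-way trust from Sales.EntCert.com to Sales.unint.com.

```python
from collections import deque

# A trust is a tuple (trusting, trusted, transitive): `trusting` honors logons
# of users whose accounts live in `trusted`. Two-way transitive trusts (parent
# and child in a tree, or tree root to tree root) are two edges; an explicit
# one-way trust is a single non-transitive edge.

def two_way_transitive(trusts, a, b):
    trusts.append((a, b, True))
    trusts.append((b, a, True))

def explicit_one_way(trusts, trusting, trusted):
    trusts.append((trusting, trusted, False))

def can_log_on(trusts, user_domain, target_domain):
    """True if target_domain will authenticate a user from user_domain:
    same domain, a chain of transitive trusts from target_domain back to
    user_domain, or one direct non-transitive trust of target_domain in
    user_domain. A non-transitive trust never acts as a hop in a longer chain,
    so it does not extend to the rest of either tree or forest."""
    if user_domain == target_domain:
        return True
    if any(t == target_domain and d == user_domain and not transitive
           for t, d, transitive in trusts):
        return True
    # Walk only transitive edges, starting at the domain where logon is attempted.
    seen, queue = {target_domain}, deque([target_domain])
    while queue:
        here = queue.popleft()
        for trusting, trusted, transitive in trusts:
            if trusting == here and transitive and trusted not in seen:
                if trusted == user_domain:
                    return True
                seen.add(trusted)
                queue.append(trusted)
    return False

# Constructed topology modeled on Figure 5.16: two forests, one explicit one-way trust.
TRUSTS = []
two_way_transitive(TRUSTS, "EntCert.com", "Sales.EntCert.com")
two_way_transitive(TRUSTS, "unint.com", "Sales.unint.com")
explicit_one_way(TRUSTS, trusting="Sales.EntCert.com", trusted="Sales.unint.com")

if __name__ == "__main__":
    for user, target in [("Sales.unint.com", "Sales.EntCert.com"),
                         ("Sales.EntCert.com", "Sales.unint.com"),
                         ("Sales.unint.com", "EntCert.com"),
                         ("unint.com", "Sales.EntCert.com")]:
        print(f"{user} -> {target}: {can_log_on(TRUSTS, user, target)}")
```

The two-way transitive trust between tree roots described in the text is simply another `two_way_transitive` edge between the two roots, after which the walk chains through it.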