Direction of Trust

cashew

Lets say there are two domains that run Win2003 with a Forest Function of 2003, Domain A and Domain B. Domain A needs full access to Domain B, and Domain B needs access only to a specified server in Domain A. Is this the correct approach?

In Domain A, create an incoming trust to Domain B with Forest wide Authentication.

In Domain B, create an incoming trust to Domain A with Selective Authentication.

royal

Yep, that's correct. Keep in mind that with the selective authentication selected, you need to use something called, "Allowed to Authenticate" on the security descriptor of the objects in AD to allow user's on the other side of the trust to be able to authenticate to that resource system. You can read about that here.

Also, one more thing. Even though on one domain you have an internal trust, you still need to configure it on the other side as an external trust.

cashew

Thats what I thought, but on a practice test explanation it seems they have it backwards.

"If you use forest-wide authentication on an incoming forest trust, users from the outside forest have the same level of access to resources in the local forest as users who belong to the local forest".

If I'm creating the incoming forest trust on my domain, I should be specifying access to resources in another domain. Should this be the correct statement?

"If you use forest-wide authentication on an outgoing forest trust...."

royal

In so many places trusts is confusing as to how it is worded. As for what I posted and a more detailed description below, it is correct. I've done one-way trusts several times in the real-world so I know what I am writing is correct.

I am AdministratorA on ForestA which contains usersA. I create an outgoing trust to ForestB which means that my ForestA forest is the trusting forest and ForestB is the trusted Forest. Now the Administrator on Forest B has to create the incoming Forest in his ForestB. Since this is a one-way trust, and ForestA is trusting ForestB, ForestB users will have access to ForestA.

cashew wrote:

If I'm creating the incoming forest trust on my domain, I should be specifying access to resources in another domain. Should this be the correct statement?

And yes this is correct. Since your forest has the incoming forest, it'll be your users that have access to the other forest. That is why you'd have to specify what and what does not have access on the other forest.


So in short, just think of it this way:

Forest A (Resources)

---

> Forest B (Users)

Forest B has the incoming trust because the arrow is pointing towards Forest B. Whichever way the arrow is pointing means the users on the side of the arrow will have access to the side with no arrow. The side with the arrow = users and the side without the arrow = resources.

cashew

Got it. It sucks because it makes me question the integrity of the practice questions. There really needs to be a law that calls for mandatory jail time if an explanation on a practice test is incorrect. If this was true, Transcender would be serving 2 lifetime sentences. I can't wait to get this over with on Tuesday, considering my company is out of the scope of this exam. We have 150 users in 2 domains. The other domain is used only for our developers. This has been my favorite to study for so far. I thought I really understood GPOs until I delved into this. Wish me luck!

royal

cashew wrote:

The other domain is used only for our developers.

Why exactly are they in a different domain just for 1 specific set of users? Different account policies?

Anyways, good luck!

shamrocker98

cashew wrote:

If I'm creating the incoming forest trust on my domain, I should be specifying access to resources in another domain. Should this be the correct statement?

Something that helped me remember the direction of trusts:

Trust(ED) <

---

Trusting

The trusted forest contains the user, Ed, who needs to access the resource.

It's really simple, but it made a big difference for me.