Experimental environment:
Xi'an Lingyun High-tech System Integration Co., Ltd. uses the domain benet.com (one forest) for its day-to-day office work. The engineering department has recently taken on a project, and a separate domain, project.com (another forest), has been built for it. A shared folder in that domain is to be used by the engineering staff, whose accounts are in benet.com, so that people in the two domains can work together. How do we let engineering staff access resources across the two domains? How do we make different domains trust each other on the network? How do we complete these requirements, and what do we do step by step?
Experimental purposes:
Understand the concept of trust relationships;
Understand how cross-domain access is configured;
Use the AGDLP rule to exercise resource access over an external trust;
Experiment topology:
Experiment steps:
First, understand the concept of a trust relationship:
First, why do domains create trust relationships?
Look at an example: the Xi'an Lingyun High-tech domain is "angeldevil.com" and the Guangzhou branch's domain is "gz.angeldevil.com". If a head-office employee needs to access a resource in the branch domain, that access requires the employee's account to be authenticated. A DC in a domain can only authenticate accounts of its own domain and cannot authenticate accounts from other domains. This is where a trust relationship between domains comes in: the domain where the resource resides (the resource domain, or trusting domain) trusts the domain where the account resides (the account domain, or trusted domain).
In general, the default trust relationships between domains in a forest have three characteristics:
Automatic creation: a trust relationship between domains in a forest is created automatically when a child domain or a domain tree is created;
Transitive trust: trust relationships between domains in a forest are transitive, just as when "John" trusts "Dick" and "Dick" trusts "King Two", "John" also trusts "King Two";
Bidirectional trust: bidirectional trust means two trusts in opposite directions between two domains, just as "John" trusts "Dick" and "Dick" trusts "John";
Types of trust: trusts within a forest and trusts between forests.
Trusts within a forest are divided into tree-root trusts and parent-child trusts; they are established automatically and are two-way transitive trust relationships. Although establishing a trust relationship is the prerequisite for accessing resources, permissions must still be set before access succeeds: this is where the AGDLP rule comes in.
Tree-root trust: between two domain trees in the same forest;
Parent-child trust: within the same domain tree;
Trusts between forests are divided into external trusts and forest trusts.
An external trust is a non-transitive trust created between domains in different forests. A forest trust is new in Windows Server 2003: it is established between the forest root domains of two Windows Server 2003 forests and provides a one-way or two-way transitive trust relationship between the domains of either forest.
Second, configuring an external trust;
To simplify the experiment, we have already created the domains benet.com and project.com; we now look at how an external trust is created:
2.1.0 Before configuring the external trust, we first configure forwarders (configuring forwarders lets the two DNS servers reach each other). Open the DNS server Properties, select the Forwarders tab, and fill in the IP address of the DNS server on the other side, as shown in the Windows SP1 settings;
Of course, when configuring an external trust, forwarders must be configured on both sides; the configuration on Windows R2 is the same as on SP1.
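As an added example that is not part of the original post, the same forwarder step done from PowerShell on the benet.com DNS server, followed by the two checks a practitioner would run: that the partner forest's DC locator records resolve before the trust wizard is started, and that the trust created afterwards really is a non-transitive external trust with SID filtering on. Assumptions: the DNS server addresses 192.0.2.10 and 192.0.2.20 are constructed, and the DnsServer and ActiveDirectory modules are available (Windows Server 2012 or later), whereas the post itself uses the DNS console GUI.

```powershell
# Added example, not the original post's procedure. Constructed addresses:
# benet.com DC/DNS = 192.0.2.10, project.com DC/DNS = 192.0.2.20.
Import-Module DnsServer
Import-Module ActiveDirectory

$RemoteForest = "project.com"
$RemoteDns    = "192.0.2.20"

# Step 1 (on the benet.com DNS server): forward only the partner's zone to the
# partner's DNS. A conditional forwarder is narrower than the server-wide
# forwarder in the post: the partner server only sees queries for its own namespace.
if (-not (Get-DnsServerZone -Name $RemoteForest -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $RemoteForest -MasterServers $RemoteDns
}

# Step 2: before opening the trust wizard, prove that the DC locator records of the
# other forest resolve from here. The wizard fails if this lookup fails, and the
# same check must succeed in the other direction on the project.com side.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$RemoteForest" -Type SRV -ErrorAction Stop
$srv | Where-Object { $_.Type -eq "SRV" } |
    Select-Object Name, NameTarget, Port | Format-Table -AutoSize

# Step 3 (after both sides have created the trust): verify what was actually built.
# An external trust is non-transitive (ForestTransitive = False) and has SID
# filtering quarantine on by default; a forest trust would be transitive, which is
# wider than the post intends.
$trust = Get-ADTrust -Filter "Name -eq '$RemoteForest'" -ErrorAction Stop
$trust | Select-Object Name, Direction, ForestTransitive, IntraForest, SIDFilteringQuarantined |
    Format-List

if ($trust.ForestTransitive) {
    Write-Warning "Trust to $RemoteForest is forest-transitive; expected a non-transitive external trust."
}
if (-not $trust.SIDFilteringQuarantined) {
    Write-Warning "SID filtering is off for $RemoteForest; SIDs from that forest are not being filtered."
}
```

Run the script once on each side with the forest names and addresses swapped, since the forwarder and the trust both have to be set up from both ends.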