Within a single domain, a member server can easily assign resources to users in that domain based on the user accounts in Active Directory. However, the scope of a domain is limited, and some enterprises use multiple domains. How do we assign resources across domains in a multi-domain environment? That is, how do we assign resources in Domain A to users in Domain B? Generally there are two options. The first is a mirror account: create a user account with the same username and password in both Domain A and Domain B, then assign resources in Domain B to this account; the mirror account in Domain A can then access the resources in Domain B. The mirror-account approach is obviously not a good choice; at the very least, creating duplicate accounts is a headache for administrators. The mainstream method for cross-domain resource assignment is to create a domain trust relationship. Once a trust relationship exists between two domains, assigning resources across them is very easy. Domain trust relationships are directional. If Domain A trusts Domain B, resources in Domain A can be assigned to users in Domain B, but resources in Domain B cannot be assigned to users in Domain A. To achieve that, Domain B must also trust Domain A.
If Domain A trusts Domain B, the domain controller of Domain A copies the user accounts of Domain B into its Active Directory, and in this way resources in Domain A can be assigned to users in Domain B. In this process, Domain A's trust in Domain B must first obtain Domain B's consent, because Domain A trusting Domain B means that Domain A needs to obtain the user accounts from Domain B. This differs from our habitual understanding: the initiative in a trust relationship lies with the trusted domain, not the trusting domain.
Domain A trusting Domain B means that resources in Domain A may be assigned to users in Domain B, but this is not inevitable! If no resource is assigned, users in Domain B cannot obtain any resources. Some people mistakenly think that as long as a trust relationship exists between two domains, users of the trusted domain can unconditionally obtain all resources in the trusting domain. This is wrong. When I first started working, I was the network manager for a Hong Kong-owned enterprise. The Hong Kong company was one domain and the Shenzhen company was another. Once, we needed to connect the Exchange servers of the two companies into a site. This operation required the two domains to establish a trust relationship, but an old engineer refused to establish one. His reason was that once the trust relationship was established, the Hong Kong company's information would be viewable by the Shenzhen company's employees. This reason obviously does not hold; clearly some of his understanding of domain trust relationships was off. I corrected his misconception through an experiment. It turned out that after the domain trust relationship between Shenzhen and Hong Kong was established, security had not decreased.
In the NT4 domain era, trust relationships were not transitive. That is, if Domain A trusted Domain B and Domain B trusted Domain C, Domain A had nothing to do with Domain C. If trust were transitive, we could derive that Domain A trusts Domain C. The lack of transitive trust greatly reduces flexibility: imagine how much work is required if 70 domains need to establish full mutual trust. Moreover, this sacrifice of flexibility brought no compensating gain in security. Therefore, with the release of Windows 2000, Microsoft allowed transitive trust relationships within a domain tree and a domain forest, and in Windows 2003 trust relationships can be transitive between forests.
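Added example (not from the original post): a small Python model of the rules described above, using constructed domain names A, B and C and a constructed share. It encodes the direction of a one-way trust, the difference between NT4-style non-transitive and Windows 2000-style transitive trust, and the point that a trust alone grants nothing until a resource's ACL names the account.

```python
from collections import deque

# Constructed sample topology: a one-way trust is (trusting_domain, trusted_domain).
# "A trusts B" means resources in A may be assigned to accounts from B, never the reverse.
TRUSTS = {("A", "B"), ("B", "C")}

def trusted_account_domains(resource_domain, trusts, transitive):
    """Return the domains whose accounts can be granted resources in resource_domain.
    transitive=False models NT4 (only direct trusts count);
    transitive=True models Windows 2000+ tree/forest trusts (follow trust chains)."""
    direct = {b for a, b in trusts if a == resource_domain}
    if not transitive:
        return direct
    reachable, queue = set(), deque(direct)
    while queue:                      # breadth-first walk along outgoing trusts
        d = queue.popleft()
        if d in reachable:
            continue                  # guards against cycles (A trusts B, B trusts A)
        reachable.add(d)
        queue.extend(b for a, b in trusts if a == d)
    reachable.discard(resource_domain)
    return reachable

def can_access(user, user_domain, resource, trusts, transitive):
    """A trust only makes a foreign account eligible to appear on an ACL.
    Access still requires the resource's ACL to name the account explicitly."""
    if user_domain != resource["domain"] and user_domain not in trusted_account_domains(
        resource["domain"], trusts, transitive
    ):
        return False                  # no trust path: the account cannot even be granted
    return (user, user_domain) in resource["acl"]

def full_mesh_trust_count(n):
    """One-way trusts needed for n domains to fully trust each other without transitivity."""
    return n * (n - 1)

# Constructed sample resource: a share in Domain A whose ACL names alice from Domain B
# and carol from Domain C. Only ACL entries backed by a trust path are effective.
SHARE = {"domain": "A", "acl": {("alice", "B"), ("carol", "C")}}

if __name__ == "__main__":
    for transitive in (False, True):
        label = "transitive" if transitive else "non-transitive (NT4)"
        print(label, "domains trusted by A:", trusted_account_domains("A", TRUSTS, transitive))
        print("  alice@B:", can_access("alice", "B", SHARE, TRUSTS, transitive))
        print("  bob@B  :", can_access("bob", "B", SHARE, TRUSTS, transitive))    # trusted, not on ACL
        print("  carol@C:", can_access("carol", "C", SHARE, TRUSTS, transitive))  # needs transitivity
    print("one-way trusts for a full mesh of 70 domains:", full_mesh_trust_count(70))
```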
Reference: http://yuelei.blog.51cto.com/202879/175728
This article is from the "shenwei new space" blog, please be sure to keep this source http://abool.blog.51cto.com/8355508/1559661
Understanding domain and trust relationships