Within a single domain, member servers can easily allocate resources to users of that domain on the basis of the user accounts in Active Directory. The scope of one domain is limited, however, and some enterprises run more than one. In a multi-domain environment, how do we allocate resources across domains, that is, how do we give users in domain B access to resources in domain A? Generally there are two choices. The first is the mirrored account: create a user account with exactly the same user name and password in both domain A and domain B, assign the resource in domain A to that account, and a user who logs on with the mirrored account in domain B can then access the resource in domain A (the matching name and password are what make the access succeed).
The mirrored-account method is clearly not a good choice; at the very least, maintaining duplicate accounts and keeping their passwords in step is a headache for the administrator. The main method of cross-domain resource allocation is to create a domain trust relationship; once a trust exists between two domains, allocating resources across them is easy. Domain trust relationships are directional: if domain A trusts domain B, then resources in domain A can be assigned to users in domain B, but resources in domain B cannot be assigned to users in domain A. If you want that as well, domain B must also trust domain A (a two-way trust).
If domain A trusts domain B, the domain controllers in domain A accept domain B's user accounts as security principals (they are resolved through domain B's domain controllers over the trust rather than copied into A's Active Directory), so that resources in domain A can be assigned to users in domain B. It follows that for A to trust B, B must agree first: A needs B's account information, and the trust is configured on both sides with a shared trust password, so B's administrators have to take part. This differs from our everyday understanding of the word: the initiative in a trust relationship lies with the trusted domain as much as with the trusting domain.
Domain A trusting domain B means that A's resources can be allocated to B's users, but it does not happen by itself. If you make no resource assignments, users in domain B get nothing. Some people mistakenly believe that as soon as a trust exists between two domains, users of the trusted domain gain unconditional access to every resource in the trusting domain; that is wrong. One caveat is worth knowing, though: after the trust is created, a domain B user who authenticates to domain A is counted among A's Authenticated Users and Everyone, so any resource whose permissions already grant those groups becomes reachable from B. Windows Server 2003 also offers selective authentication on external and forest trusts to restrict which trusted users may authenticate to which servers. I work in network management at a Hong Kong-funded enterprise; the Hong Kong company is one domain and the Shenzhen company is another. Once we needed to connect the two companies' Exchange servers, which required a trust between the two domains, but an old engineer was adamantly against building the trust relationship. His reason was that once the trust was established, all of the Hong Kong company's information would be visible to the Shenzhen company's staff. This reasoning is rather amateurish; clearly his understanding of domain trusts was somewhat off. I corrected his misconception with an experiment, and it turned out that security has not diminished since the Shenzhen and Hong Kong companies established a domain trust relationship.
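The following is an added example, not code from the original post; it walks through the three points above on a Windows domain controller: creating a one-way trust in which domain A trusts domain B, checking which way the trust points, and then granting a resource explicitly, because the trust alone grants nothing. The domain names hk.example.com (NetBIOS HK, domain A, which owns the resources), sz.example.com (NetBIOS SZ, domain B, which owns the users), the share path and the group SZ\Finance-Readers are all hypothetical. It assumes netdom.exe and the ActiveDirectory PowerShell module are available.

```powershell
# Added example, not from the original post. Hypothetical names: domain A is
# hk.example.com (NetBIOS HK, holds the resources), domain B is sz.example.com
# (NetBIOS SZ, holds the users). Run from an administrative host in domain A
# with netdom.exe and the ActiveDirectory RSAT module installed.
$trusting = 'hk.example.com'   # A: the domain that trusts, and that owns the resource
$trusted  = 'sz.example.com'   # B: the domain whose users are to be granted access

# 1. Create a one-way trust: A trusts B. netdom takes the trusting domain first
#    and the trusted domain after /d:, and needs credentials for both sides
#    (/ud and /pd for the trusted domain, /uo and /po for the trusting one),
#    which is exactly why B's administrators must take part. '*' makes netdom
#    prompt for each password instead of putting it on the command line.
netdom trust $trusting "/d:$trusted" /add /ud:SZ\Administrator /pd:* /uo:HK\Administrator /po:*

# 2. Verify the direction as seen from A. On A, Direction 'Outbound' means
#    "this domain trusts the target", so B's users can be given A's resources;
#    'Inbound' would mean the reverse, 'BiDirectional' both ways.
$t = Get-ADTrust -Filter "Target -eq '$trusted'" -Server $trusting
$t | Select-Object Name, Direction, TrustType, ForestTransitive, SelectiveAuthentication, SIDFilteringQuarantined
if ($t.Direction -ne 'Outbound' -and $t.Direction -ne 'BiDirectional') {
    throw "A trust with $trusted exists, but $trusting does not trust it; check the direction."
}

# 3. The trust by itself assigns nothing. Users from B reach a share in A only
#    once an ACL names them or a group they belong to. Here a (hypothetical)
#    group from B is given read access to a folder in A.
$path = 'D:\Shares\Finance'
$acl  = Get-Acl -Path $path
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    'SZ\Finance-Readers',               # identity from the trusted domain
    'ReadAndExecute',                   # FileSystemRights
    'ContainerInherit,ObjectInherit',   # InheritanceFlags: apply to subfolders and files
    'None',                             # PropagationFlags
    'Allow')                            # AccessControlType
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# 4. Caveat check: an ACE that grants 'Authenticated Users' or 'Everyone' now
#    also admits B's users, because a trusted user who authenticates to A is a
#    member of those groups on A. List such ACEs so they are reviewed on purpose.
(Get-Acl -Path $path).Access |
    Where-Object { $_.IdentityReference -match 'Authenticated Users|Everyone' } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

Step 2 is the check most often skipped: the same `Get-ADTrust` output on B's side would show the same trust as `Inbound`, which is why reading the direction from the wrong domain leads to the "resources flow the wrong way" confusion described above.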
In the NT4 era, trust relationships were not transitive. That is, if domain A trusts domain B and domain B trusts domain C, then A and C have no relationship at all. If trusts were transitive, we could infer from those two that domain A trusts domain C. Non-transitive trusts are far less flexible: imagine how much work it would take for 70 domains to fully trust one another, since every ordered pair needs its own one-way trust, 70 x 69 = 4830 one-way trusts (2415 two-way trusts) in total. This sacrifice of flexibility bought no security in return, so with Windows 2000 Microsoft made trusts transitive within a domain tree and within a forest, and Windows Server 2003 added transitive trusts between forests (forest trusts).
In the next blog post we will show how to create a trust relationship through an example, so please look forward to it.
Source: http://yuelei.blog.51cto.com/202879/175728