Windows Server Note (vi): Active directory Domain Services: domain trusts


A domain forms a security boundary. In some cases we need to cross that boundary, and for that we use domain trusts.

For example, suppose there are two domains, nswl.local and xuelan.local. If users in the nswl.local domain need to access resources in the xuelan.local domain, or accounts in the xuelan.local domain need to be authenticated by the nswl.local domain, you can achieve this by setting up a trust between the two domains.

Trusts are divided into one-way and two-way trusts. In a one-way trust, A trusts B while B does not trust A; in a two-way trust, A trusts B and B also trusts A. Domain trusts are also transitive: if A trusts B and B trusts C, then A also trusts C. Trusts are further divided into forest trusts and external trusts; the difference is that a forest trust extends to all domains in the forest, while an external trust is not transitive.

Does setting up a domain trust affect security? A trust relationship does not by itself affect security; it only makes access possible, and access still has to be authorized by an administrator. This is exactly why we should avoid granting Allow permissions to Everyone on resources: once the trust is established, every account in the trusted domain will be able to reach those resources.
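The check that follows from the paragraph above, as an added example that is not part of the original post: list SMB shares and top-level folders that grant Everyone (or Authenticated Users, which also covers accounts from a trusted domain once they authenticate) an Allow entry. The root path is an assumption; run it on the file server that hosts the resources.

```powershell
# Added example: find share and NTFS grants that a trust would open up to
# the whole trusted domain. $Root is an assumed starting folder.
param([string]$Root = 'D:\Shares')

# Both principals include accounts from the other side of a trust.
$broad = @('Everyone', 'NT AUTHORITY\Authenticated Users')

# Share-level (SMB) permissions, skipping administrative shares such as C$.
Get-SmbShare | Where-Object { $_.Name -notmatch '\$$' } | ForEach-Object {
    Get-SmbShareAccess -Name $_.Name |
        Where-Object { $broad -contains $_.AccountName -and $_.AccessControlType -eq 'Allow' } |
        Select-Object @{ n = 'Scope'; e = { 'Share' } }, Name, AccountName, AccessRight
}

# NTFS permissions on the first level of folders under $Root.
Get-ChildItem -Path $Root -Directory | ForEach-Object {
    $acl = Get-Acl -Path $_.FullName
    foreach ($ace in $acl.Access) {
        if ($broad -contains $ace.IdentityReference.Value -and $ace.AccessControlType -eq 'Allow') {
            [pscustomobject]@{
                Scope       = 'NTFS'
                Name        = $_.FullName
                AccountName = $ace.IdentityReference.Value
                AccessRight = $ace.FileSystemRights
            }
        }
    }
}
```

Anything this prints is reachable from the trusted domain as soon as the trust exists; replace those entries with explicit groups before creating the trust rather than after.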

The forest functional level is Windows Server 2003

Experimental architecture:


Creating a trust between two domains is very simple; the hard part is making the two domains able to resolve each other's names. There are many ways to do this, such as creating a secondary zone or creating a reverse lookup zone. I use a secondary zone:

1. On the nswl.local domain controller, open DNS Manager, right-click the nswl.local zone and select Properties, open the Zone Transfers tab, tick Allow zone transfers and select Only to the following servers, then click Edit, add the DNS address of the xuelan.local domain controller, and click OK;


2. On the xuelan.local domain controller, open DNS Manager, right-click Forward Lookup Zones and select New Zone;


3. In the Welcome to the New Zone Wizard window, click Next;


4. On the Zone Type page, select Secondary zone and click Next;


5. Enter the zone name (what we need here is a copy of the nswl.local DNS zone, so enter nswl.local), then click Next;


6. Enter the IP address of the master server that holds the zone you just named, click Add, then click Next;


7. After the zone has been created successfully, click Finish;


8. Opening DNS Manager now shows an additional nswl.local zone;


Using the same method, open zone transfers on the xuelan.local DNS server and add the nswl.local DNS server to its allow list, then create a new secondary zone for xuelan.local on the nswl.local DNS server.

After both zones have been created, use nslookup to check that each domain can resolve the other.
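The same secondary-zone setup and resolution check done from PowerShell with the DnsServer module, as an added example that is not part of the original post. The two server addresses are constructed lab values; the `Set-` calls run on the server that owns the primary zone, the `Add-` calls on the server that will hold the copy. The verification goes a step beyond the post's nslookup check by also resolving the SRV locator records a trust actually depends on.

```powershell
# Added example: secondary zones in both directions, then a resolution check.
# Assumed lab addresses (constructed): nswl.local DC = 192.0.2.10,
# xuelan.local DC = 192.0.2.20.
$NswlDc   = '192.0.2.10'
$XuelanDc = '192.0.2.20'

# --- On the nswl.local DNS server (step 1): transfers only to the xuelan.local DC ---
Set-DnsServerPrimaryZone -Name 'nswl.local' `
    -SecureSecondaries TransferToSecureServers -SecondaryServers $XuelanDc `
    -Notify NotifyServers -NotifyServers $XuelanDc

# --- On the xuelan.local DNS server (steps 2-8): pull nswl.local as a secondary zone ---
Add-DnsServerSecondaryZone -Name 'nswl.local' -ZoneFile 'nswl.local.dns' -MasterServers $NswlDc
Start-DnsServerZoneTransfer -Name 'nswl.local' -FullTransfer

# --- Mirror image, so nswl.local can resolve xuelan.local ---
# On the xuelan.local DNS server:
Set-DnsServerPrimaryZone -Name 'xuelan.local' `
    -SecureSecondaries TransferToSecureServers -SecondaryServers $NswlDc `
    -Notify NotifyServers -NotifyServers $NswlDc
# On the nswl.local DNS server:
Add-DnsServerSecondaryZone -Name 'xuelan.local' -ZoneFile 'xuelan.local.dns' -MasterServers $XuelanDc
Start-DnsServerZoneTransfer -Name 'xuelan.local' -FullTransfer

# --- Verification from either DC: the apex SOA plus the DC locator records ---
function Test-CrossDomainResolution {
    param([string]$Domain)
    $queries = @(
        @{ Name = $Domain;                         Type = 'SOA' },
        @{ Name = "_ldap._tcp.dc._msdcs.$Domain";  Type = 'SRV' },
        @{ Name = "_kerberos._tcp.$Domain";        Type = 'SRV' }
    )
    foreach ($q in $queries) {
        try {
            $null = Resolve-DnsName -Name $q.Name -Type $q.Type -DnsOnly -ErrorAction Stop
            [pscustomobject]@{ Query = $q.Name; Type = $q.Type; Resolves = $true }
        } catch {
            [pscustomobject]@{ Query = $q.Name; Type = $q.Type; Resolves = $false }
        }
    }
}

Test-CrossDomainResolution -Domain 'xuelan.local' | Format-Table -AutoSize
```

If the SOA resolves but the SRV records do not, the zone copy is incomplete or stale; the troubleshooting commands below (flush the cache, re-register, restart Netlogon) are the right next step before creating the trust.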

If you run into problems, try the following first:

ipconfig /flushdns      clears the DNS resolver cache
ipconfig /registerdns   refreshes all DHCP leases and re-registers DNS names
net stop netlogon       stops the Netlogon service
net start netlogon      starts the Netlogon service

Once the secondary zones are in place, create the trust as follows:

1. Open Active Directory Domains and Trusts, right-click the domain name and select Properties;


2. Select the Trusts tab and click New Trust;


3. The New Trust Wizard opens; click Next;


4. Enter the name of the domain to establish the trust with, then click Next;


5. For the trust type, select External trust (this trust is not transitive), then click Next;


6. For the direction of trust, select Two-way, then click Next;


7. For the sides of the trust, select Both this domain and the specified domain, then click Next;


8. Enter the user name and password of an administrator account in the xuelan.local domain, then click Next;


9. In the Outgoing Trust Authentication Level window, select Domain-wide authentication (in general we always choose domain-wide authentication; if you have different requirements you can choose Selective authentication instead, and each option carries its own description, which I will not repeat), then click Next;


10. Select the incoming trust authentication level; generally choose Domain-wide authentication, meaning all users. If you choose Selective authentication, you must grant the permitted users manually afterwards. Then click Next;


11. In the Trust Selections Complete window, click Next;


12. In the Trust Creation Complete window, click Next;


13. In the Confirm Outgoing Trust window, select Yes, confirm the outgoing trust, and click Next;


14. In the Confirm Incoming Trust window, select Yes, confirm the incoming trust, and click Next;


15. In the Completing the New Trust Wizard window, click Finish;


16. In the Active Directory Domain Services pop-up, click OK;


17. At this point, the Trusts tab of the domain Properties window shows the trust with the other domain;


18. You can also see the trust between the two domains by opening the domain Properties window in the other domain.
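The same two-way external trust created and checked from PowerShell, as an added example that is not part of the original post. The ActiveDirectory module has no cmdlet for creating trusts, so the creation uses the .NET System.DirectoryServices.ActiveDirectory classes; the credential prompt for xuelan.local stands in for step 8 of the wizard. Run it on a domain controller of nswl.local as a domain administrator. The last part goes beyond the wizard by reading back the two settings a defender cares about on an external trust: selective authentication and SID filtering.

```powershell
# Added example: create, verify and inspect the nswl.local <-> xuelan.local trust.
using namespace System.DirectoryServices.ActiveDirectory

# Local side: the domain this DC belongs to (nswl.local).
$local = [Domain]::GetCurrentDomain()

# Remote side: bind to xuelan.local with an administrator of that domain (step 8).
$cred   = Get-Credential -Message 'xuelan.local administrator'
$ctx    = [DirectoryContext]::new([DirectoryContextType]::Domain, 'xuelan.local',
                                  $cred.UserName, $cred.GetNetworkCredential().Password)
$remote = [Domain]::GetDomain($ctx)

$both = [TrustDirection]::Bidirectional

# Steps 4-8 and 13-14: create both sides of a two-way trust. Because the two
# domains are in different forests this is an external, non-transitive trust.
$local.CreateTrustRelationship($remote, $both)

# Steps 13-14 again, from the other angle: check the secure channel both ways.
# Throws if either direction cannot be verified.
$local.VerifyTrustRelationship($remote, $both)

# Steps 9-10 chose domain-wide authentication, so this returns $false.
# Setting it to $true switches the trust to selective authentication, after
# which users from xuelan.local also need "Allowed to Authenticate" on each
# resource computer before they can use it.
$selective = $local.GetSelectiveAuthenticationStatus($remote.Name)

# SID filtering (quarantine) is enabled on new external trusts by default; leave
# it on so that SIDs from the other domain's SID history are not honoured here.
$sidFiltering = $local.GetSidFilteringStatus($remote.Name)

[pscustomobject]@{
    Trust                   = $remote.Name
    SelectiveAuthentication = $selective
    SidFiltering            = $sidFiltering
}

# Steps 17-18: what the Trusts tab shows, as objects you can audit or export.
Import-Module ActiveDirectory
Get-ADTrust -Filter * |
    Select-Object Name, Direction, TrustType, ForestTransitive,
                  SelectiveAuthentication, SIDFilteringQuarantined
```

The trust itself is the easy part, as the post says; the value of scripting it is that the verification and the two security properties end up in the same run, so a trust created with SID filtering disabled or selective authentication unintentionally off is caught at creation time rather than found later.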



This article is from the "Snow Orchid" blog, please be sure to keep this source http://yupeizhi.blog.51cto.com/3157367/1699099
