| Domains and Trusts
Objectives |
|
1. Vital Statistics and Problem Solving
2. Domain
Models and Trusts
3. Permissions across Domains and Trusts
4. Sizing up
the SAM
5. Determining the # and Location of Domain Controllers
6. Quick
look: Greatest Domain Traffic Generators
Please take note, in the RL World, the domain
model fails above 10,000 Users.
Pass-Through Authentication - when User
account must be authenticated but the computer being used for the logon is not a
domain controller in the domain where the User account is defined; sooo, the
computer passes the logon information through a domain controller (directly or
indirectly) where the User account IS defined.
| Domain Model Vital
Stats |
|
Domain Models
There is 1 and ONLY 1 PDC per domain and 0 or
more BDC's per domain.
| |
Single |
Single
Master |
Multi-Master |
Complete
Trust |
| Centralized Account
Administration |
Yes |
Yes |
Yes |
No |
| Centralized Resource
Administration |
Yes |
No |
No |
No |
| Decentralized Resource
Administration |
No |
Yes |
Yes |
Yes |
| Decentralized Account
Administration |
No |
No |
No |
Yes |
| Support Metrics for
User Accounts |
up to 40,000
|
Fewer than 40,000
|
More than 40,000
|
unknown |
| Other |
There are no trust
relationships to manage. |
Good for grouping by logical
business unit (example: Sales, MIS, Marketing, etc.) |
Most scalable. |
Microsoft does not recommend
this method unless all other models fail. |
"Support Metrics for User
Accounts." Make the relationship connection here with the "Potential
Objects Distribution of a SAM" chart below.
Problem Solving: Domains and
Trusts
- #1 What model are you using (going to
use)?
- #2 Once you choose your model, you
know where your User Accounts are.
- (When figuring accessible resources
and the groups a User can be in, understand this: NT really only trusts one
thing: the User Account. WHERE IS THE USER ACCOUNT
LOCATED)
- #3 What trusts relationships are you
using (are you going to use)?
- #4 Now you have your model, the
trusts, and where your User Accounts are located: you now know what
resources your accounts -potentially- have access to and what group the User
is in. Note: Trusts simply set up the ability for pass through
authentication and the ability to assign permissions across
domains.
| Trusts in Domain
Models |
|
Visualizing Trusts in a Domain
Model
Single Domain Model
Single Master Domain
Model
Multiple Master Domain
Model
There is no such thing as a "two-way
trust," AKA, you cannot create "a two-way trust" with User
Manager for Domains. A "two-way trust" per say, is made up of two one
way trusts as illustrated above with the Accounts Domains and in the Complete
Trust Domain Model shown below.
T = M( M-1) + RM
- M = # of master domains in the organization
- R = # number of resource domains in the
organization
- T = # number of trust relationships
required
Complete Trust Domain
Model
T = N( N-1)
- N = # of domains in the organization
- T = # number of trust relationships
required
| Setting Up a Trust
Relationship |
|
Requirements for Setting Up a Trust'
- Administrator Account in both domains
required
- Both Domains must be free of any sessions
between them
- Both PDCs in both domains must be online to
communicate with each other
- Must have a common protocol (should set to
highest binding order for best results)
- ***Establish the Trusting relationship
first, then establish the Trusted relationship. This is not required BUT you
may have to wait 15 minutes if you do it the other way around for the trust
to take effect.
Establish a 1 way trust (example:
"Domain A trusts Domain B")
- On Domain B (Trusted Domain) User Manager for Domains >
Policies > Trust Relationships.
- Add Domain A under "Trusting Domains"
- Specify a password - important for security
- On Domain A (Trusting Domain) User Manager for Domains >
Policies > Trust Relationships
- Add Domain B under "Trusted Domains"
Both Domains must complete this procedure for
this one way trust to be established.
Establish a second 1 way trust
(example: "Domain B trusts Domain A")
- On Domain A (Trusted Domain) User Manager for Domains >
Policies > Trust Relationships
- Add Domain B under "Trusting Domains"
- On Domain B (Trusting Domain) User Manager for Domains >
Policies > Trust Relationships
- Add Domain A under "Trusted"
Both Domains must complete this procedure for
this one way trust to be established. When you have completed both
examples, you have a established a two way trust AKA two one way
trusts.
| Troubleshooting
Trusts |
|
Source: "Supporting Windows NT Server in the
Enterprise" by MS Press
| Issue |
Possible
Resolution |
| Trust relationship can't be
established |
Verify that the PDC in each
domain is running. Verify that the PDC in each domain can resolve
the other's name, using Windows Internet Naming Service (WINS) or
some other name resolution method. |
| Verifying the trust
relationship doesn't work |
The trusted domain must allow
the trusting domain before the trusting domain can attempt to
establish the trust relationship. Verify that no session exists with
the PDC. |
| Broken trust
relationship. |
If a trust relationship is
broken, trusted accounts will not be available for use anymore.
Reestablish the trust relationship. |
| Reestablishing a broken trust
fails. |
Verify that the PDC in each
domain is running. |
| Trusted accounts are not
useable. |
The trust relationship may
have been established in the wrong direction. Break the existing
relationship, and have the trusted domain allow the trusting domain,
and the trusting domain trust the trusted domain. |
| Cross-domain administration
fails. |
Verify that the trusted
domain's Domain Admins group is added to the local Administrators
group. |
| Access is denied when using
trusted accounts. |
Check to see if the same
account name exists in both domains. In a trust relationship, each
account should appear only in one domain, either the trusted domain
or the local domain, but not both. |
| A local account can use
resources in a remote domain. |
Check if the same account
name exists in both domains. In a trust relationship, each account
should appear only in one domain, either the trusted domain or the
local domain, but not both. |
Rules
- By default, no automatic permissions to
resources on the Trusting Domain are granted to Users and Global Groups
from the Trusted Domain when a trust relationship is established; however,
Users in the Trusted Domain can
access resources available to the default Global Domain Guests Group in the
Trusting Domain.
- A "Two Way Trust" is two one way
trusts.
- Trusts are non-transferable: If Domain A trusts
Domain B and Domain B trusts Domain C, Domain A DOES NOT TRUST Domain C. An
implicit trust Domain A trusts Domain C must be set up for a relationship to
exist.
- Example: when a one way trust is established
between two domains: The Administrator from the Trusting Domain (likely,
a Resource Domain) can -view and add- Users and Global Groups from the
Trusted Domain (likely, an Accounts Domain) to Global and Local Groups in
the Trusting Domain (likely, a Resource Domain). Remember: Global Groups
CANNOT go into Global Groups. Also remember, as part of your strategy,
is to assign Local Groups to each resource.
- Example Syntax: DOMAINA\Domain Users.
- NTFS Permissions: no difference. For share
permissions, it is considered "across the network" so share
permissions will be effective.
- Logon: If a User logs on to a domain that is
not his/her home domain, the User is a Domain Guest and has the rights and
permissions of the Domain Guest ONLY!
| SAM
Sizing |
|
SAM
- Directory Database, SAM MS recommended
limit = 40 MB
- Maximum # of objects =
40,000
- Each User = 1kb
- Each Group Local = .5kb + 36
bytes per member
- Each Group Global = .5kb + 12
bytes per member
- Each Computer account = .5
kb
Potential Objects
Distribution of a SAM
| User |
Computer |
Group |
Total SAM
Size |
| 2000 |
2000 |
30 |
3.12 MB |
| 25,000 |
25,000 |
200 |
38.2 MB |
| 26,000 |
26,000 |
250 |
40 MB |
| 40,000 |
0 |
0 |
40
MB |
Review
| Bytes |
Kilobytes -
Kb |
Megabytes -
Mb |
| 1,048,576
bytes |
1024 Kb |
1 Mb |
| 1024 bytes |
1 Kb |
|
Sizing Up the SAM: Rule of Thumb
estimates:
- Every 1000 Users = 1 MB
- Every 2000 Computers = 1 MB
MS recommended to
have 2.5 x amount of RAM as size of SAM. Adam recommended to have a hell
of a lot more than that! :-)
| Number and Location of
Domain Controllers |
|
Determining the Number of Domain
Controllers
- 1 PDC and 1 BDC can support 2000 user accounts
to validate user logons and provide fault tolerance
- 1 domain controller per maximum of 2000 user
accounts without fault tolerance. If you had 3000 User accounts, 2 domain
controllers would be required.
Special Consideration: Domain Controllers
when Geography Separates
- WAN Links (such as T1, 56K, or ISDN)
determine
- Domains and BDCs
- Traffic across the link
- Location of BDCs for Logon
Authentication
- At least 1 PDC and 1 BDC is recommended at each
location (regardless if there are only, say, 250 Users at that location) to
provide fault tolerance and to keep Users from crossing the WAN link for
authentication.
You want to have a WINS Server and DHCP Server
across each slow WAN link.
| See that Network
Traffic run |
|
5 greatest factors that will cause traffic on your
network (in order of most to least generated):
- Netlogon Service: Synchronization of the
SAM
- WINS Database Replication
- DHCP Server
- Browser Service
- SMS - Systems Management Server