All4Techie: Active Directory Domain and Trust

what is domain and trust bsically and how this works: The trust allow share security information and network resources between same or dfferent domains.It can be accesed by Active Directory Forest ad Trust FOlder under Admin Tools or run domain.msc in run command.Normally when a different Domain user want to access resources of differecnt domain, it would require another user name password, but after enabling trust it will work like SSO (Single sign on). we will be doing advacned Trust Policy very soon in next update.Its require for Trust there network connectivity should be enabled between 2 root domain.
Four types of Trust available in Windows Server
External Trust: is used to create a on way or two way non-transitive trust with another domain which reside outside of forest.
Realm Trust: trust between any non-Windows Kerberos, This trust relationship allows cross-platform interoperability with security services that are based on other versions of the Kerberos V5 protocol.
Forest Trust: when creating trust between 2 forest root domain name.
Shortcut trust: when direct trusts between two domains that implicitly trust each other. Such a trust is sometimes referred to as a shortcut trust, and it can improve the speed at which resources are accessed across many different.

With 2 types of Forest level Trust:
One Way Forest Trust: When trust in allowed between 2 different root domain from one side only Means the information will flow to one side that is allowed.
Two Way Forest Trust: when trust is allowed between 2 root domain and both are allowed to share information between them. Both Root Domains can send and receive information.
Transitive and Non-transitive Trusts: When configuring trusts, you’ll need to consider two main characteristics: transitivity and direction. Easy and direct concept to understand transitive relationships is like If Domain A trusts Domain B and Domain B trusts Domain C, then Domain A implicitly trusts Domain C. Trusts can be configured as nontransitive so that this type of behavior does not occur. In one-way relationships, the trusting domain allows resources to be shared with the trusted domain. In two-way relationships, both domains trust each other equally. Special trusts include external trusts, realm trusts, cross-forest trusts, and shortcut trusts.
NTLM Protocol (Msv1_0.dll): The NTLM authentication protocol is dependent on the Net Logon service on domain controllers for client authentication and authorization information. This protocol authenticates clients that do not use Kerberos authentication. NTLM uses trusts to pass authentication requests between domains.
Kerberos Protocol (Kerberos.dll): The Kerberos V5 authentication protocol is dependent on the Net Logon service on domain controllers for client authentication and authorization information. The Kerberos protocol connects to an online Key Distribution Center (KDC) and the Active Directory account store for session tickets. The Kerberos protocol also uses trusts for cross-realm ticket-granting services (TGS) and to validate Privilege Attribute Certificates (PACs) across a secured channel. The Kerberos protocol performs
cross-realm authentication only with non-Windows-brand operating system Kerberos realms such as an MIT Kerberos realm and does not need to interact with the Net Logon service.
Net Logon (Netlogon.dll): The Net Logon service maintains a secured channel from a Windows-based computer to a domain controller. It is also used in the following trust related processes:
    Trust setup and management – Net Logon helps maintain trust passwords, gathers trust information and verifies trusts by interacting with the LSA process and the TDO. For Forest trusts, the trust information includes the Forest Trust Information (FTInfo) record, which includes the set of namespaces that a trusted forest claims to manage, annotated with a field that indicates whether each claim is actually trusted by the trusting forest.
    Authentication – Supplies user credentials over a secured channel to a domain controller and returns the domain SIDs and user rights for the user.
    Domain controller location – Helps with finding or locating domain controllers in a domain or across domains.
Pass-through validation – Credentials of users in other domains are processed by Net Logon. When a trusting domain needs to verify the identity of a user, it passes the user’s credentials through Net Logon to the trusted domain for verification.
Privilege Attribute Certificate (PAC) verification – When a server using the Kerberos protocol for authentication needs to verify the PAC in a service ticket, it sends the PAC across the secure channel to its domain controller for verification.
LSA (Lsasrv.dll):The Local Security Authority (LSA) is a protected subsystem that maintains information about all aspects of local security on a system (collectively known as localsecurity policy) and provides various services for translation between names and identifiers. The LSA security subsystem provides services in both kernel mode and user mode for validating access to objects, checking user privileges, and generating audit messages. LSA is responsible for checking the validity of all session tickets presented by services in trusted or un-trusted domains.

DNS Setting require to update:Before Proceeding with Trust Relation, its very mandatory to update the DNS with the external domain. Because In Forest all Domain will be having trust relation.here you can restrict here with DNS IP that allowed for only given IP. In the below image you can see i had enabled zone transfer enabled to any server. Before Trust its mandatory that this option should be enabled on the server which you want to trust.Here you can also restrict also to zone transfer with specific domain IP only. After enabling this option it took hardly 15 min to transfer the zone from all4techie.in to all4techi.in (Dont be confuse, In both domain only spelling is different).

In below image it can be seen that Forest is having by default 2 way trust with Child and Additional Domain Controller.

From here will start creating New Trust with Different Root Domain name.

We are enabling trust from All4techi.in to All4techie.in.

Here the wizard start, You want to enable External or Forest Trust.

Selected Two Way trust. As i want information to be pass from source and destination. Here you can select and restrict with One way incoming or one way outgoing as per your requirement. This option help when merger happen with 2 different domain name( or organization). where they want the information to be secured and restrict. As well At the time of transfer this two way trust option work to migrate users and objects.

This option enable to flow information between domain as well as child and Additional Domain also.

Here after connecting to destination will ask to authorize to proceed further.

and this given authentication verified for Forest level authentication. Her you can customize when you select the option from above screen with one way or two way with not forest level trust. You can limit the trust with in domain also.

Here is summary what i have selected before for enabling trust.

I continued with Yes, confirm the outgoing trust.

Yes, i confirm the incoming too.

Final option, as summary that trust enabled between two different root domain.

Here its confirm, that forest level trust enabled.

To verify i tried to give access to all4techie.in user to all4techi.in folder and yessss i got it. I can give access to different domain user. It will work as Single sign on for both domain users.
let us know if any query or issue in implementing this in your setup.
I just tried to create an image that explain for all type of trust. Brainstorm your thoughts and post if any query.
Dont let sleep your zeal to learn and earn.