Overview Of Active Directory Domain Services Computer Science

Active Directory Domain Services (AD DS) acts as a database used to store directory information (such as users, computers and other resources on a network) and manages communication between users and domains. A domain controller is a server or individual computer that controls Active Directory. There is typically more than one domain controller hosting Active Directory. Active Directory helps administrators to centrally manage access to the company's resources (such as users, groups and printers) and control user accounts from one location.

Chapter 1: Configure a forest or a domain

Active Directory planning and design are a critical part of deploying Active Directory infrastructure in an organization. Poor planning may lead to increased maintenance cost and network traffic. This is because an organization pays a high cost even if only a small correction is required. For instance, renaming a root domain may require the entire Active Directory forest to be rolled back completely.

Forest topology, domain or domain tree topology, site topology and organizational unit topology are the four basic topological components that make up the Active Directory structure. Hence, a great deal of the planning of AD infrastructure is done in four stages.

Create a forest plan

This stage requires us to determine the number of forests that need to be implemented in an organization. Multiple forests should only be created if the organization has more than one separate group that do not trust each other and all of the groups must be managed individually. This is because multiple forests may increase the labour cost by requiring multiple administrators, and the maintenance cost by maintaining multiple trusts, global catalogs and schemas.

Create a domain plan for the forest

In this stage we need to determine the number of domains for the forest and consider the features of each domain. Since each additional domain may increase the hardware cost, it is critical to plan the number of domains carefully. Besides, it is hard to delete a domain once it has been created.

This stage also requires us to determine the number of domain trees and subdomains, as well as the naming of domains in the hierarchy.

After determining the number of domains needed in the new forest, the administrator needs to define the forest root domain. The root domain is the first domain created in the forest. If a domain is a critical part of the organization's operation and the organization cannot afford to lose this domain, then this existing domain must be selected as the forest root domain. A dedicated domain, by contrast, is selected as the forest root domain if it serves solely as the root; an additional domain is created for this purpose only. Implementing a dedicated forest root domain is recommended because it provides better security and scalability.

Planning the Organizational Units

In this stage administrators are required to determine the number of OUs required. OU planning must fulfil the requirements of delegating administration and administering Group Policy.

Developing the site topology

In order to optimize the network traffic in the organization, we must define the sites and determine the best way to physically group the computers on the network.

Furthermore, the site topology routes query and replication traffic efficiently and also helps us to determine where to place domain controllers within our structure.

Before we can install Active Directory Domain Services on Windows Server 2008, several considerations and requirements should be taken into account. For example, the domain name, the DNS configuration method, the location of the database and log files and the location of the shared system folder must be decided carefully. We first make sure we have read and fully understand the Active Directory installation requirements. We will not be able to set up AD on a computer if we do not comply with all the requirements below:

Windows Server 2008 or Windows Server 2008 R2 is installed on our machine.

We must make sure that Domain Name Server (DNS) infrastructure is in place on our network before we can create a domain or forest through AD DS. When we install AD DS, we can include the DNS server installation. During the installation process, the DNS delegation is created automatically. If DNS infrastructure is not in place, the option to install a DNS server is not available when we attempt to install an additional domain controller in a domain.

TCP/IP settings (including IP address, default gateway and subnet mask) and DNS server addresses must be configured properly. It is possible to install Active Directory on a server that has a dynamic IP address. However, problems may occur if we do not use a dedicated IP address: DNS registrations may not work and Active Directory functionality may be lost. Therefore, it is good to configure the server with a manual and dedicated IP address.

In order to successfully install AD, we must have at least one NTFS-formatted partition with enough free space.

All the log files, the database and the SYSVOL folder for AD DS must be stored on a drive that is located on a local fixed volume and is formatted with the NTFS (New Technology File System) file system.

It is much better for all client computers to use NAT devices to connect to the internet. Administrators of an organization can isolate the clients on the local network through NAT. In order to ensure proper DNS connectivity, all client computers are configured to point to the domain's internal DNS server. The internal DNS server then allows clients to access DNS addresses on the internet.

Steps to Install AD DS

Install new forest

In order to install AD DS on a Windows Server 2008 machine and configure it to act as a domain controller, additional steps need to be performed before running DCPROMO.

Before we can install AD DS, we must log in as the local administrator for the machine. Initially, the local administrator's password might be blank, or a password might not be required at all. Therefore, before we start installing AD DS, we must run the following command at the command prompt:

net user administrator <password> /passwordreq:yes

Replace <password> with our desired password.

There are three methods to install Active Directory Domain Services on the server.

Method 1: Windows interface to install a new forest:

Open Server Manager by clicking the Start menu, pointing to Administrative Tools, and choosing Server Manager.

Choose Add Roles link in Roles Summary.

Click Next in the Before You Begin window.

In the Select Server Roles page, select Active Directory Domain Services and then click Next.

Read the information in the Active Directory Domain Services window and then click Next.

Click Install on the Confirm Installation Selections page. Click Close after the installation process is completed.

Open Server Manager once more and select the Active Directory Domain Services link. Since we have not yet run the DCPROMO command, there is no information linked to it.

Now, we run the Active Directory Domain Services Installation Wizard (dcpromo.exe).

Click Next in the Welcome to the Active Directory Domain Services Installation Wizard window. In order to get additional installation options, we select Use advanced mode installation.

Click Next in the Operating System Compatibility page.

Type the full DNS name for the forest root domain on the Name the Forest Root Domain window, and then click Next.

Type the NetBIOS name of the domain or accept the default name in the Domain NetBIOS Name page. This page only appears when Use advanced mode installation is selected on the Welcome page. Then, click Next.

Select the appropriate forest functional level on the Set Forest Functional Level window and then click Next.

Select the appropriate domain functional level on the Set Domain Functional Level window and then click Next.

DNS server is selected by default on the Additional Domain Controller Options window. Click Next if we wish to use Active Directory-integrated DNS. However, if we have an existing DNS infrastructure and do not want our domain controller to be a DNS server, we clear the DNS server check box and then click Next.

A warning message box might appear if the network adapters do not have static IPv4 and IPv6 addresses. It advises us to set static addresses for both protocols before we proceed to the next steps. If an organization does not have static IPv6 addresses and the network adapter is assigned a static IPv4 address, we can ignore this message and choose Yes, the computer will use a dynamically assigned IP address (not recommended).

Click Yes to create the delegation for the DNS server manually if the wizard cannot create the delegation.

Browse to the volume and folder locations for the database files, log files and SYSVOL files on the Location for Database, Log Files and SYSVOL window. Then, click Next.

Type the restore mode password in the Directory Services Restore Mode Administrator Password window.

We review our selections on the Summary page. If necessary, click Back to change selections. After we are sure that all the installation settings are correct, click Export settings to save all the installation settings to an answer file, and then click Save. Lastly, click Next to install AD DS.

We can select Reboot on completion to restart the server automatically, or we can restart the server when we are prompted to do so.

Method 2: Using the command line to install a new forest

We type options and parameter values directly at the command line if we want to use a list of unattended options and parameter values to create a new forest. Additional unattended installation options and an answer file can also be used at the same command line. Command-line parameters are applied in addition to the parameters listed in the answer file. When the answer file and the command line give different values for the same option, the value typed at the command line overrides the value in the answer file.

The following procedure installs a new forest by using the command line:

Type the following command at a command prompt and press Enter:

dcpromo /unattend /<unattendOption>:<value> /<unattendOption>:<value> …

<unattendOption>: an option in the Promotion Operation table

<value>: the configuration instruction for the option

Note: Type dcpromo /?:Promotion at the command prompt or refer to the Promotion table to see the list of unattended installation options.

Example: dcpromo /unattend /installDNS:yes /newDomain:forest

Method 3: Using answer files to install a new forest

Before we can perform an unattended installation, we must create an answer file with configuration values.

The following procedure is used to create an answer file and then perform an unattended installation:

Open any text editor such as Notepad.

Type [DCINSTALL] and press Enter.

Type the required entries and their configuration values in Notepad, one entry per line.

Save the answer file to the location from which Dcpromo is called, or save it to a network shared folder or removable media.

Type the following command at the command line to perform the unattended installation.

dcpromo /unattend:"<path to the answer file>"
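
An answer file keeps its entries, including the restore mode password, as readable text, which matters once the file sits on a shared folder or removable media. The following added example (not part of the original essay) parses a [DCINSTALL] answer file, reports clear-text secrets and database, log or SYSVOL paths that are not on a local volume, and produces a redacted copy for archiving. The sample file and the function names are constructed for illustration.

```python
import configparser

# Constructed sample answer file for a new forest (all values are illustrative).
SAMPLE_ANSWER_FILE = r"""
[DCINSTALL]
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=corp.example.com
DomainNetBiosName=CORP
InstallDNS=Yes
DatabasePath=C:\Windows\NTDS
LogPath=\\fileserver\adlogs
SYSVOLPath=C:\Windows\SYSVOL
SafeModeAdminPassword=Constructed-Example-1
RebootOnCompletion=Yes
"""

# Entries that carry credentials, and entries that must name a local fixed volume.
SECRET_KEYS = {"safemodeadminpassword", "password"}
PATH_KEYS = {"databasepath", "logpath", "sysvolpath"}


def _dcinstall_section(text):
    """Return the [DCINSTALL] entries as a dict with lower-cased keys, or None."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.read_string(text)
    for name in parser.sections():
        if name.upper() == "DCINSTALL":
            return dict(parser[name])  # configparser lower-cases option names
    return None


def audit_answer_file(text):
    """Return a list of (kind, message) findings for one answer file."""
    section = _dcinstall_section(text)
    if section is None:
        return [("error", "no [DCINSTALL] section found")]
    findings = []
    for key, value in section.items():
        value = value.strip().strip('"')
        if key in SECRET_KEYS and value:
            findings.append(("secret", f"{key} is stored in clear text"))
        if key in PATH_KEYS and value.startswith("\\\\"):
            findings.append(
                ("path", f"{key} points to a network path, not a local fixed volume")
            )
    return findings


def redact_answer_file(text):
    """Return the answer file with the values of secret entries blanked out."""
    out = []
    for line in text.splitlines():
        key, sep, _ = line.partition("=")
        if sep and key.strip().lower() in SECRET_KEYS:
            line = key + "="
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for kind, message in audit_answer_file(SAMPLE_ANSWER_FILE):
        print(f"{kind}: {message}")
```
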

Install a child domain in an existing forest

There are three methods to install a child domain in Active Directory. It is important to keep in mind that only members of the Enterprise Admins group have the privilege to install a new domain.

The procedure below is used to install a child domain in the forest by using the Windows interface.

Open Server Manager by clicking the Start menu, pointing to Administrative Tools, and choosing Server Manager.

Choose Add Roles link in Roles Summary.

Click Next in the Before You Begin window.

In the Select Server Roles page, select Active Directory Domain Services and then click Next.

Read the information in the Active Directory Domain Services window and then click Next.

Click Install on the Confirm Installation Selections page → click Close on the Installation Results page.

Open Server Manager once more and select the Active Directory Domain Services link. Since we have not yet run the DCPROMO command, there is no information linked to it.

Now, we run the Active Directory Domain Services Installation Wizard (dcpromo.exe).

Click Next in the Welcome to the Active Directory Domain Services Installation Wizard window. In order to get additional installation options, we select Use advanced mode installation.

Click Next in the Operating System Compatibility page.

Click Existing forest and Create a new domain in an existing forest on the Choose a Deployment Configuration page → click Next.

Type the name of the existing domain where we want to install a new domain on the Network Credentials window. For Specify the account credentials to use to perform the installation, we can choose either My current logged on credentials or Alternate credentials. Supply the username and password that can be used to install the new domain tree in the Windows Security message box and then click Next.

Type the FQDN of the parent domain and the single-label name of the child domain on the Name the New Domain window → click Next.

Type the NetBIOS name of the domain or accept the default name in the Domain NetBIOS Name page. Then, click Next.

Select the appropriate domain functional level on the Set Domain Functional Level window and then click Next.

Select an appropriate site from the list on the Select a Site window and then click Next.

Select additional options for the domain controller on the Additional Domain Controller Options window and then click Next.

In order to enable the domain controller to act as a DNS server, the DNS server option is selected by default. The Global Catalog option, however, is not selected by default. This is because a global catalog server that hosts the infrastructure master role might cause problems in the child domain.

A warning message box might appear if the network adapters do not have static IPv4 and IPv6 addresses. It advises us to set static addresses for both protocols before we proceed to the next steps. If an organization does not have static IPv6 addresses and the network adapter is assigned a static IPv4 address, we can ignore this message and choose Yes, the computer will use a dynamically assigned IP address (not recommended).

Specify a domain controller that can be used to replicate the configuration and schema directory partitions by selecting This specific domain controller or Any writable domain controller in the Source Domain Controller window. This window only appears if the Use advanced mode installation option is selected on the Welcome page.

Browse to the volume and folder locations for the database files, log files and SYSVOL files on the Location for Database, Log Files and SYSVOL window. Then, click Next.

Type the restore mode password in the Directory Services Restore Mode Administrator Password window.

We review our selections on the Summary page. If necessary, click Back to change selections. After we are sure that all the installation settings are correct, click Export settings to save all the installation settings to an answer file, and then click Save. Lastly, click Next to install AD DS.

Click Finish on the Completing the Active Directory Domain Services Installation Wizard window.

We can select Reboot on completion to restart the server automatically, or we can restart the server when we are prompted to do so.

Install an additional domain controller in an existing domain

Before we can install a new domain controller, we must log in as the local administrator for the machine. Initially, the local administrator's password might be blank, or a password might not be required at all. Therefore, before we start installing an additional domain controller, we must run the following command at the command prompt:

net user administrator <password> /passwordreq:yes

Replace <password> with our desired password.

The procedure below is used to install a new domain controller by using the Windows interface:

Open Server Manager by clicking the Start menu, pointing to Administrative Tools, and choosing Server Manager.

Choose Add Roles link in Roles Summary.

Click Next in the Before You Begin window.

In the Select Server Roles page, select Active Directory Domain Services and then click Next.

Read the information in the Active Directory Domain Services window and then click Next.

Click Install on the Confirm Installation Selections page → click Close on the Installation Results page.

Open Server Manager once more and select the Active Directory Domain Services link. Since we have not yet run the DCPROMO command, there is no information linked to it.

Now, we run the Active Directory Domain Services Installation Wizard (dcpromo.exe).

Click Next in the Welcome to the Active Directory Domain Services Installation Wizard window. In order to get additional installation options, we select Use advanced mode installation.

Click Next in the Operating System Compatibility page.

Click Existing forest and Add a domain controller to an existing domain on the Choose a Deployment Configuration page → click Next.

Type the name of the existing domain where we want to install a new domain on the Network Credentials window. For Specify the account credentials to use to perform the installation, we can choose either My current logged on credentials or Alternate credentials. Supply the username and password that can be used to install the new domain tree in the Windows Security message box and then click Next.

Choose the domain for the domain controller on the Set a Domain window and then click Next.

Select an appropriate site from the list on the Select a Site window and then click Next.

Select additional options for the domain controller on the Additional Domain Controller Options window and then click Next.

In order to enable the domain controller to act as a DNS server, the DNS server option is selected by default. Clear the DNS server option if we do not want the domain controller to act as a DNS server. The Global Catalog option is also selected by default. This option adds the global catalog and read-only directory partitions to the domain controller. The Read-only domain controller option, which makes the new domain controller read-only, is not selected by default.

A warning message box might appear if the network adapters do not have static IPv4 and IPv6 addresses. It advises us to set static addresses for both protocols before we proceed to the next steps. If an organization does not have static IPv6 addresses and the network adapter is assigned a static IPv4 address, we can ignore this message and choose Yes, the computer will use a dynamically assigned IP address (not recommended).

Specify a domain controller that can be used as the replication source to create the additional domain controller by selecting Let the wizard choose an appropriate domain controller or Use this specific domain controller in the Source Domain Controller window. This window only appears if the Use advanced mode installation option is selected on the Welcome page.

Browse to the volume and folder locations for the database files, log files and SYSVOL files on the Location for Database, Log Files and SYSVOL window. Then, click Next.

Type the restore mode password in the Directory Services Restore Mode Administrator Password window → click Next.

We review our selections on the Summary page. If necessary, click Back to change selections. After we are sure that all the installation settings are correct, click Export settings to save all the installation settings to an answer file, and then click Save. Lastly, click Next to install AD DS.

Click Finish on the Completing the Active Directory Domain Services Installation Wizard window.

We can select Reboot on completion to restart the server automatically, or we can restart the server when we are prompted to do so.

Verify an AD DS installation

After we install AD DS successfully, we need to perform several procedures to verify that all functionality works well. If domain controllers are running Windows Server 2008, Microsoft IT Environment Health Scanner is used to run diagnostic tests on the entire directory.

Use the following procedures to verify the installation of AD DS:

Procedure to determine whether the child NTDS Settings object is present

Click the Start menu, point to Administrative Tools, and open Active Directory Sites and Services. Supply credentials if the User Account Control dialog box appears and click Continue.

Expand the site of the server object in the Sites container in the console tree.

Expand the server object in the Servers container to view child objects.

Note that members of Domain Users or equivalent have the privilege to perform the procedure above.

Procedure to verify that the IP address maps to the subnet address

Log in locally or remotely to the server for which we want to determine the IP address.

Click View Network Connections in Server Manager → right-click the connection that the server uses to attach to the network → click Properties.

Click TCP/IPv4 or TCP/IPv6 in the Connection Properties dialog box.

Calculate the subnet address by using the values of the IP address and subnet mask. Then click OK twice.

Click the Start menu, point to Administrative Tools, and open Active Directory Sites and Services. Provide credentials if the User Account Control dialog box appears, and then click Continue.

Click the Subnets container in the Sites container in the console tree.

Find the subnet object in the Name column. The subnet object must match the subnet address for the server.

The Site column shows the site with which the subnet address is associated. If the site shown in the Site column is not the correct site, contact the site administrator or determine whether the server object should be moved to a new site.

Note that members of Domain Admins or equivalent have the privilege to perform the procedure above.
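
The calculation in this procedure can be scripted when many servers have to be checked. The following added example (not part of the original essay) derives the subnet address from an IP address and subnet mask, looks for the matching subnet object, and compares its site with the site the server is expected to be in. The subnet and site table is constructed sample data, and falling back to the most specific wider subnet is an assumption of this sketch.

```python
import ipaddress

# Constructed sample: subnet objects (Name column) and their sites (Site column).
SUBNET_OBJECTS = {
    "10.10.0.0/16": "HQ",
    "10.10.20.0/24": "Branch-A",
    "192.168.5.0/24": "Branch-B",
}


def subnet_address(ip, mask):
    """Subnet address in prefix form, from an IP address and a subnet mask."""
    return str(ipaddress.ip_interface(f"{ip}/{mask}").network)


def covering_subnet(ip, subnet_objects):
    """Most specific subnet object that contains the address, or None."""
    addr = ipaddress.ip_address(ip)
    nets = [ipaddress.ip_network(name) for name in subnet_objects]
    hits = [n for n in nets if n.version == addr.version and addr in n]
    return str(max(hits, key=lambda n: n.prefixlen)) if hits else None


def check_server(ip, mask, expected_site, subnet_objects=SUBNET_OBJECTS):
    """Return (status, subnet, site) for one server.

    status is one of: ok, wrong-site, no-exact-match, no-subnet-object.
    """
    computed = subnet_address(ip, mask)
    if computed in subnet_objects:
        site = subnet_objects[computed]
        status = "ok" if site == expected_site else "wrong-site"
        return status, computed, site
    fallback = covering_subnet(ip, subnet_objects)
    if fallback is None:
        return "no-subnet-object", computed, None
    # A wider subnet object covers the address, but no subnet object
    # matches the server's own subnet address exactly.
    return "no-exact-match", fallback, subnet_objects[fallback]


if __name__ == "__main__":
    # Constructed sample servers: (IP address, subnet mask, expected site).
    servers = [
        ("10.10.20.15", "255.255.255.0", "Branch-A"),
        ("10.10.20.16", "255.255.255.0", "HQ"),
        ("10.10.33.7", "255.255.255.0", "HQ"),
        ("172.16.1.1", "255.255.0.0", "HQ"),
    ]
    for ip, mask, site in servers:
        print(ip, check_server(ip, mask, site))
```
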

Procedure to move a server object to a new site

Click the Start menu, point to Administrative Tools, and open Active Directory Sites and Services. Supply credentials if the User Account Control dialog box appears and click Continue.

Expand the site of the server object in the Sites container in the console tree.

Expand the Servers container → right-click the server object that we want to move → click Move.

Click the destination site in the Site Name page → click OK.

Expand the site object into which we moved the server → expand the Servers container → verify that the server we just moved exists → expand the server object → verify that the NTDS Settings child object exists.

Note that only members of Enterprise Admins or equivalent have the privilege to perform the procedure above.

Verify Active Directory Replication

Right-click Command Prompt → click Run as administrator. Provide Domain Admin credentials if the User Account Control dialog box appears and click Continue.

Type the following command:

dcdiag /test:replications

Press Enter.

Open Event Viewer if the test fails → check errors in the Directory Service log → troubleshoot the problem by using the details in the ActiveDirectory_DomainService replication events.

Note that only members of Domain Admins or equivalent have the privilege to perform the procedure above.

Scenarios for AD DS installation

Install new forest

Before we install AD DS to create the first domain controller in a new forest, several considerations should be taken into account.

First, we need to decide the forest and domain functional levels. We determine whether domain controllers that run Windows Server 2003, Windows Server 2008 or Windows Server 2008 R2 can be in the forest. Domain controllers running Windows Server 2008 or Windows Server 2008 R2 do not support servers running Windows NT Server 4.0. Besides, the first domain controller in the forest must be configured as a global catalog server and it cannot be an RODC.

Install a new domain in an existing forest

Before we install a new Windows Server 2008 or Windows Server 2008 R2 domain in a Windows 2000 Server or Windows Server 2003 forest, we must run adprep /forestprep to extend the schema.

Besides, we need to decide the domain functional level. We determine whether domain controllers that run Windows 2000 Server, Windows Server 2003, Windows Server 2008 or Windows Server 2008 R2 can be in the domain.

Install a new domain controller in an existing domain

Before we install a new domain controller that is the first domain controller running Windows Server 2008 or Windows Server 2008 R2 in the forest, we must run adprep /forestprep on the schema operations master to extend the schema.

We must run adprep /domainprep /gpprep when the first Windows Server 2008 or Windows Server 2008 R2 domain controller is going to be installed in a Windows 2000 Server domain.

We must run adprep /domainprep when the first Windows Server 2008 or Windows Server 2008 R2 domain controller is going to be installed in a Windows Server 2003 domain.

Only an additional Windows Server 2008 or Windows Server 2008 R2 domain controller in an existing Windows 2000 Server or Windows Server 2003 domain can be configured as an RODC.

Steps for Removing a Domain Controller from a Domain

The procedure below is used to remove a Windows Server 2008 domain controller from a domain by using the Windows interface:

Click Start → click Run → type dcpromo → press Enter.

Click Next on the Welcome to the Active Directory Domain Services Installation Wizard window.

A message appears if the domain controller is a global catalog server. Click OK.

Make no selection on the Delete the Domain window → click Next.

Click Next in the Application Directory Partitions page if we do not want to retain the application directory partitions that are stored on the domain controller.

If we wish to retain an application directory partition, we remove the partition by using the application that created it and then click Refresh to refresh the list.

Choose the option to delete all application directory partitions if the Confirm Deletion page appears → click OK.

Type and confirm the password for the local administrator on the Administrator Password window → click Next.

We review our selections on the Summary page. If necessary, click Back to change selections. After we are sure that all the installation settings are correct, click Export settings to save all the installation settings to an answer file, and then click Save. Lastly, click Next to install AD DS.

Click Finish on the Completing the Active Directory Domain Services Installation Wizard window.

We can select Reboot on completion to restart the server automatically, or we can restart the server when we are prompted to do so.

Open Server Manager → click Remove Roles in Roles Summary → click Next on the Before You Begin window.

Clear the Active Directory Domain Services check box on the Remove Server Roles window → click Next.

Click Remove on the Confirm Removal Selections window.

Click Close on the Removal Results window → click Yes to restart the server.

Chapter 2: Configure Trust

2.1 Managing Trust

A trust is a relationship that allows users in one domain to access resources in another domain, without requiring a user account in the other domain. All trusts in a Windows Server 2008 forest are two-way, transitive trusts. In other words, all users from both domains can be given access to resources in the other domain. If one domain trusts another domain and that domain trusts a third domain, then the first domain has a transitive trust with the third domain.

Unlike in a legacy NT domain, trusts in a Windows Server 2008 domain are automatically transitive. Kerberos version 5 and NTLM are the two trust protocols for domain controllers running Windows Server 2008. Kerberos version 5 is the default protocol for a domain controller. However, NTLM is used if the machine does not support the Kerberos version 5 protocol. The ticket-granting service provided by Kerberos creates a distributed security network. Kerberos tickets issued by one domain can be equally good currency in another domain. The Kerberos ticket is like a passport that allows the bearer to gain access to any territory that accepts it.

The Active Directory Domains and Trusts service allows us to create four types of trust: shortcut trust, external trust, realm trust and forest trust. Only members of the Domain Admins group, the Enterprise Admins group or equivalent are allowed to manage trust relationships. Furthermore, it is important to note that the default transitive, two-way trusts between domains in a forest cannot be revoked. The procedure used to verify a trust is only available for external trusts and shortcut trusts.
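
Direction and transitivity together decide which domains' users can be given access to a resource domain, and that is worth checking whenever a trust is added. The following added example (not part of the original essay) models each trust as a directed entry and computes that set. It is a simplified model that ignores authentication scope and resource permissions, and the domain names and trust list are constructed.

```python
from collections import deque

# Constructed sample. Each entry: (trusting domain, trusted domain, transitive).
# Users of the trusted domain can be given access to resources in the
# trusting domain. A two-way trust is written as two entries.
TRUSTS = [
    ("corp.example.com", "emea.corp.example.com", True),
    ("emea.corp.example.com", "corp.example.com", True),
    ("corp.example.com", "asia.corp.example.com", True),
    ("asia.corp.example.com", "corp.example.com", True),
    # One-way, nontransitive trust: corp trusts the partner, not the reverse.
    ("corp.example.com", "partner.example.net", False),
]


def domains_with_access(resource_domain, trusts):
    """Domains whose users can be given access to resource_domain."""
    # A direct trust of either kind is enough for one hop.
    direct = {
        trusted for trusting, trusted, _ in trusts if trusting == resource_domain
    }
    # Paths of more than one hop may only use transitive trusts.
    reached, queue = {resource_domain}, deque([resource_domain])
    while queue:
        current = queue.popleft()
        for trusting, trusted, transitive in trusts:
            if trusting == current and transitive and trusted not in reached:
                reached.add(trusted)
                queue.append(trusted)
    return (direct | reached) - {resource_domain}


def unexpected_access(resource_domain, allowed, trusts):
    """Domains that can reach resource_domain but are not on the allowed list."""
    return sorted(domains_with_access(resource_domain, trusts) - set(allowed))


if __name__ == "__main__":
    for domain in ("corp.example.com", "emea.corp.example.com",
                   "partner.example.net"):
        print(domain, "<-", sorted(domains_with_access(domain, TRUSTS)))
```
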

Procedure to create a shortcut trust by using the Windows interface

Click Start → click Administrative Tools → select Active Directory Domains and Trusts.

Right-click the domain for which we want to establish a shortcut trust → click Properties.

Click New Trust on the Trusts tab → click Next.

Type the DNS name of the domain on the Trust Name window → click Next.

In the Direction of Trust page, perform one of the following:

To create a two-way shortcut trust that allows users in this domain and users in the specified domain to use the path to access any resource in either domain, click Two-way.

To create a one-way incoming shortcut trust that prevents users in the specified domain from using this path to access any resources in this domain, click One-way: incoming.

To create a one-way outgoing shortcut trust that prevents users in this domain from using this path to access any resources in the specified domain, click One-way: outgoing.

Procedure to create an external trust by using the Windows interface

Click Start → click Administrative Tools → select Active Directory Domains and Trusts.

Right-click the domain for which we want to establish a trust → click Properties.

Click New Trust on the Trusts tab → click Next.

Type the DNS name of the domain on the Trust Name window → click Next.

Click External trust on the Trust Type window → click Next.

In the Direction of Trust page, perform one of the following:

To create a two-way external trust that allows users in this domain and users in the specified domain to use this path to access resources in either domain, click Two-way.

To create a one-way incoming external trust that prevents users in the specified domain from using this path to access any resources in this domain, click One-way: incoming.

To create a one-way outgoing external trust that prevents users in this domain from using this path to access any resources in the specified domain, click One-way: outgoing.

Click Both this domain and the specified domain on the Sides of Trust window to create both sides of an external trust at the same time.

If both domains belong to the same organization, select the Allow authentication for all resources option on the Outgoing Trust Properties window in order to allow users from the specified domain to access all resources in this domain.

If the domains belong to separate organizations, select the Allow authentication only for selected resources in the local domain option on the Outgoing Trust Properties window in order to restrict users from the specified domain from accessing any resource in this domain.

Procedure to create a realm trust by using the Windows interface

Click Start → click Administrative Tools → select Active Directory Domains and Trusts.

Right-click the domain for which we want to establish a trust → click Properties.

Click New Trust on the Trusts tab → click Next.

Type the realm name of the target realm on the Trust Name window → click Next.

Click Realm trust on the Trust Type window → click Next.

In the Transitivity of Trust window, perform one of the following:

Select Nontransitive to establish a relationship between the domain and the specified realm.

Select Transitive to establish a relationship between the domain and the specified realm and all trusted realms.

In the Direction of Trust page, perform one of the following:

To create a two-way realm trust that allows users in this domain and users in the specified realm to use the path to access resources in either the realm or the domain, click Two-way.

To create a one-way incoming realm trust that prevents users in the specified realm from using this path to access any resources in this domain, click One-way: incoming.

To create a one-way outgoing realm trust that prevents users in this domain from using this path to access any resources in the specified realm, click One-way: outgoing.

Procedure to remove a trust by using the Windows interface

Click Start → click Administrative Tools → select Active Directory Domains and Trusts.

Right-click the domain that contains the trust to be removed → click Properties.

On the Trusts tab, select the trust to be removed under the Domains trusted by this domain (outgoing trusts) or Domains that trust this domain (incoming trusts) field → click Remove.

Then, do one of the following:

If the No, remove the trust from the local domain only option is selected, it is recommended to repeat this process for the reciprocal domain.

If the Yes, remove the trust from both the local domain and the other domain option is selected, a user account and password for the reciprocal domain must be provided.

Procedure to validate a trust by using the Windows interface

Click Start → click Administrative Tools → select Active Directory Domains and Trusts.

Right-click the domain that contains the trust to be removed → click Properties.

On the Trusts tab, select the trust to be validated under the Domains trusted by this domain (outgoing trusts) or Domains that trust this domain (incoming trusts) field → click Properties → click Validate.

Then, do one of the following:

If the No, do not validate the incoming trust option is selected, it is recommended to repeat this process for the reciprocal domain.

If the Yes, validate the incoming trust option is selected, a user account and password for the reciprocal domain must be provided.

2.2 Managing Forest Trust

2.2.1 Establish a forest trust

If we create a forest trust between two forests, Windows Server 2008 by default creates a transitive relationship between every domain residing in each forest. Trusts are created only between the forest root in one directory and the forest root of another directory. Before creating a forest trust, we need to ensure that all our domain controllers are running Windows Server 2008. The functional level must be set to Windows Server 2008 and we must verify that we have the correct DNS structure in place. Only members of the Domain Admins group, the Enterprise Admins group or equivalent are allowed to manage trust relationships.

Procedure to create a forest trust by using the Windows interface:

Click Start → click Administrative Tools → select Active Directory Domains and Trusts.

Right-click the domain for which we want to establish a shortcut trust → click Properties.

Click New Trust on the Trusts tab → click Next.

Type the DNS name of the domain in the Trust Name window → click Next.

Click Forest trust in the Trust Type window → click Next.

On the Direction of Trust page, do one of the following:

To create a two-way forest trust that allows users in this forest and users in the specified forest to use this trust to access resources in either forest, click Two-way.

To create a one-way incoming forest trust that prevents users in the specified forest from using this trust to access any resources in this forest, click One-way: incoming.

To create a one-way outgoing forest trust that prevents users in this forest from using this trust to access any resources in the specified forest, click One-way: outgoing.

Click Both this domain and the specified domain in the Sides of Trust window to create both sides of the forest trust at the same time.

If both domains belong to the same organisation, select the Forest-wide authentication option in the Outgoing Trust Properties window to let users from the specified forest access all resources in the local forest.

If the domains belong to separate organisations, select the Selective authentication option in the Outgoing Trust Properties window to restrict users from the specified forest.
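The trust type, direction, transitivity and authentication scope chosen in the external, realm and forest trust procedures above are stored on a trustedDomain object in the directory, where they can be read back during a review. The following added example (not part of the original essay) decodes those stored values; the flag values follow Microsoft's MS-ADTS specification, while the function names and sample records are constructed for illustration.

```python
# Added example (not from the original essay). Flag and enum values follow
# Microsoft's MS-ADTS definition of the trustedDomain object.
DIRECTIONS = {0: "disabled", 1: "one-way: incoming", 2: "one-way: outgoing", 3: "two-way"}
OUTBOUND = 0x2             # trustDirection bit: this domain trusts the partner
NON_TRANSITIVE = 0x01      # trustAttributes bits
FOREST_TRANSITIVE = 0x08
CROSS_ORGANIZATION = 0x10  # set when selective authentication is chosen
WITHIN_FOREST = 0x20
TYPE_MIT = 3               # trustType: non-Windows Kerberos realm


def decode_trust(partner, trust_direction, trust_type, trust_attributes):
    """Translate one trustedDomain record into the wizard's vocabulary."""
    attrs = trust_attributes
    if trust_type == TYPE_MIT:
        kind = "realm"
    elif attrs & FOREST_TRANSITIVE:
        kind = "forest"
    elif attrs & WITHIN_FOREST:
        kind = "intra-forest"
    else:
        kind = "external"
    selective = bool(attrs & CROSS_ORGANIZATION)
    return {
        "partner": partner,
        "kind": kind,
        "direction": DIRECTIONS.get(trust_direction, "unknown"),
        # External trusts are never transitive; the others are unless flagged.
        "transitive": kind != "external" and not attrs & NON_TRANSITIVE,
        "selective_auth": selective,
        # Partner users can reach every resource here only over an outgoing
        # external or forest trust that lacks selective authentication.
        "open_to_partner": bool(trust_direction & OUTBOUND)
        and kind in ("external", "forest") and not selective,
    }


# Constructed sample records: (partner, trustDirection, trustType, trustAttributes)
SAMPLE = [
    ("partner.example", 3, 2, 0x08),   # two-way forest trust, forest-wide auth
    ("supplier.example", 2, 2, 0x10),  # outgoing external trust, selective auth
    ("UNIX.EXAMPLE", 1, 3, 0x01),      # incoming nontransitive realm trust
]


def trusts_needing_review(records):
    """Partners whose users can authenticate to all local resources."""
    return [t["partner"] for t in (decode_trust(*r) for r in records)
            if t["open_to_partner"]]
```

Trusts returned by `trusts_needing_review` are the ones to check against the same-organisation versus separate-organisation rule given in the last two steps of the procedures.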

2.2.2 Change the routing status of a name suffix

Name suffix routing is a way to manage how authentication requests are routed across two forests. All name suffixes are routed by default when a forest trust is created. Active Directory Domains and Trusts also allows us to modify the routing status of name suffixes. Only members of the Domain Admins group, the Enterprise Admins group or equivalent are allowed to modify the routing status of a name suffix.

Procedure to modify the routing status of a name suffix:

Click Start → click Administrative Tools → select Active Directory Domains and Trusts.

Right-click the domain for which we want to establish a shortcut trust → click Properties.

On the Trusts tab, select the forest trust to be managed under the Domains trusted by this domain (outgoing trusts) or Domains that trust this domain (incoming trusts) field → click Properties.

On the Name Suffix Routing tab, select the suffix to be modified under the Name suffixes in the x.x forest field → click Edit.

Select the suffix to be modified on the Existing name suffixes in the x.x page → click Enable or Disable.

Appendix

Select the Active Directory Domain Services option in Select Server Roles, and then click Next.

Install AD DS.

Since we have not yet run the DCPROMO command, the message "This server is not yet running as a domain controller: Run Active Directory Domain Services Installation Wizard (dcpromo.exe)" will be displayed in the window.

Select the Create a new domain in a new forest check box and click Next.

Select the appropriate forest functional level, then click Next.

Select the appropriate domain functional level, then click Next.

Select DNS server if DNS is not yet installed. The first domain controller in a forest must be configured as a global catalog server. Then click Next.

A warning message box might appear if the network adapters do not have static IPv4 and IPv6 addresses.

Browse the folder locations to locate the database files, log files and the SYSVOL files, and then click Next.

Cite this page

Overview Of Active Directory Domain Services Computer Science. (2016, Nov 29). Retrieved from

https://graduateway.com/overview-of-active-directory-domain-services-computer-science-essay/
