Before
any domain design decisions can be made, it is important to have a good
grasp of AD DS’s domain structure and functionality. Some fairly major
changes have been
made in Windows Server 2008 R2 that require a reintroduction to the
domain design process. In addition, real-world experience with AD domain
design has changed some of the assumptions that were made previously.
Examining Domain Trusts
Windows Server 2008 R2’s AD
DS domains can be linked to each other through the use of a concept
known as trusts. A trust is essentially a mechanism that allows
resources in one domain to be accessible by authenticated users from
another domain. AD trusts take on many forms but typically fall into one
of the four categories described in the following sections.
Transitive Trusts
Transitive trusts are the automatic two-way trusts that exist between domains in the same AD DS forest: a parent-child trust is created whenever a subdomain is added to a tree, and a tree-root trust is created between the forest root domain and the root of each additional tree. These trusts connect resources between domains in AD DS and differ from explicit trusts in that the trust relationship flows through from one domain to the next. In other words, if Domain A trusts Domain B, and Domain B trusts Domain C, Domain A trusts Domain C. This flow greatly simplifies the trust relationships between Windows domains because it forgoes the need for a separate trust between every pair of domains, a number that grows quadratically with the number of domains.
Explicit Trusts
An explicit trust is one that is set up manually between two domains to provide a specific path for authentication between them. This type of trust relationship can be one-way or two-way, depending on the needs of the environment, and it is not transitive: it applies only to the two domains named in the trust. All trusts in legacy Windows NT 4.0 were explicit trusts in this sense, because they were all created manually and did not allow authentication to flow through to a third domain the way transitive trusts do. Explicit trusts in AD DS give designers more flexibility, in particular the ability to establish trusts with external and down-level domains. Any trust between an AD DS domain and a domain in a separate forest that is not at the Windows Server 2003 or higher forest functional level must be an explicit trust, because the cross-forest transitive trust described later requires both forests to be at one of those levels.
Shortcut Trusts
A shortcut trust is essentially an explicit trust, one-way or two-way, created between two domains in the same forest that are not directly joined by an automatic parent-child or tree-root trust. For example, if a domain tree has multiple subdomains that are many layers deep, a shortcut trust can exist between two domains deep within the tree, similar to the shortcut trust shown in Figure 1. The shortcut trust shortens the trust path between those two domains and decreases the number of hops required for authentication requests. Normally, a Kerberos referral for a resource in the other domain would have to travel up the chain of transitive trusts to the domain the two branches share and back down again, with each domain on the path adding latency and a possible point of failure. The example in Figure 1 shows how a shortcut trust could be used to reduce the overhead involved in sharing resources between the two sales subdomains in the companyabc.com tree.
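The following is an added example, not code from the book, showing how the shortcut trust in the scenario above would be created and checked with the netdom and nltest tools that ship with Windows Server 2008 R2. The subdomain names sales.asia.companyabc.com and sales.europe.companyabc.com, the NetBIOS name EUROPE and the account used are assumptions for illustration; the book does not name the two sales subdomains.

```powershell
# Added example, not code from the book: create and then verify a two-way shortcut
# trust between two deep subdomains of the companyabc.com tree. The subdomain names,
# the NetBIOS name EUROPE and the account used are assumptions for illustration.
# Run from an elevated prompt on a domain controller of the local domain.

$localDomain  = 'sales.asia.companyabc.com'     # assumed: the domain you are administering
$remoteDomain = 'sales.europe.companyabc.com'   # assumed: the other sales subdomain

# Create the trust. /Twoway creates both directions in one step; /UserD and
# /PasswordD:* prompt for an account that is a Domain Admin in the remote domain.
# Without the shortcut, a Kerberos referral from one sales domain to the other has to
# walk up through asia.companyabc.com and companyabc.com and back down through
# europe.companyabc.com before it reaches the remote domain controller.
netdom trust $localDomain /Domain:$remoteDomain /Add /Twoway /UserD:EUROPE\Administrator /PasswordD:*

# Check that both sides agree on the trust password and that the secure channel works.
netdom trust $localDomain /Domain:$remoteDomain /Verify /UserD:EUROPE\Administrator /PasswordD:*

# List the trusts the local domain controller knows about. The new entry should carry
# the "Direct Outbound" and "Direct Inbound" flags rather than being reachable only
# through the tree's transitive trusts.
nltest /trusted_domains
```

A shortcut trust is still an explicit trust object in both domains, so it shows up in the local domain's CN=System container with the WITHIN_FOREST attribute set; the audit script later in this section relies on that to tell shortcut trusts apart from the automatic parent-child and tree-root trusts.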
Cross-Forest Transitive Trusts
Cross-forest transitive trusts, also called forest trusts, exist between two separate AD DS forests and are transitive across the domains of both forests: every domain in one forest can authenticate users from every domain in the other. They can be one-way or two-way, and the transitivity does not extend beyond the two forests that share the trust; if forest A trusts forest B and forest B trusts forest C, forest A does not trust forest C. Although explicit trusts between individual domains in separate forests were possible in Windows 2000 Server, forest trusts were introduced in Windows Server 2003 and are available in all later versions, provided both forests are at the Windows Server 2003 forest functional level or higher.
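The script below is an added example, not code from the book, that lists every trust of the current domain and maps each one onto the four categories described above (transitive, explicit, shortcut, cross-forest transitive). It reads the trustedDomain objects in CN=System directly with Get-ADObject, so it does not depend on a trust-specific cmdlet, and it flags the two settings a security reviewer checks first: SID filtering on explicit trusts and selective authentication on forest trusts. It assumes the ActiveDirectory PowerShell module (RSAT on Windows Server 2008 R2 or later) and read access to the domain's CN=System container; the attribute bit values are those documented for trustAttributes in MS-ADTS.

```powershell
# Added example, not code from the book: audit the trusts of the current domain, map each
# trustedDomain object onto the four trust categories, and flag weak settings.
# Assumes the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later) and read
# access to CN=System; run it on a domain controller or RSAT workstation of the domain.
Import-Module ActiveDirectory

# Bit flags of the trustAttributes attribute on trustedDomain objects (MS-ADTS 6.1.6.7.9).
$TRUST_ATTRIBUTE_NON_TRANSITIVE     = 0x00000001
$TRUST_ATTRIBUTE_QUARANTINED_DOMAIN = 0x00000004   # SID filtering on (netdom /Quarantine:yes)
$TRUST_ATTRIBUTE_FOREST_TRANSITIVE  = 0x00000008   # cross-forest (forest) trust
$TRUST_ATTRIBUTE_CROSS_ORGANIZATION = 0x00000010   # selective authentication on
$TRUST_ATTRIBUTE_WITHIN_FOREST      = 0x00000020   # both domains are in this forest
$TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL  = 0x00000040   # forest trust with SID history allowed

$directionNames = @{ 0 = 'Disabled'; 1 = 'Inbound'; 2 = 'Outbound'; 3 = 'Bidirectional' }

# Domains this domain trusts automatically: its parent, its children and, if this is the
# forest root domain, the roots of the other trees in the forest.
function Get-AutomaticTrustPartners {
    $domain = Get-ADDomain
    $forest = Get-ADForest
    $partners = @()
    if ($domain.ParentDomain) { $partners += $domain.ParentDomain }
    $partners += @($domain.ChildDomains)
    if ($domain.DNSRoot -eq $forest.RootDomain) {
        # A tree root is a forest domain whose DNS name is not below any other forest domain.
        $partners += @($forest.Domains | Where-Object {
            $candidate = $_
            ($candidate -ne $domain.DNSRoot) -and
            -not ($forest.Domains | Where-Object { $candidate -like "*.$_" })
        })
    }
    return $partners
}

function Get-TrustCategory {
    param([string]$Partner, [int]$Attributes, [string[]]$AutomaticPartners)
    if ($Attributes -band $TRUST_ATTRIBUTE_FOREST_TRANSITIVE) { return 'Cross-forest transitive' }
    if ($Attributes -band $TRUST_ATTRIBUTE_WITHIN_FOREST) {
        if ($AutomaticPartners -contains $Partner) { return 'Transitive (parent-child or tree-root)' }
        return 'Shortcut'   # an intra-forest trust that an administrator created by hand
    }
    return 'Explicit (external or realm)'
}

function Get-DomainTrustReport {
    $domain = Get-ADDomain
    $automatic = Get-AutomaticTrustPartners
    $trusts = Get-ADObject -LDAPFilter '(objectClass=trustedDomain)' `
        -SearchBase "CN=System,$($domain.DistinguishedName)" `
        -Properties trustPartner, trustDirection, trustAttributes

    foreach ($t in $trusts) {
        $attr = [int]$t.trustAttributes
        $category = Get-TrustCategory -Partner $t.trustPartner -Attributes $attr -AutomaticPartners $automatic
        $findings = @()

        # Without SID filtering, every SID in a user's SID history from the other side is
        # honoured here, including SIDs of this domain's own privileged groups.
        if ($category -like 'Explicit*' -and -not ($attr -band $TRUST_ATTRIBUTE_QUARANTINED_DOMAIN)) {
            $findings += 'SID filtering off'
        }
        if ($category -eq 'Cross-forest transitive') {
            # Forest-wide authentication makes every user of the other forest a member of
            # Authenticated Users here; selective authentication limits that to chosen servers.
            if (-not ($attr -band $TRUST_ATTRIBUTE_CROSS_ORGANIZATION)) { $findings += 'selective authentication off' }
            if ($attr -band $TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL) { $findings += 'SID history allowed across forest trust' }
        }

        New-Object PSObject -Property @{
            Partner    = $t.trustPartner
            Category   = $category
            Direction  = $directionNames[[int]$t.trustDirection]
            Transitive = -not ($attr -band $TRUST_ATTRIBUTE_NON_TRANSITIVE)
            Findings   = ($findings -join '; ')
        }
    }
}

Get-DomainTrustReport | Format-Table Partner, Category, Direction, Transitive, Findings -AutoSize
```

Each trustedDomain object describes the trust from the local domain's point of view, so a two-way trust appears once here with Direction set to Bidirectional, while the partner domain holds its own object for the same relationship. Run the script in both domains when auditing an explicit or forest trust; the findings column is empty for the automatic intra-forest trusts, which is expected, because SID filtering and selective authentication apply only to trusts that cross the forest boundary.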