Designing a Windows Server 2008 R2 Active Directory : Understanding the Federated Forests Design Model

1/23/2011 9:09:15 AM
A feature of Windows Server 2008 R2’s AD DS implementation is the cross-forest transitive trust, which the New Trust Wizard calls a forest trust. In essence, it lets you establish a transitive trust between two forests that have completely separate schemas, so that users authenticated in one forest can be granted access to resources in the other.

The capability to create cross-forest trusts is not automatic, however: the forest functional level of each forest must be raised to at least Windows Server 2003 before a forest trust can be created.

The federated forest design model is ideal for two different situations. One is to unite two disparate AD DS structures in situations that arise from corporate acquisitions, mergers, and other forms of organizational restructuring. In these cases, two AD forests need to be linked to exchange information. For example, a corporate merger between two large organizations with fully populated AD DS forests could take advantage of this capability and link their two environments, as shown in Figure 1, without the need for complex domain migration tools.

Figure 1. Cross-forest trust between two completely different organizations needing to share resources.

In this example, users in both forests now can access information in each other’s forests through the two-way cross-forest trust set up between each forest’s root.

The second type of scenario in which this form of forest design could be chosen is one in which absolute security and ownership of IT structure are required by different divisions or subsidiaries within an organization, but exchange of information is also required. For example, an aeronautics organization could set up two AD forests, one for the civilian branch of its operations and one for the military branch. This would effectively segregate the two environments, giving each branch complete control over its own forest. A one- or two-way cross-forest trust could then be set up between them so that accounts from one forest can be granted access to resources in the other, without either branch giving up ownership of its directory.

This type of design is sometimes precipitated by a need for complete isolation of security between different branches of an organization. Since the release of Active Directory in Windows 2000, several interdomain weaknesses have been uncovered that effectively place the true security boundary at the forest, not the domain. The best known uses the SIDHistory attribute: a domain administrator in any domain of the forest can inject the SID of Enterprise Admins or Schema Admins into an account’s SIDHistory and thereby seize forest-wide control, because every domain controller in the forest honors that SID. With this in mind, some organizations choose separate forests and rely on SID filtering on the trust between them: the trusting forest discards any SID in an incoming user’s token that does not belong to the trusted forest, so an injected SIDHistory entry buys an attacker nothing across the trust. SID filtering is enabled by default on forest trusts; it is only ever turned off deliberately (for example, to honor SIDHistory during a migration), and should be turned back on as soon as that need has passed.

In Figure 2, a one-way cross-forest transitive trust with SID filtering enabled was set up between the civilian branch and the military branch of the sample aeronautics organization. The civilian forest trusts the military forest, so only accounts from the military branch are accepted in the civilian forest: military users can be granted access to resources in both forests, while civilian accounts cannot be used in the military forest at all. A forest trust is created in one direction unless you specifically choose two-way, and unlike an external trust it is transitive, so it covers every domain in both forests. A two-way forest trust is really a pair of one-way trusts in opposite directions between the two forest root domains.

Figure 2. One-way cross-forest trust.
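The one-way trust of Figure 2 can be built one side at a time, so that neither branch’s administrators ever need credentials in the other forest, which is the point of choosing separate forests in the first place. The following PowerShell script is an added example and is not code from the book or from Microsoft; the forest names, the -Role parameter and the interactive password prompt are assumptions. It uses the System.DirectoryServices.ActiveDirectory Forest class to create the local half of the trust, then asserts SID filtering and turns on selective authentication from the trusting (civilian) side, where those settings live.

```powershell
# Added example, not code from the book: build the one-way forest trust of Figure 2 one side at a
# time. Run once with -Role Trusting in the civilian forest and once with -Role Trusted in the
# military forest, as an Enterprise Admin of that forest. Forest names are assumptions.
param(
    [ValidateSet('Trusting', 'Trusted')]
    [string]$Role = 'Trusting',                  # Trusting = civilian forest, Trusted = military forest
    [string]$CivilianForest = 'civilian.example',
    [string]$MilitaryForest = 'military.example'
)
Add-Type -AssemblyName System.DirectoryServices
Import-Module ActiveDirectory

$forest   = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$outbound = [System.DirectoryServices.ActiveDirectory.TrustDirection]::Outbound
$inbound  = [System.DirectoryServices.ActiveDirectory.TrustDirection]::Inbound

# The same one-time password is typed on both sides; exchange it out of band, never by e-mail.
$trustPassword = Read-Host 'One-time trust password'

if ($Role -eq 'Trusting') {
    # Civilian trusts military: seen from the civilian root, the trust is OUTBOUND.
    if ($forest.Name -ne $CivilianForest) {
        throw "Run the Trusting half in $CivilianForest (this forest is $($forest.Name))"
    }
    $forest.CreateLocalSideOfTrustRelationship($MilitaryForest, $outbound, $trustPassword)

    # SID filtering is on by default for forest trusts; assert it rather than assume it, because a
    # migration team may have switched it off (netdom trust ... /enablesidhistory:yes) and forgotten.
    if (-not $forest.GetSidFilteringStatus($MilitaryForest)) {
        $forest.SetSidFilteringStatus($MilitaryForest, $true)
    }

    # Selective authentication: military users get nothing on civilian servers (not even what
    # 'Authenticated Users' grants) until Allowed-To-Authenticate is granted on a computer object.
    $forest.SetSelectiveAuthenticationStatus($MilitaryForest, $true)

    # Both halves must exist before verification succeeds; rerun this after the military side is done.
    try {
        $forest.VerifyTrustRelationship($MilitaryForest, $outbound)
        Write-Host "Outbound trust to $MilitaryForest verified."
    }
    catch {
        Write-Warning "Trust not yet verifiable (has the $MilitaryForest side been created?): $_"
    }
}
else {
    # Military is trusted: seen from the military root, the same trust is INBOUND.
    if ($forest.Name -ne $MilitaryForest) {
        throw "Run the Trusted half in $MilitaryForest (this forest is $($forest.Name))"
    }
    $forest.CreateLocalSideOfTrustRelationship($CivilianForest, $inbound, $trustPassword)
    # SID filtering and selective authentication belong to the trusting (outbound) side,
    # so there is nothing more to configure here.
}

# What the domain controllers actually recorded for the trust.
Get-ADTrust -Filter * |
    Select-Object Name, Direction, ForestTransitive, SelectiveAuthentication,
                  SIDFilteringQuarantined, SIDFilteringForestAware
```

Creating the two halves separately (rather than letting one administrator create both sides with credentials in the other forest) keeps the ownership boundary intact; the trust password is the only thing the two teams share. The same settings can be read and changed from the command line with netdom trust (the /enablesidhistory and /selectiveauth options), which is useful when verifying a trust someone else configured.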

Determining When to Choose Federated Forests

The concept of federated forests greatly enhances the ability of AD DS forests to exchange information with other environments. In addition, organizations that were reluctant to implement AD because of the lack of a solid security boundary between domains can now take heart in the capability of the federated forest design to give specific departments or areas complete control over their own forests, while still allowing the transfer of information between the forests.

Exploring a Federated Forests Real-World Design Example

To illustrate a good example of an organization that would choose a federated forest design model, let’s consider fictional ConglomerateA, a food distributor with multiple sites worldwide. It currently operates a Windows Server 2008 R2 AD DS implementation across its entire organization. All computers are members of a single forest. The forest root domain exists only to anchor the namespace; it is not populated, because all users exist in one of three child domains: asia, europe, and na.

ConglomerateA has recently entered into a joint venture with SupplierA and wants to facilitate the sharing of information between the two companies. SupplierA also currently operates in a Windows Server 2008 R2 AD DS environment and keeps all user and computer accounts in an AD DS forest composed of two domains in its primary namespace and a separate tree in a second DNS namespace that reflects a particular function of one of its branches.

The decision was made to create a cross-forest trust between the two forests so that credentials from one forest are trusted by the other forest and information can be exchanged. The cross-forest trust was put into place between the root domains in each forest, as shown in Figure 3.

Figure 3. Cross-forest trust between root domains in each forest.

Remember, a trust by itself grants no permissions in the other forest. What it does is make the other forest’s security principals usable in this one: their names resolve, their SIDs are accepted in access tokens, and they can be placed in ACLs and domain local groups. Administrators in the trusting forest still have to grant access explicitly; in our example, administrators in both forests decide what resources will be shared and configure their environments accordingly. One caveat: under the default forest-wide authentication, a user from the trusted forest who authenticates to a server in the trusting forest receives that server’s Authenticated Users and Everyone SIDs, so any ACL that grants those groups access is already open to the whole trusted forest. Selective authentication on the trust closes that gap by requiring an explicit Allowed to Authenticate permission on each server’s computer object before the trusted-forest user is admitted at all.
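What “the administrators still have to grant access” looks like in practice, as an added example that is not code from the book or from Microsoft: a ConglomerateA administrator grants a SupplierA group read access to one folder, grants that group the right to authenticate to the file server holding it (required once selective authentication is enabled on the trust), and then lists every ACE on the folder that the trust silently extends to the entire SupplierA forest. The folder path, the group name, the server name and the NetBIOS domain name are assumptions.

```powershell
# Added example, not code from the book: grant a trusted-forest group access through a forest
# trust, one resource at a time, and review what the trust already exposes. All names are assumptions.
Import-Module ActiveDirectory

$folder = 'D:\Shares\JointVenture'
$group  = 'SUPPLIERA\JV-Logistics'   # group in the trusted (SupplierA) forest, NetBIOS\name form
$server = 'CGAFS01'                  # file server in the trusting (ConglomerateA) forest that hosts $folder

# Resolve the trusted-forest group to its SID first. The ACE is stored by SID, and a failure here
# means name resolution across the trust is broken (DNS forwarders or the trust itself), not the ACL.
$account = New-Object System.Security.Principal.NTAccount($group)
$sid = $account.Translate([System.Security.Principal.SecurityIdentifier])

# 1. Folder ACL: read and execute, inherited by subfolders and files.
$acl  = Get-Acl -Path $folder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $sid, 'ReadAndExecute', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# 2. Allowed-To-Authenticate on the server's computer object. With selective authentication on the
#    trust, this control access right is checked before the folder ACL is ever consulted.
$allowedToAuthenticate = [Guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'   # schema rightsGuid of Allowed-To-Authenticate
$computerDn = (Get-ADComputer -Identity $server).DistinguishedName
$adAcl  = Get-Acl -Path "AD:\$computerDn"
$adRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $allowedToAuthenticate)
$adAcl.AddAccessRule($adRule)
Set-Acl -Path "AD:\$computerDn" -AclObject $adAcl

# 3. Review: under forest-wide (non-selective) authentication, every ACE for Everyone or
#    Authenticated Users also applies to every user in the trusted forest, because those SIDs are
#    added to their token when they authenticate here. List such ACEs so the owner can decide
#    whether that exposure was intended.
$broadSids = @('S-1-1-0', 'S-1-5-11')   # Everyone, Authenticated Users
(Get-Acl -Path $folder).Access |
    Where-Object {
        $id = $_.IdentityReference
        if ($id -isnot [System.Security.Principal.SecurityIdentifier]) {
            $id = $id.Translate([System.Security.Principal.SecurityIdentifier])
        }
        $broadSids -contains $id.Value
    } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
```

Granting a group rather than individual accounts keeps the membership decision in the trusted forest, where SupplierA’s administrators own it, while the resource decision stays with ConglomerateA; the review step in part 3 is worth running against every share that will be reachable through the trust before the trust is switched to forest-wide authentication, if it ever is.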
