RE: [ActiveDir] Forest trusts vs trusts within forests

2005-01-11 Thread Grillenmeier, Guido
Thanks Dean - that was certainly a useful summary of how SA works behind
the scenes. I'd ask you to extend your post quota though ;-) 

A quick thought on the following statement: 'Allowed to authenticate
should be assigned against the computer object that represents the
physical computer housing the resource.  It must be assigned to the user
or group from the trusted domain that you wish to grant access to.'
= it is also possible to use a domain local group from the _trusting_
domain, which should then contain the users (or another group) from the
trusted domain, to grant the "Allowed to authenticate" extended right on
the respective computer objects in the trusting domain. This would be
useful if an administrator of the trusting domain would want to have
stricter control over which user is truly granted the access to
authenticate in his domain (e.g. if he doesn't also manage the trusted
domain). 

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Monday, January 10, 2005 5:15 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests

Simplified question is - why do we require domain (external trust) or
forest (forest trust) functional level 2 when using selective
authentication? -

Let's begin with what selective authentication (SA) does ... when
configured across a particular trust it tells the KDCs within the domain
at the end of the trust to perform an additional validity check before
issuing the session ticket (we normally rely solely on authorization ...
SA prevents the ticket from even being issued thus it is known as the
authentication firewall).  

The additional validity check uses the SPN (service principal name)
within the ticket request and resolves it to a computer object within
the domain NC (nothing new so far) and looks for an Allow for the
extended right "Allowed to authenticate" assigned to any SID within the
requesting user's PAC or access token (this is the new validity check).
"Allowed to authenticate" should be assigned against the computer object
that represents the physical computer housing the resource.  It must be
assigned to the user or group from the trusted domain that you wish to
grant access to.  If the right is allowed, the ticket is issued.  If
the right is denied or not listed/not applicable to the requesting
user, the ticket is not issued and access will not be granted since
authorization cannot proceed.  It is important to note that this process
is only performed against TGS requests originating in a foreign
realm/domain for which the trust relationship's TDO (trusted domain
object) indicates SA as opposed to forest wide authentication.

Before a session ticket can be issued a requesting client must possess a
TGT issued by a KDC authoritative over the server holding the target
service.  Upon requesting initial auth., the KDC in the trusting domain
decrypts the TGS referral, validates the authenticator and, if valid,
constructs a new TGT containing a near bit for bit copy of the PAC from
the original ticket (PAC = privileged attribute certificate).  At this
juncture, a new SID is injected into the PAC dependent upon the trust's
authentication type; selective or forest-wide.  

* If forest wide, the SID is This Organization = Well-known group = S-1-5-15
* If selective, the SID is Other Organization = Well-known group = S-1-5-1000

So how do we know whether or not to invoke this new behavior and which
SID should be injected during the TGT's construction?

We do that by determining where the ticket request originated.  If
memory serves, each ticket contains an attribute known as the transited
path attribute which maintains a list of the domains/realms through
which the ticket has passed to get here thereby allowing us to determine
behaviors relevant to the ticket's origin.

The presence of the Other Org SID within a TGT dictates that the new
behavior (the extra validity check) must be used before issuing a
session ticket.  Since this behavior is only known to a 2003+ KDC, the
need for a functional level is imposed.  SA is also supported for
downlevel NTLM-only clients ... they use a mechanism known as
pass-through authentication in order to dynamically inject additional
domain relevant SIDs ... this allows the DCs to detect the presence of
the Other Org SID and perform the new validity check before returning
the newly formed token (or not).

Note also that since This and Other Org are SIDs (and therefore
security principals), they can be assigned access to resources allowing
you to permit or deny access to any resource based on whether the
request originated within a domain that is considered as part of _our_
organization or not.

I've found it useful to keep the following in mind; when creating a
trust between 2 domains or forests, treat the authentication type as
follows -

* If selective auth. is used then we're saying that we have 2 separate
organizations wishing
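An added example, not part of Guido's or Dean's posts, of the variant Guido describes: a domain local group in the trusting domain is created, populated with a principal from the trusted forest, and granted the "Allowed to authenticate" extended right on the computer object that hosts the resource; the ACE is then read back, which is the check a practitioner wants before flipping the trust to selective authentication. It assumes the ActiveDirectory PowerShell module (which did not exist when the thread was written), a trusting domain corp.example with a file server FS01, a trusted forest partner.example with a user alice, and an OU for the group; all of these names are placeholders. The rights GUID 68b1d179-0d15-4d4f-ab71-46152e79a7bc is the schema's Allowed-To-Authenticate control access right. The cross-forest Add-ADGroupMember relies on the cmdlet creating the foreignSecurityPrincipal for the partner user's SID.

```powershell
# Added example (not from the thread): grant "Allowed to authenticate" through a
# domain local group in the trusting domain, as Guido suggests, and verify the ACE.
# Run on a DC or RSAT host in the trusting domain (corp.example) with rights to
# modify the target computer object. All names below are placeholders.
Import-Module ActiveDirectory

$trustedDomain = 'partner.example'                     # trusted forest/domain (assumed)
$trustedUser   = 'alice'                               # user in the trusted domain (assumed)
$resourceHost  = 'FS01'                                # computer in the trusting domain (assumed)
$groupName     = "SA-AllowedToAuth-$resourceHost"      # domain local group in the trusting domain
$groupOu       = 'OU=Trust Groups,DC=corp,DC=example'  # where the group lives (assumed)

# Control access right "Allowed-To-Authenticate" (rightsGuid in the Extended-Rights container).
$allowedToAuthGuid = [Guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'

# 1. Domain local group in the *trusting* domain: membership is controlled here, not by
#    the trusted domain's admins. Re-runs reuse the existing group.
$group = Get-ADGroup -Filter "Name -eq '$groupName'"
if (-not $group) {
    $group = New-ADGroup -Name $groupName -GroupScope DomainLocal -GroupCategory Security `
                         -Path $groupOu -PassThru
}

# 2. Add the foreign user; AD stores it as a foreignSecurityPrincipal holding the partner SID.
$foreignUser = Get-ADUser -Identity $trustedUser -Server $trustedDomain
Add-ADGroupMember -Identity $group -Members $foreignUser

# 3. Allow ACE for the extended right on the computer object that hosts the resource.
#    This is the object the KDC consults when the trust uses selective authentication.
$computer = Get-ADComputer -Identity $resourceHost
$aclPath  = "AD:\$($computer.DistinguishedName)"
$acl      = Get-Acl -Path $aclPath
$ace      = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                [System.Security.Principal.SecurityIdentifier]$group.SID,
                [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
                [System.Security.AccessControl.AccessControlType]::Allow,
                $allowedToAuthGuid)
$acl.AddAccessRule($ace)
Set-Acl -Path $aclPath -AclObject $acl

# 4. Read back: every principal with an Allow/Deny on exactly this extended right.
#    A Deny, or no matching entry for any SID in the caller's PAC, means the KDC will
#    not issue the service ticket at all (Dean's "authentication firewall").
(Get-Acl -Path $aclPath).Access |
    Where-Object { $_.ObjectType -eq $allowedToAuthGuid -and
                   ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) } |
    Select-Object IdentityReference, AccessControlType, IsInherited |
    Format-Table -AutoSize
```

The group membership, not the ACL, is what the trusting domain's admin edits day to day; the ACE on the computer object stays constant, which is the point of putting a domain local group between the foreign principals and the right.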

RE: [ActiveDir] Forest trusts vs trusts within forests

2005-01-11 Thread Dean Wells
Good point, my statement was intended to indicate the component requirements
of the ACE as they're a little different in the context of Selective Auth.
... I didn't intend to completely refute Microsoft's long-standing AG[D]LP
puke ... I mean recommendation ... LOL - I'm still one funny limey ;-)

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com



RE: [ActiveDir] Forest trusts vs trusts within forests

2005-01-10 Thread Grillenmeier, Guido



that may be a matter of personal preference and of the way that your DNS
is currently set up.

Granted - in the scenario I described, Stubs would have the benefit of
being AD integrated and would thus replicate to any DC-DNS server, but if
you have to combine two different DNS worlds with a non-contiguous
namespace, conditional forwarding may be more straightforward.

Cheers,
Guido

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Deji Akomolafe
Sent: Saturday, January 08, 2005 12:33 AM
To: ActiveDir@mail.activedir.org; Send - AD mailing list
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests

No, Dean. You are all alone in your own little "stubby" world :o)

Actually, I use Stubs, especially in the scenario Guido described. I
wouldn't introduce CF or secondaries in that situation.

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon

From: Dean Wells
Sent: Fri 1/7/2005 3:21 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests

Does nobody but me like or even prefer stub zones? ;-)

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Friday, January 07, 2005 5:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests

I'd say JFK jr. answered it between the lines ;-) Happy New Year John and
all!

A domain in a separate forest with a trust to another forest will be less
risky than a domain within the same forest - esp. under the circumstances
that Dave described (such as limited physical security in the remote
offices).  So without going into details, with the information given I'd say
two forests + trusts is a valid choice.  If you require Kerberos auth.
between the two domains (in the two forests), then both would need to run
2003.  Otherwise it'll be a "NT4 style" external trust using NTLM auth.  

Naturally you'll have a little more hassle with DNS, but the second
domain/forest could certainly use a child zone of the existing forest (e.g.
1st-domain = company.com, 2nd-domain = child.company.com) and you will need
to set up your zone transfers or forwarding appropriately (again something
which is done more easily with Win2003's conditional forwarding...)

/Guido


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, January 07, 2005 11:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests

Out of curiosity, did you get your question answered?  The original that I
read was that you wanted to know if you had two separate forests with
trusts, would that create the same risks as if they were in the same forest.
I *think* I read that correctly.  I think John had a lot of great
information in there, but I got to the thread too late which makes it harder
to read and tell what was said etc.  

Just curious mostly.

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg, David A
Sent: Friday, January 07, 2005 3:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests

Thanks John.  To answer your questions:
1)  the topology is hub/spoke.  I would put a couple DCs for the new forest
in the hub location.
2) Regarding replication, most of these sites have few to no Exchange users
- those that do use OWA.  So, I'm not worried losing the common GC that a
single forest provides.  I'll need to work with the Exchange team to see
if/how any future plans impact this assessment, of course.
Bandwidth  is not the issue for wanting to compartmentalize replication.
It's more about having a r/w copy of the internal directory at all of these
sites that have no use for it.
3) The applications would by and large be at the central location.  Some
could live in the second forest (see #1).  I'm certain that the business
will want some of these users to access some apps in the internal forest,
though- hence the need to trust the new forest.  I'm also sure that our
support people will want the new forest to trust the internal forest to make
it easier to support.
 
There's no illusion on my part that any configuration gives me a 100%
security guarantee - if there was, someone would have found it an all of us
in info security would have to find real jobs!
 
Thanks again for the insights. I truly appreciate getting a sanity check.
Around my company I'm the one people go to for AD expertise, so when I need
to bounce things off of people it's often on this list.
 
Happy Friday!
Dave

	-Original Message-
	From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Rei
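An added example, not from any of the posts above, of the two options Guido and Dean weigh for resolving the trust partner's namespace: a stub zone or a conditional forwarder for the partner zone, published on an AD-integrated DNS server, followed by the check that matters for trust creation and Kerberos referrals, namely that the partner's DC locator SRV records resolve through the local server. It assumes the DnsServer PowerShell module (Windows Server 2012 or later; on Windows Server 2003, the version discussed in the thread, conditional forwarders could not be AD-integrated, which is the replication advantage Guido gives stub zones), a partner zone partner.example and partner DNS servers 10.1.0.10 and 10.1.0.11; all names and addresses are placeholders.

```powershell
# Added example (not from the thread): publish the trust partner's zone either as an
# AD-integrated stub zone or as a conditional forwarder, then verify DC locator
# resolution. Run on a DNS-enabled DC of our own forest. Placeholders throughout.
Import-Module DnsServer

$partnerZone    = 'partner.example'            # the other forest's DNS name (assumed)
$partnerServers = '10.1.0.10', '10.1.0.11'      # authoritative DNS in the partner forest (assumed)

function Publish-PartnerZone {
    param(
        [ValidateSet('Stub', 'ConditionalForwarder')] [string]$Mode,
        [string]$Zone,
        [string[]]$MasterServers
    )
    if (Get-DnsServerZone -Name $Zone -ErrorAction SilentlyContinue) {
        Write-Warning "Zone $Zone already exists on this server; leaving it alone"
        return
    }
    switch ($Mode) {
        # Stub zone: holds only the partner's SOA/NS/glue, refreshed from the masters,
        # and (ReplicationScope Forest) replicates to every DNS-enabled DC in our forest.
        'Stub' {
            Add-DnsServerStubZone -Name $Zone -MasterServers $MasterServers -ReplicationScope Forest
        }
        # Conditional forwarder: no zone data at all, queries for the name go to fixed
        # addresses. Simpler when the partner namespace is non-contiguous or its NS set
        # should not be trusted to drive our resolution.
        'ConditionalForwarder' {
            Add-DnsServerConditionalForwarderZone -Name $Zone -MasterServers $MasterServers -ReplicationScope Forest
        }
    }
}

Publish-PartnerZone -Mode Stub -Zone $partnerZone -MasterServers $partnerServers

# Verification: resolve the partner's DC locator record through *this* server rather
# than by asking the partner's DNS directly, so the published path is what is tested.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$partnerZone" -Type SRV -Server localhost
$srv | Where-Object { $_.Type -eq 'SRV' } |
    Select-Object Name, NameTarget, Port, Priority, Weight |
    Format-Table -AutoSize
```

Whichever option is chosen, the same check has to succeed from the partner's side for our own forest name, since a forest trust is validated and used in both directions.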

RE: [ActiveDir] Forest trusts vs trusts within forests

2005-01-10 Thread Grillenmeier, Guido



Hello Dèjì, good thoughts, but not sure that I agree with all you say - I
believe Dave's scenario could benefit from a separate forest - see some
comments below.

Cheers,
Guido


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Deji Akomolafe
Sent: Saturday, January 08, 2005 12:30 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests

Without disagreeing with any of the points you made, don't you think
multi-forest deployment is an "overkill" for what he's trying to achieve?

Let's look at the SOW again:

The motivations for considering another forest are the following:
1) we have some remote sites with workstations that authenticate to the
domain so they can be managed with GPOs and software distribution. They
have no real need to access MS resources at the main site. In some cases,
there are enough of these workstations to warrant a local DC. We don't
want DCs for the one and only existing domain in some of these locations,
because we can't always control physical access to them. An isolated
forest (no trusts) for these would protect the internal forest in the
event the new forest was compromised, compartmentalizing the damage.

OK, if he does implement a separate forest, he will still NEED Trusts in
order to have any relationship between these forests, so we know that the
NO TRUST aspect of this requirement can't be met. So, if there is TRUST,
and the UNPROTECTED (throw-away) forest is compromised, the malicious
0wn3r now has the ability to compromise the PROTECTED forest as well. I
know it is harder to do, but it is a reality

[Guido] I do have to disagree here, as you're making it sound as if
there's no real benefit for separate forests from a security perspective.
That's not true. It's not necessarily the trust between one forest or the
other that allows a malicious user to attack the "PROTECTED" forest. It's
the fact that this user has some kind of physical access or network
connectivity to the "UNPROTECTED" network, which - with or without
compromise of the "UNPROTECTED" forest - allows him to attack the other
forest. The trust between the two forests (with SID-filtering enabled,
which is the case by default) doesn't really make it easier for the
attacker - especially if you've taken appropriate precautions in the
"PROTECTED" forest to hinder enumeration of all accounts to all
authenticated users (which would be even easier to restrict using
Selective Auth. as available with 2003 DFL) etc. 

In any case, this attack won't be nearly as easy as an attack against the
"PROTECTED" forest, if Dave were to add another domain to this forest and
locate its DCs in the "UNPROTECTED" locations. In general I advise, if a
separate OU in your main forest is not enough isolation for your security
needs, then you'll have to create a separate forest - don't even think
about creating a new domain in the same forest to gain any _security_
benefits.

2) there's no need to replicate the thousands of internal user and
computer accounts to the locations mentioned above - a new domain, whether
it's in a new forest or not, would eliminate this unwanted replication.

Someone already answered this previously, pointing to the enhanced
compression and replication algorithm in 2K3. Even so, any replication
"storm" will be mostly a one-time incident for the initial synch. So, we
can eliminate this from the list of reasons to do a new Forest

[Guido] maybe I missed it, but I didn't see Dave mention any numbers or
sizes of his environment. If e.g. his current main domain/forest has
100.000 users and the remote sites have a total of 1.000 users, then it's
simply a different story compared to a main domain of 5.000 users with 500
remote users... 
Also, I do not generally agree that there is less replication traffic in
Win2k3 - naturally the replication traffic caused from group membership
changes has decreased through LVR (which requires the forest to be at 2003
FFL), but for other changes such as new or changed accounts, PW changes
etc. the amount of data that's replicated between sites has actually
increased slightly from 2000 to 2003. This is due to a change of the
compression algorithm which has been improved in performance/speed in
2003, but which doesn't reach the same compression ratio as the slower
algorithm of Win2000. This means, that although a 2003 DC will spend less
CPU cycles on compressing data to replicate to remote sites, it will
actually transfer more data to the remote site (if you have very slow
links, you can actually change the compression algorithm back to that of
Win2000). Again, the net impact really depends on the size of Dave's main
forest and the ratio between the amount of changes done to group
memberships vs. other changes etc.

3) some applications require access by vendors, suppliers, etc. There is
some des

RE: [ActiveDir] Forest trusts vs trusts within forests

2005-01-10 Thread Grillenmeier, Guido
that's also my understanding Dean and that's how I've tested it, and it
works - but I certainly wouldn't mind the lengthy version of the
explanation...

I do have to say, that the statement to require FFL2 to use SA for
forest trusts is somewhat of a joke though: you'll have to have both
forests running at FFL2 anyways to create a forest trust in the first
place ;-)

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Saturday, January 08, 2005 12:20 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests

For forest trust: must be forest functional level 2
For external trust: must be domain functional level 2

If an explanation as to why is desirable, please ask ... it's lengthy.


--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg,
David A
Sent: Friday, January 07, 2005 5:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests

Al - that was basically the first question, and I did get the
confirmation I was looking for.  The other part was regarding the
'functional level' requirements for SA.  I had read conflicting things
there - the one that troubled me was this:

"To enable selective authentication on forest trusts, the trusting
forest in which shared resources are located must have the forest
functional level set to Windows Server 2003. To enable selective
authentication on external trusts, the trusting domain in which shared
resources are located must have the domain functional level set to
Windows 2000 native."
(From http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/techref/en-us/Default.asp?url=/Resources/Documentation/windowsserv/2003/all/techref/en-us/w2k3tr_trust_security.asp)

The second sentence sounds as though the trusting domain can be at Win2K
Native and still use SA on an external trust.  The info I see other
places (including a post from John) sounds like the trusting domain must
be at least Win2K3 Domain Functional Level.  I'm still not sure which is
true, as I haven't tried it in the lab yet :)  My guess is that SA is
not available until the trusting domain (which would have to stamp the
Other Organization SID in the token) is at W2K3 DFL.

Dave 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Reijnders
Sent: Friday, January 07, 2005 10:36 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Forest trusts
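An added example, not from any of the posts, that collects the checks this part of the thread argues about into one report from the trusting side: Dean's functional-level prerequisite (forest mode for a forest trust, domain mode for an external trust), whether the TDO is flagged for selective authentication (Dean's "Other Organization" path), and whether SID filtering is in effect, which Guido's earlier reply relies on being the default. It assumes the ActiveDirectory PowerShell module and a trust partner named partner.example; the name is a placeholder. The trustAttributes bit names follow MS-ADTS, and the two well-known SIDs are the ones Dean lists. The netdom switches in the trailing comment are shown for reference only.

```powershell
# Added example (not from the thread): report the state of one trust from the trusting
# side together with the functional levels that selective authentication depends on.
# Run in the trusting domain/forest. partner.example is a placeholder.
Import-Module ActiveDirectory

$partner = 'partner.example'   # name of the trusted domain or forest (assumed)

# Bit meanings of the TDO's trustAttributes (MS-ADTS 6.1.6.7.9).
$trustAttributeBits = [ordered]@{
    NON_TRANSITIVE      = 0x01
    UPLEVEL_ONLY        = 0x02
    QUARANTINED_DOMAIN  = 0x04   # SID filtering (quarantine) on an external trust
    FOREST_TRANSITIVE   = 0x08   # forest trust
    CROSS_ORGANIZATION  = 0x10   # selective authentication
    WITHIN_FOREST       = 0x20
    TREAT_AS_EXTERNAL   = 0x40
    USES_RC4_ENCRYPTION = 0x80
}

function Get-TrustAttributeNames {
    param([int]$Value)
    $trustAttributeBits.GetEnumerator() |
        Where-Object { ($Value -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}

$trust  = Get-ADTrust -Identity $partner -Properties *
$forest = Get-ADForest
$domain = Get-ADDomain

# Functional-level context: Dean's rule is Windows Server 2003 forest mode for SA on a
# forest trust and Windows Server 2003 domain mode for SA on an external trust, because
# only a 2003+ KDC on the trusting side knows to stamp S-1-5-1000 and run the extra check.
[PSCustomObject]@{
    Trust                   = $trust.Name
    Direction               = $trust.Direction
    ForestTransitive        = $trust.ForestTransitive
    SelectiveAuthentication = $trust.SelectiveAuthentication
    SIDFilteringQuarantined = $trust.SIDFilteringQuarantined
    SIDFilteringForestAware = $trust.SIDFilteringForestAware
    TrustAttributes         = ('0x{0:X} ({1})' -f $trust.TrustAttributes,
                               ((Get-TrustAttributeNames $trust.TrustAttributes) -join ', '))
    ForestMode              = $forest.ForestMode
    DomainMode              = $domain.DomainMode
} | Format-List

# The two well-known SIDs the KDC injects into the PAC, resolved to display names so
# they can be recognised in ACLs and in "whoami /groups" output from across the trust.
foreach ($sid in 'S-1-5-15', 'S-1-5-1000') {
    $name = ([System.Security.Principal.SecurityIdentifier]$sid).Translate([System.Security.Principal.NTAccount])
    '{0,-12} {1}' -f $sid, $name.Value
}

# Switching the two flags with netdom, run from the trusting domain (both are also
# exposed on the trust's properties in AD Domains and Trusts):
#   netdom trust corp.example /d:partner.example /SelectiveAuth:yes
#   netdom trust corp.example /d:partner.example /Quarantine:yes
```

A trust with CROSS_ORGANIZATION set but no "Allowed to authenticate" ACEs on any computer object blocks every cross-trust Kerberos service ticket, so the report above is worth running before and after the switch, alongside the ACL check on the resource hosts.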

RE: [ActiveDir] Forest trusts vs trusts within forests

2005-01-10 Thread Mulnick, Al
Actually Dean, I would like to hear that explanation as to why if it's not
too much trouble.  It often helps to make the idea stick :)

As for the replication, Dave, I understood the replication differences to be
more for security reasons than performance etc.  Something along the lines
of not putting information where it wasn't absolutely needed anyway.  Was I
off on that?

Much of the conversation has been around protecting assets should some event
occur.  I get the sense that there is an operational component to this and
that you have a well defined process to handle events should they occur.  

Could just be me though.

Al
 


RE: [ActiveDir] Forest trusts vs trusts within forests

2005-01-10 Thread Dean Wells
Good point ... it is somewhat redundant isn't it :)

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday, January 10, 2005 5:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests

that's also my understanding Dean and that's how I've tested it that it
works - but I certainly wouldn't mind the lengthy version of the
explanation...

I do have to say, that the statement to require FFL2 to use SA for forests
trusts is somewhat of a joke though: you'll have to have both forests
running at FFL2 anyways to create a forest trust in the first place ;-)

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Saturday, January 08, 2005 12:20 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests

For forest trust: must be forest functional level 2 For external trust:
must be domain functional level 2

If an explanation as to why is desirable, please ask ... it's lengthy.


--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg, David A
Sent: Friday, January 07, 2005 5:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests

Al - that was basically the first question, and I did get the confirmation I
was looking for.  The other part was regarding the 'functional level'
requirements for SA.  I had read conflicting things there - the one that
troubled me was this:
"To enable selective authentication on forest trusts, the trusting forest in
which shared resources are located must have the forest functional level set
to Windows Server 2003. To enable selective authentication on external
trusts, the trusting domain in which shared resources are located must have
the domain functional level set to Windows 2000 native." (From
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/techref/en-us/Default.asp?url=/Resources/Documentation/windowsserv/2003/all/techref/en-us/w2k3tr_trust_security.asp)

The second sentence sounds as though the trusting domain can be at Win2K
Native and still use SA on an external trust.  The info I see other places
(including a post from John) sounds like the trusting domain must be at
least Win2K3 Domain Functional Level.  I'm still not sure which is true,
as I haven't tried it in the lab yet :)  My guess is that SA is not
available until the trusting domain (which would have to stamp the Other
Organization SID in the token) is at W2K3 DFL.

Dave 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, January 07, 2005 4:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests


Out of curiosity, did you get your question answered?  The original that I
read was that you wanted to know if you had two separate forests with
trusts, would that create the same risks as if they were in the same forest.
I *think* I read that correctly.  I think John had a lot of great
information in there, but I got to the thread too late which makes it harder
to read and tell what was said etc.  

Just curious mostly.

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg, David A
Sent: Friday, January 07, 2005 3:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests

Thanks John.  To answer your questions:
1)  the topology is hub/spoke.  I would put a couple DCs for the new forest
in the hub location.
2) Regarding replication, most of these sites have few to no Exchange users
- those that do use OWA.  So, I'm not worried losing the common GC that a
single forest provides.  I'll need to work with the Exchange team to see
if/how any future plans impact this assessment, of course.
Bandwidth  is not the issue for wanting to compartmentalize replication.
It's more about having a r/w copy of the internal directory at all of these
sites that have no use for it.
3) The applications would by and large be at the central location.  Some
could live in the second forest (see #1).  I'm certain that the business
will want some of these users to access some apps in the internal forest,
though- hence the need to trust the new forest.  I'm also sure that our
support people will want the new forest to trust the internal forest to make
it easier to support.
 
There's no illusion on my part that any configuration gives me a 100%
security guarantee - if there was, someone would have found it and all of us
in info security would have to find real jobs!
 
Thanks again for the insights. I truly appreciate getting a sanity check.
Around my company I'm the one

RE: [ActiveDir] Forest trusts vs trusts within forests

2005-01-10 Thread Fugleberg, David A
You're correct, Al - the thought regarding replication is that there's
no reason to put information from the internal domain on those DCs in
the less-trusted domain.  There is no need for it there in the first
place, and if I don't replicate it there I have that much less to worry
about if that forest should be compromised.  Of course, that assumes
using SA and SID filtering.

Deji (and others who mentioned it), you're absolutely correct that the
permissioning on the existing domain needs to improve - I'm steering
things that way.  However, I like defense in depth, and it seems to me
that the additional forest, while not a cure-all, does make it more
difficult (not impossible, just harder) for someone who 0wnz one forest
to attack the other (for the reasons cited by Guido, John, and others).

Dave

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Monday, January 10, 2005 7:59 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests


Actually Dean, I would like to hear that explanation as to why if it's
not too much trouble.  It often helps to make the idea stick :)

As for the replication, Dave I understood the replication differences to
be more for security reasons than performance etc.  Something along the
lines of not putting information where it wasn't absolutely needed
anyway.  Was I off on that?

Much of the conversation has been around protecting assets should some
event occur.  I get the sense that there is an operational component to
this and that you have a well defined process to handle events should
they occur.  

Could just be me though.

Al
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier,
Guido
Sent: Monday, January 10, 2005 5:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests

that's also my understanding Dean and that's how I've tested it that it
works - but I certainly wouldn't mind the lengthy version of the
explanation...

I do have to say, that the statement to require FFL2 to use SA for
forests trusts is somewhat of a joke though: you'll have to have both
forests running at FFL2 anyways to create a forest trust in the first
place ;-)

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Saturday, January 08, 2005 12:20 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests

For forest trust: must be forest functional level 2 For external trust:
must be domain functional level 2

If an explanation as to why is desirable, please ask ... it's lengthy.


--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg,
David A
Sent: Friday, January 07, 2005 5:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests

Al - that was basically the first question, and I did get the
confirmation I was looking for.  The other part was regarding the
'functional level' requirements for SA.  I had read conflicting things
there - the one that troubled me was this: To enable selective
authentication on forest trusts, the trusting forest in which shared
resources are located must have the forest functional level set to
Windows Server 2003. To enable selective authentication on external
trusts, the trusting domain in which shared resources are located must
have the domain functional level set to Windows 2000 native. (From
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/te
chref/en-us/Default.asp?url=/Resources/Documentation/windowsserv/2003/al
l/techref/en-us/w2k3tr_trust_security.asp) 

The second sentence sounds as though the trusting domain can be at Win2K
Native and still use SA on an external trust.  The info I see other
places (including a post from John) sounds like the trusting domain must
be at least Win2K3 Domain Functional Level.  I'm not still not sure
which is true, as I haven't tried it in the lab yet :)  My guess is that
SA is not available til the trusting domain (which would have to stamp
the Other Organization SID in the token) is at W2K3 DFL.

Dave 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, January 07, 2005 4:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests


Out of curiosity, did you get your question answered?  The original that
I read was that you wanted to know if you had two separate forests with
trusts, would that create the same risks as if they were in the same
forest. I *think* I read that correctly.  I think John had a lot of
great information in there, but I got to the thread too late which makes
it harder to read and tell what was said etc.  

Just curious

RE: [ActiveDir] Forest trusts vs trusts within forests

2005-01-10 Thread Dean Wells
Simplified question is - why do we require domain (external trust) or
forest (forest trust) functional level 2 when using selective
authentication? -

Let's begin with what selective authentication (SA) does ... when configured
across a particular trust it tells the KDCs within the domain at the end of
the trust to perform an additional validity check before issuing the session
ticket (we normally rely solely on authorization ... SA prevents the ticket
from even being issued thus it is known as the authentication firewall).  

The additional validity check uses the SPN (service principal name) within
the ticket request and resolves it to a computer object within the domain NC
(nothing new so far) and looks for an Allow for the extended right
Allowed to authenticate assigned to any SID within the requesting user's
PAC or access token (this is the new validity check).  Allowed to
authenticate should be assigned against the computer object that represents
the physical computer housing the resource.  It must be assigned to the user
or group from the trusted domain that you wish to grant access to.  If the
right is allowed, the ticket is issued.  If the right is denied or not
listed/not applicable to the requesting user, the ticket is not issued and
access will not be granted since authorization cannot proceed.  It is
important to note that this process is only performed against TGS requests
originating in a foreign realm/domain for which the trust relationship's TDO
(trusted domain object) indicates SA as opposed to forest wide
authentication.

Before a session ticket can be issued a requesting client must possess a TGT
issued by a KDC authoritative over the server holding the target service.
Upon requesting initial auth., the KDC in the trusting domain decrypts the
TGS referral, validates the authenticator and, if valid, constructs a new
TGT containing a near bit for bit copy of the PAC from the original ticket
(PAC = privileged attribute certificate).  At this juncture, a new SID is
injected into the PAC dependent upon the trust's authentication type;
selective or forest-wide.  

* If forest wide, the SID is This Organization (well-known group S-1-5-15)
* If selective, the SID is Other Organization (well-known group S-1-5-1000)

So how do we know whether or not to invoke this new behavior and which SID
should be injected during the TGT's construction?

We do that by determining where the ticket request originated.  If memory
serves, each ticket contains an attribute known as the transited path
attribute which maintains a list of the domains/realms through which the
ticket has passed to get here thereby allowing us to determine behaviors
relevant to the ticket's origin.

The presence of the Other Org SID within a TGT dictates that the new
behavior (the extra validity check) must be used before issuing a session
ticket.  Since this behavior is only known to a 2003+ KDC, the need for a
functional level is imposed.  SA is also supported for downlevel NTLM-only
clients ... they use a mechanism known as pass-through authentication in
order to dynamically inject additional domain relevant SIDs ... this allows
the DCs to detect the presence of the Other Org SID and perform the new
validity check before returning the newly formed token (or not).

Note also that since This and Other Org are SIDs (and therefore security
principals), they can be assigned access to resources allowing you to permit
or deny access to any resource based on whether the request originated
within a domain that is considered as part of _our_ organization or not.

I've found it useful to keep the following in mind; when creating a trust
between 2 domains or forests, treat the authentication type as follows -

* If selective auth. is used then we're saying that we have 2 separate
organizations wishing solely to share resources when suitable

* If forest/domain-wide auth. is used then we're saying that although we
have two isolated domains they still represent one organization and
additional validity checks are not necessary

Hope this proves useful ... that's my post quota for '05 ;-)

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Monday, January 10, 2005 8:59 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests

Actually Dean, I would like to hear that explanation as to why if it's not
too much trouble.  It often helps to make the idea stick :)

As for the replication, Dave I understood the replication differences to be
more for security reasons than performance etc.  Something along the lines
of not putting information where it wasn't absolutely needed anyway.  Was I
off on that?

Much of the conversation has been around protecting assets should some event
occur.  I get the sense that there is an operational component to this and
that you have a well
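
The check a practitioner would want after reading Dean's explanation, as an added PowerShell example that is not part of his post or anything else on this thread: it reads the trust's TDO to confirm that selective authentication and SID filtering are actually set, lists every computer object on which the "Allowed to authenticate" extended right has been granted (and to whom), and grants the right the way Dean describes, on the computer object housing the resource. It assumes the ActiveDirectory RSAT module, a domain account able to read and modify the computer objects' security descriptors, and placeholder names ('partner.example', 'APPSRV01', 'RES\APP-PartnerUsers') that do not come from the thread.

```powershell
# Added example (not from the thread). Audits a trust for selective
# authentication and SID filtering, lists who holds "Allowed to Authenticate"
# on computer objects in the trusting (resource) domain, and grants the right.
# Requires the ActiveDirectory RSAT module; run as a domain account that can
# read/modify the computer objects' security descriptors. All names in the
# usage lines ('partner.example', 'APPSRV01', 'RES\APP-PartnerUsers') are
# placeholders, not from the thread.
Import-Module ActiveDirectory

# rightsGuid of the Allowed-To-Authenticate control access right (schema constant).
$AllowedToAuthGuid = [Guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'
$ExtendedRight     = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$GenericAll        = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

function Get-TrustAuthPosture {
    # Reads the trusted domain object (TDO) for one trust. SelectiveAuthentication
    # mirrors TRUST_ATTRIBUTE_CROSS_ORGANIZATION (0x10) in trustAttributes, the bit
    # that makes the KDC stamp Other Organization instead of This Organization.
    # SIDFilteringQuarantined is the external-trust setting, SIDFilteringForestAware
    # the forest-trust one; only one of the two is meaningful for a given trust.
    param([Parameter(Mandatory)][string]$TrustedDomain)
    $t = Get-ADTrust -Identity $TrustedDomain
    [pscustomobject]@{
        Trust                   = $t.Name
        Direction               = $t.Direction
        ForestTransitive        = $t.ForestTransitive
        SelectiveAuthentication = $t.SelectiveAuthentication
        CrossOrgBitSet          = (($t.TrustAttributes -band 0x10) -ne 0)
        SidFilteringQuarantined = $t.SIDFilteringQuarantined
        SidFilteringForestAware = $t.SIDFilteringForestAware
    }
}

function Get-AllowedToAuthenticateGrants {
    # Returns every ACE on computer objects that confers (or denies) the
    # Allowed-To-Authenticate extended right. An ExtendedRight ACE with an empty
    # ObjectType covers all extended rights, and Full Control (GenericAll) on the
    # object implies the right too, so both are reported as well.
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    foreach ($c in Get-ADComputer -Filter * -SearchBase $SearchBase) {
        $acl = Get-Acl -Path ("AD:\" + $c.DistinguishedName)
        foreach ($ace in $acl.Access) {
            $isRight = $ace.ActiveDirectoryRights.HasFlag($ExtendedRight) -and
                       ($ace.ObjectType -eq $AllowedToAuthGuid -or $ace.ObjectType -eq [Guid]::Empty)
            $isAll   = $ace.ActiveDirectoryRights.HasFlag($GenericAll)
            if (-not ($isRight -or $isAll)) { continue }
            $via = if ($isRight) { 'AllowedToAuthenticate' } else { 'GenericAll' }
            [pscustomobject]@{
                Computer  = $c.Name
                Principal = $ace.IdentityReference.Value
                Type      = $ace.AccessControlType   # Deny (or no ACE at all) -> no ticket
                Via       = $via
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Grant-AllowedToAuthenticate {
    # Adds an Allow ACE for the extended right on the computer object that
    # houses the service. $Principal is 'DOMAIN\name': a user or group from the
    # trusted domain, or a group in this domain that contains such principals.
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$Principal
    )
    $dn  = (Get-ADComputer -Identity $ComputerName).DistinguishedName
    $sid = ([System.Security.Principal.NTAccount]$Principal).Translate(
               [System.Security.Principal.SecurityIdentifier])
    $ace = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $sid, $ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $AllowedToAuthGuid)
    $acl = Get-Acl -Path "AD:\$dn"
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$dn" -AclObject $acl
}

# Usage (placeholder names):
Get-TrustAuthPosture -TrustedDomain 'partner.example' | Format-List
Get-AllowedToAuthenticateGrants | Format-Table -AutoSize
# Grant-AllowedToAuthenticate -ComputerName 'APPSRV01' -Principal 'RES\APP-PartnerUsers'
```

Two things to keep in mind when reading the output. SelectiveAuthentication being false with a trust you believed was selective means the KDC will stamp This Organization and skip the extra check entirely, whatever ACEs are on the computer objects; check the trust first, then the grants. And because a Deny ACE and a missing ACE both end in "no ticket", the report lists the AccessControlType so an explicit Deny on a server is visible rather than indistinguishable from an oversight. Reading the ACL of every computer object is slow in a large domain; scope -SearchBase to the OU holding the resource servers.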

RE: [ActiveDir] Forest trusts vs trusts within forests

2005-01-09 Thread Rick Kingslan
Ummm, yeah - I do.

-rtk 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, January 07, 2005 5:22 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests

Does nobody but me like or even prefer stub zones? ;-)

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Friday, January 07, 2005 5:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests

I'd say JFK jr. answered it between the lines ;-) Happy New Year John and
all!

A domain in a separate forest with a trust to another forest will be less
risky than a domain within the same forest - esp. under the circumstances
that Dave described (such as limited physical security in the remote
offices).  So without going in details, with the information given I'd say
two forests + trusts is a valid choice.  If you require Kerberos auth.
between the two domains (in the two forests), then both would need to run
2003.  Otherwise it'll be a NT4 style external trust using NTLM auth.  

Naturally you'll have a little more hassle with DNS, but the second
domain/forest could certainly use a child zone of the existing forest (e.g.
1st domain = company.com, 2nd domain = child.company.com) and you will need to
set up your zone transfers or forwarding appropriately (again something which
is done more easily with Win2003's conditional forwarding...)

/Guido


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg, David A
Sent: Friday, January 07, 2005 3:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests

Thanks John.  To answer your questions:
1)  the topology is hub/spoke.  I would put a couple DCs for the new forest
in the hub location.
2) Regarding replication, most of these sites have few to no Exchange users
- those that do use OWA.  So, I'm not worried losing the common GC that a
single forest provides.  I'll need to work with the Exchange team to see
if/how any future plans impact this assessment, of course.
Bandwidth  is not the issue for wanting to compartmentalize replication.
It's more about having a r/w copy of the internal directory at all of these
sites that have no use for it.
3) The applications would by and large be at the central location.  Some
could live in the second forest (see #1).  I'm certain that the business
will want some of these users to access some apps in the internal forest,
though- hence the need to trust the new forest.  I'm also sure that our
support people will want the new forest to trust the internal forest to make
it easier to support.
 
There's no illusion on my part that any configuration gives me a 100%
security guarantee - if there was, someone would have found it and all of us
in info security would have to find real jobs!
 
Thanks again for the insights. I truly appreciate getting a sanity check.
Around my company I'm the one people go to for AD expertise, so when I need
to bounce things off of people it's often on this list.
 
Happy Friday!
Dave

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Reijnders
Sent: Friday, January 07, 2005 10:36 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests



Hi David,

 

Take 2 ;-). See inline comments for my ideas.

 

1) we have some remote sites with workstations that authenticate to
the domain so they can be managed with GPOs and software distribution.  They
have no real need to access MS resources at the main site.  In some cases,
there are enough of these workstations to warrant a local DC.  We don't want
DCs for the one and only existing domain in some of these locations, because
we can't always control physical access to them.  An isolated forest (no
trusts) for these would protect the internal forest in the event the new
forest was compromised, compartmentalizing the damage.

 

I'm interested in the physical structure of your network

RE: [ActiveDir] Forest trusts vs trusts within forests

2005-01-07 Thread Fugleberg, David A
First, thanks to all of you for the many well-reasoned replies to my post.
You've confirmed some things for me and filled in some blanks. I'll try to
answer the questions that some of you asked and see what you think.

The motivations for considering another forest are the following:

1) we have some remote sites with workstations that authenticate to the domain
so they can be managed with GPOs and software distribution. They have no real
need to access MS resources at the main site. In some cases, there are enough
of these workstations to warrant a local DC. We don't want DCs for the one and
only existing domain in some of these locations, because we can't always
control physical access to them. An isolated forest (no trusts) for these
would protect the internal forest in the event the new forest was compromised,
compartmentalizing the damage.

2) there's no need to replicate the thousands of internal user and computer
accounts to the locations mentioned above - a new domain, whether it's in a
new forest or not, would eliminate this unwanted replication.

3) some applications require access by vendors, suppliers, etc. There is some
desire to keep such accounts physically separate from the internal directory.
Part of this was because many intranet resources are granted to 'authenticated
users', and people have a hard time realizing that some clerk at one of our
suppliers is just as much an 'authenticated user' as an internal employee[1].
If such accounts were in a completely isolated forest (no trusts), they would
not be authenticated users in our internal domain.

Of course, you and I both know that sooner or later (most likely sooner) there
will be an absolute requirement to grant access to resources in one domain for
users from another. I can easily see such needs in both directions here. So,
trusts will be required and the "complete" isolation is gone.

What I'm trying to figure out is whether a separate forest with trusts in both
directions (with SA and SID Filtering) gets me closer to the objective than a
new domain in the existing forest. It seems to me that a new domain in the
existing forest would take care of #2, but not the other issues, which brings
up the new forest idea. I just don't want to introduce a new forest only to
find that the required trusts put me right back in the same situation as if I
had just added a child domain to the existing forest. Comments?

One more question - one document I read indicated that Selective
Authentication works as long as the domain holding the resources is 2000
Native or better. Other things seem to indicate that both domains must be at
W2K3 FFL. Will SA and SID filtering work if the new domain is W2K3 FFL and the
old one is at W2K Native?

[1] Yeah, I know that I could put them in another OU, and the resources should
really be ACLed so only intended groups have access instead of relying on
'authenticated users'. Maybe that's the path I should push for regarding #3 -
your comments are welcome!

  
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Reijnders
Sent: Friday, January 07, 2005 1:42 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests

Happy New Year to you as well!

In order to make a good decision for yourself whether or not you can and need
to protect yourself against clever Domain Admins, Service Admins and/or people
with physical access to your DCs, some extra info:

Ways to bypass standard security:
- Add the Enterprise Admin SID to your token (e.g. in your SidHistory). This
  can be done by using an 'improved' version of kerberos.dll, which will add
  the Enterprise Admins SID to every service ticket.
- You can modify the system software or Directory DB to bypass security
  checks by:
  o Changing the default security descriptor for an object class
  o Adding a user to the Enterprise Admins universal group on a GC
  o Executing a logon script in a site GPO
- Or schedule an AT job which runs under local system credentials.

(Partial) solutions to these problems are:
- Delegation of control
- Physical protection of ALL DCs
- SID filtering (enabled by default)
- Pro-active monitoring (!)
- Multiple forests (!!)

Some benefits of W2K3 trusts:
- Transitive (not really a sexy feature in your 2 single-domain forest design)
- You can use Kerberos logon instead of NTLM.
- You can use both implicit and explicit UPN logon over the trust
- Selective Authentication (which is disabled by default and applies to
  external, realm and forest trusts): This option provides a method that you
  can use to achieve better granularity for authentication requests that come
  across a trust. When you enable it, all authentication is examined on the
  service DC. The service DC verifies that t
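
A check for the 'authenticated users' problem in David's item 3 and footnote [1], as an added PowerShell example that is not from David's or John's posts: it walks a folder tree and reports Allow ACEs held by Authenticated Users, Everyone, BUILTIN\Users or Domain Users, the grants a supplier's clerk coming across a trust inherits without anyone deciding to give them, and shows a Deny keyed on the Other Organization SID (S-1-5-1000) that Dean's message above describes, which the trusting domain's DCs stamp only into tokens that arrived over a selective-authentication trust. It assumes it runs as a domain account in the resource domain; the path 'D:\Shares\Intranet' is a placeholder.

```powershell
# Added example (not from the thread). Reports folders under a path whose ACLs
# grant access to broad principals that a trusted-forest user silently belongs
# to (Authenticated Users, Everyone, BUILTIN\Users, Domain Users), and adds a
# Deny keyed on the Other Organization SID, which a trusting-domain DC stamps
# only into tokens that arrived over a selective-authentication trust.
# Assumes it runs as a domain account in the resource domain; the path
# 'D:\Shares\Intranet' in the usage line is a placeholder.

$BroadSids = @(
    'S-1-5-11',     # Authenticated Users
    'S-1-1-0',      # Everyone
    'S-1-5-32-545'  # BUILTIN\Users
)
# Domain Users of the domain we run in (RID 513); $null when not a domain account.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
$DomainUsersSid = if ($me.AccountDomainSid) { $me.AccountDomainSid.Value + '-513' } else { $null }

$OtherOrgSid = [System.Security.Principal.SecurityIdentifier]'S-1-5-1000'   # Other Organization

function Get-AceSid {
    # An ACE's IdentityReference is an NTAccount unless the SID no longer resolves.
    param($Ref)
    if ($Ref -is [System.Security.Principal.SecurityIdentifier]) { return $Ref.Value }
    try   { return $Ref.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { return $null }
}

function Find-BroadGrants {
    # Lists Allow ACEs held by the broad principals, explicit or inherited.
    param([Parameter(Mandatory)][string]$Path, [switch]$Recurse)
    $items = @(Get-Item -LiteralPath $Path)
    if ($Recurse) { $items += Get-ChildItem -LiteralPath $Path -Recurse -Directory }
    foreach ($i in $items) {
        $acl = Get-Acl -LiteralPath $i.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
            $sid = Get-AceSid $ace.IdentityReference
            if (-not $sid) { continue }
            if (($sid -in $BroadSids) -or ($DomainUsersSid -and $sid -eq $DomainUsersSid)) {
                [pscustomobject]@{
                    Path      = $i.FullName
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

function Add-OtherOrganizationDeny {
    # Explicit Deny for S-1-5-1000, inherited by subfolders and files. Explicit
    # Denies are ordered ahead of Allows, so this overrides an Authenticated Users
    # or Everyone grant for any token carrying the Other Organization SID, while
    # users from this forest (or from a forest-wide trust, stamped This
    # Organization) are unaffected.
    param([Parameter(Mandatory)][string]$Path)
    $acl  = Get-Acl -LiteralPath $Path
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $OtherOrgSid,
        [System.Security.AccessControl.FileSystemRights]::FullControl,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Deny)
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Usage (placeholder path):
Find-BroadGrants -Path 'D:\Shares\Intranet' -Recurse | Format-Table -AutoSize
# Add-OtherOrganizationDeny -Path 'D:\Shares\Intranet'
```

Expect most hits to be inherited from the volume root, where Authenticated Users commonly holds Modify; those are the ones nobody remembers granting. The Deny is a backstop, not the fix: it only fires for tokens that carry S-1-5-1000, so it does nothing for a trust running forest-wide authentication (those tokens carry S-1-5-15, This Organization), and the lasting answer is the one in footnote [1], ACLing resources to explicit groups rather than to 'authenticated users'.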

RE: [ActiveDir] Forest trusts vs trusts within forests

2005-01-07 Thread John Reijnders
Hi David!

First the simple answer ... I'm working on a more complete text for the rest
of your story ;-)

One more question - one document I read indicated that Selective
Authentication works as long as the domain holding the resources is 2000
Native or better. Other things seem to indicate that both domains must be at
W2K3 FFL. Will SA and SID filtering work if the new domain is W2K3 FFL and the
old one is at W2K Native?

For SA to be able to work, the DOMAIN in which SA will be applied has to be at
W2003 functional level.

Cheers!

John Reijnders
RE: [ActiveDir] Forest trusts vs trusts within forests

2005-01-07 Thread John Reijnders
Hi David,

Take 2 ;-). See inline comments for my ideas.

1) we havesome
remote sites with workstations that authenticate to the domain so they can be
managed with GPOs and software distribution. They have no real need to
access MS resources at the main site. In some cases, there are enough of
these workstations to warrant a local DC. We don't want DCs for the one
and only existing domain in some of these locations, because we can't always
control physical access to them. An isolatedforest (no trusts) for
these would protect the internal forest in the event the new forest was
compromised, compartmentalizing the damage.



I'm interested in the physical structure of your
network. Are the 'evil' sites fully connected to all other sites
(centrally and the other 'evil' sites), or is the network topology
more like a hub-and-spoke model? Implementing a separate domain or forest for
the 'evil' sites would require some sort of connectivity between
them or the implementation of DC for this domain/forest in your centrally and
trustworthy site. But you're right that an isolated forest would take
care of this.



2) there's no need to
replicate the thousands of internal user and computer accounts to the locations
mentioned above - a new domain, whether it's in a new forest or not, would
eliminate this unwanted replication.



There's no need to replicate the usr and cptr
accounts, but there might be a need to replicate things like GC info for an
Exchange address book? Replication has become very efficient in W2003 and I
wouldn't be surprised if replication traffic wouldn't pose a
problem. It really depends on the bandwith you have, but I havn't seen
many implementations in which replication traffic forced me to implements
multiple forest/domains.



3)some
applicationsrequire access by vendors, suppliers, etc. There is
some desire to keep such accounts physically seperate from the internal
directory. Part of this was because many intranet resources are granted
to 'authenticated users', and people have a hard time realizing that some clerk
at one of our suppliers is just as much an 'authenticated user' as an internal
employee[1]. If such accounts were in a completely isolated forest (no
trusts), they would not be authenticated users in our internal domain.



Yep! This calls for a federated forest construction. But are
these applications located at the 'evil' sites or is this a totally
different geographical spreading that might require an additional forest in the
centrally managed site?



What I'm trying to figure
out is whethera seperate forest with trusts in both directions (with SA
and SID Filtering)gets me closer to the objective than a new domain in
the existing forest. It seems to me that a new domain in the existing
forest would take care of #2, but not the other issues, which brings up the new
forest idea. I just don't want to introduce a new forest only to find
that the required trusts put me right back in the same situation as if I had
just added a child domain to the existing forest. Comments ?



The most obvious way to ensure 1 and 3 (I don't
consider 2 to be a 'real' issue, but just one of those arguments
that comes in handy to add another one to the list of pros to achieve
your goal ;-), is a separate forest. This does not put you right back in the same
situation, because several extra steps are introduced that make it tougher to
do whatever you're not allowed to do on the other side. From a technical
point of view, the FedFor construction with SA and SID filtering (be aware that
this breaks SIDHistory!) is a very solid solution. This does not give you a
100% safety guarantee. You will need to monitor your environment (non-technical/social
hacking can be far more dangerous!) for strange events.



[1] Yeah, I know that I
could put them in another OU, and the resources should really be ACLed so only
intended groups have access instead of relying on 'authenticated users'.
Maybe that's the path I should push for regarding #3 - your comments are
welcome!



Duh ... No further comments your honour! I rest my case ...



Cheers!

John Reijnders

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Reijnders
Sent: Friday, January 07, 2005 1:42 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests

Happy New Year to you as well!



In order to make a good decision for yourself whether or not you can
and need to protect yourself against clever Domain Admins, Service Admins and/or
people with physical access to your DCs, some extra info:



Ways to bypass standard security:

- Add the Enterprise Admin SID to your token (e.g. in your SIDHistory). This can
be done by using an 'improved' version of kerberos.dll, which will add the
Enterprise Admin SID to every service ticket.

- You can modify the system software or directory DB to bypass security
checks by:

  o Changing the default

RE: [ActiveDir] Forest trusts vs trusts within forests

2005-01-07 Thread Gil Kirkpatrick



David,

As with most things, it's a cost/benefit question.
Managing an additional forest adds non-trivial costs to the equation,
but provides the security it seems you are looking for.

There's an interesting paper on risk analysis at http://www-2.cs.cmu.edu/~shawnb/SREIS.pdf. It
describes a methodology for assessing IT risk. Basically, you identify possible
threats and rank them according to level of concern. Then for the top N threats
you classify the possible consequences of a successful attack, e.g. compromised
data, lost productivity, regulatory fines, lost prestige, etc. Finally you
assess attack frequencies and calculate a threat index for each threat. The
threat index provides a relative evaluation of the importance of a particular
threat. Then you compare the TI ranking with the initial ranking and resolve the
differences. The idea is to focus on the threats with the highest index.

The value of the process isn't the actual calculation of
the TI; the value is in actually sitting down with your security people and
managers and thinking about threats and consequences, and comparing the
potential costs of attack to the costs of mitigation. It's a good process and
very enlightening, and it forces you to get the right people involved.

-gil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg, David A
Sent: Friday, January 07, 2005 8:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests

First, thanks to all of you for the many well-reasoned replies to my post. You've
confirmed some things for me and filled in some blanks. I'll try to answer
the questions that some of you asked and see what you think.

The motivations for considering another forest are the following:
1) we have some remote sites with workstations that authenticate to the domain so
they can be managed with GPOs and software distribution. They have no real
need to access MS resources at the main site. In some cases, there are
enough of these workstations to warrant a local DC. We don't want DCs for
the one and only existing domain in some of these locations, because we can't
always control physical access to them. An isolated forest (no
trusts) for these would protect the internal forest in the event the new forest
was compromised, compartmentalizing the damage.

2) there's no need to replicate the thousands of internal user and computer
accounts to the locations mentioned above - a new domain, whether it's in a new
forest or not, would eliminate this unwanted replication.

3) some applications require access by vendors, suppliers,
etc. There is some desire to keep such accounts physically separate from
the internal directory. Part of this was because many intranet resources
are granted to 'authenticated users', and people have a hard time realizing that
some clerk at one of our suppliers is just as much an 'authenticated user' as an
internal employee[1]. If such accounts were in a completely isolated
forest (no trusts), they would not be authenticated users in our internal
domain.



Of course, you and I both know that sooner or later (most likely sooner) there will
be an absolute requirement to grant access to resources in one domain for users
from another. I can easily see such needs in both directions here.
So, trusts will be required and the "complete" isolation is gone.

What I'm trying to figure out is whether a separate forest with trusts in both
directions (with SA and SID Filtering) gets me closer to the objective than
a new domain in the existing forest. It seems to me that a new domain in
the existing forest would take care of #2, but not the other issues, which
brings up the new forest idea. I just don't want to introduce a new forest
only to find that the required trusts put me right back in the same situation as
if I had just added a child domain to the existing forest. Comments?

One more question - one document I read indicated that Selective Authentication
works as long as the domain holding the resources is 2000 Native or
better. Other things seem to indicate that both domains must be at W2K3
FFL. Will SA and SID filtering work if the new domain is W2K3 FFL and the
old one is at W2K Native?

[1] Yeah, I know that I could put them in another OU, and the resources
should really be ACLed so only intended groups have access instead of relying on
'authenticated users'. Maybe that's the path I should push for regarding
#3 - your comments are welcome!

  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Reijnders
  Sent: Friday, January 07, 2005 1:42 AM
  To: 'ActiveDir@mail.activedir.org'
  Subject: RE: [ActiveDir] Forest trusts vs trusts within forests
  
  Happy New Year to you as well!
  
  In order to make a good decision for yourself whether
  or not you can and need to protect yourself against clever Domain Admins, Service
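Gil's threat-index process, as an added worked example (it is not from the cited paper, nor from anyone on the thread): rank threats by initial concern, classify the consequences of a successful attack, estimate a frequency, compute an index from both, and list the threats whose index rank disagrees with the initial rank so that the disagreement can be discussed. The consequence weights, the three sample threats (modelled on Dave's scenarios) and their frequencies are constructed assumptions; the paper defines its own scales.

```python
# Added example: a threat-index worksheet following the process Gil outlines
# (rank by concern, classify consequences of the top N, estimate frequency,
# compute an index, compare with the initial ranking). Weights, threats and
# frequencies are constructed for illustration; the cited paper uses its own.
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed relative severity of each consequence class (1 = minor, 10 = severe).
CONSEQUENCE_WEIGHTS = {
    "compromised_data": 10,
    "lost_productivity": 4,
    "regulatory_fines": 7,
    "lost_prestige": 5,
}


@dataclass
class Threat:
    name: str
    concern_rank: int            # initial gut-feel ranking, 1 = most concerning
    consequences: List[str]      # consequence classes a successful attack triggers
    frequency_per_year: float    # estimated successful attacks per year


def threat_index(t: Threat) -> float:
    """Index = (sum of consequence weights) x expected yearly frequency."""
    severity = sum(CONSEQUENCE_WEIGHTS[c] for c in t.consequences)
    return severity * t.frequency_per_year


def rank_by_index(threats: List[Threat], top_n: Optional[int] = None) -> List[Threat]:
    """Threats ordered by descending index, optionally cut to the top N."""
    ranked = sorted(threats, key=threat_index, reverse=True)
    return ranked[:top_n] if top_n is not None else ranked


def reconcile(threats: List[Threat]) -> List[Tuple[str, int, int]]:
    """(name, initial rank, index rank) for every threat whose two ranks disagree.
    These are the items the process says to sit down and resolve."""
    return [
        (t.name, t.concern_rank, pos)
        for pos, t in enumerate(rank_by_index(threats), start=1)
        if pos != t.concern_rank
    ]


# Constructed sample threats modelled on the scenarios discussed in this thread.
SAMPLE_THREATS = [
    Threat("remote-office DC physically compromised", 1,
           ["compromised_data", "lost_prestige"], 0.25),
    Threat("WAN replication outage", 2,
           ["lost_productivity"], 6.0),
    Threat("supplier account reaches resources ACLed to Authenticated Users", 3,
           ["compromised_data", "regulatory_fines"], 2.0),
]

if __name__ == "__main__":
    for t in rank_by_index(SAMPLE_THREATS):
        print(f"{threat_index(t):6.2f}  {t.name}")
    print("to resolve:", reconcile(SAMPLE_THREATS))
```

With these constructed numbers the supplier-account threat (index 34.0) outranks the physically compromised DC (3.75) even though the DC was the bigger gut-feel worry; that gap is exactly the conversation the process is meant to force, not a verdict.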

RE: [ActiveDir] Forest trusts vs trusts within forests

2005-01-07 Thread Fugleberg, David A



Thanks John. To answer your questions:
1) the topology is hub/spoke. I would put a couple DCs for the new
forest in the hub location.
2) Regarding replication, most of these sites have few to no Exchange users - those
that do use OWA. So, I'm not worried about losing the common GC that a single
forest provides. I'll need to work with the Exchange team to see if/how
any future plans impact this assessment, of course. Bandwidth
is not the issue for wanting to compartmentalize replication. It's
more about having a r/w copy of the internal directory at all of these sites
that have no use for it.
3) The applications would by and large be at the central location. Some could
live in the second forest (see #1). I'm certain that the business will
want some of these users to access some apps in the internal forest, though -
hence the need to trust the new forest. I'm also sure that our support
people will want the new forest to trust the internal forest to make it easier
to support.

There's no illusion on my part that any configuration gives me a 100%
security guarantee - if there was, someone would have found it and all of us in
info security would have to find real jobs!

Thanks again for the insights. I truly appreciate getting a sanity check. Around
my company I'm the one people go to for AD expertise, so when I need to
bounce things off of people it's often on this list.

Happy Friday!
Dave

  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Reijnders
  Sent: Friday, January 07, 2005 10:36 AM
  To: 'ActiveDir@mail.activedir.org'
  Subject: RE: [ActiveDir] Forest trusts vs trusts within forests
  
  Hi David,
  
  Take 2 ;-). See inline comments for my ideas.
  
  1) we have some remote
  sites with workstations that authenticate to the domain so they can be managed
  with GPOs and software distribution. They have no real need to access MS
  resources at the main site. In some cases, there are enough of these
  workstations to warrant a local DC. We don't want DCs for the one and
  only existing domain in some of these locations, because we can't always
  control physical access to them. An isolated forest (no trusts) for
  these would protect the internal forest in the event the new forest was
  compromised, compartmentalizing the damage.
  
  I'm interested in the physical structure
  of your network. Are the 'evil' sites fully connected to all other sites
  (centrally and the other 'evil' sites), or is the network topology more like a
  hub-and-spoke model? Implementing a separate domain or forest for the 'evil'
  sites would require some sort of connectivity between them or the
  implementation of a DC for this domain/forest in your central and trustworthy
  site. But you're right that an isolated forest would take care of
  this.
  
  2) there's no need to 
  replicate the thousands of internal user and computer accounts to the 
  locations mentioned above - a new domain, whether it's in a new forest or not, 
  would eliminate this unwanted replication.
  
  There's no need to replicate the user and
  computer accounts, but there might be a need to replicate things like GC info for
  an Exchange address book? Replication has become very efficient in W2003 and I
  wouldn't be surprised if replication traffic wouldn't pose a problem. It
  really depends on the bandwidth you have, but I haven't seen many
  implementations in which replication traffic forced me to implement multiple
  forests/domains.
  
  3) some
  applications require access by vendors, suppliers, etc. There is
  some desire to keep such accounts physically separate from the internal
  directory. Part of this was because many intranet resources are granted
  to 'authenticated users', and people have a hard time realizing that some
  clerk at one of our suppliers is just as much an 'authenticated user' as an
  internal employee[1]. If such accounts were in a completely isolated
  forest (no trusts), they would not be authenticated users in our internal
  domain.
  
  Yep! This calls for a federated forest 
  construction. But are these applications located at the 'evil' sites or is 
  this a totally different geographical spreading that might require an 
  additional forest in the centrally managed site?
  
  What I'm trying to figure
  out is whether a separate forest with trusts in both directions (with SA
  and SID Filtering) gets me closer to the objective than a new domain in
  the existing forest. It seems to me that a new domain in the existing
  forest would take care of #2, but not the other issues, which brings up the
  new forest idea. I just don't want to introduce a new forest only to
  find that the required trusts put me right back in the same situation as if I
  had just added a child domain to the existing forest. Comments?
  
  The most obvious way to ensure 1 and 3 (I 
  don't consider 2 to be a 'real' issue

RE: [ActiveDir] Forest trusts vs trusts within forests

2005-01-07 Thread Mulnick, Al
Out of curiosity, did you get your question answered?  The original that I
read was that you wanted to know if you had two separate forests with
trusts, would that create the same risks as if they were in the same forest.
I *think* I read that correctly.  I think John had a lot of great
information in there, but I got to the thread too late which makes it harder
to read and tell what was said etc.  

Just curious mostly.

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg, David A
Sent: Friday, January 07, 2005 3:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests

Thanks John.  To answer your questions:
1)  the topology is hub/spoke.  I would put a couple DCs for the new forest
in the hub location.
2) Regarding replication, most of these sites have few to no Exchange users
- those that do use OWA.  So, I'm not worried about losing the common GC that a
single forest provides.  I'll need to work with the Exchange team to see
if/how any future plans impact this assessment, of course.  Bandwidth is
not the issue for wanting to compartmentalize replication.  It's more about
having a r/w copy of the internal directory at all of these sites that have
no use for it.
3) The applications would by and large be at the central location.  Some
could live in the second forest (see #1).  I'm certain that the business
will want some of these users to access some apps in the internal forest,
though - hence the need to trust the new forest.  I'm also sure that our
support people will want the new forest to trust the internal forest to make
it easier to support.
 
There's no illusion on my part that any configuration gives me a 100%
security guarantee - if there was, someone would have found it and all of us
in info security would have to find real jobs!
 
Thanks again for the insights. I truly appreciate getting a sanity check.
Around my company I'm the one people go to for AD expertise, so when I need
to bounce things off of people it's often on this list.
 
Happy Friday!
Dave

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Reijnders
Sent: Friday, January 07, 2005 10:36 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests



Hi David,

 

Take 2 ;-). See inline comments for my ideas.

 

1) we have some remote sites with workstations that authenticate to
the domain so they can be managed with GPOs and software distribution.  They
have no real need to access MS resources at the main site.  In some cases,
there are enough of these workstations to warrant a local DC.  We don't want
DCs for the one and only existing domain in some of these locations, because
we can't always control physical access to them.  An isolated forest (no
trusts) for these would protect the internal forest in the event the new
forest was compromised, compartmentalizing the damage.

 

I'm interested in the physical structure of your network. Are the
'evil' sites fully connected to all other sites (centrally and the other
'evil' sites), or is the network topology more like a hub-and-spoke model?
Implementing a separate domain or forest for the 'evil' sites would require
some sort of connectivity between them or the implementation of a DC for this
domain/forest in your central and trustworthy site. But you're right that
an isolated forest would take care of this.

 

2) there's no need to replicate the thousands of internal user and
computer accounts to the locations mentioned above - a new domain, whether
it's in a new forest or not, would eliminate this unwanted replication.

 

There's no need to replicate the user and computer accounts, but there
might be a need to replicate things like GC info for an Exchange address
book? Replication has become very efficient in W2003 and I wouldn't be
surprised if replication traffic wouldn't pose a problem. It really depends
on the bandwidth you have, but I haven't seen many implementations in which
replication traffic forced me to implement multiple forests/domains.

 

3) some applications require access by vendors, suppliers, etc.
There is some desire to keep such accounts physically separate from the
internal directory.  Part of this was because many intranet resources are
granted to 'authenticated users', and people have a hard time realizing that
some clerk at one of our suppliers is just as much an 'authenticated user'
as an internal employee[1].  If such accounts were in a completely isolated
forest (no trusts), they would not be authenticated users in our internal
domain.

 

Yep! This calls for a federated forest construction. But are these
applications located at the 'evil' sites or is this a totally different
geographical spreading that might

RE: [ActiveDir] Forest trusts vs trusts within forests

2005-01-07 Thread Grillenmeier, Guido
I'd say JFK jr. answered it between the lines ;-) Happy New Year John
and all!

A domain in a separate forest with a trust to another forest will be
less risky than a domain within the same forest - esp. under the
circumstances that Dave described (such as limited physical security in
the remote offices).  So without going into details, with the information
given I'd say two forests + trusts is a valid choice.  If you require
Kerberos auth. between the two domains (in the two forests), then both
would need to run 2003.  Otherwise it'll be an NT4-style external trust
using NTLM auth.

Naturally you'll have a little more hassle with DNS, but the second
domain/forest could certainly use a child zone of the existing forest
(e.g. 1st domain = company.com, 2nd domain = child.company.com) and you
will need to set up your zone transfers or forwarding appropriately
(again something which is done more easily with Win2003's conditional
forwarding...)

/Guido


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, January 07, 2005 11:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests

Out of curiosity, did you get your question answered?  The original that
I read was that you wanted to know if you had two separate forests with
trusts, would that create the same risks as if they were in the same
forest.
I *think* I read that correctly.  I think John had a lot of great
information in there, but I got to the thread too late which makes it
harder to read and tell what was said etc.  

Just curious mostly.

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg,
David A
Sent: Friday, January 07, 2005 3:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests

Thanks John.  To answer your questions:
1)  the topology is hub/spoke.  I would put a couple DCs for the new
forest in the hub location.
2) Regarding replication, most of these sites have few to no Exchange
users - those that do use OWA.  So, I'm not worried about losing the common GC
that a single forest provides.  I'll need to work with the Exchange team to
see if/how any future plans impact this assessment, of course.
Bandwidth is not the issue for wanting to compartmentalize replication.
It's more about having a r/w copy of the internal directory at all of
these sites that have no use for it.
3) The applications would by and large be at the central location.  Some
could live in the second forest (see #1).  I'm certain that the business
will want some of these users to access some apps in the internal
forest, though - hence the need to trust the new forest.  I'm also sure that our
support people will want the new forest to trust the internal forest to
make it easier to support.
 
There's no illusion on my part that any configuration gives me a 100%
security guarantee - if there was, someone would have found it and all of
us in info security would have to find real jobs!
 
Thanks again for the insights. I truly appreciate getting a sanity
check.
Around my company I'm the one people go to for AD expertise, so when I
need to bounce things off of people it's often on this list.
 
Happy Friday!
Dave

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Reijnders
Sent: Friday, January 07, 2005 10:36 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests



Hi David,

 

Take 2 ;-). See inline comments for my ideas.

 

1) we have some remote sites with workstations that authenticate
to the domain so they can be managed with GPOs and software
distribution.  They have no real need to access MS resources at the main
site.  In some cases, there are enough of these workstations to warrant
a local DC.  We don't want DCs for the one and only existing domain in
some of these locations, because we can't always control physical access
to them.  An isolated forest (no
trusts) for these would protect the internal forest in the event the new
forest was compromised, compartmentalizing the damage.

 

I'm interested in the physical structure of your network. Are
the 'evil' sites fully connected to all other sites (centrally and the
other 'evil' sites), or is the network topology more like a
hub-and-spoke model?
Implementing a separate domain or forest for the 'evil' sites would
require some sort of connectivity between them or the implementation of
a DC for this domain/forest in your central and trustworthy site. But
you're right that an isolated forest would take care of this.

 

2) there's no need to replicate the thousands of internal user
and computer accounts to the locations mentioned above - a new domain,
whether it's in a new forest or not, would eliminate

RE: [ActiveDir] Forest trusts vs trusts within forests

2005-01-07 Thread Fugleberg, David A
Al - that was basically the first question, and I did get the
confirmation I was looking for.  The other part was regarding the
'functional level' requirements for SA.  I had read conflicting things
there - the one that troubled me was this:
To enable selective authentication on forest trusts, the trusting
forest in which shared resources are located must have the forest
functional level set to Windows Server 2003. To enable selective
authentication on external trusts, the trusting domain in which shared
resources are located must have the domain functional level set to
Windows 2000 native. (From
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/techref/en-us/Default.asp?url=/Resources/Documentation/windowsserv/2003/all/techref/en-us/w2k3tr_trust_security.asp)

The second sentence sounds as though the trusting domain can be at Win2K
Native and still use SA on an external trust.  The info I see other
places (including a post from John) sounds like the trusting domain must
be at least Win2K3 Domain Functional Level.  I'm still not sure
which is true, as I haven't tried it in the lab yet :)  My guess is that
SA is not available until the trusting domain (which would have to stamp
the Other Organization SID in the token) is at W2K3 DFL.

Dave 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, January 07, 2005 4:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests


Out of curiosity, did you get your question answered?  The original that
I read was that you wanted to know if you had two separate forests with
trusts, would that create the same risks as if they were in the same
forest. I *think* I read that correctly.  I think John had a lot of
great information in there, but I got to the thread too late which makes
it harder to read and tell what was said etc.  

Just curious mostly.

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg,
David A
Sent: Friday, January 07, 2005 3:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests

Thanks John.  To answer your questions:
1)  the topology is hub/spoke.  I would put a couple DCs for the new
forest in the hub location.
2) Regarding replication, most of these sites have few to no Exchange
users - those that do use OWA.  So, I'm not worried about losing the common GC
that a single forest provides.  I'll need to work with the Exchange team to
see if/how any future plans impact this assessment, of course.
Bandwidth is not the issue for wanting to compartmentalize replication.
It's more about having a r/w copy of the internal directory at all of
these sites that have no use for it.
3) The applications would by and large be at the central location.  Some
could live in the second forest (see #1).  I'm certain that the business
will want some of these users to access some apps in the internal
forest, though - hence the need to trust the new forest.  I'm also sure that our
support people will want the new forest to trust the internal forest to
make it easier to support.
 
There's no illusion on my part that any configuration gives me a 100%
security guarantee - if there was, someone would have found it and all of
us in info security would have to find real jobs!
 
Thanks again for the insights. I truly appreciate getting a sanity
check. Around my company I'm the one people go to for AD expertise, so
when I need to bounce things off of people it's often on this list.
 
Happy Friday!
Dave

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Reijnders
Sent: Friday, January 07, 2005 10:36 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests



Hi David,

 

Take 2 ;-). See inline comments for my ideas.

 

1) we have some remote sites with workstations that authenticate
to the domain so they can be managed with GPOs and software
distribution.  They have no real need to access MS resources at the main
site.  In some cases, there are enough of these workstations to warrant
a local DC.  We don't want DCs for the one and only existing domain in
some of these locations, because we can't always control physical access
to them.  An isolated forest (no
trusts) for these would protect the internal forest in the event the new
forest was compromised, compartmentalizing the damage.

 

I'm interested in the physical structure of your network. Are
the 'evil' sites fully connected to all other sites (centrally and the
other 'evil' sites), or is the network topology more like a
hub-and-spoke model? Implementing a separate domain or forest for the
'evil' sites would require some sort of connectivity between them or the
implementation of a DC for this domain

RE: [ActiveDir] Forest trusts vs trusts within forests

2005-01-07 Thread Dean Wells
For forest trust: must be forest functional level 2
For external trust: must be domain functional level 2

If an explanation as to why is desirable, please ask ... it's lengthy.


--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg, David A
Sent: Friday, January 07, 2005 5:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests

Al - that was basically the first question, and I did get the confirmation I
was looking for.  The other part was regarding the 'functional level'
requirements for SA.  I had read conflicting things there - the one that
troubled me was this:
To enable selective authentication on forest trusts, the trusting forest in
which shared resources are located must have the forest functional level set
to Windows Server 2003. To enable selective authentication on external
trusts, the trusting domain in which shared resources are located must have
the domain functional level set to Windows 2000 native. (From
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/techref/en-us/Default.asp?url=/Resources/Documentation/windowsserv/2003/all/techref/en-us/w2k3tr_trust_security.asp)

The second sentence sounds as though the trusting domain can be at Win2K
Native and still use SA on an external trust.  The info I see other places
(including a post from John) sounds like the trusting domain must be at
least Win2K3 Domain Functional Level.  I'm still not sure which is true,
as I haven't tried it in the lab yet :)  My guess is that SA is not
available until the trusting domain (which would have to stamp the Other
Organization SID in the token) is at W2K3 DFL.

Dave 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, January 07, 2005 4:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests


Out of curiosity, did you get your question answered?  The original that I
read was that you wanted to know if you had two separate forests with
trusts, would that create the same risks as if they were in the same forest.
I *think* I read that correctly.  I think John had a lot of great
information in there, but I got to the thread too late which makes it harder
to read and tell what was said etc.  

Just curious mostly.

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg, David A
Sent: Friday, January 07, 2005 3:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests

Thanks John.  To answer your questions:
1)  the topology is hub/spoke.  I would put a couple DCs for the new forest
in the hub location.
2) Regarding replication, most of these sites have few to no Exchange users
- those that do use OWA.  So, I'm not worried about losing the common GC that a
single forest provides.  I'll need to work with the Exchange team to see
if/how any future plans impact this assessment, of course.
Bandwidth is not the issue for wanting to compartmentalize replication.
It's more about having a r/w copy of the internal directory at all of these
sites that have no use for it.
3) The applications would by and large be at the central location.  Some
could live in the second forest (see #1).  I'm certain that the business
will want some of these users to access some apps in the internal forest,
though - hence the need to trust the new forest.  I'm also sure that our
support people will want the new forest to trust the internal forest to make
it easier to support.
 
There's no illusion on my part that any configuration gives me a 100%
security guarantee - if there was, someone would have found it and all of us
in info security would have to find real jobs!
 
Thanks again for the insights. I truly appreciate getting a sanity check.
Around my company I'm the one people go to for AD expertise, so when I need
to bounce things off of people it's often on this list.
 
Happy Friday!
Dave

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Reijnders
Sent: Friday, January 07, 2005 10:36 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests



Hi David,

 

Take 2 ;-). See inline comments for my ideas.

 

1) we have some remote sites with workstations that authenticate to
the domain so they can be managed with GPOs and software distribution.  They
have no real need to access MS resources at the main site.  In some cases,
there are enough of these workstations to warrant a local DC.  We don't want
DCs for the one and only existing domain in some of these locations, because
we can't always control physical access to them.  An isolated forest (no
trusts
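Dave's question about the functional level needed for selective authentication, and Dean's answer (forest trust: forest functional level 2; external trust: domain functional level 2), as an added audit example that is not from anyone on the thread. It decodes the trustAttributes bit flags of trustedDomain objects using the documented TRUST_ATTRIBUTE_* values, reports whether a trust has selective authentication (the "authentication firewall") and SID filtering (quarantine) set, and flags trusts whose SA setting cannot be in effect because the trusting side has not reached level 2. The trust records are constructed sample data; the functional levels are assumed to be msDS-Behavior-Version values (2 = Windows Server 2003) already read from the trusting domain and forest.

```python
# Added example: decode trustedDomain.trustAttributes and check each trust
# against the functional-level precondition for selective authentication
# (forest trust: forest level 2; external trust: domain level 2) and for SID
# filtering. Flag values are the documented TRUST_ATTRIBUTE_* constants; the
# trust records and levels used below are constructed sample data.
from typing import Dict, List

TRUST_FLAGS = {  # bit -> name, ascending bit order (trustAttributes)
    0x00000001: "NON_TRANSITIVE",
    0x00000002: "UPLEVEL_ONLY",
    0x00000004: "QUARANTINED_DOMAIN",   # SID filtering on an external trust
    0x00000008: "FOREST_TRANSITIVE",    # forest trust
    0x00000010: "CROSS_ORGANIZATION",   # selective authentication enabled
    0x00000020: "WITHIN_FOREST",        # parent/child or tree-root trust
    0x00000040: "TREAT_AS_EXTERNAL",
}
QUARANTINED_DOMAIN = 0x4
FOREST_TRANSITIVE = 0x8
CROSS_ORGANIZATION = 0x10
WITHIN_FOREST = 0x20

# msDS-Behavior-Version value for Windows Server 2003 (Dean's "functional level 2").
WINDOWS_SERVER_2003_LEVEL = 2


def decode_trust_attributes(value: int) -> List[str]:
    """Names of the flags set in a trustAttributes value, in bit order."""
    return [name for bit, name in TRUST_FLAGS.items() if value & bit]


def audit_trust(trust: Dict, domain_level: int, forest_level: int) -> List[str]:
    """Findings for one trust as seen from the trusting (resource) side.
    trust: {'name': ..., 'trustAttributes': int}; domain_level and forest_level
    are the trusting domain's and forest's msDS-Behavior-Version (assumed read)."""
    attrs = trust["trustAttributes"]
    findings: List[str] = []
    if attrs & WITHIN_FOREST:
        # Same forest: selective authentication is not available at all.
        findings.append("within-forest trust: no authentication firewall possible")
        return findings
    is_forest = bool(attrs & FOREST_TRANSITIVE)
    if attrs & CROSS_ORGANIZATION:
        if is_forest and forest_level < WINDOWS_SERVER_2003_LEVEL:
            findings.append("selective authentication on forest trust requires forest functional level 2")
        if not is_forest and domain_level < WINDOWS_SERVER_2003_LEVEL:
            findings.append("selective authentication on external trust requires domain functional level 2")
    else:
        findings.append("selective authentication off: every trusted user is an Authenticated User here")
    if not is_forest and not (attrs & QUARANTINED_DOMAIN):
        findings.append("external trust without SID filtering (quarantine)")
    return findings


def audit_all(trusts: List[Dict], domain_level: int, forest_level: int) -> Dict[str, List[str]]:
    """Findings per trust name for a list of trustedDomain records."""
    return {t["name"]: audit_trust(t, domain_level, forest_level) for t in trusts}


# Constructed sample trustedDomain records (only the attributes the audit needs).
SAMPLE_TRUSTS = [
    {"name": "partner.example", "trustAttributes": 0x14},     # external, quarantined, SA
    {"name": "remote.example", "trustAttributes": 0x18},      # forest trust with SA
    {"name": "child.corp.example", "trustAttributes": 0x20},  # same forest
    {"name": "legacy.example", "trustAttributes": 0x00},      # external, nothing set
]

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_TRUSTS, domain_level=0, forest_level=0).items():
        print(name, decode_trust_attributes(
            next(t["trustAttributes"] for t in SAMPLE_TRUSTS if t["name"] == name)), findings or ["ok"])
```

The SID-filtering check is deliberately limited to external trusts, since a forest trust quarantines foreign SIDs by default without setting the QUARANTINED_DOMAIN bit; the within-forest case is reported separately because that is the configuration Dave is trying to avoid, where no selective authentication can be applied at all.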

RE: [ActiveDir] Forest trusts vs trusts within forests

2005-01-07 Thread Dean Wells
Does nobody but me like or even prefer stub zones? ;-)

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Friday, January 07, 2005 5:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests

I'd say JFK jr. answered it between the lines ;-) Happy New Year John and
all!

A domain in a separate forest with a trust to another forest will be less
risky than a domain within the same forest - esp. under the circumstances
that Dave described (such as limited physical security in the remote
offices).  So without going in details, with the information given I'd say
two forests + trusts is a valid choice.  If you require Kerberos auth.
between the two domains (in the two forests), then both would need to run
2003.  Otherwise it'll be a NT4 style external trust using NTLM auth.  

Naturally you'll have a little more hassle with DNS, but the second
domain/forest could certainly use a child zone of the existing forest (e.g.
1st-domain = company.com, 2nd-domain = child.company.com) and will need to
setup your zone transfers or forwarding appropriately (again something which
is done more easily with Win2003's conditional
forwarding...)

/Guido


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, January 07, 2005 11:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests

Out of curiosity, did you get your question answered?  The original that I
read was that you wanted to know if you had two separate forests with
trusts, would that create the same risks as if they were in the same forest.
I *think* I read that correctly.  I think John had a lot of great
information in there, but I got to the thread too late which makes it harder
to read and tell what was said etc.  

Just curious mostly.

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg, David A
Sent: Friday, January 07, 2005 3:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests

Thanks John.  To answer your questions:
1)  the topology is hub/spoke.  I would put a couple DCs for the new forest
in the hub location.
2) Regarding replication, most of these sites have few to no Exchange users
- those that do use OWA.  So, I'm not worried about losing the common GC that a
single forest provides.  I'll need to work with the Exchange team to see
if/how any future plans impact this assessment, of course.
Bandwidth  is not the issue for wanting to compartmentalize replication.
It's more about having a r/w copy of the internal directory at all of these
sites that have no use for it.
3) The applications would by and large be at the central location.  Some
could live in the second forest (see #1).  I'm certain that the business
will want some of these users to access some apps in the internal forest,
though- hence the need to trust the new forest.  I'm also sure that our
support people will want the new forest to trust the internal forest to make
it easier to support.
 
There's no illusion on my part that any configuration gives me a 100%
security guarantee - if there was, someone would have found it and all of us
in info security would have to find real jobs!
 
Thanks again for the insights. I truly appreciate getting a sanity check.
Around my company I'm the one people go to for AD expertise, so when I need
to bounce things off of people it's often on this list.
 
Happy Friday!
Dave

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Reijnders
Sent: Friday, January 07, 2005 10:36 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests



Hi David,

 

Take 2 ;-). See inline comments for my ideas.

 

1) we have some remote sites with workstations that authenticate to
the domain so they can be managed with GPOs and software distribution.  They
have no real need to access MS resources at the main site.  In some cases,
there are enough of these workstations to warrant a local DC.  We don't want
DCs for the one and only existing domain in some of these locations, because
we can't always control physical access to them.  An isolated forest (no
trusts) for these would protect the internal forest in the event the new
forest was compromised, compartmentalizing the damage.

 

I'm interested in the physical structure of your network. Are the
'evil' sites fully connected to all other sites (centrally and the other
'evil' sites), or is the network topology more like a hub-and-spoke model?
Implementing a separate domain or forest for the 'evil' sites would require
some sort of connectivity

RE: [ActiveDir] Forest trusts vs trusts within forests

2005-01-07 Thread Deji Akomolafe



Without disagreeing with any of the points you made, don't you think multi-forest deployment is an "overkill" for what he's trying to achieve?

Let's look at the SOW again:


The motivations for considering another forest are the following:
1) we have some remote sites with workstations that authenticate to the domain so they can be managed with GPOs and software distribution. They have no real need to access MS resources at the main site. In some cases, there are enough of these workstations to warrant a local DC. We don't want DCs for the one and only existing domain in some of these locations, because we can't always control physical access to them. An isolated forest (no trusts) for these would protect the internal forest in the event the new forest was compromised, compartmentalizing the damage.

OK, if he does implement a separate forest, he will still NEED Trusts in order to have any relationship between these forests, so we know that the NO TRUST aspect of this requirement can't be met. So, if there is TRUST, and the UNPROTECTED (throw-away) forest is compromised, the malicious 0wn3r now has the ability to compromise the PROTECTED forest as well. I know it is harder to do, but it is a reality

2) there's no need to replicate the thousands of internal user and computer accounts to the locations mentioned above - a new domain, whether it's in a new forest or not, would eliminate this unwanted replication.

Someone already answered this previously, pointing to the enhanced compression and replication algorithm in 2K3. Even so, any replication "storm" will be mostly a one-time incident for the initial synch. So, we can eliminate this from the list of reasons to do a new Forest

3) some applications require access by vendors, suppliers, etc. There is some desire to keep such accounts physically separate from the internal directory. Part of this was because many intranet resources are granted to 'authenticated users', and people have a hard time realizing that some clerk at one of our suppliers is just as much an 'authenticated user' as an internal employee[1]. If such accounts were in a completely isolated forest (no trusts), they would not be authenticated users in our internal domain.

Again, the "no trust" assumption is really not borne out here, as there has to be a trust in order to make any of the other proposals work. Also, wrt applications and vendor accounts, I think the focus really needs to be on putting up an efficient and effective control/authentication/authorization/access mechanism if the applications use Windows accounts. If the applications use their own user accounts, then the "authenticated user" issue is irrelevant. The current permissioning practice that David describes above is THE issue here. Going into a SEPARATE forest will only shift the problem to another forest, rather than removing the problem. Now, if the permissioning (mal-)practice still exists with the applications in the new forest, the same knowledgeable person can still elevate privileges and - by leveraging the TRUST - still create problems for the PROTECTED forest.




Sincerely, Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Grillenmeier, Guido
Sent: Fri 1/7/2005 2:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests
I'd say JFK jr. answered it between the lines ;-) Happy New Year John
and all!

A domain in a separate forest with a trust to another forest will be
less risky than a domain within the same forest - esp. under the
circumstances that Dave described (such as limited physical security in
the remote offices).  So without going in details, with the information
given I'd say two forests + trusts is a valid choice.  If you require
Kerberos auth. between the two domains (in the two forests), then both
would need to run 2003.  Otherwise it'll be a "NT4 style" external trust
using NTLM auth.  

Naturally you'll have a little more hassle with DNS, but the second
domain/forest could certainly use a child zone of the existing forest
(e.g. 1st-domain = company.com, 2nd-domain = child.company.com) and
will need to setup your zone transfers or forwarding appropriately
(again something which is done more easily with Win2003's conditional
forwarding...)

/Guido


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, January 07, 2005 11:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests

Out of curiosity, did you get your question answered?  The original that
I read was that you wanted to know if you had two separate forests with
trusts, would that create the same risks as if they were in the same
forest.
I *think* I read that correctly.  I think John 

RE: [ActiveDir] Forest trusts vs trusts within forests

2005-01-07 Thread Deji Akomolafe



No, Dean. You are all alone in your own little "stubby" world :o)



Actually, I use Stubs, especially in the scenario Guido described. I wouldn't introduce CF or secondaries in that situation.


Sincerely, Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Dean Wells
Sent: Fri 1/7/2005 3:21 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests
Does nobody but me like or even prefer stub zones? ;-)

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Friday, January 07, 2005 5:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests

I'd say JFK jr. answered it between the lines ;-) Happy New Year John and
all!

A domain in a separate forest with a trust to another forest will be less
risky than a domain within the same forest - esp. under the circumstances
that Dave described (such as limited physical security in the remote
offices).  So without going in details, with the information given I'd say
two forests + trusts is a valid choice.  If you require Kerberos auth.
between the two domains (in the two forests), then both would need to run
2003.  Otherwise it'll be a "NT4 style" external trust using NTLM auth.  

Naturally you'll have a little more hassle with DNS, but the second
domain/forest could certainly use a child zone of the existing forest (e.g.
1st-domain = company.com, 2nd-domain = child.company.com) and will need to
setup your zone transfers or forwarding appropriately (again something which
is done more easily with Win2003's conditional
forwarding...)

/Guido


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, January 07, 2005 11:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests

Out of curiosity, did you get your question answered?  The original that I
read was that you wanted to know if you had two separate forests with
trusts, would that create the same risks as if they were in the same forest.
I *think* I read that correctly.  I think John had a lot of great
information in there, but I got to the thread too late which makes it harder
to read and tell what was said etc.  

Just curious mostly.

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg, David A
Sent: Friday, January 07, 2005 3:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests

Thanks John.  To answer your questions:
1)  the topology is hub/spoke.  I would put a couple DCs for the new forest
in the hub location.
2) Regarding replication, most of these sites have few to no Exchange users
- those that do use OWA.  So, I'm not worried about losing the common GC that a
single forest provides.  I'll need to work with the Exchange team to see
if/how any future plans impact this assessment, of course.
Bandwidth  is not the issue for wanting to compartmentalize replication.
It's more about having a r/w copy of the internal directory at all of these
sites that have no use for it.
3) The applications would by and large be at the central location.  Some
could live in the second forest (see #1).  I'm certain that the business
will want some of these users to access some apps in the internal forest,
though- hence the need to trust the new forest.  I'm also sure that our
support people will want the new forest to trust the internal forest to make
it easier to support.
 
There's no illusion on my part that any configuration gives me a 100%
security guarantee - if there was, someone would have found it and all of us
in info security would have to find real jobs!
 
Thanks again for the insights. I truly appreciate getting a sanity check.
Around my company I'm the one people go to for AD expertise, so when I need
to bounce things off of people it's often on this list.
 
Happy Friday!
Dave

	-Original Message-
	From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Reijnders
	Sent: Friday, January 07, 2005 10:36 AM
	To: 'ActiveDir@mail.activedir.org'
	Subject: RE: [ActiveDir] Forest trusts vs trusts within forests
	
	

	Hi David,

	 

	Take 2 ;-). See inline comments for my ideas.

	 

	1) we have some remote sites with workstations that authenticate to
the domain so they can be managed with GPOs and software distribution.  They
have no real need to access MS resources at the main site.  In some cases,
there are enough of these workstations to warrant a local DC.  We don't want
DCs for the one and only existing domain in some of these locations, because
we can't always control physical access to them.
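Added example, not from any post in this thread: the three ways a DNS server in the company.com forest can resolve the second forest's child.company.com zone (Guido's zone names), side by side, since Guido, Dean and Deji each favour a different one. It assumes the DnsServer PowerShell module (Windows Server 2012 or later) and placeholder addresses for the second forest's DNS servers; the dnscmd lines at the end are the Windows Server 2003 equivalents the thread had in mind.

```powershell
# Added example (not from the thread). Three ways a DNS server in the
# company.com forest can learn about the second forest's child.company.com
# zone. DC locator (SRV) lookups across the trust depend on one of these
# being in place on both sides.
# Placeholder addresses; assumes the DnsServer module (Windows Server 2012+).
Import-Module DnsServer

$ChildZone   = 'child.company.com'
$ChildDnsIPs = @('192.0.2.10', '192.0.2.11')   # DNS servers of the second forest (placeholder)

# Option 1: conditional forwarder (the Win2003 feature Guido refers to).
# Queries for the zone are forwarded to the listed servers; nothing from the
# zone is stored here except cached answers. ReplicationScope 'Forest' stores
# the forwarder in AD so every DC running DNS in this forest picks it up.
Add-DnsServerConditionalForwarderZone -Name $ChildZone -MasterServers $ChildDnsIPs -ReplicationScope 'Forest'

# Option 2: stub zone (Dean's and Deji's preference). Only the SOA, NS and
# glue A records are kept and refreshed from the masters, so this server keeps
# following the child zone's name servers if they change, which a static
# forwarder list does not.
# Add-DnsServerStubZone -Name $ChildZone -MasterServers $ChildDnsIPs -ReplicationScope 'Forest'

# Option 3: secondary zone ("zone transfers" in the thread). A full read-only
# copy of child.company.com, including its DC SRV records, is pulled by
# AXFR/IXFR, and the child zone's servers must be configured to allow
# transfers to this server, which is one more thing to lock down between the
# two forests.
# Add-DnsServerSecondaryZone -Name $ChildZone -ZoneFile "$ChildZone.dns" -MasterServers $ChildDnsIPs

# Check what is configured for the zone and where it points.
Get-DnsServerZone -Name $ChildZone | Select-Object ZoneName, ZoneType, IsDsIntegrated, MasterServers

# Same three options with the Windows Server 2003 tool:
#   dnscmd /ZoneAdd child.company.com /Forwarder 192.0.2.10 192.0.2.11
#   dnscmd /ZoneAdd child.company.com /Stub 192.0.2.10 192.0.2.11
#   dnscmd /ZoneAdd child.company.com /Secondary 192.0.2.10 192.0.2.11
```

Whichever option is chosen here, the second forest needs the mirror-image configuration for company.com, or its clients will not find the trusting forest's DCs.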

RE: [ActiveDir] Forest trusts vs trusts within forests

2005-01-07 Thread David Adner
I've seen lots of customers running them, so it's not just you.  :) 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
 Sent: Friday, January 07, 2005 17:22
 To: Send - AD mailing list
 Subject: RE: [ActiveDir] Forest trusts vs trusts within forests
 
 Does nobody but me like or even prefer stub zones? ;-)
 
 --
 Dean Wells
 MSEtechnology
 * Email: [EMAIL PROTECTED]
 http://msetechnology.com
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Grillenmeier, Guido
 Sent: Friday, January 07, 2005 5:24 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Forest trusts vs trusts within forests
 
 I'd say JFK jr. answered it between the lines ;-) Happy New 
 Year John and all!
 
 A domain in a separate forest with a trust to another forest 
 will be less risky than a domain within the same forest - 
 esp. under the circumstances that Dave described (such as 
 limited physical security in the remote offices).  So without 
 going in details, with the information given I'd say two 
 forests + trusts is a valid choice.  If you require Kerberos auth.
 between the two domains (in the two forests), then both would 
 need to run 2003.  Otherwise it'll be a NT4 style external 
 trust using NTLM auth.  
 
 Naturally you'll have a little more hassle with DNS, but the 
 second domain/forest could certainly use a child zone of the 
 existing forest (e.g.
 1st-domain = company.com, 2nd-domain = child.company.com) 
 and will need to setup your zone transfers or forwarding 
 appropriately (again something which is done more easily with 
 Win2003's conditional
 forwarding...)
 
 /Guido
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
 Sent: Friday, January 07, 2005 11:09 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Forest trusts vs trusts within forests
 
 Out of curiosity, did you get your question answered?  The 
 original that I read was that you wanted to know if you had 
 two separate forests with trusts, would that create the same 
 risks as if they were in the same forest.
 I *think* I read that correctly.  I think John had a lot of 
 great information in there, but I got to the thread too late 
 which makes it harder to read and tell what was said etc.  
 
 Just curious mostly.
 
 Al 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Fugleberg, David A
 Sent: Friday, January 07, 2005 3:50 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Forest trusts vs trusts within forests
 
 Thanks John.  To answer your questions:
 1)  the topology is hub/spoke.  I would put a couple DCs for 
 the new forest in the hub location.
 2) Regarding replication, most of these sites have few to no 
 Exchange users
 - those that do use OWA.  So, I'm not worried about losing the 
 common GC that a single forest provides.  I'll need to work 
 with the Exchange team to see if/how any future plans impact 
 this assessment, of course.
 Bandwidth  is not the issue for wanting to compartmentalize 
 replication.
 It's more about having a r/w copy of the internal directory 
 at all of these sites that have no use for it.
 3) The applications would by and large be at the central 
 location.  Some could live in the second forest (see #1).  
 I'm certain that the business will want some of these users 
 to access some apps in the internal forest,
 though- hence the need to trust the new forest.  I'm also 
 sure that our support people will want the new forest to 
 trust the internal forest to make it easier to support.
  
 There's no illusion on my part that any configuration gives 
 me a 100% security guarantee - if there was, someone would 
 have found it and all of us in info security would have to 
 find real jobs!
  
 Thanks again for the insights. I truly appreciate getting a 
 sanity check.
 Around my company I'm the one people go to for AD expertise, 
 so when I need to bounce things off of people it's often on this list.
  
 Happy Friday!
 Dave
 
   -Original Message-
   From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of John 
 Reijnders
   Sent: Friday, January 07, 2005 10:36 AM
   To: 'ActiveDir@mail.activedir.org'
   Subject: RE: [ActiveDir] Forest trusts vs trusts within forests
   
   
 
   Hi David,
 

 
   Take 2 ;-). See inline comments for my ideas.
 

 
   1) we have some remote sites with workstations that 
 authenticate to the domain so they can be managed with GPOs 
 and software distribution.  They have no real need to access 
 MS resources at the main site.  In some cases, there are 
 enough of these workstations to warrant a local DC.  We don't 
 want DCs for the one and only existing domain in some of 
 these locations, because we can't always control physical 
 access to them.  An isolated forest (no
 trusts

RE: [ActiveDir] Forest trusts vs trusts within forests

2005-01-06 Thread Passo, Larry
In real life, you would also want to make use of SID filtering.
http://www.microsoft.com/windows2000/techinfo/administration/security/sidfilter.asp

While multiple forests will give you security advantages, it will also
cause additional administrative overhead.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg,
David A
Sent: Thursday, January 06, 2005 12:32 PM
To: activedir@mail.activedir.org
Subject: [ActiveDir] Forest trusts vs trusts within forests

Happy New Year !
I'm having a design discussion with myself about adding a forest vs
adding a domain to an existing forest.  I understand about the automatic
transitive trust between domains in a forest, and how it's possible for
a clever domain admin in a subdomain to compromise the entire forest.
What I'm shaky on is this:  If you had two single-domain forests, and
established trusts in both directions between them, do you have the same
issues ?  I would think not, because the configuration and schema NCs
are not shared between them, but I'm looking for some confirmation on
that.  Also, since we're talking about two single-domain forests, I'm
guessing that the 'forest trusts' available in W2K3 FFL don't really
come into play here, correct ?  In other words, getting the first domain
to W2K3 FFL doesn't buy anything with respect to this trust ?

Thanks,
Dave

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/




RE: [ActiveDir] Forest trusts vs trusts within forests

2005-01-06 Thread Gil Kirkpatrick
Separate forests should be well protected from each other, with the
possible exception of the SID History exploit, which is prevented by
enabling SID filtering, which I think is on by default now.

-gil 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg,
David A
Sent: Thursday, January 06, 2005 1:32 PM
To: activedir@mail.activedir.org
Subject: [ActiveDir] Forest trusts vs trusts within forests

Happy New Year !
I'm having a design discussion with myself about adding a forest vs
adding a domain to an existing forest.  I understand about the automatic
transitive trust between domains in a forest, and how it's possible for
a clever domain admin in a subdomain to compromise the entire forest.
What I'm shaky on is this:  If you had two single-domain forests, and
established trusts in both directions between them, do you have the same
issues ?  I would think not, because the configuration and schema NCs
are not shared between them, but I'm looking for some confirmation on
that.  Also, since we're talking about two single-domain forests, I'm
guessing that the 'forest trusts' available in W2K3 FFL don't really
come into play here, correct ?  In other words, getting the first domain
to W2K3 FFL doesn't buy anything with respect to this trust ?

Thanks,
Dave



RE: [ActiveDir] Forest trusts vs trusts within forests

2005-01-06 Thread Sakari Kouti
Hi David,

In addition to SID filtering, you can protect a trust between domains in two 
forests (either a forest trust or an external trust) by using selective 
authentication (SA). SA is sometimes called authentication firewall, and the 
idea is that only listed users can access only listed servers across the trust 
(in addition to traditional share and NTFS permissions).

If the new domain creates a new forest, its domain admins are not subject to 
the Enterprise Admins of the existing forest. This may or may not be of 
relevance to you.

I'm not sure if I understand your last question, but a forest trust is only 
possible if both forests are on the WS2003 FFL.

Yours, Sakari


 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Fugleberg, David A
 Sent: Thursday, January 06, 2005 10:32 PM
 To: activedir@mail.activedir.org
 Subject: [ActiveDir] Forest trusts vs trusts within forests
 
 Happy New Year !
 I'm having a design discussion with myself about adding a forest vs
 adding a domain to an existing forest.  I understand about 
 the automatic
 transitive trust between domains in a forest, and how it's 
 possible for
 a clever domain admin in a subdomain to compromise the entire forest.
 What I'm shaky on is this:  If you had two single-domain forests, and
 established trusts in both directions between them, do you 
 have the same
 issues ?  I would think not, because the configuration and schema NCs
 are not shared between them, but I'm looking for some confirmation on
 that.  Also, since we're talking about two single-domain forests, I'm
 guessing that the 'forest trusts' available in W2K3 FFL don't really
 come into play here, correct ?  In other words, getting the 
 first domain
 to W2K3 FFL doesn't buy anything with respect to this trust ?
 
 Thanks,
 Dave
 
 
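Added example, not from any post in this thread: a PowerShell audit of the two trust protections Larry and Sakari describe above, SID filtering and selective authentication, together with the "Allowed to authenticate" grants that SA enforces. It assumes the ActiveDirectory RSAT module (Windows Server 2008 R2 or later), which post-dates the thread; the netdom lines at the end are the 2003-era equivalents, with placeholder domain names.

```powershell
# Added example (not from the thread). Audits every trust of the local domain
# for SID filtering and selective authentication, then lists which computer
# objects grant the Allowed-To-Authenticate right and to whom.
# Assumes the ActiveDirectory RSAT module (Windows Server 2008 R2 or later).
Import-Module ActiveDirectory

# Resolve the rightsGuid of the Allowed-To-Authenticate control access right
# from the Extended-Rights container rather than hard-coding it (it should
# come back as 68b1d179-0d15-4d4f-ab71-46152e79a7bc).
$configNC = (Get-ADRootDSE).configurationNamingContext
$AllowedToAuthGuid = [guid](Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" `
    -LDAPFilter '(cn=Allowed-To-Authenticate)' -Properties rightsGuid).rightsGuid

function Get-TrustHardening {
    # One row per trust. For an external trust the relevant flag is
    # SIDFilteringQuarantined; for a forest trust it is SIDFilteringForestAware.
    # SelectiveAuthentication $false means every trusted-side user who passes
    # SID filtering can get service tickets for any host in this domain.
    Get-ADTrust -Filter * | ForEach-Object {
        [pscustomobject]@{
            Trust                   = $_.Name
            ForestTransitive        = $_.ForestTransitive
            Direction               = $_.Direction
            SIDFilteringQuarantined = $_.SIDFilteringQuarantined
            SIDFilteringForestAware = $_.SIDFilteringForestAware
            SelectiveAuthentication = $_.SelectiveAuthentication
        }
    }
}

function Get-AllowedToAuthenticateGrants {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    # With SA on, a user from the trusted side only gets a service ticket for
    # a host whose computer object grants them this right, so these ACEs are
    # the effective access list of the "authentication firewall".
    Get-ADComputer -Filter * -SearchBase $SearchBase -Properties nTSecurityDescriptor |
        ForEach-Object {
            $computer = $_
            $computer.nTSecurityDescriptor.Access |
                Where-Object {
                    $_.AccessControlType -eq 'Allow' -and
                    $_.ObjectType -eq $AllowedToAuthGuid
                } |
                ForEach-Object {
                    [pscustomobject]@{
                        Computer  = $computer.Name
                        GrantedTo = $_.IdentityReference.Value
                        Inherited = $_.IsInherited
                    }
                }
        }
}

Get-TrustHardening | Format-Table -AutoSize
Get-AllowedToAuthenticateGrants | Sort-Object Computer | Format-Table -AutoSize

# Windows Server 2003-era equivalents for a trust that reports $false above
# (placeholder domain names; run in the trusting domain):
#   netdom trust internal.example /domain:remote.example /quarantine:Yes        (external trust)
#   netdom trust internal.example /domain:remote.example /EnableSIDHistory:No   (forest trust)
#   netdom trust internal.example /domain:remote.example /SelectiveAuth:Yes
```

A grant to a domain local group of the trusting domain shows up here as that group, so resolve its membership separately to see which trusted-side users are actually let through.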


RE: [ActiveDir] Forest trusts vs trusts within forests

2005-01-06 Thread Renouf, Phil
If both domains are single domain forests then a Forest trust isn't as
big a deal since its major selling point is that the trust is
transitive. I suppose that you also would be able to use Kerberos for
cross forest authentication, which is a nice feature that I don't
believe is available in external trusts.

Phil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Sakari Kouti
Sent: Thursday, January 06, 2005 4:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests

Hi David,

In addition to SID filtering, you can protect a trust between domains in
two forests (either a forest trust or an external trust) by using
selective authentication (SA). SA is sometimes called authentication
firewall, and the idea is that only listed users can access only listed
servers across the trust (in addition to traditional share and NTFS
permissions).

If the new domain creates a new forest, its domain admins are not
subject to the Enterprise Admins of the existing forest. This may or may
not be of relevance to you.

I'm not sure if I understand your last question, but a forest trust is
only possible if both forests are on the WS2003 FFL.

Yours, Sakari


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg, 
 David A
 Sent: Thursday, January 06, 2005 10:32 PM
 To: activedir@mail.activedir.org
 Subject: [ActiveDir] Forest trusts vs trusts within forests
 
 Happy New Year !
 I'm having a design discussion with myself about adding a forest vs 
 adding a domain to an existing forest.  I understand about the 
 automatic transitive trust between domains in a forest, and how it's 
 possible for a clever domain admin in a subdomain to compromise the 
 entire forest.
 What I'm shaky on is this:  If you had two single-domain forests, and 
 established trusts in both directions between them, do you have the 
 same issues ?  I would think not, because the configuration and schema

 NCs are not shared between them, but I'm looking for some confirmation

 on that.  Also, since we're talking about two single-domain forests, 
 I'm guessing that the 'forest trusts' available in W2K3 FFL don't 
 really come into play here, correct ?  In other words, getting the 
 first domain to W2K3 FFL doesn't buy anything with respect to this 
 trust ?
 
 Thanks,
 Dave
 
 


RE: [ActiveDir] Forest trusts vs trusts within forests

2005-01-06 Thread Fuller, Stuart
FWIW, White papers of relevance if you haven't seen them already.

The first one will probably answer your questions.  What's the
underlying motivation for two forests??  Reading between the lines, it
sounds like the trust issue may not be the real issue compared to some
other service autonomy or data isolation political issue.

Windows 2000/2003: Multiple Forests Considerations White Paper
http://www.microsoft.com/downloads/details.aspx?FamilyID=b717bfcd-6c1c-4af6-8b2c-b604e60067ba&DisplayLang=en

Design Considerations for Delegation of Administration in Active
Directory
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/plan/addeladm.mspx

Best Practices for Delegating Active Directory Administration
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/actdid1.mspx

-Stuart Fuller

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg,
David A
Sent: Thursday, January 06, 2005 1:32 PM
To: activedir@mail.activedir.org
Subject: [ActiveDir] Forest trusts vs trusts within forests

Happy New Year !
I'm having a design discussion with myself about adding a forest vs
adding a domain to an existing forest.  I understand about the automatic
transitive trust between domains in a forest, and how it's possible for
a clever domain admin in a subdomain to compromise the entire forest.
What I'm shaky on is this:  If you had two single-domain forests, and
established trusts in both directions between them, do you have the same
issues ?  I would think not, because the configuration and schema NCs
are not shared between them, but I'm looking for some confirmation on
that.  Also, since we're talking about two single-domain forests, I'm
guessing that the 'forest trusts' available in W2K3 FFL don't really
come into play here, correct ?  In other words, getting the first domain
to W2K3 FFL doesn't buy anything with respect to this trust ?

Thanks,
Dave



RE: [ActiveDir] Forest trusts vs trusts within forests

2005-01-06 Thread Deji Akomolafe



by using selective authentication (SA). 
Which, in other words, means that SEPARATE FOREST does not in itself protect you from an internal "clever domain admin" in any of the domains/forest. Unless you go through the troubles of SID filtering, SA, and other ACLing. And, even with all that in place, "a clever domain admin" will still be hard to keep out, especially if the admin is clever, malicious and determined at the same time. This goes to show that you don't want to have any "clever domain admin" that you can not completely trust in any part of your infrastructure. This, to me, is your most basic and effective protection.




Sincerely, Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Sakari Kouti
Sent: Thu 1/6/2005 1:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests
Hi David,

In addition to SID filtering, you can protect a trust between domains in two forests (either a forest trust or an external trust) by using selective authentication (SA). SA is sometimes called authentication firewall, and the idea is that only listed users can access only listed servers across the trust (in addition to traditional share and NTFS permissions).

If the new domain creates a new forest, its domain admins are not subject to the Enterprise Admins of the existing forest. This may or may not be of relevance to you.

I'm not sure if I understand your last question, but a forest trust is only possible if both forests are at the WS2003 FFL.

Yours, Sakari


 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Fugleberg, David A
 Sent: Thursday, January 06, 2005 10:32 PM
 To: activedir@mail.activedir.org
 Subject: [ActiveDir] Forest trusts vs trusts within forests
 
 Happy New Year !
 I'm having a design discussion with myself about adding a forest vs
 adding a domain to an existing forest.  I understand about 
 the automatic
 transitive trust between domains in a forest, and how it's 
 possible for
 a clever domain admin in a subdomain to compromise the entire forest.
 What I'm shaky on is this:  If you had two single-domain forests, and
 established trusts in both directions between them, do you 
 have the same
 issues ?  I would think not, because the configuration and schema NCs
 are not shared between them, but I'm looking for some confirmation on
 that.  Also, since we're talking about two single-domain forests, I'm
 guessing that the 'forest trusts' available in W2K3 FFL don't really
 come into play here, correct ?  In other words, getting the 
 first domain
 to W2K3 FFL doesn't buy anything with respect to this trust ?
 
 Thanks,
 Dave
 
 List info   : http://www.activedir.org/mail_list.htm
 List FAQ: http://www.activedir.org/list_faq.htm
 List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
 
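The two steps Sakari describes (selective authentication on the trust, then
Allowed to Authenticate on the resource computer) as an added PowerShell
example. This is not code from the thread or from any of its authors. It
assumes it is run on a DC or RSAT workstation joined to the trusting (resource)
forest with the ActiveDirectory module and netdom available, and uses made-up
names: resource.example is the trusting forest, accounts.example the trusted
forest, FS01 the file server, and FS01-CrossForest-Access a domain-local group
in the trusting domain that holds the trusted-forest users. The rightsGuid for
Allowed-To-Authenticate is the schema value.

```powershell
# Added example, not from the thread. Enable selective authentication on a
# trust and grant "Allowed to Authenticate" on one resource computer.
# Assumed names: resource.example (trusting/resource forest),
# accounts.example (trusted/account forest), FS01, FS01-CrossForest-Access.
Import-Module ActiveDirectory

$trustingDomain = 'resource.example'
$trustedDomain  = 'accounts.example'

# 1. Turn on selective authentication for the trust (the "authentication
#    firewall"). Add /UserD: and /PasswordD: if netdom asks for credentials in
#    the trusted domain. On an external trust, /Quarantine:Yes would also force
#    SID filtering; on a forest trust SID filtering is forest-aware by default.
netdom trust $trustingDomain "/domain:$trustedDomain" /SelectiveAuth:Yes

# 2. Read back the trust object. SelectiveAuthentication corresponds to the
#    TRUST_ATTRIBUTE_CROSS_ORGANIZATION bit (0x10) in trustAttributes.
Get-ADTrust -Identity $trustedDomain -Server $trustingDomain |
    Format-List Name, Direction, TrustType, SelectiveAuthentication,
                SIDFilteringQuarantined, SIDFilteringForestAware

# 3. Grant the control access right on the computer object, not on the share.
#    The grantee is a domain-local group of the trusting domain; the trusted
#    forest's users are made members of that group, so the resource-side admin
#    decides who may even obtain a service ticket for FS01.
$resourceComputer = Get-ADComputer -Identity 'FS01' -Server $trustingDomain
$allowedGroup     = Get-ADGroup -Identity 'FS01-CrossForest-Access' -Server $trustingDomain

# Allowed-To-Authenticate control access right (rightsGuid from the schema)
$allowedToAuthGuid = [guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'

$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $allowedGroup.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $allowedToAuthGuid)

$path = "AD:\$($resourceComputer.DistinguishedName)"
$acl  = Get-Acl -Path $path
$acl.AddAccessRule($ace)
Set-Acl -Path $path -AclObject $acl

# 4. Check: every ACE on FS01 that grants Allowed to Authenticate. Only the
#    principals you intend to let through the trust should appear here.
(Get-Acl -Path $path).Access |
    Where-Object { $_.ObjectType -eq $allowedToAuthGuid -and
                   $_.AccessControlType -eq 'Allow' } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType
```

Step 4 is the check worth repeating on every computer that is supposed to be
reachable across the trust: with selective authentication on, a computer with
no Allow for that GUID is unreachable to trusted-forest users regardless of
share and NTFS permissions, and one with an unexpected Allow is a hole in the
authentication firewall.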





RE: [ActiveDir] Forest trusts vs trusts within forests

2005-01-06 Thread Gil Kirkpatrick
Hear, hear!
 
-gil



From: [EMAIL PROTECTED] on behalf of Deji Akomolafe
Sent: Thu 1/6/2005 8:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests



RE: [ActiveDir] Forest trusts vs trusts within forests

2005-01-06 Thread John Reijnders
Happy New Year to you as well!



In order to make a good decision for yourself whether or not you can
and need to protect yourself against clever Domain Admins, Service Admins and/or
people with physical access to your DCs, some extra info:



Ways to bypass standard security:

- Add the Enterprise Admins SID to your token (e.g. in your SIDHistory). This
  can be done by using an 'improved' version of kerberos.dll, which will add
  the Enterprise Admins SID to every service ticket.

- You can modify the system software or Directory DB to bypass security
  checks by:

  o Changing the default security descriptor for an object class

  o Adding a user to the Enterprise Admins universal group on a GC

  o Executing a logon script in a site GPO

- Or schedule an AT job which runs under Local System credentials.



(Partial) solutions to these problems are:

- Delegation of control

- Physical protection of ALL DCs

- SID filtering (enabled by default)

- Pro-active monitoring (!)

- Multiple forests (!!)



Some benefits of W2K3 trusts:

- Transitive (not really a sexy feature in your 2 single-domain forest
  design)

- You can use Kerberos logon instead of NTLM.

- You can use both implicit and explicit UPN logon over the trust.

- Selective Authentication (which is disabled by default and applies to
  external, realm and forest trusts): This option provides a method that you
  can use to achieve better granularity for authentication requests that come
  across a trust. When you enable it, all authentication is examined on the
  service DC. The service DC verifies that the user is explicitly allowed to
  authenticate to the resource before allowing the authentication request
  through. Because of this, you need to specify which users who come across
  the trust can authenticate to which resources in the domain when you enable
  the SA option across a trust. You can do this if you set up the Allowed to
  Authenticate control access right on an object for that particular user or
  group from the other forest or domain. When a user authenticates across a
  trust with the SA option enabled, a special Other Organization SID is added
  to the user's authorization data. The presence of this SID triggers a
  verification on the service domain to ensure that the user is allowed to
  authenticate to the particular service. After the user is authenticated, the
  server to which the user authenticates adds another SID, the This
  Organization SID.

- You can disable the corresponding DomainInfo record for the domain or the
  TopLevelName record for the tree in the UI. This method is useful when only
  a small part (read: domain) of the other forest is not trusted. Note that
  only authentication requests from users in that domain are disabled when
  you disable a DomainInfo record. When you disable a DomainInfo record,
  authentication requests are not disabled if those authentication requests
  are received from users who are in the local forest if those users want to
  gain access to resources that are in the disabled domain. This is not
  really applicable in your scenario.



If you're going for the multiple forest scenario, consider the
security benefits this will give you and compare them to the additional costs
(extra hardware, no super GC is available by default unless you start using
stuff like MIIS :), extra management, etc.).



Let us know what you end up with and ... why ;-)

Cheers,

John Reijnders



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg, David A
Sent: Thursday, January 6, 2005 21:32
To: activedir@mail.activedir.org
Subject: [ActiveDir] Forest trusts vs trusts within forests



Happy New Year !
I'm having a design discussion with myself about adding a forest vs
adding a domain to an existing forest. I understand about the automatic
transitive trust between domains in a forest, and how it's possible for
a clever domain admin in a subdomain to compromise the entire forest.
What I'm shaky on is this: If you had two single-domain forests, and
established trusts in both directions between them, do you have the same
issues ? I would think not, because the configuration and schema NCs
are not shared between them, but I'm looking for some confirmation on
that. Also, since we're talking about two single-domain forests, I'm
guessing that the 'forest trusts' available in W2K3 FFL don't really
come into play here, correct ? In other words, getting the first domain
to W2K3 FFL doesn't buy anything with respect to this trust ?

Thanks,
Dave

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/





This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete
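An added audit script for the points John makes above about SID filtering,
selective authentication and SIDHistory injection. It is not code from the
thread or its authors. It assumes the ActiveDirectory module and Domain Admin
rights in the forest being checked, and no particular names: it reads whatever
trusts and objects that forest has. The trustAttributes bit values are the ones
from MS-ADTS. A foreign SID in sidHistory is a lead rather than proof, since a
legitimate migration from a since-decommissioned domain looks the same, but a
Domain Admins (RID 512), Schema Admins (518) or Enterprise Admins (519) SID in
sidHistory has no honest explanation.

```powershell
# Added example, not from the thread. Part 1 decodes trustAttributes on every
# trust of this forest so you can see whether SID filtering and selective
# authentication are really set. Part 2 hunts for SIDHistory injection: any
# sidHistory value whose domain is not a domain of this forest, or that carries
# an admin-group RID. Run with the ActiveDirectory module as a Domain Admin.
Import-Module ActiveDirectory

# trustAttributes bit values (MS-ADTS)
$TrustFlags = [ordered]@{
    NON_TRANSITIVE      = 0x01
    UPLEVEL_ONLY        = 0x02
    QUARANTINED_DOMAIN  = 0x04   # SID filtering ("quarantine") on an external trust
    FOREST_TRANSITIVE   = 0x08   # forest trust
    CROSS_ORGANIZATION  = 0x10   # selective authentication
    WITHIN_FOREST       = 0x20
    TREAT_AS_EXTERNAL   = 0x40
    USES_RC4_ENCRYPTION = 0x80
}

function ConvertFrom-TrustAttributes {
    param([int]$Value)
    @($TrustFlags.GetEnumerator() |
        Where-Object { ($Value -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key })
}

# Part 1: one row per trust with the protections discussed in the thread
Get-ADTrust -Filter * | ForEach-Object {
    $flags = ConvertFrom-TrustAttributes -Value $_.TrustAttributes
    [pscustomobject]@{
        Trust               = $_.Name
        Direction           = $_.Direction
        Flags               = ($flags -join ',')
        SIDFilterQuarantine = $_.SIDFilteringQuarantined   # external trusts
        SIDFilterForest     = $_.SIDFilteringForestAware   # forest trusts
        SelectiveAuth       = $_.SelectiveAuthentication   # CROSS_ORGANIZATION bit
    }
} | Format-Table -AutoSize

# Part 2: sidHistory values that should not be in this forest's database
$forestDomainSids = (Get-ADForest).Domains |
    ForEach-Object { (Get-ADDomain -Identity $_).DomainSID.Value }

Get-ADObject -LDAPFilter '(sidHistory=*)' -Properties sidHistory, objectClass |
    ForEach-Object {
        $obj = $_
        foreach ($raw in $obj.sidHistory) {
            # the module normally hands back SecurityIdentifier objects; cope with raw bytes too
            $sid = if ($raw -is [System.Security.Principal.SecurityIdentifier]) { $raw }
                   else { New-Object System.Security.Principal.SecurityIdentifier([byte[]]$raw, 0) }
            $domainSid = $sid.AccountDomainSid

            $reason = $null
            if ($sid.Value -match '-(512|518|519)$') {
                $reason = 'admin group RID (Domain/Schema/Enterprise Admins)'
            } elseif ($null -eq $domainSid) {
                $reason = 'well-known or non-domain SID'
            } elseif ($forestDomainSids -notcontains $domainSid.Value) {
                $reason = 'domain SID not in this forest'
            }

            if ($reason) {
                [pscustomobject]@{
                    Object      = $obj.DistinguishedName
                    ObjectClass = $obj.objectClass
                    SidHistory  = $sid.Value
                    Reason      = $reason
                }
            }
        }
    } | Format-Table -AutoSize
```

Part 2 only catches the variant that lands in the directory. The other vector
John lists, a patched kerberos.dll that stuffs the Enterprise Admins SID into
every service ticket, never writes anything to the DB, which is why SID
filtering at the trust boundary (for SIDs arriving from the other forest) and
physical control plus monitoring of every DC (for SIDs minted inside this
one) are on his list of partial solutions rather than any single check.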