
Windows Server 2003: Establishing Trust Relationships Between Domains


1 Windows Server 2003: Establishing Trust Relationships Between Domains
林寶森

2 Trusting and Trusted Domains
Diagram: Domain A and Domain B joined by a trust; one side is labelled Resources (the trusting domain) and the other Accounts (the trusted domain).

3 One-Way and Two-Way Trust
Diagram: a one-way trust links a Resources domain to an Accounts domain; a two-way trust links two domains that each hold Resources/Accounts.

4 Transitive vs. Non-Transitive Trust
Diagram: domains A, B and C. With a transitive trust, A trusting B and B trusting C means A also trusts C; with a non-transitive trust, A does not trust C.

5 Types of Trusts
Diagram: Forest 1 and Forest 2, each with a Forest (root) domain, showing the trust types:
- Tree/Root trust
- Parent/Child trust
- Forest trust (between the two forest roots)
- Shortcut trust
- External trust
- Realm trust (to a Kerberos realm)
Domains are labelled A, B, C, D, E, F, P and Q.

6 Trust Types Associated with Server Operating Systems
- Between Windows Server 2003 forests: forest trusts, or one-way or two-way external trusts
- Between Windows Server 2003 and Windows 2000 forests: one-way or two-way external trusts
- Between Windows Server 2003 and Windows NT 4.0 forests: one-way or two-way external trusts
- Between Windows Server 2003 and servers running other operating systems: realm trust

7 Verifying and Revoking Trusts
To verify and, if necessary, reset this trust relationship, click Verify. This is useful as a troubleshooting tool.
Screenshot: the Trusts tab of the nwtraders.msft Properties dialog (with the contoso.msft Properties dialog behind it), listing "Domains trusted by this domain" and "Domains that trust this domain" with the columns Domain Name, Relationship, Tran…; entries shown are sales.contoso.msft (Shortcut, Yes), marketing.contoso.ms and contoso.msft (Tree Root, Yes), with the buttons Add…, Edit…, Remove and Verify.
Verify a trust or revoke a trust from the Netdom command line:
    NETDOM TRUST trusting_domain_name /Domain:trusted_domain_name /Verify
    NETDOM TRUST trusting_domain_name /Domain:trusted_domain_name /Remove

8 How to Prevent SID Spoofing Using SID Filtering
SID spoofing: when a domain administrator from a trusted domain attaches a well-known security principal onto the SID of a privileged user account from the trusted domain.
SID filtering: enables administrators to discard credentials that use SIDs that are likely candidates for spoofing.
Disabling SID filtering: SID filtering must be disabled to allow migrated users and groups from other domains to access this domain's resources by using SIDHistory:
    netdom trust <TrustingDomainName> /domain:<TrustedDomainName> /quarantine:No

9 How Name Suffix Conflicts Are Detected and Resolved
Name suffix conflicts occur when:
- a DNS name is already in use
- a NetBIOS name is already in use
- a domain SID conflicts with another name suffix SID
Name suffix conflicts in a domain cause access to that domain from outside the forest to be denied.

10 Characteristic of Trusts
- Parent/Child and Tree/Root trust: created automatically; two-way; transitive by default
- Shortcut trust: intra-forest only; one-way; partially transitive
- Forest trust: Windows 2003 forest only
- Realm trust: trust relationships with other operating systems that also support the Kerberos protocol; one-way transitive or one-way non-transitive; uses Kerberos authentication only
- External trust: trust relationships with Windows domains that are not in the same forest; uses NTLM authentication only

11 How NTLM Authentication Works
Diagram (Client, Domain Controller, Security Accounts Database):
1. The client sends the user name and domain to the domain controller.
2. The domain controller returns a nonce.
3. The client applies the user password hash to the nonce (User Password Hash → Nonce) and sends the result.
4. The domain controller retrieves the user password hash from the security accounts database.
5. The domain controller applies the stored user password hash to the same nonce and compares the result with what the client sent.
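The challenge-response exchange in the slide above, written out with both sides' messages as an added example (not code from the presentation). It assumes SHA-256 in place of the MD4-based NT hash and an HMAC in place of the DES-based NTLM response, so that it runs on any Python build; the user name and password are constructed. What it shows that the diagram does not: the password never crosses the wire, the domain controller only needs the stored hash to check the answer (which is why the security accounts database must be protected as carefully as the passwords themselves), and a captured response cannot be replayed against a fresh nonce.

```python
import hashlib
import hmac
import os


def password_hash(password: str) -> bytes:
    # Stand-in for the NT password hash. Real NTLM uses MD4 over the UTF-16LE
    # password; SHA-256 is used here only so the example runs everywhere.
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def compute_response(pw_hash: bytes, nonce: bytes) -> bytes:
    # Steps 3 and 5 of the slide: "User Password Hash -> Nonce". Real NTLMv1
    # DES-encrypts the nonce under the hash; an HMAC keyed with the hash is
    # the stand-in used here.
    return hmac.new(pw_hash, nonce, hashlib.sha256).digest()


class DomainController:
    """Holds the security accounts database: user name -> password hash."""

    def __init__(self, accounts: dict):
        self._sam = {user: password_hash(pw) for user, pw in accounts.items()}
        self._pending = {}  # outstanding nonces keyed by (user, domain)

    def challenge(self, user: str, domain: str) -> bytes:
        # Step 1: the client announced user name and domain.
        # Step 2: reply with a fresh, unpredictable nonce.
        nonce = os.urandom(8)
        self._pending[(user, domain)] = nonce
        return nonce

    def verify(self, user: str, domain: str, response: bytes) -> bool:
        # Step 4: look up the stored hash; step 5: recompute and compare.
        nonce = self._pending.pop((user, domain), None)
        stored = self._sam.get(user)
        if nonce is None or stored is None:
            return False
        return hmac.compare_digest(compute_response(stored, nonce), response)


class Client:
    def __init__(self, user: str, domain: str, password: str):
        self.user, self.domain = user, domain
        self._hash = password_hash(password)  # the password itself never leaves

    def authenticate(self, dc: DomainController) -> bool:
        nonce = dc.challenge(self.user, self.domain)
        return dc.verify(self.user, self.domain, compute_response(self._hash, nonce))


def demo():
    # Constructed account; returns (correct password, wrong password, replay).
    dc = DomainController({"alice": "Correct-Horse-7"})
    good = Client("alice", "CONTOSO", "Correct-Horse-7").authenticate(dc)
    bad = Client("alice", "CONTOSO", "wrong").authenticate(dc)
    # A response is bound to the nonce it answered: after the DC has issued a
    # new nonce, the old response is rejected, which is the point of step 2.
    nonce1 = dc.challenge("alice", "CONTOSO")
    resp1 = compute_response(password_hash("Correct-Horse-7"), nonce1)
    dc.verify("alice", "CONTOSO", resp1)  # consumes nonce1
    dc.challenge("alice", "CONTOSO")      # a second nonce is now pending
    replayed = dc.verify("alice", "CONTOSO", resp1)
    return good, bad, replayed


if __name__ == "__main__":
    print(demo())
```

`demo()` returns `(True, False, False)`: the genuine client is accepted, the wrong password is refused, and the replayed response is refused because the pending nonce has changed.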

12 How Kerberos Authentication Works
Diagram: User, KDC & TGS and Target Server, with the messages labelled User Name, TGT+SA, TGT+Timestamp and KAB.
When a user enters a user name and password, the computer sends the user name to the Key Distribution Centre (KDC). The KDC looks up the user's master key (KA), which is based on the user's password. The KDC then creates two items, a session key (SA) to share with the user, and a Ticket Granting Ticket (TGT). The client computer now has a session key and a TGT. To access a resource, the client presents its TGT and a timestamp encrypted with the session key that is already shared with the KDC. The TGS creates a pair of tickets, one for the client and one for the server the client wants to access resources on. Each ticket contains the name of the user requesting the service, the recipient of the request, a timestamp that declares when the ticket was created, and a time duration that says how long the tickets are valid. Both tickets also contain a new key (KAB).
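The exchange described above carried through in code, as an added example that is not part of the presentation. It keeps the slide's symbols (KA, SA, TGT, KAB) and assumes a toy authenticated cipher (SHA-256 keystream plus HMAC tag) in place of Kerberos' real encryption types, a SHA-256 stand-in for the string-to-key function, a 600-second ticket lifetime and a 300-second clock-skew window; the principals "alice" and "fileserver" are constructed. It shows what the prose only states: a wrong password cannot open the {SA} reply, an expired TGT is refused by the TGS, and the target server validates its ticket with its own key without talking to the KDC.

```python
import hashlib
import hmac
import json
import os
import time

LIFETIME = 600   # seconds a ticket stays valid (constructed value)
MAX_SKEW = 300   # tolerated clock difference for authenticators (constructed)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # SHA-256 in counter mode; a toy stand-in for Kerberos' real ciphers.
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption of a JSON-able dict under a 32-byte key."""
    plain = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, len(plain))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + body, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered ticket")  # wrong password lands here
    return json.loads(bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body)))))


def master_key(password: str) -> bytes:
    # KA is derived from the password; real Kerberos uses a string-to-key KDF.
    return hashlib.sha256(password.encode()).digest()


class KDC:
    """Key Distribution Centre and Ticket Granting Service in one object."""

    def __init__(self, principals: dict):
        self.keys = {name: master_key(pw) for name, pw in principals.items()}
        self.tgs_key = os.urandom(32)  # key that only the KDC/TGS knows

    def as_exchange(self, user: str):
        # User name in; {SA} under KA and a TGT sealed under the TGS key out.
        s_a, now = os.urandom(32), time.time()
        tgt = seal(self.tgs_key, {"user": user, "key": s_a.hex(),
                                  "issued": now, "lifetime": LIFETIME})
        return seal(self.keys[user], {"key": s_a.hex()}), tgt

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, server: str, now: float):
        # TGT + {timestamp} under SA in; a pair of tickets carrying KAB out.
        t = unseal(self.tgs_key, tgt)
        if now > t["issued"] + t["lifetime"]:
            raise PermissionError("TGT expired")
        s_a = bytes.fromhex(t["key"])
        if abs(now - unseal(s_a, authenticator)["timestamp"]) > MAX_SKEW:
            raise PermissionError("authenticator timestamp out of range")
        body = {"user": t["user"], "server": server, "issued": now,
                "lifetime": LIFETIME, "key": os.urandom(32).hex()}
        return seal(s_a, body), seal(self.keys[server], body)


def client_access(kdc: KDC, user: str, password: str, server: str, now=None):
    """Client side: obtain SA and TGT, then a service ticket, then build the request."""
    now = time.time() if now is None else now
    enc_sa, tgt = kdc.as_exchange(user)
    s_a = bytes.fromhex(unseal(master_key(password), enc_sa)["key"])
    authenticator = seal(s_a, {"timestamp": now})
    client_ticket, server_ticket = kdc.tgs_exchange(tgt, authenticator, server, now)
    k_ab = bytes.fromhex(unseal(s_a, client_ticket)["key"])
    return server_ticket, seal(k_ab, {"user": user, "timestamp": now})


def server_accept(server_key: bytes, server: str, server_ticket: bytes,
                  authenticator: bytes, now=None):
    """Target server: validate the ticket with its own key; no KDC round trip."""
    now = time.time() if now is None else now
    t = unseal(server_key, server_ticket)
    if t["server"] != server or now > t["issued"] + t["lifetime"]:
        return None
    auth = unseal(bytes.fromhex(t["key"]), authenticator)  # proves the client holds KAB
    if auth["user"] != t["user"] or abs(now - auth["timestamp"]) > MAX_SKEW:
        return None
    return auth["user"]


def demo():
    kdc = KDC({"alice": "alice-pw", "fileserver": "fileserver-pw"})  # constructed
    ticket, auth = client_access(kdc, "alice", "alice-pw", "fileserver")
    accepted = server_accept(kdc.keys["fileserver"], "fileserver", ticket, auth)
    try:  # wrong password: the {SA} reply cannot be opened
        client_access(kdc, "alice", "guess", "fileserver")
        wrong = "accepted"
    except ValueError:
        wrong = "rejected"
    try:  # stale TGT: present it as if two hours had passed
        client_access(kdc, "alice", "alice-pw", "fileserver", now=time.time() + 7200)
        stale = "accepted"
    except PermissionError:
        stale = "rejected"
    return accepted, wrong, stale


if __name__ == "__main__":
    print(demo())
```

`demo()` returns `("alice", "rejected", "rejected")`. The server ticket is sealed under the server's own key, so only the holder of that key can read KAB; the client's copy is sealed under SA, so only the party that could open the {SA} reply (the one who knows KA) can read it. That is the property the slide's "pair of tickets" provides.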

13 How Kerberos V5 Works
Diagram: Kerberos authentication across two forests, contoso.msft (Forest Root Domain KDC) and nwtraders.msft (KDC). A client in marketing.contoso.msft obtains a session ticket for a server in sales.nwtraders.msft; the numbered steps 1 to 5 pass through the forest root KDC and the server's KDC.

14 How Trusts Work in a Forest
Diagram: a forest with a Forest Root Domain; Tree One contains a Tree Root Domain, Domain 1, Domain 2 and Domain A, and Tree Two contains Domain B and Domain C; a Shortcut Trust is drawn between two domains that are not directly linked by the default parent/child and tree/root trusts.

15 How Trusts Work Across Forests
Diagram: a forest trust between nwtraders.msft and contoso.msft. The numbered steps 1 to 9 show a request from Vancouver (vancouver.nwtraders.msft) to Seattle (seattle.contoso.msft) being referred via the Global catalog of each forest.
