Summary
This article explains how to set up Windows 2000 domain trust relationships between domains in different forests. A trust relationship is a bridge between one domain and another. Once Test.com has established a trust relationship with the DC2.COM domain, the two domains can not only be managed from each other as needed, but can also share and manage network resources such as printers across domains. Building a trust between two Windows 2000 domains in different forests is described in detail below.
Table of Contents
Environment Analysis
Domain Trust Relationship Overview
Configuring DNS
Testing whether DNS is working properly
Establishing DCs for two different forests
Adding the trust relationship with the GUI
Verifying the trust relationship
Reference Information
About the Author
Environment Analysis
The domain Test.com has a primary domain controller named NetitBoy.test.com (IP: 192.168.1.9/24). Company B's domain is DC2.COM, and its primary domain controller is lvfan.dc2.com (IP: 192.168.1.10/24). Test.com and DC2.COM are separate, each the only domain of its own forest (that is, two completely unrelated domains), and a trust relationship is now to be built between them as shown in Figure 1. The goal is the following: Test.com users can access resources in DC2.com, and DC2.com users can access the resources of Test.com.
"Figure 1"
Domain Trust Relationship Overview
Active Directory provides security across domains through trust relationships between them. When a trust relationship exists between domains, the authentication mechanism of each domain trusts the authentication mechanisms of all the other domains. If a user or application is authenticated by one domain, every domain that trusts the authenticating domain accepts that authentication. A user in a trusted domain can access resources in the trusting domain.
For example, for the trust relationship in Figure 1 we can analyze the following three situations:
1. Test.com only trusts the DC2.COM domain: users in DC2.com can access resources on Test.com, but not the other way round.
2. DC2.COM only trusts the Test.com domain: users in Test.com can access resources on DC2.com, but not the other way round.
3. Test.com and DC2.COM trust each other: users on both sides can access the other side's resources.
Because the two domains belong to different forests, the trust between them is not transitive.
Configuring DNS
1. Click Start > Settings > Control Panel > Add/Remove Programs > Add/Remove Windows Components > Networking Services > Domain Name System (DNS) > OK.
2. Click Start > Programs > Administrative Tools > DNS.
Right-click NetitBoy and choose "New Zone" > Next > Standard primary > Next > Forward lookup zone > Next > enter Test.com > Next > Next > Finish.
Right-click the newly created Test.com zone > Properties > Allow dynamic updates > select "Yes" > OK.
3. Create a reverse lookup zone.
Click Reverse Lookup Zones > "New Zone" > Next > Standard primary > Next > Network ID, enter: 192.168.1 > Next > Next > Finish.
Right-click the newly created 192.168.1.x Subnet zone > Properties > Allow dynamic updates > select "Yes" > OK.
4. Note: this step is done after the DC has been created.
Right-click the new Test.com zone > Properties > General > Change > select: Active Directory-integrated > OK.
Right-click the new 192.168.1.x Subnet zone > Properties > General > Change > select: Active Directory-integrated > OK.
The DNS for a single DC is now configured. Next, configure the DNS standard secondary zone.
5. Right-click Forward Lookup Zones > New Zone > Next > Standard secondary > Name, enter: DC2.com > IP address, enter: 192.168.1.10 > Add > Next > Finish.
Right-click the newly created LVFAN.COM zone and select "Transfer from master". If you see what is shown in Figure 2, press F5 to refresh or click "Transfer from master" to transfer the data from the primary server.
"Figure 2"
6. Right-click My Network Places > Properties > Network and Dial-up Connections. Assuming the network connection is named NetitBoy, right-click it > Properties > Internet Protocol (TCP/IP) > Properties > Preferred DNS server, enter: 192.168.1.9
7. Configure DNS on LVFAN in the same way, using the corresponding names.
8. At this point DNS is fully configured.
Testing whether DNS is working properly
1. Check whether the data in the reverse lookup zone can be transferred from the server.
2. Use the nslookup and ping commands.
The result of the test on the NetitBoy computer is shown in Figure 3.
"Figure 3"
The result of the test on the LVFAN computer is shown in Figure 4.
"Figure 4"
Establishing DCs for two different forests
1. Enter the DCPROMO command in the Run dialog.
2. Next > Domain controller for a new domain > Next > Create a new domain tree > Create a new forest of domain trees > enter the full DNS name of the new domain, here: Test.com > Next > Next > A prompt appears, whether to. > Next > Restart your computer immediately
3. On the other computer, enter DC2.com when creating its domain.
Adding the trust relationship with the GUI
1. Click Start > Programs > Administrative Tools > Active Directory Domains and Trusts > right-click Test.com > Properties > Trusts. See Figure 5.
"Figure 5"
Note: Marker 1 indicates that the domains listed are the domains trusted by this domain.
Marker 2 indicates that the domains listed are the domains that trust this domain.
2. Click the Add button marked with the red box; Figure 6 appears.
"Figure 6"
3. Click OK; Figure 7 appears.
"Figure 7"
To establish the trust there is no alternative: we must click "Yes". You are then asked to enter the administrator password of the trusted domain. Click OK and the following prompt window appears. See Figure 8.
"Figure 8"
4. Note: do not be alarmed by the error it returns; nothing is wrong, so continue with the next step.
5. Next: click Start > Programs > Administrative Tools > Active Directory Domains and Trusts > right-click DC2.com > Properties > Trusts. See Figure 9.
"Figure 9"
6. Click the Add button marked with the red box to display the dialog box, enter TEST, the user name and the trust password, and click OK. The prompt window in Figure 10 appears.
"Figure 10"
7. Add the trust relationship once more. The result is the mutual trust described in the domain trust relationship overview.
8. Take a look at the trust now.
9. The trust relationship is now set up. What remains is how to share resources.
Verifying the trust relationship
1. Using the graphical interface: click Start > Programs > Administrative Tools > Active Directory Domains and Trusts > right-click Test.com > Properties > Trusts > Edit > Verify > enter the administrator name and password > OK.
2. Use the nltest command from the Windows 2000 Resource Kit to verify the domain trust relationship.
The result on Test.com is shown in Figure 11.
"Figure 11"
The result on DC2.Com is shown in Figure 12.
"Figure 12"