ddkity84
Joined: 30 Jan 2011
Posts: 376
Read: 0 topics
Warnings: 0/5 From: England
Posted: Tue 15:43, 26 Apr 2011 Post subject: Planning Trust Relationships
By: Zhui Meng
Submitted 2011-02-18 02:41:02
As an administrator, you must plan trust relationships to provide users with the access to resources they require. When you add a Windows Server 2003 domain to an existing Windows Server 2003 forest, a tree-root or a parent-child trust is established automatically. Both of these trust relationships are two-way and transitive and are established at the time that the domain is created. Once established, these trust relationships do not need to be managed.
The four remaining types of trusts must be managed.
Accessing Resources Across Domains Joined by Shortcut Trust
Using Active Directory Domains and Trusts, you can determine the scope of authentication between two domains that are joined by a shortcut trust. You can set selective authentication differently for outgoing and incoming shortcut trusts, which allows you to make flexible access control decisions between domains. You set selective authentication on the Outgoing Trust Authentication Level page when you set up a shortcut trust using the New Trust Wizard.
If you use domain-wide authentication on the incoming shortcut trust, users in the second domain have the same level of access to resources in the local domain as users who belong to the local domain. For example, if Domain A has an incoming shortcut trust from Domain B and domain-wide authentication is used, any user from Domain B can access any resource in Domain A (assuming the user has the required permissions).
If you set selective authentication on an incoming shortcut trust, you need to manually assign permissions on each resource to which you want users in the second domain to have access. To do this, set an access control right Allowed To Authenticate on an object for that particular user or group from the second domain.
When a user authenticates across a trust with the Selective authentication option enabled, an Other Organization security ID (SID) is added to the user's authorization data. The presence of this SID prompts a check on the resource domain to ensure that the user is allowed to authenticate to the particular service. Once the user is authenticated, if the Other Organization SID is not already present, the server to which the user authenticates adds the This Organization SID. Only one of these special SIDs can be present in an authenticated user's context.
Administrators in each domain can add objects from one domain to access control lists (ACLs) on shared resources in the other domain. You can use the ACL editor to add or remove objects residing in one domain to ACLs on resources in the other domain. For more information about how to set permissions on resources, refer to Chapter 9, "Administering Active Directory Objects."
Requirements
To create a shortcut trust, you must have Enterprise Admin or Domain Admin privileges in both domains within the forest. Each trust is assigned a password that must be known to the administrators of both domains in the relationship.
This post has been praised 0 times
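The authentication flow described in the post above, as an added example that is not part of the original post or of any Microsoft code: a simplified Python model of how the Other Organization and This Organization SIDs and the Allowed To Authenticate right interact. The SID values (S-1-5-1000, S-1-5-15) and the extended-right GUID are the well-known Windows values and do not appear on the page; the class and function names are hypothetical.

```python
from dataclasses import dataclass, field

# Well-known values (not taken from the post).
THIS_ORGANIZATION = "S-1-5-15"
OTHER_ORGANIZATION = "S-1-5-1000"
# Extended-right GUID of "Allowed To Authenticate" in the AD schema.
ALLOWED_TO_AUTHENTICATE = "68b1d179-0d15-4d4f-ab71-46152e79a7bc"


@dataclass
class Trust:                      # hypothetical model of one trust
    trusted_domain: str
    selective_auth: bool          # False means domain-wide authentication


@dataclass
class Server:                     # hypothetical model of a resource server
    name: str
    # Constructed ACL on the computer object: (trustee SID, right GUID) pairs.
    acl: set = field(default_factory=set)


def cross_trust_sids(user_sids, trust):
    """SIDs in the authorization data once the user has crossed the trust."""
    sids = set(user_sids)
    if trust.selective_auth:
        sids.add(OTHER_ORGANIZATION)   # marks the user as coming from outside
    return sids


def authenticate(sids, server):
    """Return the final SID set, or None when the server refuses the logon."""
    sids = set(sids)
    if OTHER_ORGANIZATION in sids:
        # Selective authentication: an explicit grant on the resource is required.
        principals = sids - {OTHER_ORGANIZATION}
        if not any((s, ALLOWED_TO_AUTHENTICATE) in server.acl for s in principals):
            return None
    else:
        # No Other Organization SID present, so the server adds This Organization.
        sids.add(THIS_ORGANIZATION)
    return sids


def special_sids(sids):
    """The special SIDs present in a context; at most one is ever expected."""
    return sids & {THIS_ORGANIZATION, OTHER_ORGANIZATION}
```

When reviewing a selectively authenticated trust, the servers whose computer objects carry an Allowed To Authenticate entry for a foreign user or group are the ones reachable across it.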