Primary and Trusted Domains


Domains on Remote Systems

The following terms describe domains that exist on remote systems.

Primary Domain: A Windows 2000 system's primary domain is the domain that is responsible for establishing further trust relationships and performing authentication (or for passing an authentication request on to an appropriate trusted domain). The domain controllers in the primary domain handle or pass along authentication requests that originate at the workstation.

When logon occurs, the LSA checks the built-in and account domains for authentication information. If the account being logged on to is not in either of these domains, the logon request is handed off to the system's primary domain.

Trusted Domain: A trusted domain is a domain that the local system trusts to authenticate users. In other words, if a user or application is authenticated by a trusted domain, this authentication is accepted by all domains that trust the authenticating domain.

On Windows 2000 systems, each child domain (a domain that is subordinate in a domain hierarchy) automatically has a two-way trust relationship with the parent. By default, this trust is transitive, meaning that if a system trusts Domain A, it also trusts all domains that Domain A trusts. Windows 2000 systems also support Windows NT 4.0–style, non-transitive, one-way trusts. This enables Windows 2000 systems to establish trust relationships with Windows NT 4.0 systems, which do not support transitive, two-way trusts.

The LSA has an object type, TrustedDomain, that is used to store information about trust relationships, including the name and security identifier (SID) of the trusted domain and the account in that domain that is used for authentication requests, for name and SID translation requests, and for obtaining the names of domain controllers in the trusted domain.

On Windows 2000 systems, the LSA creates an instance of a Trusted Domain object for each domain trusted by the local system. For example, if a Windows 2000 workstation trusts a Windows 2000 domain controller that in turn trusts four other systems, the workstation (connected using transitive trust) will have five Trusted Domain objects on its local system.

Windows 2000 uses a "tree and forest" metaphor when describing domain relationships in the enterprise system. The domains in the enterprise can be grouped into trees. All domains within a tree automatically trust one another. Further, trees can be grouped into forests, and trusts automatically exist among all trees in a forest. If a domain in one forest establishes a trust with a domain in another forest, a trust is not automatically established with every domain in that forest, because interforest trusts are NTLM trusts: one-way and nontransitive.

Convert a Windows 2000 Server to a Domain Controller

To configure a Domain Controller after a server installation has been completed, and after either the "One or more servers are already on my network" option or the "I will configure this server later" option was selected during the installation, use the following procedure:

  1. Log on as an administrator (if not already logged on).

  2. If the Configure Your Server page is not open, click Start, point to Programs, point to Administrative Tools, and then click on Configure Your Server.

  3. From the left hand column of the Configure Your Server page, click Active Directory.


  4. The Active Directory page will appear with important information about configuring Active Directory. Read the information and scroll down to the bottom of the page to click on the Start the Active Directory Wizard link.


  5. The Active Directory Installation Wizard will appear. Click the Next button to continue.


  6. Select whether the server will be a Domain Controller for a new Domain or whether it will be an additional Domain Controller within an existing Domain, and click the Next button (be sure to read the warning message on selection of the latter).


  7. Follow all the subsequent instructions from the Active Directory Installation Wizard to complete the configuration of the Domain Controller.

Create a new domain tree

Follow these steps to create a new domain tree that is separate from any existing trees:

  1. Click Start, and then click Run.

  2. In the Run dialog box, in the Open box, type dcpromo, and then click OK.

  3. In the Active Directory Installation Wizard, click Next.

  4. In the Domain Controller Type dialog box, select Domain controller for a new domain, and then click Next.

  5. In the Create Tree or Child Domain dialog box, select the Create a new domain tree option, and then click Next.

  6. In the Create or Join a Forest dialog box, select one of the following options:

     Create a new forest of domain trees: select this option if this is the first domain in the organization, or if the new domain is to be completely independent.

     Place this new domain tree in an existing forest: select this option if users in the new domain are to have access to resources in existing domain trees and vice versa.

  7. Click Next.

  8. If the Create a new forest of domain trees option is selected, type the full Domain Name System (DNS) name for the new domain in the New Domain Name dialog box.

  9. In the NetBIOS Domain Name dialog box, type the name that users of earlier versions of Microsoft Windows will use to identify the domain. It is recommended that the default be accepted, which is a shortened version of the full DNS name. Click Next.

  10. In the Database and Log Locations dialog box, accept the default settings. Click Next.

  11. In the Shared System Volume dialog box, accept the default settings. Click Next.

  12. If DNS is not installed on the computer, there will be a prompt to install it. Select Yes, install and configure DNS on this computer, and then click Next.

  13. In the Permissions dialog box, select the Permissions compatible only with Windows 2000 servers option, and then click Next.

  14. In the Directory Services Restore Mode Administrator Password dialog box, do the following:

     Password: type the password that is to be assigned to the Administrator account for the server.

     Confirm password: type the password again to confirm it.

  15. In the Summary dialog box, review the options selected to ensure the Active Directory configuration is correct. If it is, click Next, or to reconfigure selections, click Back.

  16. The Configuring Active Directory dialog box appears, stating that the Active Directory configuration is being installed on the computer.

  17. In the Completing the Active Directory Installation Wizard dialog box, click Finish.

Create a new child domain in an existing domain tree

Follow these steps to create a new domain that is to be a child of an existing domain:

  1. Click Start, and then click Run.

  2. In the Run dialog box, in the Open box, type dcpromo, and then click OK.

  3. In the Active Directory Installation Wizard, click Next.

  4. In the Domain Controller Type dialog box, select Domain controller for a new domain, and then click Next.

  5. In the Create Tree or Child Domain dialog box, select the Create a new child domain in an existing domain tree option, and then click Next.

  6. In the Network Credentials dialog box, type the user name of a domain administrator, the password, and the name of the domain, and then click Next.

  7. In the Child Domain Installation dialog box, do the following:

     Parent domain: type the parent domain name.

     Child domain: type the child domain name.

  8. Click Next.

  9. In the Domain NetBIOS name box, type the name that users of earlier versions of Microsoft Windows will use to identify the domain. It is recommended that the default be accepted, which is a shortened version of the full DNS name. Click Next.

  10. In the Database and Log Locations dialog box, accept the default settings.

  11. In the Shared System Volume dialog box, accept the default settings.

  12. If DNS is not installed on the computer, there will be a prompt to install it. Select Yes, install and configure DNS on this computer, and then click Next.

  13. In the Permissions dialog box, select the Permissions compatible only with Windows 2000 servers option, and then click Next.

  14. In the Directory Services Restore Mode Administrator Password dialog box, do the following:

     Password: type the password that is to be assigned to the Administrator account for the server.

     Confirm password: type the password again to confirm it.

  15. The Configuring Active Directory dialog box appears, stating that the Active Directory configuration is being installed on the computer.

  16. In the Completing the Active Directory Installation Wizard dialog box, click Finish.

Add a Domain Controller to an existing Domain

After multiple domain controllers have been created, Active Directory automatically replicates directory information between them. If a domain controller becomes unavailable, directory information is still available through the other domain controllers.

Follow these steps to add an additional domain controller to an existing domain:

  1. Click Start, and then click Run.

  2. In the Run dialog box, in the Open box, type dcpromo, and then click OK. The Active Directory Installation Wizard will appear. Click Next to continue.


  3. In the Domain Controller Type dialog box, select Additional domain controller for an existing domain. This creates the domain controller as a replication partner. Click Next to continue.

  4. In the Network Credentials dialog box, type the user name of a domain administrator, the password, and the name of the domain, and then click Next.

  5. In the Additional Domain Controller dialog box, enter the name of the domain for which the server will become an additional domain controller. The Browse button may be used to search for the domain. Click Next to continue.

  6. In the Database and Log Location dialog box, accept the defaults, and then click Next.

  7. In the Shared System Volume dialog box, accept the defaults, and then click Next.

  8. In the Directory Services Restore Mode Administrator Password dialog box, leave the boxes blank, and then click Next.

  9. In the Summary dialog box, click Next.

  10. When the Completing Active Directory dialog box appears, click Finish, and then restart the computer.

Configuring one-way nontransitive trusts

Explicit trusts are trust relationships that are created by administrators, as opposed to trusts created automatically during installation of a domain controller. Explicit trusts are created and managed using Active Directory Domains and Trusts.

There may be times when explicit trust relationships need to be created between domains. One example is when domains in disparate forests need to trust one another. An administrator of a domain can accomplish this by setting up a nontransitive, one-way trust with another domain. A nontransitive trust is bounded by the two domains in the trust relationship and does not flow to any other domains in the forest. Remember that establishing the trust makes the local domain the "trusting" domain: it is choosing to trust another domain. It does not mean that the other domain will accept the trust; the administrator of the other domain has to follow the same procedures from that side.

Follow these steps to initiate a one-way trust:

  1. From a domain controller on the trusted domain, start the Active Directory Domains and Trusts snap-in.

  2. Right-click the domain object and select Properties.

  3. Click the Trusts tab.


  4. In the Domains that trust this domain pane, click Add.

  5. In the Add Trusting Domain dialog box, type the name of the trusting domain, type a password, and then type the password again in the Confirm password box.


  6. Click OK.

  7. In the Active Directory dialog box, click OK to verify the trust.

  8. Enter a user name and password of a user that has permissions to modify trust relationships in the trusting domain. There will be a message that states that the trusting domain has been added and the trust verified.

  9. Quit the Active Directory Domains and Trusts console.

  10. On a domain controller in the trusting domain, start the Active Directory Domains and Trusts console.

  11. Right-click the trusting domain and click Properties.

  12. In the Domains trusted by this domain box, click Add.

  13. In the Add Trusted Domain dialog box, type the name of the trusted domain and a password, and then type the password again in the Confirm Password box.

  14. Click OK.
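As an added illustration, not code from the original page, of the trust rules described under Domains on Remote Systems and in the one-way trust discussion above: the model below uses constructed, hypothetical domain names to compute which domains a given domain effectively trusts once the automatic two-way transitive parent/child trusts are combined with a one-way nontransitive interforest trust, so an administrator can check where a logon from a foreign domain would be accepted.

```python
from collections import deque

# A trust is (trusting_domain, trusted_domain, transitive). A two-way trust
# is stored as two one-way entries so that direction is always explicit.
def two_way(a, b, transitive=True):
    return [(a, b, transitive), (b, a, transitive)]

# Constructed topology (hypothetical names): forest "corp.example" has four
# child domains joined by the automatic two-way transitive parent/child
# trusts; a second forest "partner.example" has one child; corp.example
# trusts partner.example through a one-way, nontransitive NT 4.0-style trust.
TRUSTS = (
    two_way("corp.example", "eng.corp.example")
    + two_way("corp.example", "sales.corp.example")
    + two_way("corp.example", "hr.corp.example")
    + two_way("corp.example", "lab.corp.example")
    + two_way("partner.example", "dev.partner.example")
    + [("corp.example", "partner.example", False)]
)

def trusted_domains(trusts, start):
    """Return the set of domains whose authentication `start` accepts.

    Every direct trust counts. A partner reached over a transitive trust
    passes along its own transitive trusts; a nontransitive trust is bounded
    by its two domains, so it is never followed further and is not inherited
    by any other domain in the forest."""
    result, queue = set(), deque()
    for trusting, trusted, transitive in trusts:
        if trusting == start:
            result.add(trusted)
            if transitive:
                queue.append(trusted)
    while queue:
        hop = queue.popleft()
        for trusting, trusted, transitive in trusts:
            if (trusting == hop and transitive
                    and trusted != start and trusted not in result):
                result.add(trusted)
                queue.append(trusted)
    return result

def accepts_logon(trusts, resource_domain, account_domain):
    """True if a user authenticated by account_domain is accepted by
    resource_domain (its own accounts, or those of a domain it trusts)."""
    return (account_domain == resource_domain
            or account_domain in trusted_domains(trusts, resource_domain))
```

Calling `trusted_domains(TRUSTS, "corp.example")` returns the four child domains plus partner.example, while `trusted_domains(TRUSTS, "eng.corp.example")` omits partner.example because the interforest trust is nontransitive, and partner.example trusts nothing in corp.example because the trust is one-way.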