Active Directory Domain Services
Applies to: Office 365
Topic Last Modified: 2014-01-03
Active Directory Domain Services (AD DS) provide secure, structured, hierarchical data storage for objects in a network, such as users, computers, printers, and services. The hierarchical containment structure includes the Active Directory forest, domains in the forest, and organizational units (OUs) in each domain. A server that is running AD DS is called a domain controller. Specific communication protocols are utilized between domain controllers in an AD DS environment. Specific levels of trust also must be established between forests in your on-premises environment and Office 365 environments.
The Active Directory architecture for Office 365 Dedicated plans consists of three types of Active Directory forests: Customer Forests, Microsoft Managed Forests, and Microsoft Management Forests.
Customer Forest
The Customer Forest refers to one or more Active Directory forests and domains that exist in your environment. The Customer Forest contains identity objects including user objects that can be provisioned to use Office 365 services. Your organization chooses and configures the scope of users that will be provisioned for services.
The Customer Forest includes domain controllers dedicated to servicing authentication requests generated by an Office 365 service. The functional level for all your Active Directory forests and domains must be Windows Server 2003 or higher. The Customer Forest may contain your user accounts, contacts, security groups, and distribution groups. You own, manage, and maintain the Customer Forest. Microsoft operations personnel do not have access to the Customer Forest unless you have provided test accounts within the forest.
Microsoft Managed Forest
The Microsoft Managed Forest is a single Active Directory forest that is used by Microsoft to deploy and deliver Office 365 services to your organization. The Managed Forest resides within the Microsoft network and is completely managed by Microsoft.
When your organization subscribes to Office 365, you are provided with your own Managed Forest. The Managed Forest contains Active Directory objects such as users, groups, and contacts. Each of your users has a mail-enabled user account in the Managed Forest that is disabled for logon; this account is provisioned for the Exchange Online and Lync Online services, while authentication continues to be performed by your own Customer Forest.
Microsoft Management Forest
Microsoft Management Forests are single-domain forests that contain the user accounts and security groups required to administer the Microsoft managed environments. Multiple Management Forests exist to fulfill operational and security requirements: Microsoft operates one Management Forest for organizations subscribed to Office 365 Dedicated plans and a separate Management Forest for organizations subscribed to Office 365 Dedicated plans that must comply with U.S. International Traffic in Arms Regulations (ITAR). Only qualified Microsoft personnel can access the Management Forests; your organization has no access to them.
Office 365 administrators must sign in to the Management Forest to gain access to the Microsoft Managed Forest. Microsoft personnel without credentials to access the Management Forest cannot access the Managed Forest. This policy enhances security for the customer accounts that are contained in the Managed Forest.
An Active Directory trust is required to enable authentication between your Customer Forest (and any domains) and the Microsoft Managed Forest. The trust serves as the authentication pipeline that allows users in a domain to access Office 365 resources (such as a mailbox or SharePoint data) in a Microsoft Managed Forest.
Active Directory trusts are implemented between the Microsoft Managed Forest and the Customer Forest. This enables the single sign-on authentication feature of Office 365. Additional information regarding the creation and management of trusts can be found in Active Directory Domains and Trusts.
Microsoft determines the Active Directory trust type to use between your organization and the Microsoft managed environment based on an assessment questionnaire that you complete and information that Microsoft collects from you during deployment planning. The following trust configurations are permitted:
One-way forest trust. Your organization is typically required to implement a one-way forest trust in which the Microsoft Managed Forest trusts the Customer Forest. Forest trusts provide support for the Kerberos authentication protocol and for signing in to Office 365 services using alternate user principal name (UPN) suffixes. They also support the use of universal security groups in the Customer Forest that are included on access control lists (ACLs) for resources in the Microsoft Managed Forest. Because the trust runs in one direction only, accounts in the Microsoft Managed Forest cannot authenticate to resources in the Customer Forest.
Two-way forest trust with selective authentication enabled. This type of trust is only implemented when specific service features are enabled such as Active Directory Rights Management Services (AD RMS) and two-factor authentication with Personal Identity Verification (PIV) cards. For more information, see the Use of Selective Authentication with Two-Way Trusts Only section that follows.
Use of Selective Authentication with Two-Way Trusts Only
Your organization should enable the selective authentication security setting on all two-way trusts from the Customer Forest to the Microsoft Managed Forest. A trust provides a pathway for all authentication requests between the forests. Selective authentication gives Active Directory administrators of the Customer Forest more control over which Microsoft Managed Forest users can access shared resources in the Customer Forest: with selective authentication enabled, a user from the Managed Forest can authenticate to a computer in the Customer Forest only if that computer object explicitly grants the user (or a group the user belongs to) the Allowed to Authenticate permission. The increased control is especially important when administrators need to grant access to shared resources in the Customer Forest to a limited set of Office 365 users from the Microsoft Managed Forest. For more information on selective authentication, see Security Considerations for Trusts.
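The following PowerShell is an added example, not code from the original article or from Microsoft: it shows what selective authentication requires in practice in the Customer Forest, granting a group from the Microsoft Managed Forest the Allowed to Authenticate permission on one server and then auditing an OU for every such grant so the full set of cross-forest access paths can be reviewed. The server name FS01, the group MANAGED\O365-FS01-Users, and the OU path are placeholders; the GUID is the well-known schema GUID of the Allowed-to-Authenticate extended right.

```powershell
# Added example, not code from the original article. Placeholders: FS01,
# MANAGED\O365-FS01-Users, OU=Servers,DC=corp,DC=example. Run on a Customer
# Forest host with the ActiveDirectory module and rights to edit computer ACLs.
Import-Module ActiveDirectory

# Well-known extended-right GUID for Allowed-to-Authenticate. With selective
# authentication enabled, a DC in the Customer Forest checks this right on the
# resource computer object before a Managed Forest user may authenticate to it.
$AllowedToAuthenticate = [guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'

function Grant-AllowedToAuthenticate {
    param(
        [Parameter(Mandatory)][string]$ComputerName,   # computer in the Customer Forest
        [Parameter(Mandatory)][string]$Principal       # DOMAIN\group from the Managed Forest
    )
    $computer = Get-ADComputer -Identity $ComputerName
    $path = "AD:\$($computer.DistinguishedName)"

    # The ACE stores a SID, so the foreign principal must be resolvable across
    # the trust; a failed Translate() usually means the trust is not in place.
    $sid = ([System.Security.Principal.NTAccount]$Principal).Translate(
        [System.Security.Principal.SecurityIdentifier])

    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $AllowedToAuthenticate)

    $acl = Get-Acl -Path $path
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
}

function Get-AllowedToAuthenticateGrants {
    # Lists every Allowed-to-Authenticate ACE on computers under an OU, so the
    # set of principals with a path into the Customer Forest is reviewed as a
    # whole rather than server by server.
    param([Parameter(Mandatory)][string]$SearchBase)

    foreach ($c in Get-ADComputer -Filter * -SearchBase $SearchBase) {
        $acl = Get-Acl -Path "AD:\$($c.DistinguishedName)"
        foreach ($ace in $acl.Access) {
            if ($ace.ObjectType -eq $AllowedToAuthenticate -and
                $ace.AccessControlType -eq 'Allow') {
                [pscustomobject]@{
                    Computer  = $c.Name
                    Principal = $ace.IdentityReference.Value
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

Grant-AllowedToAuthenticate -ComputerName 'FS01' -Principal 'MANAGED\O365-FS01-Users'
Get-AllowedToAuthenticateGrants -SearchBase 'OU=Servers,DC=corp,DC=example' | Format-Table -AutoSize
```

Grant the right to a group rather than to individual users, and keep the audit output: under selective authentication this list is the complete inventory of Managed Forest principals that can reach Customer Forest computers, which is exactly the control the section above describes.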
Your Office 365 users are authenticated by domain controllers in your environment. The domain controllers in the Microsoft Managed Forest participate in the authentication process either by issuing Kerberos referrals and tickets across the forest trust for applications that use the Kerberos protocol, or by passing authentication requests through to your domain controllers for applications that use the NTLM protocol.
Microsoft does not enforce the use of any one authentication protocol on its domain controllers. The configuration of each Office 365 application influences which protocol is used. In practice, both the Kerberos version 5 and NTLM (versions 1 and 2) protocols are available and used in Office 365 Dedicated plans. The Active Directory architecture is optimized for both protocols. For additional overview information for each protocol, see NTLM Overview and Kerberos Authentication Overview.
Establishing the trust requires configuration on both sides:
Configure the trust in the Microsoft Managed Forest.
Configure the trust in the Customer Forest.
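Once both sides are configured, the Customer Forest side can be checked against the configurations the article permits. The PowerShell below is an added example, not code from the original article or from Microsoft: it verifies the forest and domain functional levels, finds the trust object for the Managed Forest, confirms it is a forest trust, and accepts either a one-way trust in which the Managed Forest trusts the Customer Forest or a two-way trust with selective authentication enabled. The name managed.example is a placeholder; the trailing netdom command is an assumed syntax to check against your netdom version.

```powershell
# Added example, not code from the original article. Run in the Customer
# Forest; 'managed.example' is a placeholder for the Managed Forest DNS name.
Import-Module ActiveDirectory

function Test-ManagedForestTrust {
    param([Parameter(Mandatory)][string]$ManagedForest)

    $problems = New-Object System.Collections.Generic.List[string]

    # Forest and domain functional level must be Windows Server 2003 or higher.
    $forest = Get-ADForest
    if ($forest.ForestMode -lt [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2003Forest) {
        $problems.Add("forest functional level $($forest.ForestMode) is below Windows Server 2003")
    }
    foreach ($d in $forest.Domains) {
        $mode = (Get-ADDomain -Identity $d).DomainMode
        if ($mode -lt [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2003Domain) {
            $problems.Add("domain $d functional level $mode is below Windows Server 2003")
        }
    }

    # Direction is relative to the forest the query runs in: 'Inbound' here
    # means the Managed Forest trusts the Customer Forest (the usual one-way case).
    $trust = Get-ADTrust -Filter "Target -eq '$ManagedForest'"
    if (-not $trust) {
        $problems.Add("no trust object found for $ManagedForest")
    } else {
        if (-not $trust.ForestTransitive) {
            $problems.Add('trust is not a forest trust; external and realm trusts are not a permitted configuration')
        }
        switch ($trust.Direction) {
            'Inbound'       { }   # one-way forest trust: Managed Forest trusts Customer Forest
            'BiDirectional' {
                if (-not $trust.SelectiveAuthentication) {
                    $problems.Add('two-way trust without selective authentication')
                }
            }
            default {
                $problems.Add("trust direction $($trust.Direction) is not a permitted configuration")
            }
        }
    }

    [pscustomobject]@{
        ManagedForest = $ManagedForest
        Direction     = $(if ($trust) { $trust.Direction } else { $null })
        ForestTrust   = $(if ($trust) { $trust.ForestTransitive } else { $null })
        SelectiveAuth = $(if ($trust) { $trust.SelectiveAuthentication } else { $null })
        Compliant     = ($problems.Count -eq 0)
        Problems      = $problems
    }
}

Test-ManagedForestTrust -ManagedForest 'managed.example' | Format-List

# To exercise the secure channel itself once both halves exist (assumed netdom
# syntax; confirm against your version), trusting forest first, trusted via /d:
#   netdom trust managed.example /d:corp.example /verify /kerberos
```

Run the check again after Microsoft changes its domain controller deployment or after a trust is recreated; a trust that reports Outbound from the Customer Forest would mean your forest trusts the Managed Forest without the reverse, which is not one of the permitted configurations.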
NAT connection restrictions. Microsoft does not support the implementation of network address translation (NAT) technology between your domain controllers and Microsoft domain controllers. Implementing NAT systems requires a highly specific configuration that is dependent on the networking products used. Even if successfully deployed, NAT systems and devices pose operational risks. They require that you change your NAT configuration when Microsoft modifies its domain controller deployments. Without NAT reconfiguration, Microsoft authentication to the Customer Forest can fail.