Example: Extending the Authentication Framework

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

An organization whose Active Directory logical structure includes four forests (forest A, forest B, forest C, and forest D) must extend its authentication framework so that clients in all locations can access resources. The organization also needs to share resources with a Windows NT 4.0 domain, Domain E, and with Kerberos clients running Unix in Unix realm F. Figure 14.7 shows the logical structure of the organization.

Figure 14.7   Organization Logical Structure


To enable the sharing of resources, administrators establish the following trust relationships:

  • A forest trust between forests A and B

  • External trusts from domains in forests A and B to domains in forests C, D, and E

  • External trusts between domains in forests C, D, and E

  • Realm trusts between all domains and realm F
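The trust list above only works because each trust type has a different reach: trusts inside a forest and the forest trust between A and B are transitive, while external and realm trusts cover only the two parties named and are never chained through a third domain. The following script is an added example (not part of the original guide) that models that topology with constructed domain names (corp-a.example, sales.corp-a.example, corp-b.example, corp-c.example, corp-d.example, DOMAINE, REALMF.EXAMPLE) and reports which account/resource pairs still lack an authentication path. It assumes all trusts are two-way unless stated, that the external trusts in a first draft of the worksheet are created only from the forest root domains of A and B, and that the realm trusts are left at their default of non-transitive.

```python
"""
Model of the example trust topology: which account domain can be
authenticated by which resource domain, given the transitivity rules
of each trust type. All domain and realm names are constructed.
"""
from dataclasses import dataclass
from itertools import permutations

# Constructed names (assumption): one root domain per forest, plus a child
# domain in forest A to show what a non-transitive trust does NOT cover.
FORESTS = {
    "A": ["corp-a.example", "sales.corp-a.example"],
    "B": ["corp-b.example"],
    "C": ["corp-c.example"],
    "D": ["corp-d.example"],
}
NT4_DOMAIN = "DOMAINE"             # Windows NT 4.0 domain E (no forest)
KERBEROS_REALM = "REALMF.EXAMPLE"  # Unix Kerberos realm F (no forest)

FOREST_OF = {d: f for f, ds in FORESTS.items() for d in ds}
FOREST_OF[NT4_DOMAIN] = NT4_DOMAIN          # stand-alone: its own "forest"
FOREST_OF[KERBEROS_REALM] = KERBEROS_REALM  # likewise for the realm


@dataclass(frozen=True)
class Trust:
    trusting: str   # side that holds the resources
    trusted: str    # side whose accounts are accepted
    kind: str       # "forest", "external" or "realm"
    two_way: bool = True


def _pairs(trust):
    """Directed (resource side, account side) pairs a trust grants."""
    yield trust.trusting, trust.trusted
    if trust.two_way:
        yield trust.trusted, trust.trusting


def can_authenticate(account_domain, resource_domain, trusts):
    """True if resource_domain will authenticate an account from
    account_domain under these rules:
      - domains of one forest trust each other (transitive tree trusts);
      - a forest trust spans every domain of both forests but is not
        chained through a third forest;
      - external and realm trusts apply only to the two named parties
        (realm trusts modelled as non-transitive, their default)."""
    af, rf = FOREST_OF[account_domain], FOREST_OF[resource_domain]
    if af == rf:
        return True
    for t in trusts:
        for res_side, acct_side in _pairs(t):
            if t.kind == "forest":
                # named between forest roots, covers all domains of both forests
                if FOREST_OF[res_side] == rf and FOREST_OF[acct_side] == af:
                    return True
            elif res_side == resource_domain and acct_side == account_domain:
                return True
    return False


def uncovered_pairs(trusts):
    """All (account_domain, resource_domain) pairs with no authentication path."""
    return [(a, r) for a, r in permutations(list(FOREST_OF), 2)
            if not can_authenticate(a, r, trusts)]


def example_trusts():
    """The trusts listed in the example, with the external trusts created
    only from the forest roots of A and B (a first draft of the worksheet)."""
    ad_domains = [d for ds in FORESTS.values() for d in ds]
    trusts = [Trust("corp-a.example", "corp-b.example", "forest")]
    for root in ("corp-a.example", "corp-b.example"):
        for other in ("corp-c.example", "corp-d.example", NT4_DOMAIN):
            trusts.append(Trust(root, other, "external"))
    trusts.append(Trust("corp-c.example", "corp-d.example", "external"))
    trusts.append(Trust("corp-c.example", NT4_DOMAIN, "external"))
    trusts.append(Trust("corp-d.example", NT4_DOMAIN, "external"))
    for d in ad_domains:  # realm trusts from the Active Directory domains to F
        trusts.append(Trust(d, KERBEROS_REALM, "realm"))
    return trusts


if __name__ == "__main__":
    for a, r in uncovered_pairs(example_trusts()):
        print(f"no path: accounts in {a} are not authenticated by {r}")
```

Running it shows that the child domain sales.corp-a.example reaches forest B through the forest trust but has no path to forests C and D or to Domain E, because the external trusts of its forest root do not extend to it; the worksheet therefore needs an external trust entry for every domain that will use the resource, not just for the forest root. It also shows that Domain E and realm F have no path to each other, which is consistent with the list above (no trust is named between them).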

The organization chooses to deploy smart cards to domain administrators, because these accounts are higher-value targets for attack.

Figure 14.8 shows the worksheet that the organization created to document its extended authentication framework.

Figure 14.8   Example of an Extended Authentication Framework Worksheet
