6. Click Start, type \\serverXX.w2k8adXX.com, and press Enter. You should get an error message similar to Figure 10-16 indicating that the machine you're logging on to is protected by an authentication firewall. Click OK.
7. On ServerXX, open Active Directory Users and Computers. Click the Domain Controllers OU. Right-click ServerXX and click Properties.
8. Click the Security tab. Click Add to open the Select Users, Computers, and Groups dialog box, and then click Locations. Click the w2k8ad1XX.com forest, and then click OK.
9. Type Domain Admins and click Check Names. All users who are members of the Domain Admins group in the w2k8ad1XX.com domain are allowed to authenticate to ServerXX. Click OK.
10. Make sure Domain Admins (w2k8ad1XX\Domain Admins) is selected at the top of the Security tab, click the Allowed to authenticate check box in the Allow column, and then click OK.
11. On Server1XX, try again to access \\serverXX.w2k8adXX.com. You should be successful.
12. In case you want other users to be able to access resources on ServerXX from the w2k8ad1XX.com domain, you should change the authentication type back to forest-wide authentication. On ServerXX, open Active Directory Domains and Trusts. Right-click w2k8adXX.com and click Properties. Click the Trusts tab. Click w2k8ad1XX.com in the top list box, and then click the Properties button. Click the Authentication tab, click the Forest-wide authentication option button, and then click OK twice.
13. Close all open windows on both servers, and stay logged on for the next activity.
SID Filtering
The “Active Directory Migration Tool” section explained that the sIDHistory
attribute is used when migrating accounts from one domain to another. This attribute can also
be used for nefarious purposes to gain administrative privileges in a trusting forest. Suppose
ForestA is trusted by ForestB. An administrator in ForestA can edit the sIDHistory attribute of
a user in ForestA to include the SID of a privileged account in ForestB. When this user logs on
to a domain in ForestB, he or she has the same access as the privileged account.
To counter this security risk, Windows provides a feature called SID filtering (also called SID filter quarantining). SID filtering is enabled by default on external trusts but is disabled on forest trusts. It causes the trusting domain to ignore any SIDs that aren't from the trusted domain. Essentially, the trusting domain ignores the contents of the sIDHistory attribute. SID filtering should be enabled or disabled from the trusting side of the domain and should be used only between forests or with external domains. It shouldn't be used between domains in the same forest because it would break Active Directory replication and automatic transitive trusts.
For Active Directory migration purposes, SID filtering can be disabled but should be reenabled after the migration. To disable SID filtering, use the following command:

    netdom trust TrustingDomainName /domain:TrustedDomainName /quarantine:No
To enable SID filtering, simply change the No to Yes. To check the status of SID filtering,
omit the Yes or No at the end of the command.
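As an added example (not from the textbook), the following PowerShell audit lists every trust of the local domain with its SID filtering state and, for any external or forest trust where quarantining is off and this domain is the trusting side, prints the netdom command from above with Yes in place of No. It assumes the ActiveDirectory module from the Windows Server 2012 or later RSAT is installed and the session can read trust objects.

```powershell
# Added example, not from the textbook. Audits the local domain's trusts and
# reports the SID filter quarantine state of each, so a filter left disabled
# after a migration is caught. Assumes the ActiveDirectory module (RSAT,
# Windows Server 2012 or later) and rights to read trust objects.
Import-Module ActiveDirectory

function Get-SidFilteringReport {
    $trusting = (Get-ADDomain).DNSRoot   # netdom is run from the trusting side

    foreach ($t in Get-ADTrust -Filter *) {
        # Outgoing (or two-way) trusts are the ones where this domain is the
        # trusting domain, so only those are candidates for quarantine here.
        $weTrustThem = $t.Direction -in 'Outbound', 'Bidirectional'
        $filterOff   = -not $t.SIDFilteringQuarantined

        # SID filtering must stay off between domains of the same forest; the
        # text notes it would break replication and automatic transitive trusts.
        $needsAttention = $weTrustThem -and (-not $t.IntraForest) -and $filterOff

        $fix = ''
        if ($needsAttention) {
            $fix = "netdom trust $trusting /domain:$($t.Name) /quarantine:Yes"
        }

        [pscustomobject]@{
            TrustedDomain = $t.Name
            Direction     = $t.Direction
            ForestTrust   = $t.ForestTransitive
            IntraForest   = $t.IntraForest
            Quarantined   = $t.SIDFilteringQuarantined
            Remediation   = $fix
        }
    }
}

$report = Get-SidFilteringReport
$report | Format-Table -AutoSize
$report | Where-Object { $_.Remediation } | ForEach-Object {
    Write-Warning "sIDHistory from $($_.TrustedDomain) is currently honoured; run: $($_.Remediation)"
}
```

Run it on a domain controller after a migration is complete to confirm that each trust the text says should be filtered shows Quarantined set to True.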
You can view and clear the contents of sIDHistory in Attribute Editor and
ADSI Edit, but you can't add or change existing values. If you attempt to
do so, you get an access denied error.
Efficient and accurate replication of changes made to the Active Directory database is critical in
a Windows domain. In Chapter 4, you were introduced to intrasite and intersite replication. This
section expands on the concepts of intrasite replication, and the next section, “Understanding
and Configuring Sites,” discusses intersite replication in more detail.