다음을 통해 공유

Active Directory: Configuring 2 Separate Domains with Forest Trust in Virtual Test Environmnent

  • 아티클

What do we need?

  1. Virtual Machine Software that can run multiple operating systems over a single physical host computer
  2. A computer with 64-bit Processor that has Intel Virtualization capabilities to run the Virtual Machines
  3. 2 Domain Controller VMs setup and hosting their own Root Domain ex. DC-Alpha hosting Alpha.ca && DC-Beta hosting Beta.ca

This tutorial will cover using Windows Server 2008 R2 Enterprise as the OS
It will assume that you have an account called "GreatOne" with a password of "01GreatOne"
It will assume that you have the Administrator Account with a password of "01GreatOne"

On both Domain Controllers, If we need to change administrator password:
Right-click Computer > Manage > Configuration > Local Users And Groups > Users > Right click Administrator and choose Set Password -> Enter 01GreatOne

On both Domain Controllers, change IP Address to Static:

  1. Open cmd, type ipconfig
  2. Copy IPv4 Address and Subnet Mask
  3. Open Network and Sharing Center > Change Adapter Settings
  4. Right-click Adapter > Properties > TCP/IPv4 > Properties
  5. Select Use the following IP Address:
    • Copy over IP Address
    • Copy over Subnet Mask
  6. Hit OK

On both Domain Controllers, Install Roles:
Install Active Directory Domain Services, when done start dcpromo.exe

  1. Choose advanced settings
  2. Create a new domain in a new forest
  3. BIOS Name can be left as is
  4. Raise functionality level to 2008 R2
  5. Ensure DNS Server will be installed
  6. If prompted about "A delegation for this DNS server cannot be created" … that's because this is a root domain aka the Forest Domain … there's nothing higher it can resolve itself to be a subdomain of.  Click Yes.

    We will configure DNS stubs to allow communication between domains later on!
  7. Click next to keep default databases
  8. For password, enter 01GreatOne
  9. Install Active Directory Domain Services
  10. Once done, continue and restart the computer when prompted

Make Active Directory Changes:

Create shortcut on desktop:: Start > Admin Tools > Active Directory Users and Computers > Send to Desktop

Open AD Users and Computers

  • View > Click Advanced Features so it's checkmarked
  • Right Click on domain { Alpha.ca , Beta.ca } > Properties > Attribute Editor …. 
    • set pwdHistoryLength=0
    • set pwdProperties=0
  • Under Users OU, add account GreatOne to Domain Admins, also reset password and uncheck "user must change password" … then set the password to 01GreatOne

Create DNS entries to forward requests from one domain to another

If we do not allow the domain to be contacted through DNS, trying to create a forest trust will fail with:

Hint: If we try to ping the other domain, Alpha.ca / Beta.ca , it won't be able to find host.

While there are some tutorials out there for conditional forwarders, I prefer DNS stub zones, they offer a bit of automation by keeping the DNS pointer to another DNS server and then kept up to date through pull requests.

Do the following for both DC-Alpha and DC-Beta

  1. Start > Admin Tools > DNS
  2. In DNS Manager, Expand Domain, right-click Forward Lookup Zones
  3. Click New Zone, hit Next
  4. Select Option Stub zone… for our purposes, uncheck store the zone in AD, it is not needed
  5. For the Zone Name, Type in the other Domain (Alpha.ca, Beta.ca)
  6. Keep default file name, hit next
  7. Add in the IPv4 Address of the DNS Server in charge of that other domain
    • We can get IPv4 address on the virtual machine via cmd > ipconfig
  8. We can wait to ensure that it does find it and resolve it:
  9. Click Next and Finish
  10. We can now Ping the other domain successfully!
  11. HOWEVER, we need to allow each DNS server to allow Zone Transfers of its DNS (in case of updates!)
  12. Under Forward Lookup zones, Right Click Domain of current DNS Server
  13. Click Properties, click Tab "Zone Transfers"
  14. Checkmark Allow Zone Transfers and in this case, we are fine with "To Any Server"

CREATE FOREST TRUST

In this case, we will create a forest trust from DC-Alpha.

  1. Start > Admin Tools > Active Directory Domains and Trusts
  2. Now Right Click the Domain this Domain Controller is hosting
  3. Click Properties
  4. Click the Tab labelled Trusts
  5. Click the button "New Trust…"
  6. Type in the other domain: Beta.ca
  7. Click Next, we should now be able to see the Trust Type section, otherwise, doublecheck DNS entries
  8. Trust Type :: Choose Forest Trust
  9. Trust Direction :: Choose Two-way
  10. Trust Side :: Choose "Both this domain and specified domain"
  11. Enter UserName and Password of a Domain Admin for Beta.ca
    • GreatOne
    • 01GreatOne
  12. Beta.ca Trust Level :: Choose Forest-wide authentication
  13. Alpha.ca Trust Level :: Choose Forest-wide authentication
  14. At this point, confirm we are going to create the trust we wanted
    • This Domain: Alpha.ca
    • Specified domain: Beta.ca
    • Direction: Two-way
    • Trust Type: Forest trust
    • Transitive: Yes
    • Outgoing Trust: Forest-wide
    • Sides of Trust:: Create the Trust for Both
  15. Confirm it created the Trust Successfully!
  16. Confirm Outgoing Trust :: Select "Yes, confirm the outgoing trust"
  17. Confirm Incoming Trust :: Select "Yes, confirm the outgoing trust"
  18. Now Forest Trust is created between two separate Domains Alpha.ca and Beta.ca!
  19. Confirm on DC-Beta that it Trusts now show the following