
Sams Teach Yourself MCSE Windows NT Server 4 in 14 Days
(Publisher: Macmillan Computer Publishing)
Author(s): David Schaer, et al
ISBN: 0672311283
Publication Date: 12/15/97



Synchronization traffic can quickly grow out of control on large networks, so the ability to control the process is important. Control becomes especially vital when synchronization must occur over a slow WAN link, particularly if that link must also carry the traffic of user logons and pass-through authentications.

In addition to controlling synchronization with the registry parameters listed in Table 2.4, another useful technique is pausing the NetLogon service. While the service is paused, synchronization can still occur, but validation of logon requests and pass-through authentication do not.

Experiment with pausing the different services on your NT Server. Pausing different services causes different effects, some of which can be quite useful.

It is possible to request synchronization between a single BDC and the PDC, as shown in Figure 2.12, by selecting the BDC in Server Manager and selecting the option to synchronize with the primary domain controller. You might choose to synchronize a single BDC if you have recently added several user accounts that will be validated by a specific server because of physical proximity. You might also do this if a WAN link has been down and the BDC on the other end must be brought up to date.


Figure 2.12.  Server Manager synchronizing a single BDC with the PDC.

Forcing synchronization between the PDC and BDCs only speeds up what would occur automatically anyway. Force synchronization only when the SAM databases must be updated immediately. Chapter 8, “Managing Network Resources,” takes a closer look at domain models and controlling synchronization.

A request to synchronize the entire domain can also be performed through Server Manager, as shown in Figure 2.13. The PDC must be the selected computer in order to synchronize the entire domain. Because synchronizing the entire domain can place high stress on the network, it is better to synchronize only a specific BDC if that will be sufficient.


Figure 2.13.  Server Manager synchronizing the KNOWLEDGE domain.

2.7. Trust Relationships

Without a trust relationship, two domains, even if connected by a physical medium, can have no regular communications. Trust relationships provide a secure channel for users and resources from different domains to interact.

A domain that trusts another domain is called a trusting domain; the domain being trusted is the trusted domain. The trusting domain is entrusting its resources to the users from the trusted domain. Diagrammatically, trusts are always defined by an arrow pointing from the trusting domain to the trusted domain (see Figure 2.14).


Figure 2.14.  Fargo trusts Chicago.

Trusts by themselves do not provide any permissions. The administrator of the trusting domain still controls access to resources. The administrator of a trusting domain can grant access to any user or group account in its own domain or to any global user or global group account in any domain that it trusts.

2.7.1. Implementing a Trust Relationship

Implementing and managing a trust relationship is a fairly simple task. The following are the requirements for a trust relationship:

  The domains in the relationship must share a permanent connection.
  The domains must also share a common networking protocol.
  Only the PDCs of the domains can establish the trust.
  Only members of the Administrators group can establish a trust.

Setting Trusts

The procedure for setting trusts is quite straightforward, but the trust must be set up on both the PDC of the trusting domain and the PDC of the trusted domain. To establish a trust, use User Manager for Domains. Choose Trust Relationships from the Policies menu to bring up the Trust Relationships dialog box shown in Figure 2.15.


Figure 2.15.  Setting up trust relationships.

This dialog box enables you to choose what domains the PDC you are administering trusts, as well as which domains are permitted to trust it. To give permission to a domain to trust your domain, select the Add button next to the Trusting Domains window. Simply type the name of the domain to which you want to give the permission, as shown in Figure 2.16.

Note that you can also assign a password to this permission. This is not the same as the administrator’s logon password. It is simply a password protecting against an unauthorized link.


Figure 2.16.  Allowing other domains to trust your domain.

The procedure for choosing which domains your domain trusts is quite similar. From the Trust Relationships dialog box shown in Figure 2.15, select Add next to the Trusted Domains window to bring up the dialog box shown in Figure 2.17.


Figure 2.17.  Trusting other domains.

Simply enter the domain that you want to trust and a password, if there is one. If your domain is permitted to trust the domain you have entered, the relationship will be successfully established.

Which end of a trust relationship you set up first is not critical. It is usually better, however, to configure the trusted domain first. This way, the new trust relationship takes effect immediately. If the trusting domain is configured first, it can take up to 15 minutes before the trust relationship takes effect.

After you have established the trust relationship, global users and global groups from the trusted domain can be granted resource privileges or local group membership in the trusting domain.

Often, you will see a type of trust named a two-way trust, in which two domains trust one another. Two-way trusts are simply two separately established one-way trusts, and you would follow the procedure above to establish each trust.

Another important point to be aware of when planning trust relationships is that trusts are non-transitive. That is, the trusts do not flow through the network. Consider Figure 2.18. Domain A trusts Domain B. Domain B trusts Domain C. However, Domain A does not trust Domain C unless an additional trust relationship is established between Domains A and C.


Figure 2.18.  Trusts are non-transitive.
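
The trust rules in this section, modeled as an added example that is not from the book: a trust exists only when both PDCs have configured their half, cross-domain access is limited to global users and global groups, and trusts do not chain. Domains A, B and C follow Figure 2.18; the `Domain` class, the function names, the passwords, the half-configured domain D and the assumption that both sides must hold the same password are constructed for illustration.

```python
from dataclasses import dataclass, field

GLOBAL_KINDS = {"global user", "global group"}

@dataclass
class Domain:
    name: str
    # "Trusting Domains" list: domains permitted to trust this one -> password
    permits: dict = field(default_factory=dict)
    # "Trusted Domains" list: domains this one trusts -> password entered
    trusts: dict = field(default_factory=dict)

def established(trusting, trusted):
    """A one-way trust exists only when both halves are configured.
    Assumption: the passwords entered on each side must match."""
    pw = trusted.permits.get(trusting.name)
    return pw is not None and trusting.trusts.get(trusted.name) == pw

def can_grant(resource_dom, account_dom, kind):
    """Can the trusting domain's administrator grant access to this account?"""
    if resource_dom is account_dom:
        return True  # any user or group account in its own domain
    # From another domain: global accounts only, over a direct trust only.
    return kind in GLOBAL_KINDS and established(resource_dom, account_dom)

def direct_trusts(domains):
    return {d.name: {t.name for t in domains if t is not d and established(d, t)}
            for d in domains}

def chained_only(domains):
    """(trusting, trusted) pairs reachable only by following a chain of trusts.
    These are the pairs a reviewer might wrongly assume exist; NT 4 trusts
    are non-transitive, so none of them is a real trust."""
    direct, result = direct_trusts(domains), set()
    for start in direct:
        seen, stack = set(), list(direct[start])
        while stack:
            cur = stack.pop()
            if cur not in seen:
                seen.add(cur)
                stack.extend(direct[cur])
        result |= {(start, far) for far in seen - direct[start] - {start}}
    return result

# Constructed sample data: A trusts B, B trusts C (Figure 2.18).
A = Domain("A", trusts={"B": "pw-ab"})
B = Domain("B", permits={"A": "pw-ab"}, trusts={"C": "pw-bc"})
C = Domain("C", permits={"B": "pw-bc"})
D = Domain("D", trusts={"C": "pw-dc"})  # C never permitted D: no trust
DOMAINS = [A, B, C, D]
```

Running `chained_only` over an inventory of configured trusts lists the domain pairs that need their own explicit trust before any access can be granted between them.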

