Sams Teach Yourself MCSE Windows NT Server 4 in 14 Days
(Publisher: Macmillan Computer Publishing)
Author(s): David Schaer, et al
ISBN: 0672311283
Publication Date: 12/15/97
Be careful about this when you are taking the exam. Often a situation will be presented that looks great in other ways (for example, user account and groups are handled appropriately, permissions are assigned, and trusts look right), but a user should not be able to access a resource because the domain in which her user account is located is not directly trusted by the resource domain.
Group Strategies
The strategy for using users and groups in a multiple domain environment is essentially the same as in a single domain environment. User accounts should be placed into appropriate global groups in the trusted domain. These global groups should then be placed into local groups in the trusting domain. You should then assign these local groups the permissions to use the appropriate resources. Remember, only global groups should cross trust relationships. They serve as the vehicle that carries user accounts across the trust.
Technically, it is possible to grant a user account from a trusted domain membership in a local group of a trusting domain. However, putting the users in global groups then granting the global groups the appropriate memberships in local groups is a better long-term methodology.
Remember that local groups cannot cross trusts. There are several questions on the exam where this knowledge is essential.
This strategy is built into the function of Windows NT. For example, when a user account is created on a PDC, that account is automatically made a member of the Domain Users global group. This Domain Users global group is, by default, a member of the local group Users. This means that any new user account created is automatically made a member of the local Users group. Many of the built-in global and local groups in Windows NT exhibit this functionality.
The basic group strategy can be summed up by the acronym AGLP: put user Accounts into Global groups, which should go into Local groups, and assign these Permissions. Many of the questions on the exams will test your knowledge of this procedure in different ways.
Interestingly, the relationships between the computers themselves within a domain are trust relationships. Windows NT computers participating in the domain trust the domain controllers. Because all users and global groups are managed on the PDC, these can cross the trust relationships to be placed into the local groups on the client computers.
Managing Trusts
Administration of a trust account is really limited to the establishment of the trust. There are, however, situations in which a trust relationship can fail. The primary domain controllers maintain the trust. If one of the PDCs is unavailable, the trust will be broken. A PDC might become unavailable when there is a break in the physical network infrastructure, when the PDC is brought down for maintenance, or when the domain is renamed. The only effective way to repair a broken trust is to complete the break on both ends and re-establish it.
The NT 4.0 Resource Kit includes a utility called Domain Monitor, which can confirm the status of trust relationships.
2.7.2. Trusts and Security
The trust relationships themselves do not imply any specific rights. When a trust relationship is established between domains, the administrator of the trusting domain can grant access to its resources to global users and global group accounts from the trusted domain. Unless the administrator grants rights explicitly, the trust confers none.
When a user who is logged on with an account from the trusted domain attempts to access a resource in the trusting domain, the trusting domain passes the supplied logon credentials to the PDC in the trusted domain for verification. Even after the account is validated, the actual rights are dependent on those that have been assigned by the administrator of the trusting domain.
If part of a question on the exam states that a user cannot access a resource across a trust, go back to the basics. Make sure that the trust is established in the right direction. The trusting domain should contain the resource, and the trusted domain should contain the user. Keep in mind that trusts are non-transitive. If all this is correct, check the group assignments. The user should be put into a global group in the trusted domain. That group should be put into a local group in the trusting domain. The local group should be assigned permissions to access the resource. This basic guide will be useful to you on almost every question on the test that involves trusts, and that is most of them!
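To make that checklist concrete, the following is an added example (not code from the book) that models one-way, non-transitive trusts and the AGLP chain and walks through the same checks in order: trust direction, then global group in the trusted domain, then local group and permission in the trusting domain. The domain names, users, groups and share path are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Domain:
    name: str
    trusts: set = field(default_factory=set)          # domains this (trusting) domain trusts directly
    users: dict = field(default_factory=dict)         # user -> global groups the user belongs to
    local_groups: dict = field(default_factory=dict)  # local group -> {(domain, principal)} members
    acl: dict = field(default_factory=dict)           # resource -> local groups granted access

def can_access(domains, user_domain, user, res_domain, resource):
    """Return (allowed, reason). Trust direction is checked first: the resource
    (trusting) domain must trust the account domain directly, because trusts are
    non-transitive. Then only the account and its global groups cross the trust;
    access exists only if one of them sits in a local group named on the ACL."""
    trusting = domains[res_domain]
    if user_domain != res_domain and user_domain not in trusting.trusts:
        return False, f"{res_domain} does not directly trust {user_domain}"
    # Principals able to cross the trust: the account plus its global groups (never local groups).
    crossing = {(user_domain, user)}
    crossing |= {(user_domain, g) for g in domains[user_domain].users.get(user, set())}
    locals_held = {lg for lg, members in trusting.local_groups.items() if members & crossing}
    granted = locals_held & trusting.acl.get(resource, set())
    if granted:
        return True, f"via local group(s) {sorted(granted)}"
    return False, "no local group in the trusting domain grants the permission"

def build_example():
    # Constructed topology: SALES trusts CORP; CORP trusts HR; SALES does NOT trust HR.
    corp = Domain("CORP", trusts={"HR"}, users={"alice": {"Domain Users", "Engineers"}})
    hr = Domain("HR", users={"bob": {"Domain Users"}})
    sales = Domain("SALES", trusts={"CORP"})
    # AGLP: the CORP global group is placed in a SALES local group, which gets the permission.
    sales.local_groups["Report Readers"] = {("CORP", "Engineers")}
    sales.acl["\\\\SALESFS\\Reports"] = {"Report Readers"}
    return {"CORP": corp, "HR": hr, "SALES": sales}

if __name__ == "__main__":
    d = build_example()
    for dom, usr in (("CORP", "alice"), ("HR", "bob")):
        print(dom, usr, can_access(d, dom, usr, "SALES", "\\\\SALESFS\\Reports"))
```

Running it shows alice reaching the share through the global-to-local chain, while bob is refused before any group check because SALES does not trust HR directly, even though CORP does.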
2.8. Domain Models
Proper use of trust relationships enables you to construct a network of almost any size that still maintains the single logon capability. There are various constructs of domain/trust interaction, known as domain models. Microsoft defines four basic types of domain models:
- Single domain model
- Single master domain model
- Multiple master domain model
- Complete trust model
2.8.1. Single Domain
The single domain model is a network consisting of only one domain. This is the model that is used mainly in small to medium-sized networks. With only one domain, user accounts and resources are centralized, and administration is a fairly simple task (see Figure 2.19).
Figure 2.19. A single domain model.