MCITP Certificate Forest Schema Cross-forest Authentication

Author: carling | Posted: 24.01.2012

But what if, for some reason, these two independent structures had to merge or needed complete access to each other's resources? They could form a "forestwide" trust. This means each forest would trust the other in its entirety, and each forest would be able to use the other's authentication scheme.

In theory (and sometimes in practice), this is a good idea, because it really does ease the effort of having an administrator administer two different structures. Effectively, they almost become one, because administrators can more easily define trusts and access. However, most of the time, administrators require a finer-grained level of control. Thus, forests can also trust each other through the process of selective authentication.

In selective authentication, users are not allowed to authenticate to a specific domain controller unless an administrator has specifically authorized this. The usefulness of this is that it keeps users from wandering into places that they aren't supposed to be and, well, messing things up. So, for instance, in our example, MyCorp could authenticate to MegaCorp's resources through a selective trust that allows users only in an individual domain (say Tokyo) to access resources in the MegaCorp forest. Otherwise, the users would be denied. By doing this, we tighten up security and make sure there aren't any authentication leaks. It's a good security practice and usually required by most enterprises.

Trusts are said to be either intraforest, meaning that the trust exists solely in its own self-contained forest, or interforest, meaning the trust extends between two different forests. Within an intraforest trust, you will normally see the following types of trusts being utilized:

Tree-root
Parent-child
Shortcut

This is because, by default, a two-way transitive relationship exists between tree-root domains and, accordingly, between parent-child domains. Shortcut trusts are most commonly seen at the intraforest level because they remove a burden from machines higher up in the forest structure: the two domains can validate each other directly instead. It's like being in a classroom and giving two students permission to grade each other's homework. It's a shortcut, because they'll get it done more quickly than you will, plus it removes a burden from the teacher.
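As an added example (not code from the article), here is a PowerShell audit over the trust types described above: it classifies each trust as intraforest or interforest and flags forest trusts that still rely on forest-wide authentication rather than selective authentication. It assumes the RSAT ActiveDirectory module is installed, and the domain names in the remediation comment are placeholders.

```powershell
# Added example, not code from the article: audit the trusts known to a domain
# and flag interforest trusts that use forest-wide rather than selective
# authentication. Assumes the RSAT ActiveDirectory module is installed and the
# caller can read the domain's trustedDomain objects.
Import-Module ActiveDirectory

function Get-TrustAuthenticationAudit {
    [CmdletBinding()]
    param(
        # Domain controller or domain to query; defaults to the caller's domain.
        [string]$Server
    )

    $query = @{ Filter = '*' }
    if ($Server) { $query['Server'] = $Server }

    foreach ($trust in Get-ADTrust @query) {
        # Intraforest trusts (tree-root, parent-child, shortcut) are two-way and
        # transitive by design; the boundary that matters is the forest edge.
        $scope = if ($trust.IntraForest) { 'Intraforest' } else { 'Interforest' }

        $finding = 'OK'
        if (-not $trust.IntraForest -and $trust.ForestTransitive) {
            if ($trust.SelectiveAuthentication) {
                $finding = 'Selective: only principals granted Allowed to Authenticate reach resources'
            } else {
                $finding = 'Forest-wide: every user in the trusted forest can authenticate to this forest'
            }
        }

        [PSCustomObject]@{
            Trust                   = $trust.Name
            Target                  = $trust.Target
            Scope                   = $scope
            Direction               = $trust.Direction
            ForestTransitive        = $trust.ForestTransitive
            SelectiveAuthentication = $trust.SelectiveAuthentication
            Finding                 = $finding
        }
    }
}

# Usage: list only the forest trusts that still authenticate forest-wide.
Get-TrustAuthenticationAudit |
    Where-Object { $_.Finding -like 'Forest-wide*' } |
    Format-Table -AutoSize

# Remediation, run on the trusting domain (placeholder domain names): switch the
# trust to selective authentication, then grant Allowed to Authenticate on the
# specific computer objects that users from the trusted forest should reach.
#   netdom trust trusting.example /domain:trusted.example /SelectiveAUTH:Yes
```

Switching a trust to selective authentication denies everyone from the trusted forest by default; users regain access to a server only once a group containing them is granted the Allowed to Authenticate right on that server's computer object.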


Article was printed from http://www.articleside.com/business-articles/mcitp-certificate-forest-schema-cross-forest-authentication.htm