Microsoft Azure AZ-800 — Section 4: Configure and manage multi-site, multi-domain, and multi-forest environments

Microsoft Azure AZ-800 — Section 4: Configure and manage multi-site, multi-domain, and multi-forest environments

31. Visualizing forest and domain trusts

I want to spend some time now helping you understand the concept of domains and forest trust relationships. It’s also, Important. Before we begin that, you make sure you watch the video where I explain the visualizing of domains, trees and force, which is kind of where this initial diagram came from.

So, if you have an Ori watch that, make sure you watch it, it’s earlier in the course.

So to help you understand trust relationships, let’s first talk about the point of trust relationships. A trust relationship is a connection between your domains that allows them to share resources to communicate with each other and share resources, in other words, for example, if I have a. Client computer, you know, here in the exam, domain in that client computer would like to access this server over in Scotland. There’s got to be a trust relationship to make that happen.

OK, now there are various types of trust relationships. When you set up a domain as part of a forest, there is an automatic trust relationship that gets built between your domains called a two way transitive trust.

OK, two way transitive trust. And that’s what these lines here are are going to represent some people. When they draw trust relationships, they will generally they will generally use a straight line, or sometimes they’ll use an arrow that faces both direction.

OK, that is a two way transitive trust. What you’re seeing right there? OK? Two way means that it goes both ways. That means that I could have. A server in exam, lab practicum and a client in Scotland or vice versa.

So the Scotland client could technically get to the server up in exam, lab practice, exam or practice person. Get down to the server in Scotland if you’ve got these trust relationships set up now. The other thing is that it is it is transitive.

So what does transitive mean? Transitive means it follows through.

So because has a transit trust relationship with the UK dot exam, lab practice, .com and UK dot has a trust relationship with Scotland will therefore exam I practice in Scotland, trust each other. That means it follows through. In other words, if a trust B and B or C, then And B automatically trust each other.

OK, now that’s automatic. When you join domains to a force, they’re going to automatically do that now and are another option for this you can configure. What are known as? Directional one way. Directional trust, OK? One way directional trust and the one way directional trust, what that’s going to basically do is it’s only going to go one direction. All right.

So one one direction, it’s not going to go both directions. Let’s kind of let’s expand this a little bit, and I’ll kind of zoom in on to give you a better understanding of what I’m saying.

So, if I had, let’s just say I had two domains, OK, let’s say you have Domain A.. All right. Then you have Domain B. All right.

So let’s add another triangle domain a domain b, OK. And you don’t have a two way transit, a trust set up between the two domains or any of that right now. And you want to share resources between these two, the two domains. I could actually do that if I had, let’s say I have a client computers and domain A. that want to access servers in Domain B instead of doing a two way transit is like that. I could actually do a one way directional.

OK. And the trick to this, and usually when people represent a one way directional trust, they’ll use an arrow instead of a straight line. I would need to make it work domain a trust domain B in order to do that.

So, instead of a straight line, I’m going to draw an arrow.

Now, the confusing thing to people when they use the arrows is they think in their head that the arrow is supposed to represent who’s connecting to who know. The arrow is specifying who is trusting who.

So Domain B is trusting Domain A, which means Domain A’s clients could technically get to the server end domain, be in access resources. But when it’s a when is a one way, when it’s a one way directional, OK, it’s that basically means. That that Domain B’s clients would not be allowed to get to a server in Domain A..

So, in other words, this guy right here, this client machine would not be able to access that server that you see right there. It’s one way. It’s a one way directional trust.

OK, so your two main kinds of trust. Are these two right here? OK? Two way transitive, which goes both way and it follows through or one way directional trust.

OK, now there is also something referred to as a shortcut trust, but I’d like to tell you a little bit about OK, a shortcut trust.

Now a shortcut trust is going to be used when you have two domains that are trained to have transitive trust, but it’s the communication is being slowed down because of how slow the trust relationships are. Let me give you an example.

OK, let’s say that we have some client computers in Japan and some servers in Japan and some client computers in Australiand some servers in Australia.

Now, let’s say that at our at our companies here, Japan and Australia, those two domains are going to be working on a big project together, and they got to constantly communicate between their servers and clients.

Now, currently, with the way things are right now, the client computers in Japan and the client computers in Australia will be able to communicate with each other.

OK. But it’s going to be a little bit sluggish.

OK, so, Imagine you get users that are complaining. This like an exam concept here. Your users are complaining that when they connect from Japan to Australia, Australia, Japan, the initial authentication connection is really slow. Once the connection gets esTablished, it’s fast, but the connection is really slow.

So that tells you a couple of things. Number one, it tells you that there is connectivity between the two domains. The problem is the initial connection is slow. Let me tell you why that is. It’s because of the transit of trust.

So what’s happening is, is the machines are having to authenticate using the Kerberos protocol and Japan is having to authenticate first with exam lab practice. Then it’s having to authenticate with this other domain name. Prepare for exams now and then. Finally, it’s authenticating with Australiand same things happened between Australiand Japan. It’s seven authenticate like this, and it’s really slow.

So what you can do is you could esTablish either a two way transit or a one way directional. I’m going to do a two way. All right.

So, I’m going to draw a straight line and that is called a shortcut trust. And really all it is just a transitive.

OK, let me actually. Move this over just a little bit. You know what, let’s let’s just fix this real quick. I’m going to move the Japan name just a little bit out of the way. All right, now we’ll draw the line.

So then we’ll make our shortcut trust between these two domains.

Now, when you do that shortcut trust like that, they can now authenticate each other directly. There’s no more having to connect up across and down. They can authenticate directly. And so that’s going to speed things up. All right.

Now, the final Typekit Trust relationship that I want to tell you about is called a realm I trust. This spelled r e alaim trust. And the main thing to remember about this going to be a Unix slash Linux realm.

So Unix and Linux can also support. Heroes, which is the security protocol that Windows machines use for authentication, and so you can set up what is known as a call this a Unix realm, Unix slash Linux realm, you got Unix Linux servers, perhaps in there that are in this in this Unix or Linux realm, maybe you’ve got some will say some. Here’s the servers right here. You can actually esTablish a either the two way transitive or the one way with that as well, and you can allow resources to be shared with that Unix environment.

So that is called a realm trust not used too often, but it is something that you can use to make it easier to authenticate and share resources between the Unix world and the Active Directory world.

OK, the final thing that I want to get across to you here, I’m going to kind of back up a little bit. I want to talk about what a forest trust is now and that software all the Forest Trust is. I’m going to get rid of this little line here. You might remember this a little bit from the earlier video, but I want to kind of reiterated a forest trust is a trust that is going to be set up when you have a different forest that needs to be linked with your forest.

So, we’re going to pretend for a moment that, it’s its own company. And there’s another company called Prepare for exams now, .com, and they are linking up together.

OK, so, Imagine that scenario where exam land practice .com prepare for exams now .com. There are two different companies. Maybe, maybe it’s a merger or maybe exam. is partnering up or merging with prepares for exam now .com and they have their own forest it’s already set up. Could have been set up years ago and we want to share resources with their forest.

OK. All right.

So the only thing we need to really keep in mind there, we need to make sure that our DNS and their DNS can see each other. We have to have some kind of a connection so that we can see each other, some kind of when connection or a VPN connection connecting us together, something like that. From there, we can actually set up a two way transit of trust if we want or even a one way if we want. And that is going to be called a forest trust.

OK. A forest trust is set up between two forests. All right.

So you really don’t have one forest here, you have to forest this a forest at this point, this a forest at that point. But the benefit is we can share resources together.

OK. Between these two forests? All right.


So hopefully that gives you now a better understanding of trust relationships in domains and forest.

32. Configure and manage forest and domain trusts

All right, I’d like to now show you the concept of where we go to set up in manage trust relationships, so here we are on NYC DC one. I’m going to click start. I’m going to go to server manager now. All right. And from there, we’re going to wait on this little blue bar to quit spinning here, which indicates that server manager is ready, which it is. I’m going to go to the tools menu and we’re going to go to Active Directory domains and trust.

So this the tool that you would use to set up trust relationships.

Now, before setting up trust relationships, I’d like to remind you it’s very important that the domain controllers that are communicating with each other that they can have, they do have connectivity.

So, if you’re setting this up, you want to make sure there’s connectivity between your environment and their environment that might involve having a way in connection that set up with this other location or this other server might have a VPN, or if the domain is on the same network, then you’re pretty good to go from there. But you got to make sure they can see each other. Another thing you got to do is you’ve got to make sure that DNS can communicate properly.

So, for example. If I was going to set up a scenario kind of like this right here and I wanted exam land practice .com to see prepare for exams now, not come, I would need to make sure that the DNS on both sides can see each other.

OK, so to do that, I would go to ols and server manager. I’d go to dance. And there’s a couple of ways we could go about doing this. But one of the simplest ways we can go about doing this to enable something called conditional forwarding. If we click on in my CDK1, we’ve got a thing called forwarders and we got something called conditional folders. We want to use conditional orders, So, we’re going to go right there. We’re going to right click and say conditional. And we’re going to put in the name of the domain. We want to communicate with the DNS or we need to know the IP address of their DNS server in that domain.


So, if it’s prepare for exams now, .com, we’re going to put that in. Prepare for exams now, .com, and we’re going to put in the IP address of that server, whatever it is. And I’m just going to, you know, it’s going to make something up like 192, 168, 5.9 or something. And I just made that up. I don’t really have a DNS server out there, but it would communicate with that and you’d get a validated message now you need to go to the other side and the prepares for exam exams now, .com that domain, they would have to actually point to our DNS server, so, we need to look up our DNS server to do that.

OK? So DNS must must be communicating first. Conditional forwarding is going to make it where any time we query for something that’s prepare for exams now, .com, it’s going to send to their DNS server. And then we do the same thing on their end. When they query, it’s going to query our DNS server. And so that’s what forwarding conditional forwarding is going to do.

So that’s a really, really awesome way to handle that problem.


So then once you’ve done that, you can go to Active Directory domains and trust. You can right click your domain exam, lab practice, .com. For me, go to properties and you’ll see a Tab called Trust. From there, you have two boxes.

OK. The first says domains trusted by this domain, outgoing trust trust and this outgoing and then trusting is incoming.

OK. There’s old saying people would use a trust. The Trust ED is on the end of the Arrow head if you’re using arrows.

So, if you go back to, you know, this example here, more domain a b you want domain b to trust domain AA you have the ad is on the end of the arrowhead and this the trust ing domain.

So you have to think about that because you have to set it up on both sides. You have to know which domain is the is the trust ed domain in which domain is the trust ing domain? OK. All right.

So, if we jump back over now, OK, we would click on New Trust. We would specified. Click next. We’d specify the name of that other domain.


So, in our case, if were doing this with prepare for exams now, .com, then we would put that in there. We put prepare for exams now .com right here for.

Now .com and we would click next. All right. We’re not doing around trust, we’re windows domain. All right. And at that point, we’d click next in the domain should see each other and you would have you have now officially set that site up. You’d have to do it on the same, the other side as well coming for this domain. And at that point, you can, you know, you can specify transit or not transit of all that.

OK. I don’t really have a way to demonstrate this because I don’t have another domain set up. Probably neither do you.

Now, if you really want to get hard core and try this out, you could set up a whole new Windows 2022 server and create a whole new domain and try to set your trust relationship up.

So, if that’s something you want to get some hands on and try it out, I go, I encourage you to do that. It isn’t anything that’s that spectacular. You basically saw the process may just demonstrate it. Your only thing you’re not seeing is just a completion of it. But other than that, setting up trust relationships are actually pretty easy. Learning a little each day adds up. Research shows that students who make learning a habit are more likely to reach their goals. Set time aside to learn and get reminders using your learning scheduler.