Friday, May 30, 2014

Connecting the Continents, Creating Forest to Forest relationship in Server 2008

* Tokyo is now a Server 2008 network - so now what?
* Our two options to connect Tokyo and New York
* What you need for AD Federation Services
* What you need for a trust
* The Globamantics / Verde Petra solution: trusts

Now here we have:
* DC1 - globamantics.com
* Child domain = na.globamantics.com
* Verdepetra.com - different network.
* New - AD Federation Services allows two separate AD networks to authenticate users from either domain for shared folders and resources. It uses port 443 (the SSL port) for secure transmissions.
* We can also create a trust between the two forests, since we have more or less a direct link via VPN between New York and Tokyo.

What you need for AD Federation Services?
* AD FS is an SSO (Single Sign-on) method of sharing information between two partner networks, usually through a web site or application like SharePoint Services or SharePoint Server.
* It uses port 443, the SSL port, and HTTPS to transfer info back and forth. It also uses cookies to keep track of authentication.
* Here's what AD FS requires:

On home domain globamantics.com:
1) AD DS server
2) AD FS server
3) Web server (SharePoint) with SSL certificate
4) DMZ with Federation Proxy server

Internet

On other forest:
1) AD DS server
2) AD FS server
3) DMZ with Federation Proxy server


What you need for a Trust?
* A trust allows users from different networks to access information on another network.
* As long as there's a secure connection between the two networks (like our VPN), all we really need is a DC on either side.
* Each domain should be running at least the Server 2008 domain functional level, and the forest functional level has to be at least Server 2003 (Server 2008 preferred).

How many kinds of Trusts are there?
* External Trust - Allows separate domains in separate forests to trust each other's users without trusting every domain in a forest.
* Forest Trust - Trusts between two forest root domains that can allow users from any domain inside of either forest to share resources.
* Shortcut Trusts - Simply allows users to access resources in a different domain in the same forest faster.
* Realm Trusts - Allows a Windows directory network that uses Kerberos to trust a UNIX-based network that also uses Kerberos to share resources.

How many Directions are there in Trust?
* Trusts can be one-way, two-way, and transitive.

1) One-way Trust
* Network A trusts Network B.
* Users from Network B can access allowed resources on A, but users from A cannot access stuff on Network B.

2) Two-way Trust
* Network A trusts Network B and Network B trusts Network A.
* Users from either network can access allowed resources on the other.

3) Transitive Trusts
* If Domain A trusts Domain B, the trust is transitive, and C trusts B, then A and C also have a trust relationship.
____________________________
Now what you are going to do:

* You're going to implement a two-way forest trust, as well as an external trust between Verde Petra and na.globamantics.com (child domain), so that users will be able to access stuff faster.
* You need to ensure that the DNS servers on both networks are configured to know about each other.
* Both DNS servers are AD integrated, but a trust doesn't make it so that either DNS server knows about the other one.
* You will set up a stub zone on each DNS server, so that any DNS requests for resources on the other network will be forwarded to the DNS server in the other network.

How to create a Trust?
1) We will set up the stub zone on DC2 for load balancing.
2) Open DNS Server > Expand DNS
3) Select Forward Lookup Zones > Right click > New Zone
4) Select Stub Zone (check mark: Store the zone in AD) > Next
5) Select: To all DNS servers in this forest > Next
6) Type the other domain name which is present in the different forest, e.g. Verdepetra.com > Next
7) Type the IP address of the other DC and select the check mark (Use the above servers to create a local list of master servers) > Next
8) OK.

1) Now go to the Verdepetra.com domain, repeat the same steps above and configure DNS for globamantics.com
2) Now go to Domains and Trusts > Right click and raise the forest functional level to Windows Server 2008 on both domains.
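The same preparation as a script, added here as an example and not part of the class notes. It assumes the DnsServer and ActiveDirectory PowerShell modules (Windows Server 2012 or later, or RSAT), so on the Server 2008 boxes in the notes the wizard steps above are the equivalent; the master-server IP addresses are constructed placeholders.

```powershell
# Added example: AD-integrated stub zone plus functional-level raise, in PowerShell.
# Assumes the DnsServer/ActiveDirectory modules (2012+ or RSAT); IPs are constructed.
Import-Module DnsServer
Import-Module ActiveDirectory

# Run on DC2.globamantics.com: stub zone for the other forest, pointing at its DNS server.
$remoteZone      = 'verdepetra.com'
$remoteMasterIPs = @('10.20.0.10')   # constructed: address of the Tokyo forest's DC/DNS server

# -ReplicationScope Forest stores the zone in AD and replicates it to every DNS server
# in the forest, matching "To all DNS servers in this forest" in the wizard.
Add-DnsServerStubZone -Name $remoteZone `
                      -MasterServers $remoteMasterIPs `
                      -ReplicationScope Forest `
                      -PassThru

# Check: the zone exists, is a stub zone, and the other forest's DC locator records resolve.
$zone = Get-DnsServerZone -Name $remoteZone
if ($zone.ZoneType -ne 'Stub') { throw "Expected a stub zone for $remoteZone, got $($zone.ZoneType)" }
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$remoteZone" -Type SRV |
    Format-Table Name, NameTarget, Port, Priority

# The mirror-image command on the verdepetra.com DNS server points back at New York:
#   Add-DnsServerStubZone -Name 'globamantics.com' -MasterServers '10.10.0.10' -ReplicationScope Forest

# Functional levels, checked before raising (raising is one-way, so look first).
(Get-ADForest).ForestMode
(Get-ADDomain -Identity 'globamantics.com').DomainMode
Set-ADForestMode -Identity 'globamantics.com'    -ForestMode Windows2008Forest -Confirm:$false
Set-ADDomainMode -Identity 'globamantics.com'    -DomainMode Windows2008Domain -Confirm:$false
Set-ADDomainMode -Identity 'na.globamantics.com' -DomainMode Windows2008Domain -Confirm:$false
```

The SRV lookup is the useful smoke test: if `_ldap._tcp.dc._msdcs.<other forest>` does not resolve from a domain member, the trust wizard's credential step will fail before anything else does, and a stub zone with a wrong master address is the usual cause.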

1) Now on DC1 (globamantics.com) go to Domains and Trusts > Properties > Trusts > New Trust >
2) Type the other domain name Verdepetra.com > Next > Give credentials > Select Forest trust >
3) Select Two-way > Next > Select Both this domain and the specified domain > Next > Enter credentials > Next
4) Select Forest-wide authentication > Next
5) Yes, confirm the outgoing trust > Next
6) Yes, confirm the incoming trust > Next
7) Finish
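The same two-way forest trust created from PowerShell, as an added example that is not from the class notes. It uses the .NET System.DirectoryServices.ActiveDirectory classes (present on Server 2008, no extra module needed) and assumes it runs on DC1 as an Enterprise Admin of globamantics.com; the verdepetra.com admin credential is prompted for rather than stored.

```powershell
# Added example: two-way forest trust via System.DirectoryServices.ActiveDirectory.
# Assumes: run on DC1 as Enterprise Admin of globamantics.com; remote credential prompted.
Add-Type -AssemblyName System.DirectoryServices
$ad = 'System.DirectoryServices.ActiveDirectory'

$remoteCred = Get-Credential -Message 'Enterprise Admin account in verdepetra.com'

# DirectoryContext bound to the other forest with the supplied credential.
$remoteCtx = New-Object "$ad.DirectoryContext"(
    [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Forest,
    'verdepetra.com',
    $remoteCred.UserName,
    $remoteCred.GetNetworkCredential().Password)

$localForest  = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$remoteForest = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($remoteCtx)

# One call creates both sides, like the wizard's "Both this domain and the specified domain".
$localForest.CreateTrustRelationship($remoteForest,
    [System.DirectoryServices.ActiveDirectory.TrustDirection]::Bidirectional)

# Same checks the wizard offers on its last two pages: verify outgoing from each side.
$localForest.VerifyOutboundTrustRelationship('verdepetra.com')
$remoteForest.VerifyOutboundTrustRelationship('globamantics.com')

# List what we now trust: name, direction and type of every trust this forest holds.
$localForest.GetAllTrustRelationships() |
    Format-Table SourceName, TargetName, TrustDirection, TrustType

# Optional tightening (not what the class chose): selective authentication replaces
# forest-wide authentication, so Tokyo users can only reach servers where they are
# explicitly granted "Allowed to Authenticate".
# $localForest.SetSelectiveAuthenticationStatus($remoteForest, $true)
```

Two things worth checking after either the wizard or the script: `nltest /domain_trusts /all_trusts` should show verdepetra.com with both the inbound and outbound flags, and the new forest trust has SID filtering (quarantine) on by default, which is what stops a SID injected into a Tokyo user's token from being honoured in New York; leave it on unless a migration genuinely needs SID history across the trust.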

Now we want to add the TKSales group (verdepetra.com; make sure it is a Universal group) to the SalesUsers group (make sure it is a Domain Local group) on globamantics.com.
Now add the TKSales group to SalesUsers on globamantics.com.
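The group nesting step as a script, added as an example that is not from the class notes. It assumes the ActiveDirectory module (Server 2008 R2 or later, or RSAT), the forest trust above already in place, and that the account running it can read verdepetra.com and modify SalesUsers; the group names are the ones in the notes.

```powershell
# Added example: nest a Universal group from the trusted forest into a Domain Local group.
# Assumes the ActiveDirectory module and an existing forest trust with verdepetra.com.
Import-Module ActiveDirectory

# -Server points each lookup at a DC in the right forest.
$tkSales    = Get-ADGroup -Identity 'TKSales'    -Server 'verdepetra.com'
$salesUsers = Get-ADGroup -Identity 'SalesUsers' -Server 'globamantics.com'

# The scope checks the notes insist on. Domain Local is the only scope that can hold
# a principal from another forest; Universal lets TKSales include members from any
# domain in the Tokyo forest, so the check below enforces both before changing anything.
if ($tkSales.GroupScope    -ne 'Universal')    { throw 'TKSales must be a Universal group' }
if ($salesUsers.GroupScope -ne 'DomainLocal')  { throw 'SalesUsers must be a Domain Local group' }

# Adding a cross-forest group creates a Foreign Security Principal (FSP) in
# globamantics.com holding the TKSales SID, then links that FSP into SalesUsers.
Add-ADGroupMember -Identity $salesUsers -Members $tkSales -Server 'globamantics.com'

# Verify by SID rather than name: the member shows up as
#   CN=<SID>,CN=ForeignSecurityPrincipals,DC=globamantics,DC=com
$members = (Get-ADGroup -Identity $salesUsers -Properties member -Server 'globamantics.com').member
$fsp = $members | Where-Object { $_ -like "CN=$($tkSales.SID.Value),CN=ForeignSecurityPrincipals,*" }
if (-not $fsp) { throw 'TKSales FSP not found in SalesUsers' }
$fsp
```

Checking by SID matters because the FSP's display name is only resolved when the trust is healthy; if the trust breaks later the entry stays in the group as a bare SID, which is also how you spot stale cross-forest members during an access review.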

Notes:
* AD Federation Services - A server role that allows partner networks to share information across domains using single sign-on. Most often used to share intranet web sites and applications like SharePoint.
* Trusts - A relationship between forests or domains that allows sharing of resources.
* Stub zone - A DNS zone that simply provides information about another domain's DNS servers.
* Conditional Forwarder - An entry in a DNS server that forwards on a DNS request if the request meets a specific requirement, i.e. the request is for information about a computer in another domain.
* External Trust - Allows separate domains in separate forests to trust each other's users without trusting every domain in a forest.
* Forest Trust - Trusts between two forest root domains that can allow users from any domain inside of either forest to share resources.
* Shortcut Trusts - Simply allows users to access resources in a different domain faster.
* Realm Trusts - Allows a Windows AD network that uses Kerberos to trust a Unix-based network that also uses Kerberos to share resources.
* Transitive Trust - A trust property that allows for trusting of other domains if the domain that is being trusted trusts other domains.
* AD Migration Tool - A free download from Microsoft that allows you to move AD objects (i.e. user accounts, etc.) between domains for consolidation.

After this class, now you can:
* Define the requirements and describe the use of AD Federation Services.
* Define the types and directions of trusts.
* Create stub zones in a DNS server in preparation for a trust.
* Implement a two-way transitive forest trust.
* Add a Universal group from another domain to a Domain Local group in a home domain.
