Active Directory External Trust – Scenario 1 - TechNet Gallery

ACTIVE DIRECTORY EXTERNAL TRUST – SCENARIO 1
Sainath K.E.V
Microsoft MVP – Directory Services
TABLE OF CONTENTS
1 Executive Summary
2 Solution Overview
3 Architectural Diagram
4 Scope of Work
  4.1 Work Plan
    4.1.1 Initiation Phase
    4.1.2 Infrastructure Readiness
    4.1.3 Build Process
1 Executive Summary
XYZ Corp, based in the United States, provides food, industrial products and services worldwide. With
10,000 employees in 10 countries committed to developing world-class industrial products, XYZ Corp is
committed to serving the world in a responsible way.
XYZ Corp recently completed several acquisitions and engaged SKV Consulting to provide a uniform
solution for accessing resources. Multiple solutions are currently involved in providing access to resources
between XYZ Corp and the acquired organizations, but XYZ Corp wants the solution to be agile and
requires seamless connectivity to those resources with minimum administrative overhead.
XYZ Corp is built on the Microsoft Datacenter suite of products, which includes the Microsoft System
Center suite, Dynamics CRM, Microsoft Exchange and SharePoint. SKV provides a single-vendor solution
to XYZ Corp for the following Active Directory Trust implementation.
a) Design: SKV will perform an assessment of XYZ Corp's existing Active Directory and networking
infrastructure to support a successful Active Directory trust implementation. The SKV Consulting
team will liaise with the XYZ Corp Active Directory and networking teams to obtain the required
documentation and understand the critical networking components. The SKV team will work closely
with the XYZ Corp infrastructure team to understand the server infrastructure, including the
virtualization infrastructure.
b) Installation: SKV will follow Microsoft enterprise standards and the proven Waterfall model for
installation of the required Microsoft services, software and operating system stack, with strict
program management to ensure the tasks are completed within the agreed time frame.
c) Configuration: SKV will follow Microsoft enterprise configuration standards for installing and
configuring Microsoft Active Directory trusts, and will validate and monitor the trusts before
handing over to XYZ Corp.
d) Integration: SKV will perform testing of the required applications and account delegation to ensure
the successful implementation of the Active Directory trusts.
e) Hand Over: SKV will perform a hand over to the XYZ Corp Active Directory team with the
required design and build documentation.
SKV's approach to implementing Active Directory trusts considers the technical, performance and
business aspects, drawing on SKV's experience in AD trust implementation. SKV's success in helping
XYZ Corp is predicated upon having experienced resources who understand both the business and the
technology stack.
2 Solution Overview
XYZ Corp has made major acquisitions lately, and there is a strong requirement for establishing secure
communication between XYZ Corp and the acquired organizations' resources. XYZ Corp does not like the
idea of adding the acquired companies under its existing Active Directory forest and wants to establish
an external Active Directory trust and a separate Active Directory delegation model to manage resources.
The acquired company is ABC Corp.
XYZ Corp employees will be accessing resources of ABC Corp, but ABC Corp will not be accessing
resources of XYZ Corp. The solution provided by SKV will establish secure communication, manage
resources through the required security groups, and seamlessly integrate ABC Corp applications.
SKV proposes to create an Active Directory one-way, external, non-transitive trust between XYZ Corp
and ABC Corp. With this trust type, XYZ Corp employees will be able to access ABC Corp resources,
but not vice versa. The external trust will be configured with Selective Authentication rather than
Domain-Wide Authentication: domain-wide authentication exposes all users in the trusted domain to
access any resource in the trusting domain, whereas Selective Authentication over an Active Directory
external trust restricts access to those users in the trusted forest who have been explicitly granted
permission to authenticate to computer objects.
In this proposal SKV highlights the process involved in installing, configuring and integrating Microsoft
Active Directory trusts. The objectives will be identified and refined at the beginning of the project. After
the initial assessment of the XYZ Corp and ABC Corp infrastructure, SKV Consulting will perform the
architectural design of the proposed solution.
The solution proposed by SKV for XYZ Corp consists of the following phases.
A. Phase 1 – Planning
  - Gathering of information
  - Business Plan
  - Business Strategy and Objectives for Active Directory Trust
  - Service Integration methodologies
B. Phase 2 – Infrastructure Assessment
  - Server Infrastructure
  - Storage Infrastructure
  - Network Infrastructure
  - Security Infrastructure
  - Backup solutions overview
C. Phase 3 – Operations Analysis
  - Change Management processes
  - Incident Management processes
  - Lifecycle Management processes
  - Service Catalogs
  - Service Request processes
D. Phase 4 – Build Phase
  Prepare for Installation
    - Identify the Server Roles
    - Identify Group Policy requirements
    - License Management
    - Network Access Strategy
    - Hardware Sizing and assessment
    - Storage sizing and planning
    - File and Print Server management
    - Public Key Infrastructure Design
    - Backup and Recovery planning
    - Patch Management planning
    - Virtual Machine Infrastructure Planning and Design
    - Active Directory Trust Planning and Design
    - Account Management Planning and Design
    - Active Directory Delegation Planning and Design
    - Organizational Unit Planning and Design
  Configuration Process
    - Windows Servers
    - Configuring Network Connectivity on all Virtual Machines
    - Configuring Active Directory and Group Policy
    - Configuring File and Print Services
    - Patch Management
    - Configuring Identity Management
    - Configuring Security
    - Configuring Remote Access and Network Access Protection
    - Configuring Clustering and High Availability
    - Configuring Backup and Restore
  Active Directory Trusts
    - Group Membership validation
    - Configuring Active Directory External Trusts
    - Configure Selective Authentication
    - DNS Server Configuration
  Integration Process
    - Test Selective Authentication configuration
    - Test Resource access from XYZ Corp to ABC Corp
3 Architectural Diagram
[Architectural diagram: the XYZ Corp and ABC Corp sites are connected through routers, with an AD Trust
between them. Each site shows Users, a Root Domain Controller and an ADC, Domain Controllers running
Exchange and SCCM, PKI Infrastructure, an Application Server, the Active Directory Infrastructure, a
Virtualization Tier, SAN Storage replication and a Hybrid Private Cloud.]
4 Scope of Work
4.1 Work Plan
SKV will follow a phased approach to accomplish a successful Microsoft Active Directory trust
implementation. The key phases of the engagement are listed below:
- Initiation Phase – Kick-off Meetings
- Phase 1: Infrastructure Readiness
- Phase 2: Build Process
- Phase 3: Post Implementation Tasks
4.1.1 Initiation Phase
The SKV Project Manager will lead a kick-off meeting with XYZ Corp to review, plan and prepare for the
Active Directory trust implementation activities specified in this proposal.
Activities / Tasks:
- SKV's Project Manager will review the following project management work products with XYZ Corp:
  - Introduction of the teams, their roles and responsibilities
  - SKV's Project Plan & Schedule
  - Review of the Project Change Management and Approval process
  - Review of the Project Closeout process
4.1.2 Infrastructure Readiness
Infrastructure planning activities require XYZ Corp's existing infrastructure to be stable and to meet the
deployment and configuration requirements. This activity is intended to gather information regarding
servers, network, storage, access management and security.
Activities / Tasks:
- Server Management: SKV to provide the request for the Windows Server operating system, including
versions, to XYZ Corp. XYZ Corp to provision Windows Server licenses for the implementation
activities. SKV Consulting to perform the server sizing for the private cloud implementation. The
virtual servers will meet the XYZ Corp operating system standards; SKV to configure the virtual
servers and follow XYZ's existing storage management, disk management, identity management,
patch management, and backup and restore policies.
Server backup and recovery management, along with virtual machine snapshot management, are
managed by XYZ Corp resources. XYZ Corp uses Microsoft System Center Operations Manager for
reporting health conditions and performance issues of virtual servers.
- Virtualization Tier Management: SKV will configure Active Directory trusts on domain controllers
hosted on the virtual infrastructure.
Virtual machines that are out of scope of the engagement will be managed by XYZ Corp. XYZ Corp
to manage virtual machine migration activities and backup and recovery of virtual machines.
- Storage Management: Storage replication and monitoring are managed by XYZ Corp. Provisioning
of LUNs, backup of Windows Server data and backup verification are managed by XYZ Corp. Virtual
machine snapshot management will be managed by XYZ Corp, and any additional hard disks needed
for virtual machines will be provisioned by XYZ Corp.
- Network and Security Management: XYZ Corp to manage the virtualization networking components,
which involves creation of virtual switches, VLAN configuration and VLAN tagging for all the virtual
machines. XYZ Corp to manage PXE boot networking capabilities and NAP capabilities for virtual
machines. XYZ Corp will be managing the firewall rules and configuration of firewall ports on all the
virtual servers.
Provisioning of IP addresses, configuration of virtual LANs (VLANs) and configuration of access
control policies on the routers / switches are managed by XYZ Corp. Housekeeping of firewall rules
and backup of network configuration are managed by XYZ Corp.
- Access Management: SKV requires access to the virtual infrastructure for configuring and
implementing Active Directory trusts. SKV to identify the security group, user account and service
account requirements and submit the request to XYZ Corp. XYZ Corp to manage user account
creation, Group Policy management, password policy management and security group creation.
4.1.3 Build Process
This phase describes the key high-level stages involved in building the Active Directory trust
infrastructure.
Activities / Tasks:
Active Directory Assessment: Before creating the forest trust, below are some of the assessment tasks
that the SKV consulting team will perform on the XYZ Corp infrastructure:
- Forest Functional Level should be Windows Server 2008 or above
- Domain Functional Level should be Windows Server 2008 or above
- DNS Server Configuration
- Firewall Port Configuration
- Account Requirements
- Active Directory Domain Trust Configuration
- Selective Authentication Configuration
a) Checking Forest Functional Level: In our initial discussion with XYZ Corp, the Active Directory
infrastructure is running on Windows Server 2008 R2 with no legacy domain controllers in place.
This operation can be performed on the root domain by logging on as Administrator and navigating to:
1. Start > Run > domain.msc
2. Right-click the domain and select Properties
3. On the General tab, the Forest Functional Level will be listed
b) Checking Domain Functional Level: This operation can be performed on the root domain by
logging on as Administrator and navigating to:
1. Start > Run > domain.msc
2. Right-click the domain and select Properties
3. On the General tab, the Domain Functional Level will be listed
c) Firewall Ports Configuration: Domain trusts span different networks and require firewall ports to be
opened. Below is the list of ports that need to be opened for a successful domain trust. The "fixed port"
entries refer to the Net Logon and directory service RPC interfaces, which by default listen on a dynamic
RPC port allocated through the endpoint mapper (135 TCP) unless pinned to a fixed port.

| Task | Outbound Ports | Inbound Ports | From–To |
|---|---|---|---|
| Set up trusts on both sides from the internal forest | LDAP (389 UDP and TCP); Microsoft SMB (445 TCP); Kerberos (88 UDP); Endpoint resolution - portmapper (135 TCP); Net Logon fixed port | N/A | Internal domain domain controllers–External domain domain controllers (all ports) |
| Trust validation from the internal forest domain controller to the external forest domain controller (outgoing trust only) | LDAP (389 UDP and TCP); Microsoft SMB (445 TCP); Kerberos (88 UDP); Endpoint resolution - portmapper (135 TCP); Net Logon fixed port | N/A | Internal domain domain controllers–External domain domain controllers (all ports) |
| Use Object picker on the external forest to add objects that are in an internal forest to groups and DACLs | LDAP (389 UDP); Windows NT Server 4.0 directory service fixed port; Net Logon fixed port; Kerberos (88 UDP); Endpoint resolution - portmapper (135 TCP) | N/A | External server–Internal domain PDCs (Kerberos); External domain domain controllers–Internal domain domain controllers (Net Logon) |
| Set up trust on the external forest from the external forest | LDAP (389 UDP and TCP); Microsoft SMB (445 TCP); Kerberos (88 UDP); Endpoint resolution - portmapper (135 TCP); Net Logon fixed port | N/A | External domain domain controllers–Internal domain domain controllers (all ports) |
| Use Kerberos authentication (internal forest client to external forest) | Kerberos (88 UDP) | N/A | Internal client–External domain domain controllers (all ports) |
| Use NTLM authentication (internal forest client to external forest) | N/A | Endpoint resolution - portmapper (135 TCP); Net Logon fixed port | External domain domain controllers–Internal domain domain controllers (all ports) |
| Join a domain from a computer in the internal network to an external domain | LDAP (389 UDP and TCP); Microsoft SMB (445 TCP); Kerberos (88 UDP); Endpoint resolution - portmapper (135 TCP); Net Logon fixed port; Windows NT Server 4.0 directory service fixed port | N/A | Internal client–External domain domain controllers (all ports) |

d) DNS Server Configuration: DNS settings are critical for an Active Directory trust to function. Below
are the configuration settings made on the DNS server:

- Create a Conditional Forwarder in each forest pointing to the other forest's domain. SKV will
create a conditional forwarder for ABC Corp on the XYZ Corp DNS server and a conditional
forwarder for XYZ Corp on the ABC Corp DNS server.
Note: Another method is to create secondary zones of each forest's primary zone.
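The assessment items a) to d) above can be scripted and re-run on each side before the trust wizard is started. The following PowerShell is an added example, not part of the original proposal or of SKV's deliverables; it assumes the local forest is xyz.corp, the remote forest is abc.corp, and that the remote domain controllers (which also host its DNS) are at the constructed addresses 10.20.0.10 and 10.20.0.11.

```powershell
# Added example (not from the original proposal): pre-trust readiness checks, run on a
# domain controller / DNS server of the local forest. Names and addresses are constructed:
# remote forest abc.corp, remote DCs (also its DNS servers) 10.20.0.10 and 10.20.0.11.
# Run it again on the ABC Corp side with the values swapped.
Import-Module ActiveDirectory
Import-Module DnsServer

function Test-TrustReadiness {
    param(
        [string]   $RemoteForest = 'abc.corp',
        [string[]] $RemoteDcs    = @('10.20.0.10', '10.20.0.11'),
        [switch]   $CreateForwarder
    )
    # a) / b) Functional levels: the proposal requires Windows Server 2008 or above.
    $forest   = Get-ADForest
    $domain   = Get-ADDomain
    $forestOk = $forest.ForestMode -ge [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008Forest
    $domainOk = $domain.DomainMode -ge [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain

    # c) Firewall: TCP ports from the trust port table. Test-NetConnection probes TCP only,
    # so Kerberos 88/UDP and the dynamic RPC range used by Net Logon are not covered here.
    $ports = @{ 88 = 'Kerberos'; 135 = 'RPC endpoint mapper'; 389 = 'LDAP'; 445 = 'SMB' }
    $portResults = foreach ($dc in $RemoteDcs) {
        foreach ($p in $ports.Keys) {
            $t = Test-NetConnection -ComputerName $dc -Port $p -WarningAction SilentlyContinue
            [pscustomobject]@{ Dc = $dc; Port = $p; Service = $ports[$p]; Open = $t.TcpTestSucceeded }
        }
    }

    # d) DNS: conditional forwarder for the remote forest, replicated to every DNS server in this forest.
    $zone = Get-DnsServerZone -Name $RemoteForest -ErrorAction SilentlyContinue
    if (-not $zone -and $CreateForwarder) {
        $zone = Add-DnsServerConditionalForwarderZone -Name $RemoteForest -MasterServers $RemoteDcs `
                    -ReplicationScope 'Forest' -PassThru
    }
    # The trust wizard finds remote DCs through this SRV record, so resolving it is the real forwarder test.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$RemoteForest" -Type SRV -ErrorAction SilentlyContinue
    $closed = @($portResults | Where-Object { -not $_.Open })

    [pscustomobject]@{
        ForestMode         = $forest.ForestMode
        DomainMode         = $domain.DomainMode
        ClosedPorts        = $closed
        ForwarderExists    = [bool]$zone
        RemoteDcSrvRecords = @($srv | Where-Object { $_.Type -eq 'SRV' } | Select-Object -ExpandProperty NameTarget)
        Ready              = $forestOk -and $domainOk -and [bool]$zone -and ($closed.Count -eq 0)
    }
}

Test-TrustReadiness -CreateForwarder | Format-List
```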
e) Security Account Requirement: To successfully create Active Directory domain trusts, the user
should be a member of the Domain Admins group or the Enterprise Admins group respectively.
f) Active Directory Domain Trusts Configuration: In this step the SKV consultant will create a one-way,
external, outgoing trust, which allows access to resources. To create a one-way, outgoing, external trust
for one side of the trust:
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain for which you want to establish a trust, and then
click Properties.
3. On the Trusts tab, click New Trust, and then click Next.
4. On the Trust Name page, type the Domain Name System (DNS) name (or NetBIOS
name) of the external domain, and then click Next.
5. On the Trust Type page, click External trust, and then click Next.
6. On the Direction of Trust page, click One-way: outgoing, and then click Next.
7. On the Sides of Trust page, click This domain only, and then click Next.
8. On the Outgoing Trust Authentication Level page, click Selective authentication, and then
click Next.
9. On the Trust Password page, type the trust password twice, and then click Next.
10. On the Trust Selections Complete page, review the results, and then click Next.
11. On the Trust Creation Complete page, review the results, and then click Next.
12. On the Confirm Outgoing Trust page, do one of the following:
   - If you do not want to confirm this trust, click No, do not confirm the outgoing trust.
   Note that if you do not confirm the trust at this stage, the secure channel will not be
   established until the first time that the trust is used by users.
   - If you want to confirm this trust, click Yes, confirm the outgoing trust, and then
   supply the appropriate administrative credentials from the specified domain.
13. On the Completing the New Trust Wizard page, click Finish.
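Once the wizard finishes, the trust object should be checked against the design (one-way outgoing, external and non-transitive, Selective Authentication) rather than assumed. The PowerShell below is an added example, not from the original proposal; it runs on a domain controller of the trusting (resource) domain and uses abc.corp as a placeholder for the other domain's name.

```powershell
# Added example (not from the original proposal): verify the trust object created by the wizard.
# Run on a DC of the trusting (resource) domain, where the trust to the other domain shows
# Direction = Outbound. 'abc.corp' is a constructed placeholder for the other domain.
Import-Module ActiveDirectory

function Test-ExternalTrustConfig {
    param([string] $TrustedDomain = 'abc.corp')

    $trust = Get-ADTrust -Filter "Name -eq '$TrustedDomain'"
    if (-not $trust) { throw "No trust object found for $TrustedDomain" }

    $checks = [ordered]@{
        # One-way, outgoing: only this side's resources are exposed, as the proposal requires.
        OutboundOnly        = ($trust.Direction -eq 'Outbound')
        # External (non-transitive) rather than a forest trust.
        NotForestTransitive = (-not $trust.ForestTransitive)
        # Selective Authentication: users still need Allowed to Authenticate on each resource computer.
        SelectiveAuth       = [bool]$trust.SelectiveAuthentication
        # SID filtering (quarantine) is on by default for external trusts; leaving it on means
        # SIDs carried in sIDHistory from the other domain are not honoured on this side.
        SidFilteringOn      = [bool]$trust.SIDFilteringQuarantined
    }
    [pscustomobject]@{
        Trust      = $trust.Name
        Checks     = $checks
        AesEnabled = [bool]$trust.UsesAESKeys   # informational: AES on the trust secure channel
        Passed     = -not ($checks.Values -contains $false)
    }
}

$result = Test-ExternalTrustConfig
$result.Checks
"Trust configuration matches the design: $($result.Passed)"
```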
g) Selective Authentication: XYZ Corp users need to access certain resources of ABC Corp. SKV
Consulting has chosen Selective Authentication as the solution, which does not allow XYZ Corp
users to access all the resources of ABC Corp. Configure the Allowed to Authenticate permission on
the resources to which the groups require access. The procedure below should be performed in the
ABC Corp Active Directory domain, adding the XYZ Corp user group:
1. Open Active Directory Users and Computers.
2. On the View menu, ensure that Advanced Features is selected.
3. In the console tree, click the Computers container or the container where your
computer objects reside.
4. Right-click the computer object that you want users in the trusted domain or forest
to access, and then click Properties.
5. On the Security tab, do one of the following:
   - In Group or user names, click the user names or group names to which you want to
   grant access to this computer, select the Allow check box next to the Allowed to
   Authenticate permission, and then click OK.
   - Click Add. In Enter the object names to select, type the name of the user object or
   group object to which you want to grant access to this resource computer, and then
   click OK. Select the Allow check box next to the Allowed to Authenticate permission,
   and then click OK.
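Step 5 grants a single extended right (Allowed-To-Authenticate) on the computer object's DACL, and when many resource computers are involved it is easier to apply and audit from a script. The following PowerShell is an added example, not part of the original proposal; it runs on a domain controller of the trusting domain (ABC Corp in this scenario), and the group XYZ\ABC-AppServer-Users and the computer APPSRV01 are constructed placeholders.

```powershell
# Added example (not from the original proposal): grant Allowed to Authenticate on one resource
# computer object, the scripted equivalent of step 5 above. Run on a DC of the trusting domain
# (ABC Corp), which is the domain the ActiveDirectory module's AD: drive points at.
# 'XYZ\ABC-AppServer-Users' and 'APPSRV01' are constructed placeholders.
Import-Module ActiveDirectory

function Grant-AllowedToAuthenticate {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,     # resource computer in this (trusting) domain
        [Parameter(Mandatory)] [string] $TrustedPrincipal  # DOMAIN\Group from the trusted domain
    )
    # Resolve the trusted-domain group to its SID over the trust, as the object picker does.
    $sid = ([System.Security.Principal.NTAccount]$TrustedPrincipal).Translate(
               [System.Security.Principal.SecurityIdentifier])

    # Read the rightsGuid of the Allowed-To-Authenticate control access right from the
    # configuration partition rather than hard-coding it.
    $cfgNc = (Get-ADRootDSE).configurationNamingContext
    $right = Get-ADObject -SearchBase "CN=Extended-Rights,$cfgNc" -Properties rightsGuid `
                 -LDAPFilter '(&(objectClass=controlAccessRight)(cn=Allowed-To-Authenticate))'
    $rightGuid = [guid]$right.rightsGuid

    $computer = Get-ADComputer -Identity $ComputerName
    $path = "AD:\$($computer.DistinguishedName)"
    $acl  = Get-Acl -Path $path

    # Idempotent: skip if an explicit Allow ACE for this SID and this right is already present.
    $existing = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference -eq $sid -and $_.ObjectType -eq $rightGuid -and
                       $_.AccessControlType -eq 'Allow' }
    if ($existing) { return "Allowed to Authenticate already granted to $TrustedPrincipal on $ComputerName" }

    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
               $sid,
               [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
               [System.Security.AccessControl.AccessControlType]::Allow,
               $rightGuid)
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
    # Allowed to Authenticate only lets these users authenticate to this computer; share and
    # NTFS permissions on the resource itself are still required.
    "Granted Allowed to Authenticate to $TrustedPrincipal on $ComputerName"
}

Grant-AllowedToAuthenticate -ComputerName 'APPSRV01' -TrustedPrincipal 'XYZ\ABC-AppServer-Users'
```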