Active Directory Cookbook for Windows Server 2003 - P5

2.18.2.2 Using a command-line interface

> netdom trust <ADDomainDNSName> /Domain:<KerberosRealmDNSName>[RETURN]

/Realm /ADD /PasswordT:<TrustPassword>[RETURN]

[/UserO:<ADDomainAdminUser> /PasswordO:*]

The <TrustPassword> has to match what was set on the Kerberos side. To create a realm trust from the rallencorp.com domain to the Kerberos realm called kerb.rallencorp.com, use the following command:

> netdom trust rallencorp.com /Domain:kerb.rallencorp.com[RETURN]

/Realm /ADD /PasswordT:MyKerbRealmPassword[RETURN]

/UserO:administrator@rallencorp.com /PasswordO:*

2.18.3 Discussion

You can create a Kerberos realm trust between an Active Directory domain and a non-Windows Kerberos v5 realm. A realm trust can be used to allow clients from the non-Windows Kerberos realm to access resources in Active Directory, and vice versa. See Recipe 18.7 for more information on MIT Kerberos interoperability with Active Directory.

2.18.4 See Also

MS KB 260123 (Information on the Transitivity of a Kerberos Realm Trust) and MS KB 266080 (Answers to Frequently Asked Kerberos Questions).

Recipe 2.19 Viewing the Trusts for a Domain

2.19.1 Problem

You want to view the trusts for a domain.

2.19.2 Solution

2.19.2.1 Using a graphical user interface

1. Open the Active Directory Domains and Trusts snap-in.

2. In the left pane, right-click the domain you want to view and select Properties.

3. Click on the Trusts tab.

2.19.2.2 Using a command-line interface

> netdom query trust /Domain:<DomainDNSName>

2.19.2.3 Using VBScript

' This code prints the trusts for the specified domain
' ----- SCRIPT CONFIGURATION ------
strDomain = "<DomainDNSName>"   ' e.g. amer.rallencorp.com
' ----- END CONFIGURATION --------

' Trust Direction Constants taken from NTSecAPI.h
set objTrustDirectionHash = CreateObject("Scripting.Dictionary")
objTrustDirectionHash.Add "DIRECTION_DISABLED", 0
objTrustDirectionHash.Add "DIRECTION_INBOUND", 1
objTrustDirectionHash.Add "DIRECTION_OUTBOUND", 2
objTrustDirectionHash.Add "DIRECTION_BIDIRECTIONAL", 3

' Trust Type Constants - taken from NTSecAPI.h
set objTrustTypeHash = CreateObject("Scripting.Dictionary")
objTrustTypeHash.Add "TYPE_DOWNLEVEL", 1
objTrustTypeHash.Add "TYPE_UPLEVEL", 2
objTrustTypeHash.Add "TYPE_MIT", 3
objTrustTypeHash.Add "TYPE_DCE", 4

' Trust Attribute Constants - taken from NTSecAPI.h
' trustAttributes is a bit mask, so several of these can be set at once
set objTrustAttrHash = CreateObject("Scripting.Dictionary")
objTrustAttrHash.Add "ATTRIBUTES_NON_TRANSITIVE", 1
objTrustAttrHash.Add "ATTRIBUTES_UPLEVEL_ONLY", 2
objTrustAttrHash.Add "ATTRIBUTES_QUARANTINED_DOMAIN", 4
objTrustAttrHash.Add "ATTRIBUTES_FOREST_TRANSITIVE", 8
objTrustAttrHash.Add "ATTRIBUTES_CROSS_ORGANIZATION", 16
objTrustAttrHash.Add "ATTRIBUTES_WITHIN_FOREST", 32
objTrustAttrHash.Add "ATTRIBUTES_TREAT_AS_EXTERNAL", 64

set objRootDSE = GetObject("LDAP://" & strDomain & "/RootDSE")
set objTrusts = GetObject("LDAP://cn=System," & _
                          objRootDSE.Get("defaultNamingContext") )
objTrusts.Filter = Array("trustedDomain")

Wscript.Echo "Trusts for " & strDomain & ":"
for each objTrust in objTrusts
   strTrustInfo = ""
   ' trustDirection and trustType each hold a single value, so compare for equality
   for each strFlag In objTrustDirectionHash.Keys
      if objTrustDirectionHash(strFlag) = objTrust.Get("trustDirection") then
         strTrustInfo = strTrustInfo & strFlag & " "
      end If
   next
   for each strFlag In objTrustTypeHash.Keys
      if objTrustTypeHash(strFlag) = objTrust.Get("trustType") then
         strTrustInfo = strTrustInfo & strFlag & " "
      end If
   next
   ' trustAttributes is a bit mask: test each bit rather than comparing for
   ' equality, or a trust with two flags set (e.g. 5) would print none of them
   for each strFlag In objTrustAttrHash.Keys
      if (objTrust.Get("trustAttributes") And objTrustAttrHash(strFlag)) <> 0 then
         strTrustInfo = strTrustInfo & strFlag & " "
      end If
   next
   WScript.Echo " " & objTrust.Get("trustPartner") & " : " & strTrustInfo
next


2.19.3 Discussion

2.19.3.1 Using a graphical user interface

You can view the properties of a particular trust by clicking on a trust and clicking the Properties button.

2.19.3.2 Using a command-line interface

You can include the /Direct switch if you want to view only direct-trust relationships. If you don't use /Direct, implicit trusts that occur due to transitive-trust relationships will also be listed.

2.19.3.3 Using VBScript

This script uses dictionary objects to ease the mapping of the various integer values for attributes, such as trustType and trustDirection, to descriptive names. A dictionary object in VBScript is analogous to a hash or associative array in other programming languages. The Add method accepts a key and value pair to add to the dictionary. The Keys method returns the keys of the dictionary as a collection. To access a value of the dictionary, you simply pass the key name as a parameter to the dictionary object, such as objDictionary(strKey). Note that trustDirection and trustType each hold a single value, but trustAttributes is a bit mask in which several flags can be set at once, so each attribute flag has to be tested with a bitwise And rather than compared for equality.

Another option to query trusts programmatically is with the Trustmon WMI Provider. The Trustmon Provider is new to Windows Server 2003. See Recipe 2.20 for an example.

2.19.4 See Also

The Introduction at the beginning of this chapter for attributes of trustedDomain objects, Recipe 2.20 for another way to query trusts programmatically, MS KB 228477 (HOW TO: Determine Trust Relationship Configurations), and MSDN: TRUSTED_DOMAIN_INFORMATION_EX.

Recipe 2.20 Verifying a Trust

2.20.1 Problem

You want to verify that a trust is working correctly. This is the first diagnostic step to take if users notify you that authentication to a remote domain appears to be failing.

2.20.2 Solution

2.20.2.1 Using a graphical user interface

For the Windows 2000 version of the Active Directory Domains and Trusts snap-in:

1. In the left pane, right-click on the trusting domain and select Properties.

2. Click the Trusts tab.

3. Click the domain that is associated with the trust you want to verify.

4. Click the Edit button.

5. Click the Verify button.

For the Windows Server 2003 version of the Active Directory Domains and Trusts snap-in:

1. In the left pane, right-click on the trusting domain and select Properties.

2. Click the Trusts tab.

3. Click the domain that is associated with the trust you want to verify.

4. Click the Properties button.

5. Click the Validate button.

2.20.2.2 Using a command-line interface

> netdom trust <TrustingDomain> /Domain:<TrustedDomain> /Verify

/verbose[RETURN]

[/UserO:<TrustingDomainUser> /PasswordO:*][RETURN]

[/UserD:<TrustedDomainUser> /PasswordD:*]

2.20.2.3 Using VBScript

' The following code lists all of the trusts for the
' specified domain using the Trustmon WMI Provider.
' The Trustmon WMI Provider is only supported on Windows Server 2003.
' ----- SCRIPT CONFIGURATION ------
strDomain = "<DomainDNSName>"   ' e.g. amer.rallencorp.com
' ----- END CONFIGURATION --------

set objWMI = GetObject("winmgmts:\\" & strDomain & _
                       "\root\MicrosoftActiveDirectory")
set objTrusts = objWMI.ExecQuery("Select * from Microsoft_DomainTrustStatus")
for each objTrust in objTrusts
   Wscript.Echo objTrust.TrustedDomain
   Wscript.Echo " TrustAttributes: " & objTrust.TrustAttributes
   Wscript.Echo " TrustedDCName: " & objTrust.TrustedDCName
   Wscript.Echo " TrustDirection: " & objTrust.TrustDirection
   Wscript.Echo " TrustIsOk: " & objTrust.TrustIsOK
   Wscript.Echo " TrustStatus: " & objTrust.TrustStatus
   Wscript.Echo " TrustStatusString: " & objTrust.TrustStatusString
   Wscript.Echo " TrustType: " & objTrust.TrustType
   Wscript.Echo ""
next

' This code shows how to search specifically for trusts
' that have failed, which can be accomplished using a WQL query that
' contains the condition: TrustIsOk = False
' ----- SCRIPT CONFIGURATION ------
strDomain = "<DomainDNSName>"   ' e.g. amer.rallencorp.com
' ----- END CONFIGURATION --------

set objWMI = GetObject("winmgmts:\\" & strDomain & _
                       "\root\MicrosoftActiveDirectory")
set objTrusts = objWMI.ExecQuery("select * " _
                & " from Microsoft_DomainTrustStatus " _
                & " where TrustIsOk = False ")
if objTrusts.Count = 0 then
   Wscript.Echo "There are no trust failures"
else
   WScript.Echo "Trust Failures:"
   for each objTrust in objTrusts
      Wscript.Echo " " & objTrust.TrustedDomain & " : " & _
                   objTrust.TrustStatusString
      Wscript.Echo ""
   next
end if

2.20.3 Discussion

Verifying a trust consists of checking connectivity between the domains and determining whether the shared secrets of the trust are synchronized between the two domains.

2.20.3.1 Using a graphical user interface

The Active Directory Domains and Trusts screens have changed somewhat between Windows 2000 and Windows Server 2003. The Verify button has been renamed Validate.

2.20.3.2 Using a command-line interface

If you want to verify a Kerberos trust, use the /Kerberos switch with the netdom command.

2.20.3.3 Using VBScript

The WMI Trustmon Provider is new to Windows Server 2003. It provides a nice interface for querying and checking the health of trusts. One of the benefits of using WMI to access this kind of data is that you can use WQL, the WMI Query Language, to perform complex queries to find trusts that have certain properties. WQL is a subset of the Structured Query Language (SQL) commonly used to query databases. In the second VBScript example, I used WQL to find all trusts that have a problem. You could expand the query to include additional criteria, such as trust direction and trust type.

2.20.4 See Also

MSDN: Trustmon Provider

Recipe 2.21 Resetting a Trust

2.21.1 Problem

You want to reset a trust password. If you've determined a trust is broken, you need to reset it, which will allow users to authenticate across it again.

2.21.2 Solution

2.21.2.1 Using a graphical user interface

Follow the same directions as Recipe 2.20. The option to reset the trust will only be presented if the Verify/Validate did not succeed.

2.21.2.2 Using a command-line interface

> netdom trust <TrustingDomain> /Domain:<TrustedDomain> /Reset

/verbose[RETURN]

[/UserO:<TrustingDomainUser> /PasswordO:*][RETURN]

[/UserD:<TrustedDomainUser> /PasswordD:*]

2.21.2.3 Using VBScript

' This code resets the specified trust
' ----- SCRIPT CONFIGURATION ------
' Set to the DNS or NetBIOS name for the Windows 2000,
' Windows NT domain or Kerberos realm you want to reset the trust for
strTrustName = "<TrustToCheck>"
' Set to the DNS name of the source or trusting domain
strDomain = "<TrustingDomain>"
' ----- END CONFIGURATION --------

' Enable SC_RESET during trust enumerations
set objTrustProv = GetObject("winmgmts:\\" & strDomain & _
                   "\root\MicrosoftActiveDirectory:Microsoft_TrustProvider=@")
objTrustProv.TrustCheckLevel = 3   ' Enumerate with SC_RESET
objTrustProv.Put_

' Query the trust and print status information
set objWMI = GetObject("winmgmts:\\" & strDomain & _
                       "\root\MicrosoftActiveDirectory")
set objTrusts = objWMI.ExecQuery("Select * " _
                & " from Microsoft_DomainTrustStatus " _
                & " where TrustedDomain = '" & strTrustName & "'" )
for each objTrust in objTrusts
   Wscript.Echo objTrust.TrustedDomain
   Wscript.Echo " TrustAttributes: " & objTrust.TrustAttributes
   Wscript.Echo " TrustedDCName: " & objTrust.TrustedDCName
   Wscript.Echo " TrustDirection: " & objTrust.TrustDirection
   Wscript.Echo " TrustIsOk: " & objTrust.TrustIsOK
   Wscript.Echo " TrustStatus: " & objTrust.TrustStatus
   Wscript.Echo " TrustStatusString: " & objTrust.TrustStatusString
   Wscript.Echo " TrustType: " & objTrust.TrustType
   Wscript.Echo ""
next

2.21.3 Discussion

Resetting a trust synchronizes the shared secrets (i.e., passwords) for the trust. The PDC emulator in both domains (the PDC, for a Windows NT 4.0 domain) is used to synchronize the password, so both must be reachable.

2.21.3.1 Using a command-line interface

If you are resetting a Kerberos realm trust, you'll need to specify the /PasswordT option with netdom.

2.21.4 See Also

Recipe 2.20 for verifying a trust.

Recipe 2.22 Removing a Trust

2.22.1 Problem

You want to remove a trust. This is commonly done when the remote domain has been decommissioned or access to it is no longer required.

2.22.2 Solution

2.22.2.1 Using a graphical user interface

1. Open the Active Directory Domains and Trusts snap-in.

2. In the left pane, right-click on the trusting domain and select Properties.

3. Click the Trusts tab.

4. Click on the domain that is associated with the trust you want to remove.

5. Click the Remove button.

6. Click OK.

2.22.2.2 Using a command-line interface

> netdom trust <TrustingDomain> /Domain:<TrustedDomain> /Remove

/verbose[RETURN]

[/UserO:<TrustingDomainUser> /PasswordO:*][RETURN]

[/UserD:<TrustedDomainUser> /PasswordD:*]

2.22.2.3 Using VBScript

' This code deletes a trust in the specified domain
' ----- SCRIPT CONFIGURATION ------
' Set to the DNS or NetBIOS name for the Windows 2000,
' Windows NT domain or Kerberos realm trust you want to delete
strTrustName = "<TrustName>"
' Set to the DNS name of the source or trusting domain
strDomain = "<DomainDNSName>"
' ----- END CONFIGURATION --------

set objRootDSE = GetObject("LDAP://" & strDomain & "/RootDSE")

' A trust is stored as two objects: the trustedDomain object in the System
' container and the interdomain trust account, a user object named
' <TrustName>$, in the Users container. Both have to be deleted.
' For a trust to an AD domain the trustedDomain object is named by the
' partner's DNS name while the trust account uses its NetBIOS name, so
' adjust the two names below if they differ.
set objTrust = GetObject("LDAP://cn=System," & _
                         objRootDSE.Get("defaultNamingContext") )
objTrust.Delete "trustedDomain", "cn=" & strTrustName

set objTrustUser = GetObject("LDAP://cn=Users," & _
                             objRootDSE.Get("defaultNamingContext") )
objTrustUser.Delete "user", "cn=" & strTrustName & "$"

WScript.Echo "Successfully deleted trust for " & strTrustName

2.22.3 Discussion

Trusts are stored in Active Directory as two objects: a trustedDomain object in the System container and a user object (the interdomain trust account, named <NetBIOSDomainName>$) in the Users container. Both of these objects need to be removed when deleting a trust. The GUI and CLI solutions take care of that in one step, but in the VBScript example both objects needed to be explicitly deleted. It is also worth noting that each solution only deletes one side of the trust. If the trust was to a remote AD forest or NT 4.0 domain, you also need to delete the trust in that domain.

Recipe 2.23 Enabling SID Filtering for a Trust

2.23.1 Problem

You want to enable Security Identifier (SID) filtering for a trust. Enabling SID filtering keeps an attacker who controls the trusted domain from spoofing a SID across the trust.

2.23.2 Solution

2.23.2.1 Using a command-line interface

> netdom trust <TrustingDomain> /Domain:<TrustedDomain> /Quarantine

Yes[RETURN]

[/UserO:<TrustingDomainUser> /PasswordO:*][RETURN]

[/UserD:<TrustedDomainUser> /PasswordD:*]

2.23.3 Discussion

A security vulnerability exists with the use of SID history, which is described in detail in MS KB 289243. An administrator in a trusted domain can modify the SID history (the sIDHistory attribute) of a user, which could grant her elevated privileges in the trusting domain. Exploiting this requires administrative control of the trusted domain, so the risk is only as low as your confidence in that domain's administrators and domain controllers; you should be aware of it regardless. To prevent this from happening you can enable SID filtering for a trust. The netdom command is run in the trusting domain, which is the side that performs the filtering. When SID filtering is enabled, the only SIDs accepted into a user's token from across the trust are those belonging to the trusted domain itself; SIDs from any other domain, including those carried in sIDHistory, are discarded. SID filtering makes things more secure, but prevents the use of SID history across the trust and can cause problems with transitive trusts.
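The following Python script is an added example, not code from the book. It does in one pass what Recipe 2.19's VBScript and this recipe's netdom switch describe: it decodes trustDirection, trustType and trustAttributes using the NTSecAPI.h constants listed in Recipe 2.19, treating trustAttributes as the bit mask it is, and then reports which outbound trusts lack the ATTRIBUTES_QUARANTINED_DOMAIN flag that /Quarantine Yes sets. The trust records are constructed sample data; in practice they would be the values read from the trustedDomain objects under CN=System. Forest trusts are listed separately, which goes beyond what the page states: on a forest trust SID filtering is controlled by the trust's SID-history setting rather than by the quarantine bit, so the absence of that bit is not by itself a finding.

```python
# Added example (not from the Active Directory Cookbook): decode the integer
# attributes of trustedDomain objects and report which trusts lack SID filtering.
# The flag values are the NTSecAPI.h constants listed in Recipe 2.19; the trust
# records at the bottom are constructed sample data standing in for what the
# page's VBScript reads from CN=System,<defaultNamingContext>.

TRUST_DIRECTION = {0: "DIRECTION_DISABLED", 1: "DIRECTION_INBOUND",
                   2: "DIRECTION_OUTBOUND", 3: "DIRECTION_BIDIRECTIONAL"}
TRUST_TYPE = {1: "TYPE_DOWNLEVEL", 2: "TYPE_UPLEVEL", 3: "TYPE_MIT", 4: "TYPE_DCE"}
TRUST_ATTRIBUTES = {
    1: "ATTRIBUTES_NON_TRANSITIVE",
    2: "ATTRIBUTES_UPLEVEL_ONLY",
    4: "ATTRIBUTES_QUARANTINED_DOMAIN",
    8: "ATTRIBUTES_FOREST_TRANSITIVE",
    16: "ATTRIBUTES_CROSS_ORGANIZATION",
    32: "ATTRIBUTES_WITHIN_FOREST",
    64: "ATTRIBUTES_TREAT_AS_EXTERNAL",
}
OUTBOUND = 2           # trustDirection bit: this domain trusts the partner
QUARANTINED = 4        # trustAttributes bit set by "netdom trust ... /Quarantine Yes"
FOREST_TRANSITIVE = 8
WITHIN_FOREST = 32


def decode_attributes(value):
    """trustAttributes is a bit mask, so several flags can be set at once.
    Test each bit with AND; comparing for equality only matches trusts with
    exactly one flag set. Unknown bits are reported rather than dropped."""
    names = [name for bit, name in TRUST_ATTRIBUTES.items() if value & bit]
    unknown = value & ~sum(TRUST_ATTRIBUTES)
    if unknown:
        names.append("UNKNOWN_0x%x" % unknown)
    return names


def describe_trust(trust):
    """Human-readable view of one trustedDomain record (a dict of attribute values)."""
    return {
        "partner": trust["trustPartner"],
        "direction": TRUST_DIRECTION.get(trust["trustDirection"], "UNKNOWN"),
        "type": TRUST_TYPE.get(trust["trustType"], "UNKNOWN"),
        "attributes": decode_attributes(trust["trustAttributes"]),
    }


def sid_filtering_status(trust):
    """Classify a trust by whether the quarantine bit protects this domain.

    Only outbound trusts matter: SIDs from the partner enter this domain's
    tokens only when this domain trusts the partner. Trusts within the forest
    are skipped (quarantine would break transitive access). Forest trusts are
    reported separately because their SID filtering is governed by the forest
    trust's SID-history setting, not by the quarantine bit."""
    attrs = trust["trustAttributes"]
    if attrs & WITHIN_FOREST or not trust["trustDirection"] & OUTBOUND:
        return "not applicable"
    if attrs & QUARANTINED:
        return "quarantined"
    if attrs & FOREST_TRANSITIVE:
        return "forest trust (quarantine bit not used)"
    return "UNFILTERED"


def audit_trusts(trusts):
    """Map each trust partner to its SID filtering status."""
    return {t["trustPartner"]: sid_filtering_status(t) for t in trusts}


# Constructed sample records; real values come from the trustedDomain objects.
SAMPLE_TRUSTS = [
    {"trustPartner": "amer.rallencorp.com", "trustDirection": 3, "trustType": 2,
     "trustAttributes": WITHIN_FOREST},                 # child domain, same forest
    {"trustPartner": "partner.example", "trustDirection": 3, "trustType": 2,
     "trustAttributes": QUARANTINED | 1},               # external trust, filtered
    {"trustPartner": "NT4DOM", "trustDirection": 2, "trustType": 1,
     "trustAttributes": 1},                             # NT 4.0 domain, no quarantine
    {"trustPartner": "otherforest.example", "trustDirection": 3, "trustType": 2,
     "trustAttributes": FOREST_TRANSITIVE},             # forest trust
]

if __name__ == "__main__":
    for t in SAMPLE_TRUSTS:
        print(describe_trust(t))
    for partner, status in audit_trusts(SAMPLE_TRUSTS).items():
        print("%-25s %s" % (partner, status))
```

Any trust the audit reports as UNFILTERED is a candidate for the netdom /Quarantine Yes command above; the "not applicable" entries are the intra-forest and inbound-only trusts on which quarantine would either break transitive access or protect nothing.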

2.23.4 See Also

MS KB 289243 (MS02-001: Forged SID Could Result in Elevated Privileges in Windows 2000)


Recipe 2.24 Finding Duplicate SIDs in a Domain

2.24.1 Problem

You want to find any duplicate SIDs in a domain. Generally, you should never find duplicate SIDs in a domain, but it is possible in some situations, such as when the relative identifier (RID) FSMO role owner has to be seized or you are migrating users from Windows NT domains.

2.24.2 Solution

2.24.2.1 Using a command-line interface

To find duplicate SIDs run the following command, replacing <DomainControllerName> with a domain controller or domain name:

> ntdsutil "sec acc man" "co to se <DomainControllerName>" "check dup sid" q q

The following message will be returned:

Duplicate SID check completed successfully. Check dupsid.log for any duplicates

The dupsid.log file will be in the directory where you started ntdsutil.

If you want to delete any objects that have duplicate SIDs, you can use the following command:

> ntdsutil "sec acc man" "co to se <DomainControllerName>" "clean dup sid" q q

Like the check command, the clean command will generate a message like the following upon completion:

Duplicate SID cleanup completed successfully. Check dupsid.log for any duplicates

2.24.3 Discussion

All security principals in Active Directory have a SID, which is used to uniquely identify the object in the Windows security system. A SID has two parts, the domain identifier and the RID. Domain controllers are allocated a RID pool from the RID FSMO role owner for the domain. When a new security principal (user, group, or computer) is created, the domain controller takes a RID from its pool to generate a SID for the account.

In some rare circumstances, such as when the RID master role is seized, overlapping RID pools

potentially hazardous problem because a user, group, or computer could gain access to sensitive data they were never intended to have access to.
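As an added example of what the ntdsutil check is looking for (this is not the book's code, and ntdsutil's check dup sid remains the supported tool), here is a stand-alone Python script that finds duplicate SIDs in an exported list of objectSid values and also checks the domain controllers' RID pools for overlap, the condition the Discussion names as the cause. The records and pool values are constructed; in practice they would be read from the objectSid attribute of the domain's security principals and from the rIDAllocationPool attribute of each DC's RID Set object. The decoding of rIDAllocationPool (low 32 bits = first RID in the pool, high 32 bits = last RID) is the attribute's documented format and is not something the page itself describes.

```python
# Added example (not from the Active Directory Cookbook): an offline duplicate-SID
# check over (distinguishedName, objectSid) pairs, plus a check for overlapping
# RID pools between domain controllers. All input below is constructed.
from collections import defaultdict


def parse_sid(sid):
    """Split 'S-1-5-21-a-b-c-RID' into (domain identifier, RID).

    The domain identifier is everything but the last sub-authority; the RID is
    the last one, handed out from the issuing DC's RID pool."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S":
        raise ValueError("not a SID: %r" % sid)
    return "-".join(parts[:-1]), int(parts[-1])


def find_duplicate_sids(records):
    """records: iterable of (dn, sid). Returns {sid: [dn, ...]} for every SID
    that is used by more than one security principal."""
    by_sid = defaultdict(list)
    for dn, sid in records:
        parse_sid(sid)                 # reject malformed values early
        by_sid[sid].append(dn)
    return {sid: dns for sid, dns in by_sid.items() if len(dns) > 1}


def rid_pool_range(value):
    """rIDAllocationPool is a 64-bit integer: low 32 bits = first RID in the
    pool, high 32 bits = last RID (inclusive)."""
    return value & 0xFFFFFFFF, value >> 32


def overlapping_rid_pools(pools):
    """pools: {dc_name: rIDAllocationPool}. Returns pairs of DCs whose pools
    overlap. Two DCs sharing RIDs will eventually mint duplicate SIDs; this is
    what a bad RID master seizure can cause."""
    ranges = sorted((rid_pool_range(v), dc) for dc, v in pools.items())
    overlaps = []
    for i, ((lo1, hi1), dc1) in enumerate(ranges):
        for (lo2, hi2), dc2 in ranges[i + 1:]:
            # sorted by start, so a later pool overlaps iff it starts before this one ends
            if lo2 <= hi1:
                overlaps.append((dc1, dc2))
    return overlaps


# Constructed sample data: one domain, four principals, one duplicate SID.
DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"
SAMPLE_RECORDS = [
    ("CN=rallen,CN=Users,DC=rallencorp,DC=com", DOMAIN_SID + "-1104"),
    ("CN=jsmith,CN=Users,DC=rallencorp,DC=com", DOMAIN_SID + "-1105"),
    ("CN=svc-backup,OU=Service,DC=rallencorp,DC=com", DOMAIN_SID + "-1104"),  # duplicate
    ("CN=DC1,OU=Domain Controllers,DC=rallencorp,DC=com", DOMAIN_SID + "-1000"),
]

# Constructed rIDAllocationPool values: DC3's pool overlaps both DC1's and DC2's.
SAMPLE_POOLS = {
    "DC1": (1599 << 32) | 1100,   # RIDs 1100..1599
    "DC2": (2099 << 32) | 1600,   # RIDs 1600..2099
    "DC3": (1899 << 32) | 1400,   # RIDs 1400..1899
}

if __name__ == "__main__":
    for sid, dns in find_duplicate_sids(SAMPLE_RECORDS).items():
        domain, rid = parse_sid(sid)
        print("duplicate RID %d in %s:" % (rid, domain))
        for dn in dns:
            print("   " + dn)
    for dc1, dc2 in overlapping_rid_pools(SAMPLE_POOLS):
        print("RID pools of %s and %s overlap" % (dc1, dc2))
```

The duplicate check is a plain grouping by SID, which is all ntdsutil's check dup sid does with far better access to the database; the RID pool check is the part worth running proactively after a RID master seizure, before any duplicate has been issued.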

2.24.4 See Also

MS KB 315062 (HOW TO: Find and Clean Up Duplicate Security Identifiers with Ntdsutil in Windows 2000).

Posted: 05/07/2014, 08:20