windows-nt/Source/XPSP1/NT/admin/admt/documents/help-ms/admtunderstandtrust.htm

80 lines
5.7 KiB
HTML
Raw Permalink Normal View History

2020-09-26 03:20:57 -05:00
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN"
"http://www.w3.org/TR/REC-html40/strict.dtd">
<HTML DIR="LTR">
<HEAD>
<TITLE>Understanding trust relationships</TITLE>
<LINK REL="stylesheet" MEDIA="screen" TYPE="text/css" HREF="coUA.css">
<LINK REL="stylesheet" MEDIA="print" TYPE="text/css" HREF="coUAprint.css">
<SCRIPT LANGUAGE="JScript" SRC="shared.js"></SCRIPT>
<META HTTP-EQUIV="Content-Type" CONTENT="text-html;charset=Windows-1252">
<META HTTP-EQUIV="PICS-Label" CONTENT='(PICS-1.1 "<http://www.rsac.org/ratingsv01.html>" l comment "RSACi North America Server" by "inet@microsoft.com <mailto:inet@microsoft.com>" r (n 0 s 0 v 0 l 0))'>
<META NAME="MS.LOCALE" CONTENT="EN-US">
<META NAME="MS-IT-LOC" Content="Active Directory Migration Tool">
<META NAME="MS-HAID" CONTENT="a_ADMTUnderstandTrust">
</HEAD>
<BODY>
<H1>Understanding trust relationships</H1>
<P>A trust relationship connects two domains and allows users in the trusted domain to access resources in the trusting domain. Groups can contain members from trusted domains. To migrate groups with <A ID="wPopup" HREF="HELP=ADMTGlos.hlp TOPIC=MemberAccount">member accounts</A> from trusted domains, you must first establish the same trust relationships in the <A ID="wPopup" HREF="HELP=ADMTGlos.hlp TOPIC=TargetDomain"> target domain</A> as exist in the <A ID="wPopup" HREF="HELP=ADMTGlos.hlp TOPIC=SourceDomain">source domain</A>. These trusts will allow authentication to continue to operate as it did before the migration.</P>
<P>For example, a <A ID="wPopup" HREF="HELP=ADMTGlos.hlp TOPIC=ResourceDomain">resource domain</A> usually trusts an <A ID="wPopup" HREF="HELP=ADMTGlos.hlp TOPIC=AccountDomain">account domain</A>. This is usually a one-way trust. When you migrate users from an account domain into a target Windows&nbsp;2000 domain, the resource domain temporarily remains outside of the <A ID="wPopup" HREF="HELP=ADMTGlos.hlp TOPIC=Forest">forest</A>. To allow the migrated users access to the resources in the resource domain, you must establish a new one-way trust from the resource domain to the target domain in the Windows&nbsp;2000 forest. This trust will remain active until the resource domain is migrated into the forest and finally decommissioned.</P>
<P>The Trust Migration Wizard does this by comparing the trust relationships in the source domain to the trust relationships in the target domain. The Trust Migration Wizard mirrors in the target domain any trust relationships that exist in the source domain, but not in the target domain. This wizard does not affect any trusts that exist in the target domain, but not in the source domain.</P>
<H2>Migrating an account domain</H2>
<P>In a typical <A ID="wPopup" HREF="HELP=ADMTGlos.hlp TOPIC=AccountDomain"> account domain</A> and <A ID="wPopup" HREF="HELP=ADMTGlos.hlp TOPIC=ResourceDomain"> resource domain</A> relationship, as shown in the illustration, the Windows&nbsp;NT resource domains trust the source account domain. Resource domains must also trust the new target account domain. This allows users in the account domain to access resources in the resource domains. </P>
<span class="webonly">
<A ID="thumbnail" TITLE="Enlarge figure" HREF="CHM=DomainMig.chm File=ADMT_03.gif">Resource domains trust the source account domain. They must also trust the new target account domain.</A>
</span>
<span class="printonly">
<img src="ADMT_03.gif">
</span>
<P>Before migrating user accounts from the Windows&nbsp;NT account domain to the Windows&nbsp;2000 target domain, you must create trusts from each of the resource domains that trust the account domain to the Windows&nbsp;2000 target domain. This will allow user accounts migrated to the target domain to access resources in the resource domains. Once the new trusts are established, you can clone the global groups and the users from the source account domain to the target domain.</P>
<span class="webonly">
<A ID="thumbnail" TITLE="Enlarge figure" HREF="CHM=DomainMig.chm FILE=ADMT_04.gif">Remove trusts to source domain and decommission the source domain.</A>
</span>
<P>As shown in the illustration, once you have migrated the users and global groups to the target domain, you can decommission the Windows&nbsp;NT 4.0 account domains. Because of the trusts created between the resource domains and the Windows&nbsp;2000 target domain, the newly cloned users in the target domain can continue to access resources in the resource domains. </P>
<span class="printonly">
<img src="ADMT_04.gif">
</span>
<H2>Migrating a resource domain</H2>
<P>For increased manageability, resources can be migrated into organizational units in the target domain. </P>
<span class="webonly">
<A ID="thumbnail" TITLE="Enlarge figure" HREF="CHM=DomainMig.chm FILE=ADMT_06.gif">Resource domains trust the account domain. The target source domain must also trust the account domain.</A>
</span>
<span class="printonly">
<img src="ADMT_06.gif">
</span>
<P>As shown in the illustration, when migrating a Windows&nbsp;NT 4.0 resource domain, you must create trusts between the target Windows&nbsp;2000 domain and the account domain trusted by that resource domain. Once the trusts are in place, you can clone the local groups that control access to the various resources, demote the backup domain controllers in the resource domain and, if desired, move them to the new source domain. </P>
<span class="webonly">
<A ID="thumbnail" TITLE="Enlarge figure" HREF="CHM=DomainMig.chm FILE=ADMT_07.gif">Remove trusts to source domain and decommission the source domain.</A>
</span>
<span class="printonly">
<img src="ADMT_07.gif">
</span>
<P>As shown in the illustration, when all resources have been transferred, you can decommission the original resource domain.</P>
</BODY>
</HTML>