Campus Active Directory - Forest Trust Technical Requirements
Before a Forest Trust can be created between a department's Active Directory forest and Campus Active Directory an audit must be performed by OCIS/DoIT Security. This audit will verify that all security requirements listed below have been configured correctly.
Note: Implementation of the security requirements in the trusting forest is the responsibility of the customer's Active Directory administrators. The customer administrators must make a reasonable effort to research the effects of these changes on their environment and to implement them in a way consistent with the customer's change management process.
- A CADS Trusts request must be completed and approved by the Office of Campus Information Security (OCIS)
- Domain and forest functional level must be WS 2003 or higher
- The following security policies must be configured on all domain controllers:
  - Publicly trusted server certificates installed
  - "Network security: Do not store LAN Manager hash value on next password change" - Enabled
  - "Network security: LDAP client signing requirements" - Require Signing
  - "Network security: LAN Manager authentication level" - Send NTLMv2 response only. Refuse LM & NTLM
  - "Domain Controller: LDAP Server signing requirements" - Require Signing
- Name resolution must be successfully verified between the CADS domain controllers and the trusting forest's domain controllers
- Campus Active Directory Service names are resolvable through Campus DNS
See the KB article explaining how to enable LDAPS on AD Domain Controllers.
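The following script is an added example, not part of the CADS KB article, that a department AD administrator can run as a self-check before requesting the OCIS/DoIT audit. It reads the registry values behind the four required security policies on each domain controller, checks the domain and forest functional levels, validates that the LDAPS certificate chain is trusted, and confirms that the CADS domain controller names from the IPsec filter list resolve to the addresses given there. It assumes the ActiveDirectory and DnsClient modules are installed, that WinRM is reachable on the trusting forest's DCs, and that the Campus DNS zone the CADS DCs live in is supplied as the `-CadsDnsSuffix` parameter (the article does not state it).

```powershell
# Added example (not from the CADS KB article): pre-audit self-check for the
# trusting forest's domain controllers.
#Requires -Modules ActiveDirectory

# Registry values written by the required Security Options. Expected values map
# to the settings named in the article: NoLMHash=1 (Enabled),
# LDAPClientIntegrity=2 and LDAPServerIntegrity=2 (Require signing),
# LmCompatibilityLevel=5 (Send NTLMv2 response only. Refuse LM & NTLM).
$RequiredSettings = @(
    @{ Policy = 'Do not store LAN Manager hash value on next password change'
       Path   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name   = 'NoLMHash';             Expected = 1 },
    @{ Policy = 'LDAP client signing requirements = Require signing'
       Path   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP'
       Name   = 'LDAPClientIntegrity';  Expected = 2 },
    @{ Policy = 'LAN Manager authentication level = NTLMv2 only, refuse LM & NTLM'
       Path   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name   = 'LmCompatibilityLevel'; Expected = 5 },
    @{ Policy = 'Domain Controller: LDAP server signing requirements = Require signing'
       Path   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
       Name   = 'LDAPServerIntegrity';  Expected = 2 }
)

function Test-DcSecurityPolicy {
    # Defaults to every DC in the local domain; needs WinRM on each DC.
    param([string[]]$DomainController = (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName))
    foreach ($dc in $DomainController) {
        Invoke-Command -ComputerName $dc -ArgumentList (,$RequiredSettings) -ScriptBlock {
            param($settings)
            foreach ($s in $settings) {
                # A missing value yields $null, which never equals the expected number, so it fails.
                $actual = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
                [pscustomobject]@{ Policy = $s.Policy; Expected = $s.Expected; Actual = $actual; Pass = ($actual -eq $s.Expected) }
            }
        } | Select-Object PSComputerName, Policy, Expected, Actual, Pass
    }
}

function Test-FunctionalLevel {
    # In the ADForestMode/ADDomainMode enumerations Windows2003Forest and
    # Windows2003Domain are both 2, so any value >= 2 satisfies "WS 2003 or higher".
    $f = Get-ADForest; $d = Get-ADDomain
    [pscustomobject]@{ ForestMode = $f.ForestMode; DomainMode = $d.DomainMode
                       Pass = ([int]$f.ForestMode -ge 2 -and [int]$d.DomainMode -ge 2) }
}

function Test-LdapsCertificate {
    # Opens TLS on 636 with the default validation callback: the handshake only
    # succeeds if this host already trusts the DC certificate's issuing chain,
    # which is what "publicly trusted server certificate" means in practice.
    param([Parameter(Mandatory)][string]$DomainController)
    $tcp = $null; $ssl = $null
    try {
        $tcp = New-Object System.Net.Sockets.TcpClient($DomainController, 636)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($DomainController)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{ Server = $DomainController; Issuer = $cert.Issuer; NotAfter = $cert.NotAfter; Pass = $true; Error = $null }
    } catch {
        [pscustomobject]@{ Server = $DomainController; Issuer = $null; NotAfter = $null; Pass = $false; Error = $_.Exception.Message }
    } finally {
        if ($ssl) { $ssl.Dispose() }
        if ($tcp) { $tcp.Close() }
    }
}

function Test-CadsNameResolution {
    # $CadsDnsSuffix is an assumption: the article does not give the zone name.
    param([Parameter(Mandatory)][string]$CadsDnsSuffix)
    # Names and addresses copied from the article's "CADS Domain Controllers" filter list.
    $cads = @{ 'CADSDC-PROD-01' = '144.92.104.44'; 'CADSDC-PROD-02' = '144.92.74.87'; 'CADSDC-PROD-03' = '144.92.104.17'
               'CADSDC-PROD-04' = '144.92.74.63';  'CADSDC-PROD-05' = '144.92.104.18'; 'CADSDC-PROD-06' = '144.92.74.69' }
    foreach ($name in ($cads.Keys | Sort-Object)) {
        $fqdn = "$name.$CadsDnsSuffix"
        $ips  = Resolve-DnsName -Name $fqdn -Type A -ErrorAction SilentlyContinue |
                Where-Object Type -eq 'A' | Select-Object -ExpandProperty IPAddress
        [pscustomobject]@{ Name = $fqdn; Expected = $cads[$name]; Resolved = ($ips -join ','); Pass = ($ips -contains $cads[$name]) }
    }
}

# Usage, from a DC or an RSAT workstation in the trusting forest:
# Test-DcSecurityPolicy | Format-Table -AutoSize
# Test-FunctionalLevel
# Get-ADDomainController -Filter * | ForEach-Object { Test-LdapsCertificate -DomainController $_.HostName }
# Test-CadsNameResolution -CadsDnsSuffix '<campus-dns-zone>' | Format-Table -AutoSize
```

Any row whose `Pass` column is `False` is something the OCIS/DoIT audit would also flag; fix it through the normal change process before submitting the CADS Trusts request.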
IPsec Policy
IPsec Rules: CADS Forest Trust Traffic
Name | Description | Mode (Transport or Tunnel IP) | IP Filter List | Filter Action List | Network Type | Authentication Method
--- | --- | --- | --- | --- | --- | ---
CADS | Forest trust traffic | Transport | DCs | ESP-3DES-SHA1-0-3600 | LAN | PSK
IP Filter List: DCs (CADS Domain Controllers)
Name | Src Address | Dest Address | Protocol | Src Port | Dest Port | Mirrored
--- | --- | --- | --- | --- | --- | ---
CADSDC-PROD-01 | 144.92.104.44 | My IP Address | ANY | ANY | ANY | Y
CADSDC-PROD-02 | 144.92.74.87 | My IP Address | ANY | ANY | ANY | Y
CADSDC-PROD-03 | 144.92.104.17 | My IP Address | ANY | ANY | ANY | Y
CADSDC-PROD-04 | 144.92.74.63 | My IP Address | ANY | ANY | ANY | Y
CADSDC-PROD-05 | 144.92.104.18 | My IP Address | ANY | ANY | ANY | Y
CADSDC-PROD-06 | 144.92.74.69 | My IP Address | ANY | ANY | ANY | Y
Filter Actions
Name | Description | Filter Action Behavior | Security Method | AH | ESP | Session Key Lifetimes (KB / seconds) | Accept Clear | Allow Fallback | Use PFS
--- | --- | --- | --- | --- | --- | --- | --- | --- | ---
ESP-3DES-SHA1-0-3600 | Require ESP 3DES/SHA1, no inbound clear, no fallback to clear, no PFS | Negotiate Security | Custom | N/A | 3DES/SHA1 | 0 / 3600 | N | N | N
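The same rule, filter list and filter action expressed with the NetSecurity cmdlets (Windows Server 2012 and later) instead of the legacy IP Security Policy snap-in, as an added example that is not part of the CADS KB article. The cipher, hash, lifetime, PFS and PSK choices are the ones the tables above specify; the script assumes it runs elevated on each trusting-forest domain controller, maps the article's "LAN" network type to the Domain firewall profile, and reads the pre-shared key at a prompt so it is never stored in the script. The article's "0" kilobyte lifetime (no byte-based rekey) has no exact cmdlet equivalent here, so only the 3600-second lifetime is set and the cmdlet's default byte lifetime applies.

```powershell
# Added example (not from the CADS KB article): IPsec requirement for traffic to
# and from the CADS domain controllers, equivalent to the tables in the article.
#Requires -RunAsAdministrator
#Requires -Modules NetSecurity

# IP filter list "DCs": the CADS DC addresses from the article. A NetIPsecRule is
# mirrored by default, covering both directions like the "Mirrored = Y" entries.
$CadsDcAddresses = @('144.92.104.44', '144.92.74.87', '144.92.104.17',
                     '144.92.74.63',  '144.92.104.18', '144.92.74.69')

# Filter action "ESP-3DES-SHA1-0-3600": ESP only (no AH), 3DES encryption,
# SHA1 integrity, 3600-second (60-minute) session key lifetime, no PFS.
$qmProposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP `
                  -Encryption DES3 -ESPHash SHA1 -MaxMinutes 60
$qmSet = New-NetIPsecQuickModeCryptoSet -DisplayName 'ESP-3DES-SHA1-0-3600' `
             -Proposal $qmProposal -PerfectForwardSecrecyGroup None

# Authentication method "PSK": machine-level pre-shared key agreed with CADS.
# Read as a SecureString and decoded only at the point the cmdlet needs it.
$pskSecure = Read-Host -Prompt 'Pre-shared key agreed with CADS' -AsSecureString
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($pskSecure)
try   { $pskPlain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
$authProposal = New-NetIPsecAuthProposal -Machine -PreSharedKey $pskPlain
$p1Set = New-NetIPsecPhase1AuthSet -DisplayName 'CADS PSK' -Proposal $authProposal
Remove-Variable pskPlain

# Rule "CADS": transport mode, any protocol/port, local host <-> CADS DCs.
# Require on both sides = no inbound clear text and no fallback to clear.
New-NetIPsecRule -DisplayName 'CADS' -Description 'Forest trust traffic' `
    -Mode Transport -LocalAddress Any -RemoteAddress $CadsDcAddresses -Protocol Any `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $p1Set.Name -QuickModeCryptoSet $qmSet.Name -Profile Domain

# Verification after the first trust traffic: a quick-mode SA should exist for
# each CADS DC address, and none of the CADS traffic should flow unprotected.
Get-NetIPsecRule -DisplayName 'CADS' | Get-NetIPsecQuickModeCryptoSet
Get-NetIPsecQuickModeSA | Where-Object { $CadsDcAddresses -contains $_.RemoteEndpoint } |
    Select-Object LocalEndpoint, RemoteEndpoint, CipherAlgorithm, IntegrityAlgorithm
```

Because the rule requires security in both directions, a mismatch in the PSK or proposal on either side shows up immediately as failed trust traffic rather than as silent clear-text fallback; `Get-NetIPsecMainModeSA` and `Get-NetIPsecQuickModeSA` are the first places to look when the trust validation fails after this rule is in place.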
Recommendations
The following configurations are not required, but are recommended for all trusting forests:
- Domain Controllers meet or exceed Center for Internet Security Benchmarks (Enterprise or SSLF)
- Request a delegation in Campus DNS for the customer Active Directory DNS name
- The following settings applied to all member servers and workstations:
  - "Network security: LDAP client signing requirements" - Require Signing
  - "Network security: LAN Manager authentication level" - Send NTLMv2 response only. Refuse LM & NTLM
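One way to roll the two recommended member settings out through Group Policy, as an added example that is not part of the CADS KB article. It writes the registry values those two Security Options set, using a GPO name and target OU that are placeholders, and assumes the GroupPolicy module (RSAT) is installed. Linking to a pilot OU first matches the warning in the referenced TechNet article about client and program issues after changing these settings.

```powershell
# Added example (not from the CADS KB article): GPO carrying the recommended
# member server / workstation settings.
#Requires -Modules GroupPolicy

$GpoName  = 'CADS Trust - Member Hardening'          # placeholder GPO name
$PilotOu  = 'OU=Pilot,OU=Members,DC=example,DC=edu'  # placeholder OU to link first

function Set-CadsMemberHardeningGpo {
    param([string]$Name = $GpoName, [string]$TargetOu = $PilotOu)
    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $Name -Comment 'Recommended settings for CADS forest trust' }

    # "Network security: LDAP client signing requirements" = Require signing (2)
    Set-GPRegistryValue -Name $Name -Key 'HKLM\SYSTEM\CurrentControlSet\Services\LDAP' `
        -ValueName 'LDAPClientIntegrity' -Type DWord -Value 2 | Out-Null

    # "Network security: LAN Manager authentication level"
    #   = Send NTLMv2 response only. Refuse LM & NTLM (5)
    Set-GPRegistryValue -Name $Name -Key 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa' `
        -ValueName 'LmCompatibilityLevel' -Type DWord -Value 5 | Out-Null

    # Link to the pilot OU only; widen the link after the pilot period.
    if (-not (Get-GPInheritance -Target $TargetOu).GpoLinks.DisplayName -contains $Name) {
        New-GPLink -Name $Name -Target $TargetOu -LinkEnabled Yes | Out-Null
    }
    # Return what the GPO now carries so the caller can review it.
    Get-GPRegistryValue -Name $Name -Key 'HKLM\SYSTEM\CurrentControlSet\Services\LDAP'
    Get-GPRegistryValue -Name $Name -Key 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa'
}

Set-CadsMemberHardeningGpo
```

On a pilot member, `gpupdate /force` followed by `gpresult /r` confirms the GPO applied; the same registry values can then be read back with `Get-ItemProperty` before the link is extended to the remaining servers and workstations.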
Glossary
- Parent and child trust - By default, when a new child domain is added to an existing domain tree, a new parent and child trust is established. Authentication requests made from subordinate domains flow upward through their parent to the trusting domain.
- Tree-root trust - By default, when a new domain tree is created in an existing forest, a new tree-root trust is established.
- External trust - An external trust can be created between two domains in different forests or between an AD domain and a Windows NT domain.
- Forest trust - A forest trust can be created between the forest root domains of two forests and allows authentication between all domains in either forest.
- Shortcut trust - A shortcut trust can be defined between two domains in the same forest. A shortcut trust is used where the trust path is long or network connections between domain controllers in the trust path cannot efficiently support the authorization traffic.
- Realm trust - A realm trust can be created between a domain and a non-Windows system such as a system hosting a UNIX or Linux OS with Kerberos version 5.
- Transitive trust - If domain "A" has a transitive trust with domain "B" and domain "B" has a transitive trust with domain "C", domain "A" will also trust domain "C" despite there not being an explicit trust between domain "A" and domain "C."
- Non-transitive trust - If the trusts between domains "A" and "B" and between "B" and "C" are non-transitive, domain "A" will not trust domain "C."
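To see how these glossary terms apply to an existing environment, the following added example (not part of the CADS KB article) inventories the trusts of the local forest and labels each with the type and transitivity defined above, flagging inter-forest trusts that do not use selective authentication, the control the referenced TechNet articles describe. It assumes the ActiveDirectory module and an account that can read the trust objects.

```powershell
# Added example (not from the CADS KB article): inventory of the local forest's
# trusts classified with the glossary terms from the article.
#Requires -Modules ActiveDirectory

function Get-TrustInventory {
    # TRUST_ATTRIBUTE_NON_TRANSITIVE flag stored in trustAttributes on the trustedDomain object.
    $NonTransitive = 0x1
    Get-ADTrust -Filter * | ForEach-Object {
        # Parent-child, tree-root and shortcut trusts all stay inside one forest;
        # a forest trust is the only cross-forest trust marked forest-transitive;
        # an MIT trust type is a realm trust; anything else is an external trust.
        $kind = if ($_.IntraForest)             { 'Intra-forest (parent-child, tree-root or shortcut)' }
                elseif ($_.ForestTransitive)    { 'Forest trust' }
                elseif ($_.TrustType -eq 'MIT') { 'Realm trust' }
                else                            { 'External trust' }
        # Transitive unless the non-transitive attribute is set (external trusts carry it).
        $transitive = -not ($_.TrustAttributes -band $NonTransitive)
        # Review point: an inter-forest trust without selective authentication lets
        # every authenticated user of the trusted forest reach every resource here.
        $review = if (-not $_.IntraForest -and -not $_.SelectiveAuthentication) {
                      'selective authentication not enabled' } else { '' }
        [pscustomobject]@{
            Name       = $_.Name
            Kind       = $kind
            Direction  = $_.Direction          # Inbound, Outbound or BiDirectional
            Transitive = $transitive
            Review     = $review
        }
    }
}

Get-TrustInventory | Sort-Object Kind, Name | Format-Table -AutoSize
```

A new CADS forest trust will appear in this list as `Forest trust`; if the department chooses to enable selective authentication on it (see the TechNet references below), the `Review` column clears once the trust is updated.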
References
- Center for Internet Security
- Campus Active Directory Service Request
- Campus Active Directory Domain Controller Security Settings
- Client, service, and program issues can occur if you change security settings and user rights assignments (MS TechNet)
- Domain and Forest Trusts Technical Reference (MS TechNet)
- Understanding Trusts (MS TechNet)
- Active Directory Domains and Trusts (MS TechNet)
- Enable Selective Authentication over a Forest Trust (MS TechNet)
- Grant the Allowed to Authenticate Permission on Computers in the Trusting Domain or Forest (MS TechNet)