Configure Trusts

Practice Labs Module
Time: 1 hour 10 minutes
Difficulty: Intermediate

The "Configure Trusts" module provides you with the instruction and server hardware to develop your hands-on skills in the defined topics. This module includes the following exercises: 1) Configure Forest Trusts, 2) Configure Name Suffix Routing, 3) Configure External Trusts, 4) Create Shortcut Trusts, 5) Configure SID Filtering.

Overview

Exercise 1 – Configure Forest Trusts

In this exercise, you will create a new Active Directory forest, add a child domain to an existing AD parent domain, and create a forest trust relationship.

Exercise 2 – Configure Name Suffix Routing

In this exercise, you will see how name suffix routing works. Name suffix routing is a mechanism used to manage how authentication requests are forwarded across Windows Server forests that are joined together by forest trusts. To streamline requests for authentication, when a forest trust is initially created, all unique name suffixes are routed by default.

Exercise 3 – Configure External Trusts

In the previous exercise, you created a forest trust between two Windows domain forests. In this lab, you will reconfigure that trust to become an external trust relationship.

Exercise 4 – Create Shortcut Trusts

A shortcut trust is a logical link that connects a child domain to another forest root domain, or to another child domain that belongs to a different domain tree.

This type of trust shortens the trust path taken from the parent domain down to its child domains.

Exercise 5 – Configure SID Filtering

Security principals, such as user or group objects, have an attribute called SID history, to which Windows domain administrators can add users' old security identifiers (SIDs). This attribute is useful when users or groups are migrated to a new domain, because administrators do not need to modify access control lists (ACLs) on network resources and users can use their old SIDs to access resources in their new domain.

A compromised domain with SID history enabled can be used by an unauthorised user to associate SIDs with new user accounts, granting them unauthorised access. To prevent this type of attack, Windows Server automatically enables SID filtering on all external trusts that are created by a Windows domain controller.