AD Bridge Agent Active Directory Trust Support

The AD Bridge Enterprise agent supports the following Active Directory trusts:

Trust Type        Transitivity   Direction  AD Bridge Enterprise Default Cell Support       Named Cells
Parent and child  Transitive     Two-way    Yes                                              Yes
External          Nontransitive  One-way    No                                               Yes
External          Nontransitive  Two-way    No                                               Yes
Forest            Transitive     One-way    No                                               Yes
Forest            Transitive     Two-way    Yes: Must enable default cell in both forests.   Yes

For more information on the types of trusts, please see the Microsoft article Trust Types.

Notes on Trusts

The following is general information about working with trusts.

  • You must place the user or group that you want to give access to the trust in a cell other than the default cell.
  • In a two-way forest or parent-child trust, AD Bridge Enterprise merges the default cells. When merged, users in one domain can log on to computers in the other domain, and vice versa.
  • To put a user in a child domain but not the parent domain, you must put the user in a named cell, which is a cell associated with an organizational unit.
  • If there is a UID conflict across two domains, one domain will be dropped.
  • In a cross-forest transitive one-way or two-way trust, the root of the trusted forest must have a default cell.
  • In a one-way trust in which Forest A trusts Forest B, a computer in Forest A cannot get group information from Forest B, because Forest B does not trust Forest A. The computer in Forest A can obtain group information if the user logs on with a password for a domain user, but not if the user logs on with Kerberos single sign-on credentials. Only the primary group information, not the secondary group information, is obtained.
  • To support a one-way trust without duplicating user accounts, you must use a cell associated with an OU, not a default cell. If Domain A trusts Domain B (but not the reverse) and Domain B keeps all of its account information in cells associated with OUs, then when a user from Domain B logs on to a machine joined to Domain A, Domain B authenticates the user and authorizes access to the machine in Domain A.

In such a scenario, you should also add a domain user from the trusted domain to an administrative group in the trusting domain so that you can manage the trusting domain with the appropriate level of read access to trusted user and group information. However, before you add that domain user to the trusting domain, you must first add to the trusting domain a group that includes the user, because Unix and Linux computers require membership in at least one group and Active Directory does not enumerate a user's membership in foreign groups.

  • If you have a network topology in which the "front" domain trusts the "back" domain, and you join a machine to the front domain using a back domain administrator given in DOMAIN\user form, as in the following example, the attempt to join the domain will fail:

        domainjoin-cli join front.example.com back\\administrator password

    However, the attempt to join the domain will succeed if you give the account in UPN form:

        domainjoin-cli join front.example.com administrator@BACK.example.COM password
  • With AD Bridge Enterprise, aliased user names are supported in the default cell and in named cells.
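The following POSIX shell helper is an added example, not part of the AD Bridge documentation or product. It builds the domainjoin-cli join command line for a trusted-domain account, converting a DOMAIN\user credential into the user@DNS-domain form that the note above says the join requires. The NETBIOS_TO_DNS mapping, the function names and the sample domains are assumptions made for this example; the password is deliberately left off the generated command line so it is supplied interactively rather than stored in shell history.

```shell
#!/bin/sh
# Added example (not AD Bridge code): normalise a trusted-domain credential
# into UPN form before building a domainjoin-cli join command line.

# Assumed mapping of NetBIOS short names to DNS domain names. The values are
# constructed for this example; in practice take them from your AD forest.
NETBIOS_TO_DNS="BACK=BACK.example.COM FRONT=front.example.com"

# dns_for_netbios NETBIOS  -> prints the DNS name; returns 1 if unknown.
dns_for_netbios() {
    _want=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    for _pair in $NETBIOS_TO_DNS; do
        _key=${_pair%%=*}
        if [ "$_key" = "$_want" ]; then
            printf '%s\n' "${_pair#*=}"
            return 0
        fi
    done
    return 1
}

# to_upn CREDENTIAL  -> prints user@DNS.DOMAIN.
# Accepts 'DOMAIN\user' (converted) or 'user@dns.domain' (passed through).
# A bare user name is rejected: the target domain cannot be inferred.
to_upn() {
    _cred=$1
    case $_cred in
        *@*)
            printf '%s\n' "$_cred"
            ;;
        *\\*)
            _dom=${_cred%%\\*}
            _user=${_cred#*\\}
            _dns=$(dns_for_netbios "$_dom") || return 1
            printf '%s@%s\n' "$_user" "$_dns"
            ;;
        *)
            return 1
            ;;
    esac
}

# join_cmd TARGET_DOMAIN CREDENTIAL  -> prints the join command line.
# The password argument is intentionally omitted so the operator is prompted
# for it instead of placing it on the command line.
join_cmd() {
    _upn=$(to_upn "$2") || return 1
    printf 'domainjoin-cli join %s %s\n' "$1" "$_upn"
}

# Stand-alone usage: print the command for the "front trusts back" case.
join_cmd front.example.com 'back\administrator'
```

The helper only prints the command; review the output and then run it yourself. For the scenario in the note, `join_cmd front.example.com 'back\administrator'` prints `domainjoin-cli join front.example.com administrator@BACK.example.COM`, which is the form the note says succeeds.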

Trusts and Cells in AD Bridge

In AD Bridge Enterprise, a cell contains Unix settings, such as a UID and a GID, for an Active Directory user. When an AD user logs into an AD Bridge Enterprise client, AD Bridge Enterprise searches Active Directory for the user's cell information and must find it to operate properly. Thus, your AD topology and your trust relationships may dictate where to locate a cell in Active Directory so that your AD Bridge Enterprise clients can access their Unix settings.

With a default cell, AD Bridge Enterprise searches for a user or group's attributes in the default cell of the domain where the user or group resides. In a multi-domain topology, a default cell must exist in the domain where user and group objects reside in addition to the default cell that exists in the domain to which Linux or Unix computers are joined.

In a multi-domain topology, be sure to create a default cell in each domain.

Ideally, Unix information is stored on the user object in default cell Directory Integrated mode. If the client computer does not have the access rights to read and write the information to the user object, as in an external one-way trust, the Unix information cannot be stored on the user object. It can, however, be stored locally in a named cell, that is, a cell associated with an organizational unit.

Since a named cell can be linked to the default cell, you can store Unix information on the user object in default cell Directory Integrated mode when possible, and otherwise in a named cell that represents the external user.

For information about cells, please see Plan Your AD Bridge Deployment.