This article will focus on some of the important aspects and considerations while configuring a Forest Trust. It will also provide you a checklist, which might be useful during the planning stage.

Forest Trusts are created between Forest Root Domains, and a Forest Trust is valid for all Domains within the entire Forest. So if we establish a Forest Trust between Forest A and Forest B, that trust will also be valid between the child domains (if any) of these two forests. This is where a Forest Trust differs from an External Trust, which is valid only between two Domains.

Forest trusts are typically useful in the below scenarios:

Company A has merged with Company B, and now both companies need to access each other's resources. In this case, the ideal solution is creation of a two way trust.

Company A will use an application which is developed by Company B and hosted in Company B's environment. In this case, the typical configuration is a one way trust. We will discuss Trust Direction in the next section.

When a two way Forest Trust is created between Forest A and Forest B, all domains in Forest A will trust all domains in Forest B and vice versa. If a one way Forest Trust is created, where Forest A is the Trusting Domain and Forest B is the Trusted Domain, then Forest B can access resources within Forest A; however, Forest A cannot access resources within Forest B. Please remember that in a one way trust, the direction of trust and the direction of access are always opposite to each other.

An external or forest trust exposes a larger surface to attack. Therefore, it is important that proper security measures are taken while creating these trusts. There are two security settings available in a Forest Trust that can be used to enhance the security of communications made over the Forest Trust.

When SID Filtering is enabled, all the foreign SIDs will be removed (quarantined) from the user's access token while accessing any resource through the Forest Trust. The most common impact of this is that a migrated user account which is still accessing any resource using its old SID will not be able to access that resource anymore. In other words, when SID Filtering is enabled, it will block (filter) SID History through a Forest Trust. When we create a Forest Trust, SID Filtering is enabled by default.

In some cases, we need to disable SID Filtering. The most common scenario is during an AD migration, when SID History of user accounts needs to be honoured, so we need to disable SID Filtering. Please note that SID Filtering can be disabled or enabled only from the trusting Domain / Forest side of the trust.

If the trust is an External Trust, then we have to run the below command on any Domain Controller of the Trusting Domain (the values in angle brackets are placeholders for the trusting domain, the trusted domain and the credentials of an administrator in the trusted domain):

Netdom trust <TrustingDomain> /domain:<TrustedDomain> /quarantine:No /userD:<TrustedDomainAdmin> /passwordD:<Password>

If the trust type is a Forest Trust, then the command is different. We have to run the below command on any Domain Controller of the Trusting Forest's Root Domain (placeholders as above):

Netdom trust <TrustingForestRootDomain> /domain:<TrustedForestRootDomain> /enablesidhistory:Yes /userD:<TrustedDomainAdmin> /passwordD:<Password>

Please note that disabling SID Filtering is a security compromise, and not at all recommended unless there is a specific business need. Even if it is disabled on a temporary basis (Ex: during an AD migration), it should be

When SID Filtering is disabled, a rogue domain administrator can clone a SID from the other domain and add it to their SID History, granting them unauthorized rights.
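The two netdom commands above each flip one bit in the trust's trustAttributes value, so an auditor can read the effective SID Filtering state of every trust straight from the trustedDomain objects on the trusting side. The following is an added example, not code from the original article: it decodes the TRUST_ATTRIBUTE_* flags documented in MS-ADTS and flags trusts where filtering is off; the trust records it checks are constructed sample data, not taken from any real forest.

```python
"""Audit SID Filtering state from trustedDomain trustAttributes values.

Added example, not part of the original article. The flag values are the
TRUST_ATTRIBUTE_* bits from MS-ADTS; SAMPLE_TRUSTS is constructed data.
In a real audit, export name and trustAttributes of the trustedDomain
objects in the trusting domain (the side where netdom was run) and feed
them to audit_trusts().
"""

# trustAttributes flag bits (MS-ADTS 6.1.6.7.9)
TRUST_ATTRIBUTE_QUARANTINED_DOMAIN = 0x4   # SID filtering quarantine on an external trust
TRUST_ATTRIBUTE_FOREST_TRANSITIVE = 0x8    # the trust is a forest trust
TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL = 0x40   # set by "netdom trust /enablesidhistory:Yes"


def sid_filtering_state(trust_attributes: int) -> dict:
    """Return the trust kind and whether SID Filtering is effectively enabled.

    Forest trust: filtering is relaxed once TREAT_AS_EXTERNAL is set, which is
    exactly what /enablesidhistory:Yes does. External trust: filtering is on
    only while QUARANTINED_DOMAIN is set, which /quarantine:No clears.
    """
    if trust_attributes & TRUST_ATTRIBUTE_FOREST_TRANSITIVE:
        enabled = not (trust_attributes & TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL)
        kind = "forest"
    else:
        enabled = bool(trust_attributes & TRUST_ATTRIBUTE_QUARANTINED_DOMAIN)
        kind = "external"
    return {"kind": kind, "sid_filtering": enabled}


def audit_trusts(trusts):
    """Return one finding line per trust whose SID Filtering is disabled.

    trusts: iterable of (trust partner name, trustAttributes integer).
    """
    findings = []
    for name, attrs in trusts:
        state = sid_filtering_state(attrs)
        if not state["sid_filtering"]:
            findings.append(f"{name}: {state['kind']} trust with SID Filtering DISABLED")
    return findings


# Constructed sample records (hypothetical names), one per configuration
SAMPLE_TRUSTS = [
    ("forestb.example", 0x8),          # forest trust, default: filtering on
    ("forestc.example", 0x8 | 0x40),   # forest trust after /enablesidhistory:Yes
    ("partner.example", 0x4),          # external trust, quarantined: filtering on
    ("legacy.example", 0x0),           # external trust after /quarantine:No
]

if __name__ == "__main__":
    for line in audit_trusts(SAMPLE_TRUSTS):
        print(line)
```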