Page 1 of 5
When a trust is established between a domain in a particular forest and a domain outside of that forest,
security principals from the external domain can access resources in the internal domain. Active Directory
creates a foreign security principal object in the internal domain to represent each security principal from
the trusted external domain. These foreign security principals can become members of domain local
groups in the internal domain. Domain local groups can have members from domains outside of the
forest.
Directory objects for foreign security principals are created by Active Directory and should not be
manually modified. You can view foreign security principal objects from Active Directory Users and
Computers by enabling advanced features. For information about enabling advanced features, see To
view advanced features.
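The following PowerShell script is an added, read-only example and is not part of the TechNet article: it lists the foreign security principal objects in the current domain together with the domain local groups that contain them, so an administrator can see which external principals have been granted membership and which entries no longer resolve (typically because the trusted domain or account is gone). It assumes the ActiveDirectory module from RSAT and a domain-joined session; the function name Get-ForeignPrincipalMembership is chosen here, not a built-in cmdlet.

```powershell
# Added example (not from the TechNet article): enumerate foreign security principals
# and the domain local groups they belong to. Read-only audit; nothing is modified.
# Assumes the ActiveDirectory (RSAT) module and a domain-joined session.
Import-Module ActiveDirectory

function Get-ForeignPrincipalMembership {
    param(
        # Distinguished name of the domain to audit; defaults to the current domain.
        [string]$DomainDN = (Get-ADDomain).DistinguishedName
    )
    # Active Directory keeps the objects it creates for external principals here.
    $container = "CN=ForeignSecurityPrincipals,$DomainDN"
    $fsps = Get-ADObject -SearchBase $container `
        -LDAPFilter "(objectClass=foreignSecurityPrincipal)" `
        -Properties objectSid, memberOf

    foreach ($fsp in $fsps) {
        $sid  = [System.Security.Principal.SecurityIdentifier]$fsp.objectSid
        $name = $null
        # Translation succeeds for well-known SIDs and for principals the trust can
        # still resolve; failure usually means the trusted-side object no longer exists.
        try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }

        foreach ($groupDn in @($fsp.memberOf)) {
            $group = Get-ADGroup -Identity $groupDn -Properties GroupScope
            [pscustomobject]@{
                Sid        = $sid.Value
                Account    = $name
                Orphaned   = [string]::IsNullOrEmpty($name)
                Group      = $group.Name
                GroupScope = $group.GroupScope   # expected to be DomainLocal for FSP members
            }
        }
    }
}

Get-ForeignPrincipalMembership | Sort-Object Group | Format-Table -AutoSize
```

Rows whose Orphaned column is True are candidates for review: the group still grants access to a SID that nothing on the trusted side resolves any more. As the article says, the foreign security principal objects themselves should not be edited by hand; clean-up is done by removing the group membership.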
In domains with the functional level set to Windows 2000 mixed, it is recommended that you delete
external trusts from a domain controller running Windows Server 2003. External trusts to Windows NT 4.0
or 3.51 domains can be deleted by authorized administrators on the domain controllers running
Windows NT 4.0 or 3.51. However, only the trusted side of the relationship can be deleted on the domain
controllers running Windows NT 4.0 or 3.51. The trusting side of the relationship (created in the
Windows Server 2003 domain) is not deleted, and although it will not be operational, the trust will
continue to display in Active Directory Domains and Trusts. To remove the trust completely, you will need
to delete the trust from a domain controller running Windows Server 2003 in the trusting domain. If an
external trust is inadvertently deleted from a domain controller running Windows NT 4.0 or 3.51, you will
need to recreate the trust from any domain controller running Windows Server 2003 in the trusting
domain.
http://technet.microsoft.com/en-us/library/cc755427(d=printer,v=ws.10).aspx
9/13/2013
For more information about how to create an external trust, see Create an external trust.
and attempt to gain full access to the trusting domain and the resources within that domain. In this
scenario, a malicious user who has domain administrator credentials in the trusted domain is a threat to
the entire trusting forest.
SID filtering neutralizes the threat of malicious users in the trusted domain from using the SID history
attribute to gain elevated privileges.
Only domain administrators can disable SID filtering. To disable SID filter quarantining for the trusting
domain, type the following syntax at a command-prompt:
Netdom trust TrustingDomainName /domain:TrustedDomainName /quarantine:No /userD:domainadministratorAcct /passwordD:domainadminpwd
To enable SID filter quarantining, set the /quarantine: command-line option to Yes. For more
information about Netdom.exe, see Active Directory support tools.
You can enable or disable SID filter quarantining only from the trusting side of the trust. If the trust is a
two-way trust, you can also disable SID filter quarantining in the trusted domain by using the domain
administrator's credentials for the trusted domain and reversing the TrustingDomainName and
TrustedDomainName values in the command-line syntax.
Notes
To further secure your forest, you should consider enabling SID filter quarantining on all existing
external trusts that were created by domain controllers running Windows 2000 Service Pack 3 (or
earlier). You can do this by using Netdom.exe to enable SID filtering on existing external trusts, or
by recreating these external trusts from a domain controller running Windows Server 2003 or
Windows 2000 Service Pack 4 (or later).
You cannot turn off the default behavior that enables SID filter quarantining for newly created
external trusts.
External trusts created from domain controllers running Windows 2000 Service Pack 3 (or earlier)
do not enforce SID filter quarantining by default.
Domain controllers running Windows NT Server 4.0 do not take part in the trust creation process
when existing domain controllers in the same domain are running Windows 2000 or Windows
Server 2003.
You can enable or disable SID filter quarantining only for trusts that extend beyond forest
boundaries such as external and forest trusts. For more information about SID filtering and forest
trusts, see Forest trusts.
To re-enable the default SID filtering setting across forest trusts, set the /enablesidhistory: command-line option to No. For more information about Netdom, see Domain and Forest Trust Tools and Settings.
Note
The same security considerations for removing SID filter quarantining from external trusts apply to
allowing SID history to traverse forest trusts.
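The following PowerShell script is an added, read-only example and is not part of the TechNet article. It checks every trust for the two settings the article describes: SID filter quarantining on external trusts (the Netdom /quarantine option) and SID history being allowed across forest trusts (the Netdom /enablesidhistory option), and flags trusts that are weaker than the default. It reads the trustAttributes bits that Netdom sets rather than relying on derived properties: 0x4 (TRUST_ATTRIBUTE_QUARANTINED_DOMAIN), 0x8 (TRUST_ATTRIBUTE_FOREST_TRANSITIVE) and 0x40 (TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL), as defined in the [MS-ADTS] trustAttributes specification. It assumes the ActiveDirectory module; when Get-ADTrust is not available it evaluates a constructed sample set (clearly labelled) so the logic can be read offline. The function name Test-TrustSidFiltering is chosen here and is not a built-in cmdlet.

```powershell
# Added example (not from the TechNet article): audit trusts for SID filtering.
# Read-only; it reports findings and changes nothing. Assumes the ActiveDirectory
# module; falls back to constructed sample data when Get-ADTrust is unavailable.
Import-Module ActiveDirectory -ErrorAction SilentlyContinue

# trustAttributes bit values ([MS-ADTS] trustAttributes)
$TRUST_ATTRIBUTE_QUARANTINED_DOMAIN = 0x4   # SID filter quarantining on (Netdom /quarantine:Yes)
$TRUST_ATTRIBUTE_FOREST_TRANSITIVE  = 0x8   # this is a forest trust
$TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL  = 0x40  # SID history allowed across a forest trust
                                            # (Netdom /enablesidhistory:Yes); relaxes filtering

function Test-TrustSidFiltering {
    # Accepts Get-ADTrust objects or any object with Name, Direction, IntraForest, TrustAttributes.
    param([Parameter(ValueFromPipeline)] $Trust)
    process {
        $attrs    = [int]$Trust.TrustAttributes
        $isForest = ($attrs -band $TRUST_ATTRIBUTE_FOREST_TRANSITIVE) -ne 0

        if ($Trust.IntraForest) {
            # SID filtering is only configurable on trusts that cross the forest boundary.
            $type    = 'Intra-forest'
            $finding = 'n/a: trust is within the forest'
        } elseif ($isForest) {
            $type = 'Forest'
            if ($attrs -band $TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL) {
                $finding = 'WARN: SID history permitted across forest trust (/enablesidhistory:Yes)'
            } else {
                $finding = 'OK: default forest-trust SID filtering in effect'
            }
        } else {
            $type = 'External'
            if ($attrs -band $TRUST_ATTRIBUTE_QUARANTINED_DOMAIN) {
                $finding = 'OK: SID filter quarantining enabled'
            } else {
                $finding = 'WARN: external trust without SID filter quarantining (/quarantine:No)'
            }
        }

        [pscustomobject]@{
            Trust     = $Trust.Name
            Direction = $Trust.Direction
            Type      = $type
            Attrs     = ('0x{0:X}' -f $attrs)
            Finding   = $finding
        }
    }
}

$trusts = if (Get-Command Get-ADTrust -ErrorAction SilentlyContinue) {
    Get-ADTrust -Filter * -Properties TrustAttributes
} else {
    # Constructed sample data for offline reading only; these are not real trusts.
    @(
        [pscustomobject]@{ Name = 'partner.example';     Direction = 'BiDirectional'; IntraForest = $false; TrustAttributes = 0x4  }
        [pscustomobject]@{ Name = 'legacy-nt4.example';  Direction = 'Inbound';       IntraForest = $false; TrustAttributes = 0x1  }
        [pscustomobject]@{ Name = 'otherforest.example'; Direction = 'BiDirectional'; IntraForest = $false; TrustAttributes = 0x48 }
    )
}

$trusts | Test-TrustSidFiltering | Format-Table -AutoSize
```

On the sample data the external trust with 0x4 reports OK, the non-transitive trust with only 0x1 is flagged as an external trust without quarantining (the state the article describes for trusts created by Windows 2000 SP3 or earlier), and the forest trust with 0x48 is flagged because SID history is allowed across it. Run from the trusting side, since that is where the setting lives; the remediation commands are the Netdom options quoted in the article.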
2013 Microsoft. All rights reserved.