Chapter two

2. Window network concept

2.1. Workgroup

In computer networking, a workgroup is a collection of computers on a local area network

(LAN) that share common resources and responsibilities. Workgroups provide easy sharing of
files, printers and other network resources. Being a peer-to-peer (P2P) network design, each
workgroup computer may both share and access resources if configured to do so.

Workgroups are designed for small LANs in homes, schools, and small businesses. Workgroup,
for example, functions best with 15 or fewer computers. As the number of computers in a
workgroup grows, workgroup LANs eventually become too difficult to administer and should be
replaced with alternative solutions like domains or other client/server approaches.

A workgroup is a grouping of computers that are connected to each other over a network. This
grouping is handled within the Microsoft Windows operating system, where the members of the
workgroup assume the same workgroup name (though each computer in a workgroup must have
a unique computer name). Computers in a workgroup communicate directly with each other and
do not require a server to manage network resources.

Once a workgroup has been created, it is visible in My Network Places (available from the
desktop in Windows). The ability to see a whole workgroup simplifies the viewing and accessing
of shared resources.

1|Page
Fig: workgroup computers

2.1.1. Adding a computer to your workgroup

After your network and workgroup are set up, you can add computers to the workgroup. The
procedure varies slightly for different Microsoft Windows operating systems. Be sure to enter the
same workgroup names on all computers you are adding to the workgroup, so that they appear
together in My Network Places. Here are procedures for adding computers to a workgroup.
To specify a computer’s workgroup in Windows 7 operating system

1. Click Start, click Control Panel, and then click System and security then click System.
2. Click change setting
3. Click Change, and then in the Workgroup box, enter the name of the workgroup you
want to join.

If you want to rename your computer so that it’s easily recognizable among the other computer
names in My Network Places, enter a new name in the Computer description box. However, be
aware that some Internet connections require a specific computer name. If your Internet service
provider (ISP) has assigned you a computer name to use, do not change it.

2|Page
2.1.2. Workgroup and computer naming conventions

When you create names for your workgroup or computer it’s important to note some specific
naming conventions.
Workgroup names: A workgroup name must:

 Be the same for all computers in the workgroup

 Be different from any computer name in the workgroup
 Usually be fewer than 16 characters
 Usually not contain any of the following characters: ; : " < > * + = \ | ? ,

Computer names: A computer name must:

 Be unique in the workgroup (no other computer in the workgroup can have the same
name)
 Be different from the workgroup name
 Usually be less than 16 characters
 Usually not contain any of these characters: ; : " < > * + = \ | ? ,
 Under some circumstances, be all uppercase

2.1.3. Limitations and Considerations While Renaming a Computer name

 A computer can be renamed only by the administrator of the computer.

 If a computer is a member of an Active Directory domain, it should be removed from the
domain before it is renamed.
 Although Windows prompts administrators to restart the computer after renaming, in case
it doesn’t, it should be restarted manually before making any further modifications.
 In most cases renaming a computer does not affect the policies that have been applied on
it.
 To restrict or limit communication of a computer with other computers in the network
while renaming, the IP address of the computer should also be modified accordingly.

3|Page
After you have established your workgroup and computer names, you can set up file sharing
among the files, folders, and printers in your workgroup. To be able to access your workgroup
and its shared resources, you must be logged on to the network.

2.2. What is the difference between a domain and workgroup?

Domains, workgroups, and home groups represent different methods for organizing computers in
networks. The main difference among them is how the computers and other resources on the
networks are managed.

In a workgroup:

 All computers are peers; no computer has control over another computer.
 Each computer has a set of user accounts. To log on to any computer in the workgroup,
you must have an account on that computer.
 There are typically no more than twenty computers.
 A workgroup is not protected by a password.
 All computers must be on the same local network or subnet.

In a domain:

 One or more computers are servers. Network administrators use servers to control the
security and permissions for all computers on the domain. This makes it easy to make
changes because the changes are automatically made to all computers. Domain users
must provide a password or other credentials each time they access the domain.
 If you have a user account on the domain, you can log on to any computer on the domain
without needing an account on that computer.
 You probably can make only limited changes to a computer's settings because network
administrators often want to ensure consistency among computers.
 There can be thousands of computers in a domain.
 The computers can be on different local networks.

4|Page
2.2.1. Disadvantages of a Domain

One and only, but the major, disadvantage of having a domain oriented network environment is
that it has a single point of failure. This means that if the domain controller fails because of any
reason, the entire network goes down, and comes up only when the domain controller starts
working properly again.

2.2.1.1. Considerations before Adding a Computer to Domain

 The client computer must have a unique hostname in the network assigned to it.
 The client computer must have a static IP address assigned to it.
 The client computer must be provided with correct DNS address.

2.2.2. How to add a client Computer to the Domain?

To add a Windows 8 computer to domain, steps below must be followed:

1. Use the credentials of local administrator account to log on to Windows 8 computer, that
is to be added to the domain.
2. Click Desktop tile from the Start screen to go to the desktop.
3. Once on the desktop screen, click File Explorer icon from the taskbar.
4. On the Libraries window, right-click Computer icon from the left pane.
5. From the context menu that appears, click Properties.
6. On the System window, click Change settings option under Computer name, domain,
and work settings section from the right pane.

5|Page
 Click Change Settings

7. On the System Properties box, ensure that Computer Name tab is selected.
8. Once the tab is selected, click Change button.

Click Change

6|Page
 9. On the Computer Name/Domain Changes box, click to select Domain radio button
under Member of section.
10. In the enabled field, specify the fully qualified domain name (FQDN) of the domain to
which the computer is to be added.

Specify Domain Name

11. On the Windows Security box, provide the name and password of the domain
administrator or domain user account in the respective fields.

7|Page
 Specify Domain Admin Credentials

12. Once done, click OK button.

13. On the displayed welcome message box, click OK.
14. Click OK on the next displayed box.
15. Back on System Properties box, click Close when done.
16. On Microsoft Windows box, click Restart Now button to restart the Windows 8
computer automatically in order to allow the changes to take effect.

2.3. What is the Active Directory

An active directory is a directory structure used on Microsoft Windows based computers and
servers to store information and data about networks and domains. It is primarily used for
online information and was originally created in 1996 and first used with Windows 2000.
An active directory (sometimes referred to as an AD) does a variety of functions including the
ability to provide information on objects, helps organize these objects for easy retrieval and
access, allows access by end users and administrators and allows the administrator to set security
up for the directory.

An active directory can be defined as a hierarchical structure and this structure is usually broken
up into three main categories, the resources which might include hardware such as printers,
8|Page
services for end users such as web email servers and objects which are the main functions of the
domain and network.

It is interesting to note the framework for the objects. Remember that an object can be a piece of
hardware such as a printer, end user or security settings set by the administrator. These objects
can hold other objects within their file structure. All objects have an ID, usually an object name
(folder name). In addition to these objects being able to hold other objects, every object has its
own attributes which allows it to be characterized by the information which it contains. Most IT
professionals call these setting or characterizations schemas.

Depending on the type of schema created for a folder, will ultimately determine how these
objects are used. For instance, some objects with certain schemas cannot be deleted, they can
only be deactivated. Others types of schemas with certain attributes can be deleted entirely. For
instance, a user object can be deleted, but the administrator object cannot be deleted.

When understanding active directories, it is important to know the framework that objects can be
viewed at. In fact, an active directory can be viewed at either one of three levels, these levels
are called forests, trees or domains. The highest structure is called the forest because you can
see all objects included within the active directory.

Within the Forest structure are trees, these structures usually hold one or more domains, going
further down the structure of an active directory are single domains. To put the forest, trees and
domains into perspective, consider the following example.

A large organization has many dozens of users and processes. The forest might be the entire
network of end users and specific computers at a set location. Within this forest directory are
now trees that hold information on specific objects such as domain controllers, program data,
system, etc. Within these objects are even more objects which can then be controlled and
categorized.

9|Page
Some of the common tasks accomplished with Active Directory Users and Computers include:

 Adding new users to Active Directory

 Changing passwords
 Granting rights to file servers
 Allowing remote access to the network
 Setting login and logout scripts
 Restrict logon times
 Controlling when users can use the network
 Creating security groups - with either static or dynamic membership

2.3.1. Common Active Directory objects

Within each container reside Active Directory objects, which represent every resource that has
been added to your Active Directory hierarchy. As you look through the various containers
discussed above, you'll see the objects appear in the right pane.

Microsoft has done a pretty good job of giving the objects meaningful names. You can usually
quickly guess what an object does by its name. For example, the DHCP Users object is a group
object containing members that have read-only access to DHCP. Even if you can't discern an
object's purpose by its name, Microsoft has included a Description column that tells you what
each default object does. And, if worse comes to worse, there's always Google!

Each object is made up of a group of properties, which describe the object and what it can do.
View the properties for an object by right-clicking the object and, from the resulting shortcut
menu, selecting Properties. In this article, you will learn about the properties for the following
kinds of objects:

 Computers
 Groups
 Users

10 | P a g e
Only the default tabs for each object will be discussed here. If you have added applications that
extend Active Directory's schema, such as Exchange, there may be additional tabs on some kinds
of objects.

2.3.1.1. Computer Objects

The Computer object describes computers that have rights on the network. It can describe
domain controllers, member servers, or workstations. You'll find domain controllers in the
Domain Controllers container. Member servers and workstations will appear in the Computers
container. When you right-click a Computer object and select Properties, you'll see the screen
shown in Figure D.

Figure D

11 | P a g e
The Properties page for the computer named VISTA32.

As with most Properties pages, you'll find tabs with further information. Tabs on the Computer
Properties page include:

 General: This tab provides basic information about the object, including both its
NetBIOS name, its DNS name, type, Active Directory site and description.
 Operating System: This tab will show you the operating system running on the computer
and what service packs, if any, have been applied to it.
 Member Of: Here, you can view the computer's group memberships and make any
necessary adjustments. By default, all new computers are added to the group named
Domain Computers.
 Delegation: In older versions of Windows Server, this information was located on the
General tab. Select one of the 'trust' options if you want the computer to be able to
request services from another computer.
 Password Replication: The Password Replication tab holds a list of the Read-Only
Domain Controllers that store cached versions of the directory.
 Location: Enter details describing the computer's physical location.
 Managed By: Provide information regarding the staff person responsible for the
computer. You can quickly assign someone by selecting their information directly from
Active Directory.
 Object: This tab displays information about the object including its name, when it was
created, when it was last updated, and the Update Sequence Numbers for it. Update
Sequence Numbers are critical components when it comes to handling Active Directory
updates and keep things in check. On this tab, you can also indicate that the object should
be protected from accidental deletion.
 Security: This tab controls the Active Directory rights other objects have to this object.
The Group or user names box lists the objects with rights and the Permissions box
describes the permissions the selected user or group has been granted or denied.
 Dial-in: Decide whether or not users can remotely access the computer, whether by dial-
up or VPN. You can also set callback options for extra security.

12 | P a g e
  Attribute Editor (new tab in Windows Server 2008): In Windows Server 2008, Microsoft
has borrowed from the ADSI Edit utility and added this tab, which allows you to directly
manipulate all of the attributes associated with the selected object.

2.3.1.2. Group Objects

There are a couple of kinds of group objects that can be created in Active Directory. The first
kind, the security distribution group, provides a way to manage access rights for multiple users
(or other objects) all at once. Rather than assign individual permissions to a file share, for
example, you can give rights to the security group and then add and remove group members as
needed. Security groups can also be used as email distribution groups. The second kind of group,
called a distribution group, is used solely as an email distribution list. This article focuses on
security groups.

If you right click a Group object, you'll see the screen shown in Figure E.

Figure E

The Properties page for the Domain Admins group object.

13 | P a g e
Tabs on the Group object include:

 General: This tab displays information about the object. You can view, but not change
Group Scope and Group Type for Groups. You can change all other fields on this page.
 Member: Here you can add and remove group members. By clicking the Add button, you
can add individual objects or select multiple objects.
 Member Of: This tab lists the groups that the object belongs to. You can add or delete
group membership here.
 Managed By: Here you can enter information about who's in charge of the computer. You
can quickly assign someone by selecting their information directly from Active
Directory.
 Object: This tab displays information about the object including its name, when it was
created, when it was last updated, and the Update Sequence Numbers for it. On this tab,
you can also indicate that the object should be protected from accidental deletion.
 Security: This tab controls the Active Directory rights other objects have to this object.
The Group or users box lists the objects with rights and the Permissions box describes
the permissions the selected object has.
 Attribute Editor (new tab in Windows Server 2008): In Windows Server 2008, Microsoft
has borrowed from the ADSI Edit utility and added this tab, which allows you to directly
manipulate all of the attributes associated with the selected object.

2.3.1.3. User Objects

User objects are, well, users! Users, after all, are the foundation of your organization.
14 | P a g e
When you right-click a User object and select Properties, you'll see the screen shown in Figure F.

Figure F

The Properties page for a user object.

Tabs on User objects include:

 General: Displays general descriptive information about the user, including name, email
address and primary telephone number.
 Address: This tab displays postal addresses for the selected user.
 Account: The Account tab holds detailed account information for the user, including the
logon name for the user and, via the Logon Hours button on this tab, account restrictions.
The Account options section gives you a way to force users to change their password at
next logon, prevent them from changing passwords, require a Smart Card for logon, and
enable delegation for the account. You'll also use this page if the account gets locked out
due to logon failures. Microsoft has made is easy to unlock accounts by adding an
"Unlock account" option to this tab.
 Profile: The Profile tab holds fields that specify the paths to any logon scripts the user
needs to access. You can also specify a path to the user's profile and home folder here.

15 | P a g e
  Telephones: This tab serves as a repository for any telephone numbers you have for the
user, including pagers, cell phones, and IP telephone numbers.
 Organization: Don't confuse this tab with Active Directory's Organizational Unit object.
Here, you'll place information about the user's company, including job title, department,
and company name. You can also link the user to his or her manager's Active Directory
object.
 Terminal Services Profile: This tab is similar to the Profile tab, but this only controls
profile information for the Terminal Services session, including home folder location.
 Security: This tab controls the Active Directory rights other objects have to this object.
The Group or users box lists the objects with rights and the Permissions box describes
the permissions of the selected object.
 Remote Control: This tab indicates whether a user's Terminal Server session can be
remotely controlled. You can set options that allow you to establish view-only sessions or
that allow interaction.
 Member Of: This tab lists the groups to which the user belongs. You can add or delete
group membership here.
 Dial-in: On the Dial-in tab, you'll decide whether or not users can remotely access the
network, whether by dial-up or VPN. You can also set callback options for extra security.

2.3.2. Need of Active Directory Domain Services (AD DS)

In small-scale industries or in Small Office/Home Office (SOHO) environments, where there are
not more than 15 to 20 computers, it is recommended that a workgroup network environment
should be created, and each computer should be managed individually. The reason behind this
recommendation is that in small-scale industries or in SOHO networks, it is somewhat
impractical and unrealistic to have a dedicated computer system to work as a server. Moreover,
since the numbers of computers are limited in such setups, it is easier for the administrators to
manage and monitor all computers separately without any additional efforts.

On the other hand, in medium to large scale industries where there are several computers in the
network, it becomes practically impossible for the administrators to manage each computer
individually. In such scenarios, administrators can install Active Directory Domain Services on

16 | P a g e
Windows Server 2008 R2 in order to centrally manage all computers in the network
simultaneously, with least administrative overhead, and right from their own desks.

When Active Directory Domain Services is installed on Windows Server 20008 R2, the
computer is technically known as a Domain Controller, which then becomes capable of
managing, authenticating, and providing services to all client computers that are added as its
members.

After the successful installation of Active Directory Domain Services, administrators can create
domain user accounts right on the domain controller. Domain user accounts can log on to the
domain using any of the available domain client computers. Irrespective of the domain client
computer that a domain user uses to log on to the domain, credentials of the domain user
accounts are always authenticated from the domain controller itself.

2.3.3. Structure of Active directory

An Active Directory structure is an arrangement of information about objects. The objects fall
into two broad categories: resources (e.g., printers) and security principals (user or computer
accounts and groups). Security principals are assigned unique security identifiers (SIDs).

Each object represents a single entity whether a user, a computer, a printer, or a group and its
attributes. Certain objects can contain other objects. An object is uniquely identified by its name
and has a set of attributes the characteristics and information that the object represents defined by
a schema, which also determines the kinds of objects that can be stored in Active Directory.

Structure of active directory is divided in two categories

1. Logical structure
2. Physical structure

2.3.3.1. Logical structure of AD

Logical structure of AD includes forest, tree, domains and organizational unit.

17 | P a g e
The Active Directory framework that holds the objects can be viewed at a number of levels. The
forest, tree, and domain are the logical divisions in an Active Directory network.

Within a deployment, objects are grouped into domains. The objects for a single domain are
stored in a single database (which can be replicated). Domains are identified by their DNS name
structure, the namespace.

I. \Domain

A domain is defined as a logical group of network objects (computers, users, devices) that share
the same active directory database.

A domain is a management boundary. Domains are part of a forest. The first domain in a forest is
known as the forest root domain. In many small and medium organizations (and even some large
ones), you will only find a single domain in a single forest. The forest root domain defines the
default namespace for the forest. For example, if the first domain in a new forest is named
domain1.com, then that is the forest root domain. If you have a business need for a child domain,
for example - a branch office in Chicago, you might name the child domain chi. The FQDN of
the child domain would be chi.domain1.com. You can see that the child domain's name was
prepended forest root domain's name. This is typically how it works. You can have disjoint
namespaces in the same forest, but that's a whole separate can of worms for a different time.

In most cases, you'll want to try and do everything possible to have a single AD domain. It
simplifies management, and modern versions of AD make it very easy to delegate control based
on OU, which lessens the need for child domains.

II. Tree

A tree is a collection of one or more domains and domain trees in a contiguous namespace,
linked in a transitive trust hierarchy.

III. Forest

18 | P a g e
At the top of the structure is the forest. A forest is a collection of trees that share a common
global catalog, directory schema, logical structure, and directory configuration. The forest
represents the security boundary within which users, computers, groups, and other objects are
accessible.

A forest is a security boundary. Objects in separate forests are not able to interact with each
other, unless the administrators of each separate forest create a trust between them. For example,
an Enterprise Administrator account for domain1.com, which is normally the most privileged
account of a forest, will have, no permissions at all in a second forest named domain2.com, even
if those forests exist within the same LAN, unless there is a trust in place.

If you have multiple disjoint business units or have the need for separate security boundaries,
you need multiple forests.

IV. Organizational units

The objects held within a domain can be grouped into Organizational Units (OUs). OUs can
provide hierarchy to a domain, ease its administration, and can resemble the organization's
structure in managerial or geographical terms. OUs can contain other OUs domains are
containers in this sense. Microsoft recommends using OUs rather than domains for structure and
to simplify the implementation of policies and administration. The OU is the recommended level
at which to apply group policies, which are Active Directory objects formally named Group
Policy Objects (GPOs), although policies can also be applied to domains or sites (see below).
The OU is the level at which administrative powers are commonly delegated, but delegation can
be performed on individual objects or attributes as well.

Organizational Units are an arrangement for the administrator and do not function as containers;
the underlying domain is the true container. It is not possible, for example, to create user
accounts with an identical username (sAMAccountName) in separate OUs, such as "fred.staff-
ou.domain" and "fred.student-ou.domain", where "staff-ou" and "student-ou" are the OUs. This
is so because sAMAccountName, a user object attribute, must be unique within the domain.

19 | P a g e
However, two users in different OUs can have the same Common Name (CN), the name under
which they are stored in the directory itself.

Because duplicate usernames cannot exist within a domain, account name generation poses a
significant challenge for large organizations that cannot be easily subdivided into separate
domains, such as students in a public school system or university who must be able to use any
computer across the network.

2.3.3.2. Physical structure of AD

Physical structure of AD includes site and domain controller.

I. Site
Sites in Active Directory represent the physical structure, or topology, of your network. Active Directory

uses topology information, stored as site and site link objects in the directory, to build the most efficient

replication topology. You use Active Directory Sites and Services to define sites and site links. A site is a

set of well-connected subnets. Sites differ from domains; sites represent the physical structure of your

network, while domains represent the logical structure of your organization.

In Active Directory, a site is a set of computers well-connected by a high-speed network, such as a local

area network (LAN). All computers within the same site typically reside in the same building, or on the

same campus network. A single site consists of one or more Internet Protocol (IP) subnets. Subnets are

subdivisions of an IP network, with each subnet possessing its own unique network address. A subnet

address groups neighboring computers in much the same way that postal codes group neighboring postal

addresses.

II. Domain controller

A domain controller is a computer running Microsoft Windows Server 2008 that stores a replica
of the domain directory.

20 | P a g e
A domain controller (DC) is a server that handles all the security requests from other computers
and servers within the Windows Server domain. Security requests include requests to log in to
another server and checking permissions for various functions that need to be performed (e.g.,
accessing a file folder on a server or modifying a file within a folder). The domain controller
originated in Windows NT and managed the access to various resources granted to users and
other servers through the use of a username and password. A domain controller (DC) is a server
that responds to security authentication requests (logging in, checking permissions, etc.) within
the Windows Server domain. A domain is a concept introduced in Windows NT whereby a user
may be granted access to a number of computer resources with the use of a single username and
password combination.
Having more than one domain controller in a domain provides fault tolerance. If one domain
controller is offline, another domain controller can provide all of the required functions, such as
recording changes to the Active Directory service. Domain controllers manage all aspects of
users. Domain interaction, such as locating Active Directory objects and validating user logon
attempts. Because a domain may contain one or more domain controllers, and domain controllers
perform various key functions, the placement of domain controllers is an important task in the
implementation of Active Directory.
In Windows NT, there was a primary domain controller and a backup domain controller.
The primary DC focused on domain services only to avoid the possibility of a system slow down
or crash due to over tasking from managing other functionality and security requests. In the event
of a primary DC going down, a backup DC could be promoted and become the primary DC to
keep the rest of the server systems functioning correctly. Since Windows 2000, the need for
primary and backup DCs was nearly eliminated because of the introduction of Active Directory
(AD) and multi-master replication.
Primary Domain Controller, a server in a Windows NT network that maintains a read-write
directory of user accounts and security information. The PDC authenticates usernames and
passwords when members log into the network. Members only have to log into one domain to
access all resources in the network. In a trusted relationship, one domain may gain access to
other domains. In this case, members who log into the first domain will have access to the
resources in the other domains.

21 | P a g e
Backup Domain Controller (BDC) is a computer that has a copy of the user accounts database.
Unlike the accounts database on the Primary Domain Controller (PDC), the BDC database is a
read-only copy. When changes are made to the master accounts database on the PDC, the PDC
pushes the updates down to the BDCs.

Most domains will have at least one BDC, and often there are several BDCs in a domain. These
additional domain controllers exist to provide fault tolerance. If the PDC fails, then it can be
replaced by a BDC. In such circumstances, an administrator promotes a BDC to be the new
PDC. BDCs can also authenticate user logon requests - and take some of the authentication load
from the PDC.

2.4. Trust relationship between two different domains

Trust: A relationship between different domains or forests that allow sharing of resources
between them.

Trust can be transitive or non-transitive.

 Transitive Trust: Trust which can be extended to other domains in the forests.

 Non- Transitive Trust: Trust which cannot be extended to other domains in the
forests, it is only between the two domains of different forests.

2.4.1. Types of Trusts

There are several different types of trusts in Windows Server 2003/2008. These are listed below:

 Shortcut trust: A shortcut trust is used to improve user logon times between two domains
which are logically distant from each other in the Active Directory hierarchy. This trust is
created manually and is transitive. It can also be either one-way or two-way.

 External trust: An external trust is a trust created manually between domains in two
separate forests or between a Windows Server 2008 domain and a domain running Windows
NT 4.0 or earlier. External trusts are not transitive and can be either one-way or two-way.

22 | P a g e
 Realm trust: A realm trust is a trust created manually between a Windows Server domain
and domain running a non-Microsoft implementation of Kerberos, e.g. UNIX. This trust can
be either transitive, non-transitive, one-way or two-way.

 Tree-root trust: A tree-root trust is created automatically between a new tree and its root
domain. This trust is transitive and two-way by default.

 Parent-child trust: A parent-child trust is created automatically between a child and its
parent domain. This trust is transitive and two-way by default.

 Forest trust: A forest trust is created manually between two Windows Server 2008 forests.
The trust allows all domains in one forest to trust all domains in another forest, however a
forest trust is not transitive across three or more forests. This trust can be either one-way or
two way. Both forests must also be configured at the Windows Server 2003 functional level.

As well as manually creating trusts you can also configure the scope of authentication between
two domains. You can either allow domain-wide authentication where every computer in the
domain is trusted, or you can use selective authentication where only a selected number of
computers are trusted. If you apply selective authentication to a trust, then you will need to
manually configure which users in the trusted domain can authenticate with specific computers
in the trusting domain. Each user or group can be added to the relevant computers’ Access
Control Lists, which can be configured with the “Allowed to Authenticate” permission.

2.4.2. Direction of Trust

 One-way Trust: Network A trusts network B, and then network B can access network A
only.
 Two-way Trust: Network A trusts network B, and vice versa, then both networks A and B
can access each other.

23 | P a g e