A trust is a relationship, which you establish between domains, that makes it possible for users in one domain to be authenticated by a domain controller in the other domain.
Trusts in Windows NT
In the Windows NT 4.0 operating system, trusts are limited to two domains, and the trust relationship is nontransitive and one-way. In the following illustration, the nontransitive, one-way trust is shown by the straight arrow pointing to the trusted domain.
Trusts in Windows 2000 Server, Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 operating systems
All trusts that are created automatically within a Windows 2000 Server, Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2 forest are transitive, two-way trusts. Therefore, both domains in a trust relationship are trusted. As shown in the following illustration, this means that if Domain A trusts Domain B and Domain B trusts Domain C, users from Domain C can access resources in Domain A (when they are assigned the proper permissions). Only members of the Domain Admins group (or of Enterprise Admins in the forest root) can manage trust relationships.
A domain controller running Windows Server 2008 or Windows Server 2008 R2 authenticates users and applications using one of two protocols: the Kerberos version 5 (V5) protocol or NTLM. The Kerberos V5 protocol is the default protocol for computers running Windows 2000, Windows XP Professional, Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2. If any computer in a transaction does not support the Kerberos V5 protocol, the NTLM protocol is used.
Trusted domain objects
Trusted domain objects (TDOs) are objects that represent each trust relationship within a particular domain. Each time that a trust is established, a unique TDO is created and stored in its domain (in the System container). Attributes such as trust transitivity, type, and the reciprocal domain names are represented in the TDO.
Forest trust TDOs store additional attributes to identify all the trusted namespaces from its partner forest. These attributes include domain tree names, user principal name (UPN) suffixes, service principal name (SPN) suffixes, and security identifier (SID) namespaces.
You can use the New Trust Wizard or the Netdom command-line tool to create four types of trusts: external trusts, realm trusts, forest trusts, and shortcut trusts. The following table describes these trust types.

| Trust type | Transitivity | Direction | Description |
|---|---|---|---|
| External | Nontransitive | One-way or two-way | Use external trusts to provide access to resources that are located in a Windows NT 4.0 domain or in a domain that is located in a separate forest that is not joined by a forest trust. |
| Realm | Transitive or nontransitive | One-way or two-way | Use realm trusts to form a trust relationship between a non-Windows Kerberos realm and a Windows Server 2008 or Windows Server 2008 R2 domain. |
| Forest | Transitive | One-way or two-way | Use forest trusts to share resources between forests. If a forest trust is a two-way trust, authentication requests that are made in either forest can reach the other forest. |
| Shortcut | Transitive | One-way or two-way | Use shortcut trusts to improve user logon times between two domains within a Windows Server 2008 or Windows Server 2008 R2 forest. This is useful when two domains are separated by a long trust path, for example when they sit in different domain trees. |
When you create external trusts, shortcut trusts, realm trusts, or forest trusts, you have the option to create each side of the trust separately or both sides of a trust simultaneously.
If you choose to create each side of the trust separately, you must run the New Trust Wizard twice, once in each domain. When you create trusts using this method, you must supply the same trust password in both domains. As a security best practice, all trust passwords should be strong passwords; the trust password is the shared secret that protects the trust until the first automatic password change.
If you choose to create both sides of the trust simultaneously, you run the New Trust Wizard once. When you choose this option, a strong trust password is automatically generated for you. You must have the appropriate administrative credentials for the domains between which you are creating the trust.
The trust type and its assigned direction affect the trust path that is used for authentication. A trust path is a series of trust relationships that authentication requests must follow between domains. Before a user can access a resource in another domain, the security system on domain controllers running Windows Server 2008 or Windows Server 2008 R2 must determine whether the trusting domain (the domain that contains the resource that the user is trying to access) has a trust relationship with the trusted domain (the user’s logon domain). To determine this, the security system computes the trust path between a domain controller in the trusting domain and a domain controller in the trusted domain. In the following illustration, the trust path is indicated by an arrow that shows the direction of the trust.
All domain trust relationships have only two domains in the relationship: the trusting domain and the trusted domain.
A one-way trust is a unidirectional authentication path that is created between two domains. This means that in a one-way trust between Domain A and Domain B, users in Domain A can access resources in Domain B. However, users in Domain B cannot access resources in Domain A. Some one-way trusts can be either a nontransitive trust or a transitive trust, depending on the type of trust that is created.
All domain trusts in a Windows Server 2008 or a Windows Server 2008 R2 forest are two-way, transitive trusts. When a new child domain is created, a two-way, transitive trust is automatically created between the new child domain and the parent domain. In a two-way trust, Domain A trusts Domain B and Domain B trusts Domain A. This means that authentication requests can be passed between the two domains in both directions. Some two-way relationships can be either nontransitive or transitive, depending on the type of trust that is created.
Transitivity determines whether a trust can be extended outside the two domains between which the trust was formed. You can use a transitive trust to extend trust relationships to other domains. You can use a nontransitive trust to limit the trust to the two domains that formed it, so that it does not flow to any other domain.
Each time that you create a new domain in a forest, a two-way, transitive trust relationship is automatically created between the new domain and its parent domain. If child domains are added to the new domain, the trust path flows upward through the domain hierarchy, extending the initial trust path that is created between the new domain and its parent domain.
Transitive trust relationships flow upward through a domain tree as it is formed, creating transitive trusts between all domains in the domain tree.
Authentication requests follow these trust paths. Therefore, accounts from any domain in the forest can be authenticated at any other domain in the forest. With a single logon process, accounts with the proper permissions can access resources in any domain in the forest.
In addition to the default transitive trusts that are established in a Windows Server 2008 or Windows Server 2008 R2 forest, by using the New Trust Wizard you can manually create the following transitive trusts:
Shortcut trust: A transitive trust between two domains in the same domain tree or forest that shortens the trust path in a large and complex domain tree or forest.
Forest trust: A transitive trust between a forest root domain and a second forest root domain.
Realm trust: A transitive trust between an Active Directory domain and a Kerberos V5 realm.
The following illustration shows a two-way, transitive trust relationship between the Domain A tree and the Domain 1 tree. All domains in the Domain A tree and all domains in the Domain 1 tree have transitive trust relationships by default. As a result, users in the Domain A tree can access resources in domains in the Domain 1 tree, and users in the Domain 1 tree can access resources in the Domain A tree when the proper permissions are assigned at the resource.
A nontransitive trust is restricted by the two domains in the trust relationship. It does not flow to any other domains in the forest. A nontransitive trust can be a two-way trust or a one-way trust. Nontransitive trusts are one-way by default, although you can also create a two-way relationship by creating two one-way trusts.
In summary, nontransitive domain trusts are the only form of trust relationship that is possible between the following:
A Windows Server 2008 or a Windows Server 2008 R2 domain and a Windows NT domain
A Windows Server 2008 or a Windows Server 2008 R2 domain in one forest and a domain in another forest (when the forests are not joined by a forest trust)
You can use the New Trust Wizard to manually create the following nontransitive trusts:
External trust: A nontransitive trust between a Windows Server 2008 or a Windows Server 2008 R2 domain and either a Windows NT domain or a Windows 2000, Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2 domain in another forest.
Realm trust: A nontransitive trust between an Active Directory domain and a Kerberos version 5 (V5) realm.
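The trust path and transitivity rules described above can be walked programmatically: starting from one domain, query its trusted domain objects, keep following only the trusts that are transitive (intra-forest, forest, or a transitive realm trust), and stop at nontransitive external trusts. The following script is an added example, not part of the original page; it assumes the ActiveDirectory RSAT module, the right to query a domain controller of every domain it reaches, and uses the placeholder names from this page. Note that the walk records the direction of each trust but does not filter on it, so the output shows every domain that is reachable over transitive trusts in either direction, with the attributes a reviewer would check on each hop.

```powershell
# Added example (not from the original page): breadth-first walk over trust
# relationships starting at the current domain, following transitive trusts
# only, and reporting the security-relevant attributes of each hop.
Import-Module ActiveDirectory

function Get-TrustMap {
    param(
        [string]$StartDomain = (Get-ADDomain).DNSRoot,   # defaults to the joined domain
        [int]$MaxDepth = 5                                 # guard against very large forests
    )

    $seen = @{}                       # domain name -> hop count from the start domain
    $seen[$StartDomain] = 0
    $queue = New-Object System.Collections.Queue
    $queue.Enqueue($StartDomain)
    $edges = @()

    while ($queue.Count -gt 0) {
        $dom   = $queue.Dequeue()
        $depth = $seen[$dom]
        try {
            # The TDOs live in the System container of $dom; Get-ADTrust reads them.
            $trusts = Get-ADTrust -Filter * -Server $dom -ErrorAction Stop
        } catch {
            Write-Warning "Cannot query trusts of $dom : $($_.Exception.Message)"
            continue
        }
        foreach ($t in $trusts) {
            # Intra-forest and forest trusts are transitive; realm (MIT) trusts are
            # transitive unless the TDO says otherwise; external trusts never are.
            $transitive = $t.IntraForest -or $t.ForestTransitive -or
                          ($t.TrustType -eq 'MIT' -and -not $t.DisallowTransivity)
            $edges += [pscustomobject]@{
                From          = $dom
                To            = $t.Target
                # Outbound: $dom trusts Target (Target's accounts can be granted access in $dom).
                # Inbound:  Target trusts $dom.  BiDirectional: both.
                Direction     = $t.Direction
                Transitive    = $transitive
                SIDFiltering  = ($t.SIDFilteringQuarantined -or $t.SIDFilteringForestAware)
                SelectiveAuth = $t.SelectiveAuthentication
                Hops          = $depth + 1
            }
            # An authentication request only continues past this domain over a
            # transitive trust; a nontransitive trust ends the path here.
            if ($transitive -and -not $seen.ContainsKey($t.Target) -and $depth -lt $MaxDepth) {
                $seen[$t.Target] = $depth + 1
                $queue.Enqueue($t.Target)
            }
        }
    }
    $edges
}

# Usage: every trust reachable from this domain, nearest first.  Cross-forest
# hops with SIDFiltering = False or SelectiveAuth = False deserve a second look.
Get-TrustMap |
    Sort-Object Hops |
    Format-Table From, To, Direction, Transitive, SIDFiltering, SelectiveAuth, Hops -AutoSize
```

Run it from a domain-joined host with an account that can read the trust objects; domains in other forests usually need the `-Credential` parameter added to the `Get-ADTrust` call.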
When to create an external trust:
You can create an external trust to form a one-way or two-way, nontransitive trust with domains that are outside your forest. External trusts are sometimes necessary when users need access to resources in a Windows NT 4.0 domain or in a domain that is located in a separate forest that is not joined by a forest trust, as shown in the following illustration.
When you establish a trust between a domain in a particular forest and a domain outside that forest, security principals from the external domain can access resources in the internal domain. Active Directory Domain Services (AD DS) creates a foreign security principal object in the internal domain to represent each security principal from the trusted external domain. These foreign security principals can become members of domain local groups in the internal domain. Domain local groups can have members from domains outside the forest.
Directory objects for foreign security principals are created by AD DS, and they should not be modified manually. You can view foreign security principal objects in the Active Directory Users and Computers snap-in by enabling advanced features. (On the View menu, click Advanced Features.)
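Because foreign security principal objects are created automatically and should not be edited by hand, the useful thing to do with them is to audit them: resolve each SID back to its account across the trust and find the ones that no longer resolve but are still members of domain local groups. The script below is an added example that is not part of the original page; it assumes the ActiveDirectory module and that the trusts needed to resolve the SIDs are still in place.

```powershell
# Added example (not from the original page): list the foreign security
# principals (FSPs) in this domain, resolve each SID over the trust, and flag
# orphaned FSPs that still carry group memberships.
Import-Module ActiveDirectory

function Get-ForeignSecurityPrincipalReport {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $domainDn     = (Get-ADDomain -Server $Domain).DistinguishedName
    $fspContainer = "CN=ForeignSecurityPrincipals,$domainDn"

    Get-ADObject -Server $Domain -SearchBase $fspContainer `
                 -Filter 'objectClass -eq "foreignSecurityPrincipal"' `
                 -Properties objectSid, memberOf |
    ForEach-Object {
        $sid = [System.Security.Principal.SecurityIdentifier]$_.objectSid
        try {
            # Translation asks a DC of the SID's own domain through the trust;
            # it fails if the account was deleted or the trust no longer exists.
            $account  = $sid.Translate([System.Security.Principal.NTAccount]).Value
            $orphaned = $false
        } catch {
            $account  = $null
            $orphaned = $true
        }
        [pscustomobject]@{
            SID       = $sid.Value
            Account   = $account
            Orphaned  = $orphaned
            # Well-known SIDs such as S-1-5-11 (Authenticated Users) also live in
            # this container and resolve locally; they are not cross-forest accounts.
            WellKnown = ($sid.Value -notlike 'S-1-5-21-*')
            MemberOf  = ($_.memberOf -join '; ')
        }
    }
}

# Usage: orphaned FSPs that still grant group membership are stale access
# entries; review them and remove the membership rather than the FSP object itself.
Get-ForeignSecurityPrincipalReport |
    Where-Object { $_.Orphaned -and -not $_.WellKnown -and $_.MemberOf } |
    Format-Table SID, MemberOf -AutoSize
```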
When to create a shortcut trust:
Shortcut trusts are one-way or two-way, transitive trusts that administrators can use to optimize the authentication process.
Authentication requests must first travel a trust path between domain trees. In a complex forest this can take time, which you can reduce with shortcut trusts. A trust path is the series of domain trust relationships that authentication requests must traverse between any two domains. Shortcut trusts effectively shorten the path that authentication requests travel between domains that are located in two separate domain trees.
Shortcut trusts are necessary when many users in a domain regularly log on to other domains in a forest. Using the following illustration as an example, you can form a shortcut trust between domain B and domain D, between domain A and domain 1, and so on.
Using one-way trusts
A one-way, shortcut trust that is established between two domains in separate domain trees can reduce the time that is necessary to fulfill authentication requests—but in only one direction. For example, when a one-way, shortcut trust is established between domain A and domain B, authentication requests that are made in domain A to domain B can use the new one-way trust path. However, authentication requests that are made in domain B to domain A must still travel the longer trust path.
Using two-way trusts
A two-way, shortcut trust that is established between two domains in separate domain trees reduces the time that is necessary to fulfill authentication requests that originate in either domain. For example, when a two-way trust is established between domain A and domain B, authentication requests that are made from either domain to the other domain can use the new, two-way trust path.
When to create a realm trust:
You can establish a realm trust between any non-Windows Kerberos version 5 (V5) realm and a Windows Server 2008 or a Windows Server 2008 R2 domain. This trust relationship allows cross-platform interoperability with security services that are based on other versions of the Kerberos V5 protocol, for example, UNIX and MIT implementations. Realm trusts can switch from nontransitive to transitive and back. Realm trusts can also be either one-way or two-way.
Creating a Forest trust between two different Forests:
When to create a forest trust
You can create a forest trust between forest root domains if the forest functional level is Windows Server 2003 or higher. Creating a forest trust between two root domains with a forest functional level of Windows Server 2003 or higher provides a one-way or two-way, transitive trust relationship between every domain in each forest. Forest trusts are useful for application service providers, organizations undergoing mergers or acquisitions, collaborative business extranets, and organizations seeking a solution for administrative autonomy.
Using one-way, forest trusts
A one-way, forest trust between two forests allows members of the trusted forest to use resources that are located in the trusting forest. However, the trust operates in only one direction. For example, when a one-way, forest trust is created between forest A (the trusted forest) and forest B (the trusting forest), members of forest A can access resources that are located in forest B, but members of forest B cannot access resources that are located in forest A, using the same trust.
Using two-way, forest trusts
A two-way, forest trust between two forests allows members from either forest to use resources that are located in the other forest, and domains in each respective forest trust domains in the other forest implicitly. For example, when a two-way, forest trust is established between forest A and forest B, members of forest A can access resources that are located in forest B, and members of forest B can access resources in forest A, using the same trust.
In this example, we are going to create a forest trust between two different forests, microsoft.com (Forest A) and techpeople.com (Forest B).
Let's assume user David from Forest A needs to access a shared resource in Forest B. In this scenario, a forest trust must be created between Forest A and Forest B, David must be a member of a universal group in Forest A, and that universal group must be nested in a domain local group in Forest B that is granted permission on the shared resource. Before creating the trust, make sure that:
- DNS servers on both networks are configured to know about each other
- A stub zone is set up on each DNS server, so that any DNS request for resources on the other network is forwarded to the DNS server of the other network
- The forest functional level is Windows Server 2003 or higher in both forests
Step 1 :
Create a stub zone on the DNS server in Forest A, which we assume is microsoft.com:
1. Go to DNS Manager
2. Go to Forward lookup zone
3. Create a new Zone, select zone type as Stub Zone and also select store the zone in AD
4. In the next screen, choose how the zone data is replicated, for example to all DNS servers in the microsoft.com domain
5. Next, enter the zone name techpeople.com
6. Next, enter the IP address of the techpeople.com DNS server (the master server the stub zone copies its NS and SOA records from)
7. Click next and finish.
8. Verify new stub zone in DNS Manager.
Step 2 :
1. Log on to the techpeople.com DNS server and create a stub zone
2. In the zone name tab, enter microsoft.com
3. Enter the IP address of the microsoft.com DNS server
4. Click next and Finish.
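Steps 1 and 2 can also be done, and more importantly checked, from PowerShell. The following is an added example that is not part of the original page: it creates the stub zone with the DnsServer module (available on Windows Server 2012 and later; on 2008 R2 the wizard steps above or dnscmd do the same), then verifies that the SRV records the trust wizard uses to find a domain controller in the other forest resolve and that the ports a trust needs are reachable. The IP addresses are placeholders for each forest's DNS server.

```powershell
# Added example (not from the original page): stub zones plus a pre-flight
# check of DNS and connectivity before running the New Trust Wizard.
Import-Module DnsServer

# Run on a DNS server in microsoft.com: stub zone for techpeople.com, stored in
# AD and replicated to every DNS server in the forest (placeholder master IP).
Add-DnsServerStubZone -Name 'techpeople.com' -MasterServers '10.0.2.10' -ReplicationScope 'Forest'

# Run on a DNS server in techpeople.com: the mirror image (placeholder master IP).
# Add-DnsServerStubZone -Name 'microsoft.com' -MasterServers '10.0.1.10' -ReplicationScope 'Forest'

function Test-TrustPrerequisites {
    param([Parameter(Mandatory)][string]$OtherForest)

    # The wizard locates a DC of the other forest through these SRV records;
    # if the stub zone is wrong or not yet replicated they will not resolve.
    $names = @(
        "_ldap._tcp.dc._msdcs.$OtherForest",
        "_kerberos._tcp.dc._msdcs.$OtherForest"
    )
    $dc = $null
    foreach ($name in $names) {
        try {
            $records = Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
                       Where-Object Type -eq 'SRV'
            foreach ($rec in $records) {
                "{0} -> {1}:{2}" -f $name, $rec.NameTarget, $rec.Port
                if (-not $dc) { $dc = $rec.NameTarget }
            }
        } catch {
            Write-Warning "$name did not resolve: $($_.Exception.Message)"
        }
    }
    if (-not $dc) { Write-Warning 'No DC found in the other forest; fix DNS first.'; return }

    # Ports trust creation and cross-forest logon need on the other side's DC:
    # DNS, Kerberos, RPC endpoint mapper, LDAP, SMB, kpasswd.  RPC also uses
    # dynamic high ports that this simple check does not cover.
    foreach ($port in 53, 88, 135, 389, 445, 464) {
        $ok = (Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
        "{0}:{1} {2}" -f $dc, $port, $(if ($ok) { 'open' } else { 'BLOCKED' })
    }
}

# Usage from a DC of microsoft.com:
Test-TrustPrerequisites -OtherForest 'techpeople.com'
```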
Step 3 :
1. Go to Active Directory Domains and Trusts, right-click the Active Directory Domains and Trusts node at the top of the tree and select Raise Forest Functional Level (right-clicking a domain offers Raise Domain Functional Level instead, which is not what a forest trust requires).
2. Make sure the forest functional level is Windows Server 2003 or later in both forests.
Step 4 :
1. On microsoft.com, log on to a domain controller of the forest root domain and start Active Directory Domains and Trusts
2. Right-click the microsoft.com domain and select Properties
3. Click the Trusts tab
The list already shows a trust with na.microsoft.com: that is the parent-child trust that was created automatically when the na.microsoft.com child domain was added to the forest.
4. To create a forest trust between the microsoft.com and techpeople.com forests, click New Trust. The New Trust Wizard starts
5. Click Next. In the below screen, type techpeople.com
6. Next, select the trust type. A forest trust, the one we are creating, establishes a transitive trust between all domains in both forests, specified by their forest root domains. The other option is an external trust between just the two domains; external trusts are nontransitive. Select Forest trust and then click Next.
7. Next, specify the direction of the trust. A two-way trust means users in both forests can be authenticated in the other forest. One-way means that one forest's users can be authenticated in the other forest, but not the other way around. One-way trusts are set up as incoming or outgoing relative to the domain you are running the wizard in: one-way incoming means users in this domain can be authenticated in the specified forest; one-way outgoing means users in the specified forest can be authenticated in this domain. Select Two-way and click Next.
8. Next, you can set up the trust on this domain or both domains involved in the trust. Select Both this domain and the specified domain. You can only do this if you have credentials for the other domain. If you do not have credentials for the other domain, you would have to get an administrator for the other domain to create the other side of the trust. Select Next.
9. Input administrative credentials for the other domain to automatically establish the other side of the trust on that domain. Select Next when finished.
10. Next, specify whether users of the local forest are automatically authenticated for all resources in the other forest (forest-wide authentication) or only for resources you explicitly allow (selective authentication). Forest-wide authentication is generally recommended for users within the same organization. Selective authentication is the least-privilege choice when the other forest is administered by someone else: users from the trusted forest can then authenticate only to computers on which they have been granted the Allowed to Authenticate permission. Select Forest-wide authentication and click Next. The next screen is the same choice for the specified forest. Again, select Forest-wide authentication and click Next.
11. Review selections and click Next.
12. If the trust was created successfully, you will see the next screen. There are a few reasons that you may not be able to set up a trust. DNS between the forests may not be set up properly; make sure each forest can resolve the other forest's names (the stub zones from Steps 1 and 2) and that the domain controllers can reach each other. Also make sure you have the correct administrator credentials for the other forest.
13. The next screens of the wizard ask whether you want to confirm the outgoing and the incoming trust. Select Yes for both and click Next. Confirming contacts a domain controller of the other forest and verifies the trust from both sides, so a failure here usually points at DNS or at the credentials.
14. This is the last screen of the wizard. Select Finish after verifying the changes.
The new trust now appears under Trusts in the properties of Microsoft.com
15. On a domain controller of the other forest, you can verify that the trust was created by going to Administrative Tools -> Active Directory Domains and Trusts, right-clicking the domain, selecting Properties, and opening the Trusts tab. The other side of the trust was created automatically because we selected the Both this domain and the specified domain option earlier.
Step 5 :
Create a universal group in the microsoft.com domain and add the users who need access to the resource in techpeople.com.
On techpeople.com, add that universal group to a domain local group (for example Sales) that is granted permission on the shared resource. Security principals from another forest can only be added to domain local security groups; AD DS creates a foreign security principal in techpeople.com to represent the microsoft.com group.
Now users in the microsoft.com universal group are able to access the resource in techpeople.com.
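The same trust creation and group nesting as the walkthrough above, done from the command line on a domain controller of microsoft.com, as an added example that is not part of the original page. It assumes netdom.exe and the ActiveDirectory module are installed; the OU paths, the group names Sales-Access and Sales-DL, and the user david are placeholders; and you hold the techpeople.com administrator credentials that the wizard also asks for.

```powershell
# Added example (not from the original page): forest trust via netdom,
# verification of the trust and its security attributes, then the
# universal -> domain local group nesting that grants access.
Import-Module ActiveDirectory

# 1. Create the two-way forest trust, both sides at once.  /UserD and /PasswordD
#    are the techpeople.com administrator; "*" prompts for the password.  When
#    both sides are created together the trust password is generated for you.
netdom trust microsoft.com /domain:techpeople.com /add /twoway /ForestTransitive:Yes `
    /UserD:TECHPEOPLE\Administrator /PasswordD:*

# 2. Verify the trust before granting anything through it.
netdom trust microsoft.com /domain:techpeople.com /verify `
    /UserD:TECHPEOPLE\Administrator /PasswordD:*

# 3. Inspect the TDO that was created.  SIDFilteringForestAware is the SID
#    filtering that a forest trust gets by default; SelectiveAuthentication
#    shows whether every computer in the other forest accepts our users
#    (forest-wide authentication) or only those explicitly allowed.
Get-ADTrust -Identity 'techpeople.com' |
    Select-Object Name, Direction, ForestTransitive, SIDFilteringForestAware,
                  SIDFilteringQuarantined, SelectiveAuthentication, TrustAttributes

# 4. Universal group in microsoft.com holding the users who need the share.
New-ADGroup -Name 'Sales-Access' -GroupScope Universal -GroupCategory Security `
    -Path 'OU=Groups,DC=microsoft,DC=com'            # placeholder OU
Add-ADGroupMember -Identity 'Sales-Access' -Members 'david'

# 5. Domain local group in techpeople.com that the share ACL references.
#    The microsoft.com group is added by SID using the <SID=...> member form,
#    which makes AD DS create the foreign security principal; names do not
#    resolve across the forest boundary, hence the SID.
$tpCred    = Get-Credential 'TECHPEOPLE\Administrator'
$accessSid = (Get-ADGroup -Identity 'Sales-Access' -Server 'microsoft.com').SID.Value
New-ADGroup -Name 'Sales-DL' -GroupScope DomainLocal -GroupCategory Security `
    -Path 'OU=Groups,DC=techpeople,DC=com' -Server 'techpeople.com' -Credential $tpCred   # placeholder OU
Set-ADGroup -Identity 'Sales-DL' -Add @{ member = "<SID=$accessSid>" } `
    -Server 'techpeople.com' -Credential $tpCred

# Confirm the FSP now exists and is a member of the domain local group.
Get-ADGroupMember -Identity 'Sales-DL' -Server 'techpeople.com' -Credential $tpCred |
    Select-Object Name, objectClass, SID
```

After this, the only thing left is to grant Sales-DL the share and NTFS permissions on the techpeople.com file server; access for david then flows microsoft.com user -> universal group -> foreign security principal -> domain local group -> resource, exactly the path the walkthrough builds by hand.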