Trust Relationships

Trust is a logical relationship between two domains, which allows the sharing of resources between them. The trust relationship involves two entities, i.e., a trusting domain and a trusted domain. The trusted domain can use the resources of the trusting domain. The trust relationship in Windows 2003 can be configured as follows:

  • Trusts can be created explicitly (manually) or implicitly (automatically).

  • They can be either bound by the domain in the trust relationship (nontransitive) or not bound by the domains in the trust relationship (transitive). A transitive trust allows implicit trusts between domains. For example, if Domain A trusts Domain B and Domain B trusts Domain C, then Domain A implicitly trusts Domain C.

  • They can be one-way or two-way. In a one-way trust, the trusted domain can use the resources of the trusting domain. In this trust, the trusting domain cannot use the resources in the trusted domain. On the other hand, in a two-way trust, both domains involved in the relationship can use the resources of each other.

The domains involved in a trust allow pass-through authentication, in which the trusting domain honors the logon authentication of the trusted domain.

Protocols

In a Windows 2003 trust environment, the following protocols are used to authenticate users and applications:
  • Kerberos version 5: This is the default protocol for computers running Windows Server 2003.

  • NTLM: If any computer in the environment does not support Kerberos, the NTLM protocol is used.

Types of Trusts

Windows 2003 operating systems support six types of trust relationships:

  • Tree-root trust: The tree-root trust is a two-way transitive trust. It is established implicitly (automatically) when a new tree root domain is added to a forest.

  • Parent-child trust: The parent-child trust is a two-way transitive trust. It is established implicitly when a child domain is added to a tree.

  • Shortcut trust: Often referred to as a cross-link trust, the shortcut trust is a transitive trust that can be one-way or two-way. Administrators create it explicitly (manually) between two domains in the same forest to improve a user's logon time. It is especially useful when two domain trees separate the domains.

  • Realm trust: The realm trust is used to provide interoperability between Windows Server 2003 and any other network environment that is using Kerberos version 5. It is created explicitly by system administrators and can be configured as transitive or nontransitive and one-way or two-way.

  • External trust: The external trust is a nontransitive trust explicitly created between Windows Server 2003 domains in different forests, or between a Windows Server 2003 domain and a domain whose domain controller is running Windows NT 4.0 or earlier. This trust can be configured as one-way or two-way. The external trust provides backward compatibility with the Windows NT environment. It is useful for managing communication between domains located in different forests that are not joined by forest trusts.

  • Forest trust: The forest trust is a two-way transitive trust created between the two forest root domains. It is created explicitly by system administrators. It allows all authentication requests made from one forest to reach the other forest. Forest trust simplifies management, as it reduces the number of external trusts necessary to share resources between the two forests.

    Note: Forest trusts are transitive between two forests only. For example, if a forest trust is configured between ForestA and ForestB, and a forest trust is created between ForestB and ForestC, ForestA will not have an implicit trust with ForestC.
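
The transitivity rules above, including the forest trust note, can be checked against a trust inventory when reviewing which domains' logons a given domain ends up honoring. The following is an added example, not part of the original article: a simplified model of these rules (not how Windows itself evaluates trusts), in which the domain names, the `Trust` class and the `trusted_by` function are all hypothetical.

```python
from collections import deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Trust:
    trusting: str          # domain that honors the other domain's logons
    trusted: str           # domain whose accounts are honored
    transitive: bool = True
    forest: bool = False   # forest trust: at most one per trust path

def two_way(a, b, **kw):
    """A two-way trust is modeled as a pair of one-way trusts."""
    return [Trust(a, b, **kw), Trust(b, a, **kw)]

def trusted_by(trusts, start):
    """Return every domain whose accounts `start` honors, directly or implicitly."""
    found = set()
    seen = {(start, 0)}                       # (domain, forest trusts crossed)
    queue = deque(seen)
    while queue:
        domain, crossings = queue.popleft()
        for t in (t for t in trusts if t.trusting == domain):
            if not t.transitive and domain != start:
                continue                      # nontransitive: direct pair only
            if t.forest and crossings:
                continue                      # a second forest hop is not implied
            found.add(t.trusted)
            state = (t.trusted, crossings + t.forest)
            if t.transitive and state not in seen:
                seen.add(state)
                queue.append(state)
    found.discard(start)
    return found

# Constructed sample topology (all names hypothetical)
TRUSTS = (
    two_way("a.example", "sales.a.example")            # parent-child, ForestA
    + two_way("b.example", "dev.b.example")            # parent-child, ForestB
    + two_way("a.example", "b.example", forest=True)   # forest trust A <-> B
    + two_way("b.example", "c.example", forest=True)   # forest trust B <-> C
    + [Trust("sales.a.example", "nt4.legacy", transitive=False)]  # one-way external
)

if __name__ == "__main__":
    for d in ("a.example", "sales.a.example", "b.example", "nt4.legacy"):
        print(d, "honors logons from", sorted(trusted_by(TRUSTS, d)))
```

In the sample, the ForestA domains never honor `c.example` even though ForestB trusts both forests, and the external trust to `nt4.legacy` applies only to `sales.a.example`, not to its parent.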


© 2008 uCertify.com. All rights reserved. All trademarks are the property of their respective owners.