
Can you trust Active Directory's trust relationships?

One of the larger improvements in Active Directory over its predecessor NT4 is the way in which AD manages trust relationships in a multi-domain environment.

In Windows 2000 and Windows Server 2003 Active Directory, certain trust relationships are created automatically and enabled by default: a two-way transitive trust between a parent domain and each child domain created beneath it, and a two-way transitive trust between the forest root domain and the root domain of each additional domain tree in the forest. A two-way trust means that users in Domain A can access resources in Domain B through the same trust relationship that allows users in Domain B to access resources in Domain A. This greatly simplifies matters compared to NT4, where you had to create and manage a separate one-way trust in each direction if you needed access configured on both sides of the trust. A transitive trust means that if Domain A trusts Domain B and Domain B trusts Domain C, an implicit trust relationship exists automatically between Domain A and Domain C; there is no need to create a third trust manually. So if a domain has numerous child domains, all of those child domains implicitly trust each other by virtue of the trust each one has with the single parent domain. Likewise, in a forest containing multiple domain trees, the child domains in each tree can access resources in the other trees because of the transitive nature of the trust that exists by default between the root domains of the trees.

Windows 2000 and Windows Server 2003 differ, however, in how they handle trust relationships between separate forests. The only type of trust relationship that you can create between two Windows 2000 forests is a one-way non-transitive trust between a single domain in Forest A and a single domain in Forest B. As you might imagine, this is the total opposite of the default trust relationships established between domains in a single forest. A non-transitive trust means that only the two domains that are explicitly defined in the trust relationship will be able to access one another's resources; if you need to access resources in other domains across the forest boundary, you'll need to set up additional trust relationships to accommodate this. And a one-way trust means that access will only flow in a single direction: if Domain B is trusted by Domain A, then users in Domain B will be able to access resources in Domain A, but the reverse will not apply – users in Domain A will not be able to get to resources in Domain B without creating a one-way trust in the opposite direction (where Domain A is trusted by Domain B).

Windows Server 2003 improves on this quite a bit by introducing the cross-forest trust. This advanced feature of Active Directory is only available if both forests are at the Windows Server 2003 forest functional level, which means that all domain controllers in all domains in both forests are running Windows Server 2003 and you've manually changed to the new forest functional level. Cross-forest trusts are transitive, which means that every domain in Forest A will have an implicit trust relationship with every domain in Forest B. What transitivity does not mean for cross-forest trusts (and this often causes confusion) is this: if you have a cross-forest trust between Forest A and Forest B, and a second cross-forest trust between Forest B and Forest C, a trust relationship does not exist between Forest A and Forest C. You'd need to create a second cross-forest trust between Forest A and Forest C to allow this to happen. Cross-forest trusts can be either one-way or two-way, and you'll establish the trust relationship between the forest root domain in each forest.
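The rules laid out above (two-way transitive parent-child and tree-root trusts inside a forest, non-transitive external trusts between single domains, and forest trusts that span every domain of both forests but do not chain to a third forest) are easy to get wrong when reasoning about a real environment. The model below is an added example written for this page, not code from the article or from Microsoft; the domain names and trust layout are constructed to exercise each case the text describes. It answers the question "can principals from domain X be granted access to resources in domain Y?" by walking trusts in the direction access flows, which is the question a pentester asks when mapping how far a compromised account can travel and the question an administrator asks before agreeing to a new trust.

```python
"""Added example: a toy model of Active Directory trust direction and transitivity.

Access is modelled as directed edges from the trusted domain to the trusting
domain (principals in the trusted domain may be granted access to resources in
the trusting domain). Three edge kinds follow the rules described in the text:

  intra_forest  parent-child and tree-root trusts: two-way, transitive, chain freely
  forest        Windows Server 2003 forest trust between forest roots: transitive
                into every domain of both forests, but a path may cross at most
                one forest trust (A<->B plus B<->C does not give A<->C)
  external      Windows 2000-style trust between two domains in different forests:
                non-transitive, so it is valid only as a single direct hop

Domain names below are constructed for the example, not taken from the article.
"""
from collections import deque

INTRA, FOREST, EXTERNAL = "intra_forest", "forest", "external"


class TrustGraph:
    def __init__(self):
        self.edges = {}  # trusted domain -> list of (trusting domain, kind)

    def _add(self, trusted, trusting, kind):
        self.edges.setdefault(trusted, []).append((trusting, kind))

    def add_trust(self, trusting, trusted, kind, two_way=False):
        """'trusting' trusts 'trusted': access flows from trusted to trusting."""
        self._add(trusted, trusting, kind)
        if two_way:
            self._add(trusting, trusted, kind)

    def can_access(self, source, target):
        """Can principals from 'source' be granted access to resources in 'target'?"""
        if source == target:
            return True
        # A non-transitive external trust works only between the two named domains.
        if any(t == target and k == EXTERNAL for t, k in self.edges.get(source, ())):
            return True
        # Otherwise walk transitive trusts; the state records whether the path
        # has already crossed a forest trust.
        start = (source, False)
        seen, queue = {start}, deque([start])
        while queue:
            domain, crossed = queue.popleft()
            for nxt, kind in self.edges.get(domain, ()):
                if kind == EXTERNAL:
                    continue                  # never chains with anything
                if kind == FOREST:
                    if crossed:
                        continue              # a second forest trust does not chain
                    state = (nxt, True)
                else:
                    state = (nxt, crossed)
                if nxt == target:
                    return True
                if state not in seen:
                    seen.add(state)
                    queue.append(state)
        return False

    def domains(self):
        out = set(self.edges)
        for lst in self.edges.values():
            out.update(t for t, _ in lst)
        return out

    def reachable(self, source):
        """All other domains whose resources 'source' principals can reach."""
        return sorted(d for d in self.domains() if d != source and self.can_access(source, d))


def build_example():
    g = TrustGraph()
    # Forest 1: tree corp.example with two child domains, plus a second tree labs.example
    g.add_trust("corp.example", "sales.corp.example", INTRA, two_way=True)  # parent-child
    g.add_trust("corp.example", "eng.corp.example", INTRA, two_way=True)
    g.add_trust("corp.example", "labs.example", INTRA, two_way=True)        # tree-root
    g.add_trust("labs.example", "dev.labs.example", INTRA, two_way=True)
    # Forest 2: partner.example with one child domain; forest 3: vendor.example alone
    g.add_trust("partner.example", "hr.partner.example", INTRA, two_way=True)
    # Two-way forest trusts between forest roots: forest 1 <-> forest 2, forest 2 <-> forest 3
    g.add_trust("corp.example", "partner.example", FOREST, two_way=True)
    g.add_trust("partner.example", "vendor.example", FOREST, two_way=True)
    # One-way, non-transitive external trust: eng.corp.example trusts vendor.example
    g.add_trust("eng.corp.example", "vendor.example", EXTERNAL)
    return g


if __name__ == "__main__":
    g = build_example()
    for src, dst in [("sales.corp.example", "dev.labs.example"),
                     ("hr.partner.example", "dev.labs.example"),
                     ("vendor.example", "corp.example"),
                     ("vendor.example", "eng.corp.example"),
                     ("vendor.example", "sales.corp.example"),
                     ("eng.corp.example", "vendor.example")]:
        print(f"{src:>22} -> {dst:<22} {g.can_access(src, dst)}")
```

Running the script shows the cases from the text: a child domain in one tree reaches a child domain in another tree of the same forest; a child domain in the partner forest reaches a child domain in the corp forest through the forest trust; vendor.example cannot reach corp.example even though it has a forest trust with partner.example, which in turn has one with corp.example; and the one-way external trust lets vendor.example reach eng.corp.example but nothing else in that forest, and nothing at all in the reverse direction. Note that the model only says whether a trust path exists. A trust never grants access on its own; group membership and resource ACLs still decide, so a path here is the maximum possible reach, which is exactly what you want to know when you assess how far an account compromised in one domain could travel.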

Laura E. Hunter (CISSP, MCSE: Security, MCDBA, Microsoft MVP) is a senior IT specialist with the University of Pennsylvania, where she provides network planning, implementation, and troubleshooting services for business units and schools within the university. Hunter is a two-time recipient of the Microsoft "Most Valuable Professional" award in the area of Windows Server-Networking. She is the author of the Active Directory Field Guide (APress Publishing). You can contact her at laurahcomputing@gmail.com.

This was first published in July 2005
