Active Directory Trusts
Trusts in Active Directory create the pathways over which authentication can occur. They link Active Directory domains to each other, and they can also link Active Directory domains to non-Microsoft systems.
In order to share resources between two domains, there must be a trust, or a chain of trusts, connecting them. Trusts do not grant access; they only create a pathway to the destination. Think of trusts like roads: if you need to get to a house and there is a road between you and the house, you can drive there. If the house is locked you will not be able to get in unless you have the key. The same applies to trusts: you need a path to the resource via a trust and a permission on the resource itself.
Trust direction (one-way or two-way)
Trusts can be one-way or two-way. If the trust is two-way, users on either side can be granted access to resources on the other side. If the trust is one-way, the terminology used to describe it is usually “Domain A trusts domain B.” Domain A is the trusting domain (it holds the resources) and domain B is the trusted domain (it holds the accounts). Access flows in the opposite direction to the trust: users in the trusted domain B can be granted access to resources in the trusting domain A, but users in A get nothing in B. For a user to access a resource across a one-way trust, the user’s account must therefore be in the trusted domain.
A transitive trust is one that can be extended beyond the two domains between which it was created. A domain connected via transitive trusts can thus reach any other domain for which there is a path of transitive trusts between it and the target domain.
A non-transitive trust is one that does not extend past the two domains between which it was created. If domain A is connected to domain B and domain B is connected to domain C using non-transitive trusts, the following happens. Domain A and domain B can reach each other. Domain B can reach domain C. Domain A, however, cannot reach domain C. Even though the domains are indirectly connected, the non-transitive trust stops the path at domain B. For domain A and domain C to communicate using non-transitive trusts you would need to create another trust directly between domain A and domain C. Think of it as having to catch two buses to reach your destination but only holding one bus ticket. Transitive and non-transitive trusts work together: when both are in use, the path through the network simply stops as soon as a non-transitive trust has been traversed, so a non-transitive trust can only be used by the two domains at its ends.
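The direction and transitivity rules above can be checked mechanically. The following Python is an added example, not part of the original article: it models a small set of trusts with made-up domain names and computes the domains in which an account from a given domain can be granted access. It goes a little beyond the A/B/C case in the text by also applying the forest-trust rule that a path may cross at most one forest trust, and it keeps the road-versus-key distinction by requiring an explicit grant in addition to a path. All domain names and the `Trust` class are assumptions for the illustration.

```python
"""Trust-path model: in which domains can an account be granted access?
Added example, not from the original article. Domain names are made up."""
from collections import deque


class Trust:
    """One trust as seen from the trusting side: 'trusting trusts trusted'."""

    def __init__(self, trusting, trusted, two_way=False, transitive=True, forest=False):
        self.trusting = trusting      # domain holding the resources
        self.trusted = trusted        # domain holding the accounts
        self.two_way = two_way
        self.transitive = transitive  # external trusts are non-transitive
        self.forest = forest          # forest trust: at most one per path

    def access_edges(self):
        """(from, to) pairs along which access flows: accounts in the trusted
        domain reach resources in the trusting domain, i.e. the opposite
        direction to the way the trust is described."""
        yield self.trusted, self.trusting
        if self.two_way:
            yield self.trusting, self.trusted


def reachable_domains(user_domain, trusts):
    """Domains in which an account from user_domain can be granted access.

    Rules: transitive trusts chain; a non-transitive trust is only usable
    as a direct single hop from the user's own domain; a path may cross at
    most one forest trust (forest trusts are not transitive between forests).
    """
    reachable = set()
    for t in trusts:                                  # single-hop trusts
        if not t.transitive:
            for src, dst in t.access_edges():
                if src == user_domain:
                    reachable.add(dst)
    queue = deque([(user_domain, False)])             # (domain, forest trust crossed?)
    seen = {(user_domain, False)}
    while queue:
        dom, crossed = queue.popleft()
        for t in trusts:
            if not t.transitive or (t.forest and crossed):
                continue
            for src, dst in t.access_edges():
                state = (dst, crossed or t.forest)
                if src == dom and state not in seen:
                    seen.add(state)
                    reachable.add(dst)
                    queue.append(state)
    reachable.discard(user_domain)
    return reachable


def can_access(user_domain, resource_domain, granted_domains, trusts):
    """A trust is the road, a permission is the key: both are required.
    granted_domains is the set of domains whose accounts the resource's ACL
    allows (a simplification; real ACLs name individual principals)."""
    if user_domain != resource_domain and resource_domain not in reachable_domains(user_domain, trusts):
        return False
    return user_domain in granted_domains


# Constructed topology: forest corp.example (root, child eu., tree shop.),
# a forest trust to partner.example, partner's own forest trust to third.example,
# and a one-way external trust where eu.corp.example trusts an NT4 domain.
TRUSTS = [
    Trust("corp.example", "eu.corp.example", two_way=True),               # parent-child
    Trust("corp.example", "shop.example", two_way=True),                  # tree-root
    Trust("corp.example", "partner.example", two_way=True, forest=True),  # forest trust
    Trust("partner.example", "lab.partner.example", two_way=True),        # parent-child
    Trust("partner.example", "third.example", two_way=True, forest=True), # forest trust
    Trust("eu.corp.example", "legacy.nt4", transitive=False),             # one-way external
]

if __name__ == "__main__":
    for d in ("lab.partner.example", "eu.corp.example", "legacy.nt4", "third.example"):
        print(f"{d:22} -> {sorted(reachable_domains(d, TRUSTS))}")
    # Road exists but no key: eu.corp.example accounts are not on the ACL.
    print(can_access("eu.corp.example", "corp.example", {"corp.example"}, TRUSTS))
```

Running it shows that an account in legacy.nt4 reaches only eu.corp.example (one hop over the non-transitive trust), that eu.corp.example accounts cannot reach legacy.nt4 at all (the trust is one-way in the other direction), and that third.example accounts stop at the partner forest because a second forest trust would be needed to reach corp.example.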
Parent-child trust
When you create a child domain, a two-way transitive trust is automatically created between the parent and the child domain.
When you create a new tree in the forest, a tree-root trust is created automatically between the forest root domain (the first domain created in the forest) and the root domain of the new tree. Every new tree gets such a tree-root trust to the forest root domain. These trusts are two-way and transitive and work the same way as the trusts that link parent and child domains, so every domain in a forest can reach every other domain in that forest.
If you have two domains that communicate with each other on a regular basis you can create a shortcut trust. This is also a transitive trust, but it is created manually by an administrator to reduce the number of trusts (and therefore Kerberos referrals) a user has to travel over to get from one domain to another.
A forest trust links two Active Directory forests together. These are created manually by an administrator and are transitive in the sense that every domain in one forest can reach every domain in the other. They are not transitive between forests: if forest A has a forest trust with forest B and B has one with forest C, A and C cannot reach each other without their own forest trust. In order to create a forest trust, both forests must be at the Windows Server 2003 forest functional level or higher.
A realm trust is used to connect Active Directory with a Kerberos V5 realm on a non-Windows system such as Unix. In order to create a realm trust, the domain must be at the Windows Server 2003 functional level or higher. Realm trusts can be transitive or non-transitive, one-way or two-way.
An external trust is a non-transitive trust between two domains that are not in the same forest. It was originally used to connect to down-level systems such as Windows NT4 domains, and it is also used when a forest trust is not possible, e.g., because one or both forests are below the required forest functional level, or when you only want to expose a single domain rather than a whole forest. External trusts are typically one-way; to make the relationship two-way, you create one trust in each direction. Because they are non-transitive, only the two domains at the ends of the trust can use it.
When creating a forest trust you have the option to use forest-wide or selective authentication. With forest-wide authentication, users from the trusted forest are treated as Authenticated Users in the trusting forest, so anything that is open to Authenticated Users (which covers a great deal of the default permissions in a domain, including the ability to authenticate to a domain controller) is automatically open to them. With selective authentication, nothing is open by default: you must explicitly specify which computers in the trusting forest the trusted-forest users may authenticate to. This gives the administrator far more control, and it is the setting to use when creating a forest trust between your company and an external company.
User accounts have an attribute called SID history (sIDHistory). When a user account is migrated from one domain to another, SID history holds the user’s SID from the old domain, so the user can still access resources whose permissions were defined using the old SID. This is also what makes SID history dangerous across a trust: the trusted side controls what goes into SID history, so it could place there the SID of a privileged group in the trusting domain. For this reason Windows Server 2003 and above apply SID filtering (also called quarantining) on external trusts and forest trusts by default: SIDs in the SID history that do not belong to the trusted domain are dropped when the user crosses the trust. SID filtering can be disabled (for example with netdom trust and its /quarantine or /enablesidhistory switches), but doing so lets the trusted side impersonate principals in the trusting domain and should only be done temporarily during a migration, if at all.
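The settings from the last two paragraphs (selective versus forest-wide authentication, SID filtering) are stored on each trustedDomain object in Active Directory in the trustDirection, trustType and trustAttributes attributes. The following Python is an added audit helper, not from the original article: it decodes those values using the flag definitions from MS-ADTS, classifies each trust into the types described above (so it also covers the external, forest and realm trusts, which goes beyond the SID-history paragraph alone), and flags trusts where SID history is honoured or where forest-wide authentication is in effect. The records are constructed; in practice you would feed it the attributes read over LDAP. The record layout and the `audit_trust` function are assumptions for the illustration.

```python
"""Decode trustedDomain attributes and flag risky trust settings.
Added audit helper, not from the original article; records are constructed."""

# trustAttributes flags (MS-ADTS) relevant here.
TA_NON_TRANSITIVE    = 0x01
TA_QUARANTINED       = 0x04  # SID filtering (quarantine) on
TA_FOREST_TRANSITIVE = 0x08  # forest trust
TA_CROSS_ORG         = 0x10  # selective authentication
TA_WITHIN_FOREST     = 0x20  # parent-child, tree-root or shortcut
TA_TREAT_AS_EXTERNAL = 0x40  # forest trust filtered only like an external trust

DIRECTION = {0: "disabled", 1: "inbound (they trust us)",
             2: "outbound (we trust them)", 3: "two-way"}
TRUST_TYPE = {1: "downlevel (NT4)", 2: "uplevel (AD)", 3: "MIT Kerberos realm", 4: "DCE"}


def classify(rec):
    """Map a record onto the trust types described in the article."""
    attrs = rec["trustAttributes"]
    if attrs & TA_WITHIN_FOREST:
        return "intra-forest"
    if rec["trustType"] == 3:
        return "realm"
    if attrs & TA_FOREST_TRANSITIVE:
        return "forest"
    return "external"


def sid_filtering(kind, attrs):
    """How SID history from the trusted side is treated on this trust."""
    if kind == "intra-forest":
        return "n/a"                      # same forest, not filtered
    if attrs & TA_QUARANTINED:
        return "quarantined"              # only the trusted domain's own SIDs pass
    if kind == "forest" and not attrs & TA_TREAT_AS_EXTERNAL:
        return "forest-aware"             # default for forest trusts
    return "off"                          # SID history is honoured


def audit_trust(rec):
    attrs = rec["trustAttributes"]
    kind = classify(rec)
    if kind == "external":
        transitive = False                # external trusts are never transitive
    elif kind == "realm":
        transitive = not attrs & TA_NON_TRANSITIVE
    else:
        transitive = True
    sf = sid_filtering(kind, attrs)
    selective = bool(attrs & TA_CROSS_ORG)
    findings = []
    # Findings only matter where accounts from the other side can come in,
    # i.e. the trust is outbound (we trust them) from our point of view.
    if rec["trustDirection"] in (2, 3):
        if sf == "off":
            findings.append("SID history from the trusted side is honoured: "
                            "a SID planted there can match a group here")
        if kind == "forest" and not selective:
            findings.append("forest-wide authentication: trusted-forest users "
                            "are Authenticated Users here")
    return {"name": rec["name"], "kind": kind,
            "direction": DIRECTION.get(rec["trustDirection"], "unknown"),
            "type": TRUST_TYPE.get(rec["trustType"], "unknown"),
            "transitive": transitive, "sid_filtering": sf,
            "selective_auth": selective, "findings": findings}


# Constructed records, shaped like the LDAP attributes on trustedDomain objects.
SAMPLE_TRUSTS = [
    {"name": "eu.corp.example", "trustDirection": 3, "trustType": 2,
     "trustAttributes": TA_WITHIN_FOREST},
    {"name": "partner.example", "trustDirection": 3, "trustType": 2,
     "trustAttributes": TA_FOREST_TRANSITIVE | TA_CROSS_ORG},
    {"name": "vendor.example", "trustDirection": 3, "trustType": 2,
     "trustAttributes": TA_FOREST_TRANSITIVE | TA_TREAT_AS_EXTERNAL},
    {"name": "legacy.nt4", "trustDirection": 2, "trustType": 1,
     "trustAttributes": TA_NON_TRANSITIVE},
    {"name": "KRB.EXAMPLE.ORG", "trustDirection": 1, "trustType": 3,
     "trustAttributes": TA_NON_TRANSITIVE},
]


def audit_all(records=SAMPLE_TRUSTS):
    return [audit_trust(r) for r in records]


if __name__ == "__main__":
    for r in audit_all():
        print(f"{r['name']:18} {r['kind']:12} {r['direction']:26} "
              f"sidfilter={r['sid_filtering']:12} selective={r['selective_auth']}")
        for f in r["findings"]:
            print("   !", f)
```

In the sample set, partner.example is the well-configured forest trust (filtered, selective authentication), vendor.example shows a forest trust on which SID history was re-enabled and forest-wide authentication left on, and legacy.nt4 is an outbound external trust that was never quarantined; the realm trust is inbound only, so nothing from that side can come in and no finding is raised.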
To make changes to trusts in Active Directory, open Active Directory Domains and Trusts from Administrative Tools. This shows all the domains in the forest and any trusts for those domains, whether created manually or automatically. To create a new trust, open the properties for one of the domains and select the “Trusts” tab. At the bottom of the Trusts tab select “New Trust” to launch the New Trust Wizard.
The wizard will in most cases detect the type of trust you want. If it fails to detect the other side, there may be a DNS or firewall issue; in that case you can manually select which trust type to create. In order to create the trust on the other end as well, you will be asked for a username and password with administrative rights there. If you do not have these, an administrator on the other side will need to run the wizard on their side. In that case a trust password needs to be agreed upon and entered on each side so that the two halves of the trust match.
If you create a forest trust using selective authentication, users coming in over that trust cannot authenticate to any computer in the trusting forest by default, domain controllers included. In order to allow them in, they must be granted permission on each computer they need to reach. To do this, open “Active Directory Users and Computers,” go to “View” and make sure “Advanced Features” is enabled, then open the properties of the computer object (the domain controller in this example), go to the Security tab and grant the user or group the “Allowed to authenticate” permission.