Establishing Trust Relationships

Your distributed security plan needs to account for the proposed structure of your domains, domain trees, forests, and non-Windows 2000 servers. Although Windows 2000 establishes default trust relationships automatically, your plan needs to address which domains need to be part of the domain forest and which domains might require explicit trusts for your network.

For Windows 2000 computers in the same forest, account authentication between domains is enabled by two-way, transitive trusts. The transitive trust relationship is established automatically when a new domain is joined to a domain tree. A trust relationship is defined by a secret key that is shared by both domains and is updated on a regular basis. Kerberos v5 authentication uses trust relationships when clients and servers are in separate domains in the forest: the Kerberos service uses the trust secret key to create a referral ticket to the trusting domain. NTLM authentication also uses trust relationships, for pass-through authentication. Pass-through authentication uses the trust link secret key to establish a secure channel between domains. In Windows 2000, NTLM authentication also supports transitive trust if the domains are in native mode.
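As a planning aid, the following added example (not code from the original page or from Microsoft) models which trust links an authentication request crosses between two domains, and which pairs have no trust at all and would need an explicit one. The domain names, the forest layout and the single explicit trust are constructed, and the model assumes tree roots trust the forest root and that explicit trusts are one-way and non-transitive.

```python
# Constructed sample forest: domain -> parent (None marks a tree root).
# All names are hypothetical.
FOREST = {
    "corp.example": None,                      # forest root
    "eu.corp.example": "corp.example",
    "sales.eu.corp.example": "eu.corp.example",
    "us.corp.example": "corp.example",
    "lab.example": None,                       # second tree in the forest
    "dev.lab.example": "lab.example",
}
FOREST_ROOT = "corp.example"
# Explicit trusts as (trusting domain, trusted domain); assumed one-way
# and non-transitive in this model.
EXPLICIT_TRUSTS = {("us.corp.example", "LEGACYNT4")}


def chain_to_forest_root(domain):
    """Domains from `domain` up to the forest root over automatic trusts."""
    chain = [domain]
    while chain[-1] != FOREST_ROOT:
        parent = FOREST[chain[-1]]
        # A tree root has no parent; its automatic trust is with the forest root.
        chain.append(parent if parent is not None else FOREST_ROOT)
    return chain


def trust_path(account_domain, resource_domain):
    """Domains crossed from the account's domain to the resource's domain,
    or None when no trust covers the pair."""
    if account_domain in FOREST and resource_domain in FOREST:
        up = chain_to_forest_root(account_domain)
        down = chain_to_forest_root(resource_domain)
        # Trim the part of both chains above the closest common ancestor.
        while len(up) > 1 and len(down) > 1 and up[-2] == down[-2]:
            up.pop()
            down.pop()
        return up + down[-2::-1]
    # Outside the forest only a direct explicit trust applies.
    if (resource_domain, account_domain) in EXPLICIT_TRUSTS:
        return [account_domain, resource_domain]
    return None


def trust_links(path):
    """Each consecutive pair is one trust link, i.e. one shared secret key."""
    return list(zip(path, path[1:]))
```

A `None` result marks a domain pair that the plan must cover with an explicit trust or leave unreachable by design.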