Domain Trust

A domain trust is a useful way to allow users from a trusted domain to access services in a trusting domain. If all users and services can be managed in a single enterprise domain, there is no need for trust relationships. However, there are several advantages to creating separate domains. Domains are a useful way to separate the scope of responsibility of the domain administrators. Each administrator is responsible for the users and resources within a domain. Domains are also the scope for security policy settings, such as account policies. Most trust relationships in a Windows 2000 forest are implicit two-way transitive trusts that require no planning. It is the external trust relationships to Windows NT 4.0 domains, or other Windows 2000 domains in a separate forest, that need to be mentioned in your plan.

How Trust Relationships Work

All domain trust relationships have only two domains in the relationship: the trusting domain and the trusted domain. A domain trust relationship is characterized by whether it is:

  • One-way

  • Two-way

  • Transitive

  • Nontransitive

A one-way trust is a single trust relationship, where domain A trusts domain B. All one-way relationships are nontransitive. Authentication requests can only be passed from the trusting domain to the trusted domain. This means that if domain A has a one-way trust with domain B and domain B has a one-way trust with domain C, domain A does not have a trust relationship with domain C.

A Windows 2000 domain can establish a one-way trust with:

  • Windows 2000 domains in a different forest

  • Windows NT 4.0 domains

  • MIT Kerberos v5 realms

Since all Windows 2000 domains in a forest are automatically linked by transitive trusts, it is generally not necessary to create one-way trusts between all Windows 2000 domains in the same forest.

All domain trusts within a Windows 2000 forest are two-way transitive trusts. Transitive trusts are always two-way: both domains in the relationship trust each other. Each time you create a new child domain a two-way transitive trust relationship is created between the parent and new child domain. In this way, transitive trust relationships flow upward through the domain tree as it is formed, creating transitive trusts between all domains in the domain tree.

Each time you create a new domain tree in a forest, a two-way transitive trust relationship is created between the forest root domain and the new domain (the root of the new domain tree). In this way, transitive trust relationships flow through all domains in the forest. Authentication requests follow these trust paths, so accounts from any domain in the forest can be authenticated at any other domain in the forest.

You can also explicitly (manually) create transitive trusts between Windows 2000 domains on different branches of the same domain tree or in different trees of a forest. These cross-linked trust relations can be used to shorten the trust path in large and complex domain trees or forests. These explicit trusts need to be provided for in your distributed security plan.

A nontransitive trust is bounded by the two domains in the trust relationship and does not flow to any other domains in the forest. You must explicitly create nontransitive trusts. Nontransitive trusts are one-way by default, although you can also create a two-way relationship by creating two one-way trusts. All trust relationships established between domains that are not in the same forest are nontransitive.

Transitive trusts can only exist between Windows 2000 domains in the same forest.

In summary, nontransitive domain trusts are the only form of trust relationship possible between:

  • A Windows 2000 domain and a Windows NT domain.

  • A Windows 2000 domain in one forest and a Windows 2000 domain in another forest.

  • A Windows 2000 domain and an MIT Kerberos v5 realm.

Prerequisites for Implementing Trusts

There are no specific prerequisites for trusts except to understand that trusts are links between domains. You need to set up at least two domains before you can define a trust relationship.

How to Implement Trusts

To set up explicit trusts among domains in a forest, open MMC snap-in for Active Directory Domains and Trusts. Right-click a domain and open the property sheet. Select the Trusts tab. This tab allows you to add, edit, or delete trust relationships between the selected domain and others in the same forest.

Considerations About Trusts

Mixed mode domains (where Windows NT 4.0 backup domain controllers are temporarily combined with a Windows 2000 primary domain controller during network upgrades) implement trust relationships in a manner consistent with Windows NT 4.0 domains for Windows NT 4.0 Workstations and Servers. In other words, all trust relationships required for Windows NT 4.0 Workstations and Servers are still needed for mixed mode domains. Native mode domains (where all servers are running Windows 2000) support transitive trust.

Domain administrators of any domain in the forest have the potential to take ownership and modify any information in the Configuration container of Active Directory. These changes will be available and replicate to all domain controllers in the forest. Therefore, for any domain that is joined to the forest, you must consider that the domain administrator of that domain is trusted as an equal to any other domain administrator.

Domains where the domain administrators are not fully or equally trusted can be handled in two ways. The first is to set up an explicit one-way trust (or external trust) to that domain. In this way, users logging on to the suspect domain do not have automatic access to the rest of the forest.

To control this situation with a finer degree of granularity, consider collapsing the resources of the suspect domain into an organizational unit (Active Directory folder) of a domain under the control of a trusted administrator. Remove the separate domain altogether. The administrator of the suspect domain can be delegated only the appropriate degree of control over the computers and local groups that are the administrator's domain resources.