Trust Relationships

Active Directory provides security across multiple domains through interdomain trust relationships. When there are trust relationships between domains, the authentication mechanism for each domain trusts the authentication mechanism for all other trusted domains. If a user or application is authenticated by one domain, its authentication is accepted by all other domains that trust the authenticating domain. Users in a trusted domain have access to resources in the trusting domain, subject to the access controls that are applied in the trusting domain.

Note

"Access to resources" in any discussion of trust relationships always assumes the limitations of access control. Trust relationships allow users and computers to be authenticated (to have their identity verified) by an authentication authority. Access control allows authenticated users to use the resources (files, folders, and virtual containers) that they are authorized to use and prohibits them from using (or even seeing) resources that they are not authorized to use. For more information about resource authorization see "Access Control" in this book.

Transitive and Nontransitive Trust

In Windows NT 3.51 and Windows NT 4.0, trust relationships must be created explicitly in one direction. A two-way trust relationship is established by creating two one-way trust relationships. Domains can be connected by explicit one-way or two-way trust relationships for the purpose of enabling access to resources, but they are not necessarily related in any other way.

In Windows 2000, domains can be joined to a domain tree or forest, and each child domain has an automatic two-way trust relationship with the parent domain. This trust relationship is also transitive. Transitive trust means that the trust relationship extended to one domain is extended automatically to any other domain that is trusted by that domain. Transitive trust is applied automatically for all domains that are members of the domain tree or forest. Therefore, when a grandchild domain is created, the trust relationship between the parent and child domains is accepted by the grandchild domain, and vice versa. For example, if a user account is authenticated by the parent domain, the user has access to resources in the grandchild domain. Similarly, if the user is authenticated by a child domain, the user has access to resources in the parent domain, as well as in the grandparent domain.

The effect of transitive trust in Windows 2000 domains is that there is complete trust between all domains in an Active Directory forest — every domain has a transitive trust relationship with its parent domain, and every tree root domain has a transitive trust relationship with the forest root domain.

Note

In Windows 2000, transitive trust relationships are always two-way trust relationships.

A nontransitive trust relationship can be created between Windows 2000 domains when a transitive trust relationship is not appropriate, but this trust relationship must be created explicitly. It can be created, for example, between two Windows 2000 domains that are not in the same forest.

A trust relationship between a Windows 2000 domain and a Windows NT 4.0 domain is always a nontransitive trust relationship. If one of these domains is an account domain and the other is a resource domain, the trust relationship is usually created as a one-way trust relationship. If there are user accounts in both domains, two one-way trust relationships can be created between them.

The trust relationship between two domains — whether one-way or two-way, transitive or nontransitive — is stored as an interdomain trust account object in Active Directory.

For more information about the nature and management of interdomain trust objects, see "Authentication" in this book. For more information about mixed-mode trust relationships, see "Determining Domain Migration Strategies" in the Deployment Planning Guide.

Direction of Trust

In describing trust relationships, arrows illustrate the direction of trust between domains as follows:

  • If B is the trusting domain and A is the trusted domain, B-->A indicates that domain B trusts domain A. (The same trust relationship can be illustrated as A<--B, that is, A is trusted by B.)

  • When domain B trusts domain A (B-->A), users with accounts in domain A can be authenticated for access to resources in domain B. However, users with accounts in domain B are not trusted to be authenticated for access to resources in domain A.

A hierarchy of Windows 2000 domains is implemented by trust relationships between domains. The direction of the trust relationship between a parent domain and its child domain in Active Directory is two-way (A<---->B), but it has the following restrictions:

  • The parent-child relationship between two domains in a domain tree is defined by a subordinate name relationship. For example, noam.reskit.com is a child of reskit.com, but noam.com is not a child of reskit.com. A parent-child trust relationship requires both a parent-child relationship and a direction of trust, as follows: Domain A can be specified as the parent of domain B only if B-->A and B is a subordinate name of A.

  • When a new domain joins a domain tree as a child, a parent-child trust relationship is defined automatically that establishes a two-way, transitive trust relationship.

Note

Automatic configuration of replication topology requires that all parent-child trust relationships within the forest are bidirectional and transitive.

The use of two-way, transitive trust relationships reduces management time because it decreases by more than half the number of trust relationships that must be managed, as the diagram in Figure 1.8 illustrates.

Figure 1.9 Mixed Environment of Two Forests and a Windows NT 4.0 Domain

The following conditions are represented in Figure 1.9:

  • A.com and D.com are the roots of separate trees in forest 1. The two-way, transitive, tree-root trust between them provides complete trust between all domains in the two trees of forest 1.

  • E.D.com uses resources in C.A.com for everyday business operations. To shorten the trust path between the two domains, C.A.com trusts E.D.com directly. This trust relationship serves only the purpose of shortening the trust path for authenticating E.D.com users to use resources in C.A.com. The path is shortened by cutting the number of hops required for authentication from three (E.D.com to D.com, D.com to A.com, and A.com to C.A.com) to one (E.D.com to C.A.com), which increases the speed of authentication.

  • G.com is the root of a single tree that makes up forest 2. The two-way, transitive trust relationship between G.com and H.G.com allows both domains to use each other's resources.

  • Domain G.com in forest 2 implements an explicit one-way external trust relationship with domain D.com in forest 1; users in domain D.com are trusted to use resources in domain G.com. Because the trust relationship is nontransitive, no other domains in forest 1 have access to resources in G.com, and D.com does not have access to resources in H.G.com.

  • Domain F is a Windows NT 4.0 domain that provides support services to the users in E.D.com through a one-way, nontransitive trust relationship. Because the trust is nontransitive, it does not extend to any other domains in forest 1.
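The rules stated above (a direct trust of either kind authenticates users one hop away; only transitive trusts can be chained; a one-way trust works in one direction only) can be checked mechanically against the Figure 1.9 layout. The following Python model is an added example and is not code from the original document or from Microsoft. It encodes only the domains and trusts the text names; the direction of the trust with the NT 4.0 domain F (F trusting E.D.com) and the transitivity of the shortcut trust from C.A.com to E.D.com are assumptions and are marked as such in the code.

```python
from collections import deque
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Trust:
    """One direction of a trust relationship.

    trusting: the resource domain (the domain that trusts).
    trusted:  the account domain (the domain whose users are trusted).
    """
    trusting: str
    trusted: str
    transitive: bool
    kind: str


def two_way(a: str, b: str, kind: str) -> List[Trust]:
    """Windows 2000 parent-child and tree-root trusts: two-way and transitive."""
    return [Trust(a, b, True, kind), Trust(b, a, True, kind)]


# Constructed model of Figure 1.9, limited to the domains the text names.
FIGURE_1_9: List[Trust] = (
    two_way("C.A.com", "A.com", "parent-child")      # forest 1, tree rooted at A.com
    + two_way("E.D.com", "D.com", "parent-child")    # forest 1, tree rooted at D.com
    + two_way("A.com", "D.com", "tree-root")         # joins the two trees of forest 1
    + two_way("H.G.com", "G.com", "parent-child")    # forest 2
    + [Trust("G.com", "D.com", False, "external")]   # G.com trusts D.com, one-way, nontransitive
    + [Trust("F", "E.D.com", False, "external")]     # ASSUMED direction: F trusts E.D.com
)

# The shortcut from the text: C.A.com trusts E.D.com directly (one-way).
# Transitivity of the shortcut is ASSUMED; it does not affect the paths below.
SHORTCUT = Trust("C.A.com", "E.D.com", True, "shortcut")


def trust_path(trusts: List[Trust], trusting: str, trusted: str) -> Optional[List[str]]:
    """Return the chain of domains followed to authenticate a user from
    `trusted` for resources in `trusting`, or None if no trust path exists.

    Rule 1: a direct trust, transitive or not, is always a valid one-hop path.
    Rule 2: a path of two or more hops may use only transitive trusts.
    """
    if trusting == trusted:
        return [trusting]
    outgoing = {}
    for t in trusts:
        outgoing.setdefault(t.trusting, []).append(t)

    # Rule 1: direct trust in the required direction.
    for t in outgoing.get(trusting, []):
        if t.trusted == trusted:
            return [trusting, trusted]

    # Rule 2: breadth-first search over transitive trusts only, so the
    # first path found is the shortest in hops.
    queue = deque([[trusting]])
    seen = {trusting}
    while queue:
        path = queue.popleft()
        for t in outgoing.get(path[-1], []):
            if not t.transitive or t.trusted in seen:
                continue
            extended = path + [t.trusted]
            if t.trusted == trusted:
                return extended
            seen.add(t.trusted)
            queue.append(extended)
    return None


def hops(path: Optional[List[str]]) -> Optional[int]:
    """Number of trust hops on a path (None when there is no path)."""
    return None if path is None else len(path) - 1


if __name__ == "__main__":
    cases = [
        (FIGURE_1_9, "C.A.com", "E.D.com"),             # 3 hops without the shortcut
        (FIGURE_1_9 + [SHORTCUT], "C.A.com", "E.D.com"), # 1 hop with it
        (FIGURE_1_9 + [SHORTCUT], "E.D.com", "C.A.com"), # still 3 hops: shortcut is one-way
        (FIGURE_1_9, "G.com", "D.com"),                  # direct external trust
        (FIGURE_1_9, "G.com", "A.com"),                  # nontransitive: no path
        (FIGURE_1_9, "H.G.com", "D.com"),                # nontransitive: no path
        (FIGURE_1_9, "F", "D.com"),                      # NT 4.0 trust does not extend
    ]
    for trusts, resource, account in cases:
        p = trust_path(trusts, resource, account)
        print(f"{account:>8} users -> {resource:<8} resources: {hops(p)} hop(s) {p}")
```

Each row of the output corresponds to one condition listed for Figure 1.9: the shortcut cuts the C.A.com path from three hops to one but leaves the reverse direction untouched, and neither the external trust to D.com nor the NT 4.0 trust from F carries past the domain it names.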