70-240 in 15 minutes a week: Group Policy (Part 2), ASD, and Trusts Page 3

By ServerWatch Staff (Send Email)
Posted Jun 28, 2001

Active Directory Forests and Trust Relationships
As I outlined in previous articles, all domains within an Active Directory forest are capable of accessing one another due to the nature of the trust relationships that are automatically created. A transitive two-way trust relationship exists between every child domain and its parent domain, and transitive two-way trust relationships exist between the roots of all trees. It should be noted that in some cases you will need to create additional trust relationships, both within and external to your forest.
For example, you might have a domain that is still running Windows NT 4, whose users you wish to be able to access a domain in your Active Directory structure. This would require an external trust, which is very similar to the trust relationships that you should be familiar with from NT 4. These trusts are one-way and intransitive, meaning that they can only be used to provide access to a single domain. In the scenario I described above, the trust relationship might look something like the diagram below:

In this particular example, users from the domain NT4DOMAIN would have access to resources in the asia.win2000trainer.com domain only. Of course, a two-way trust could be created between the two, allowing users from asia.win2000trainer.com access to resources in NT4DOMAIN. If users in NT4DOMAIN needed access to resources in all 3 of the win2000trainer.com domains, 3 trust relationships would need to be created at a minimum.

The tool used to create external trust relationships is Active Directory Domains and Trusts. This tool is used to create, manage, and verify trust relationships between domains. Note that the tools will show both internal and external trust relationships that exist. By accessing the properties of a domain, you can view the trust relationships that exist on the Trusts tab, as shown below:

Note that the domain name, relationship (internal/external), and whether the relationship is transitive will appear on this screen. Note that like NT 4, for security purposes external trust relationship information must still be entered in both domains participating. Note that external trust relationships can connect a Windows 2000 domain with NT 4 domains, Windows 2000 domains (from different forests), as well Kerberos v.5 realms.
The second type of trust relationship that can be created is referred to as a shortcut trust relationship. This type of trust is created to shorten the path that needs to be followed for the purpose of authentication. For example, if I had a forest as shown below, getting to china.asia.win2000trainer.com from europe.win2000trainer.com would require crossing 3 trust relationships, as shown below:

If users in europe.win2000trainer.com did need to regularly access resources in china.asia.win2000trainer.com, it might make sense to create a shortcut trust (as shown below) to lessen the number of trust relationships that would need to be traversed. Note that shortcut trusts are two-way transitive trusts, and that they are also created in Active Directory Domains and Trusts.

In order to verify trust relationships, you can use the edit button in Active Directory domain and trusts when a domain in the list is selected:

The will attempt a secure channel query to the other domain, and will return results as to whether it was successfully able to verify the relationship or not. Further to this, another tool that you should be aware of for verifying trust relationships is Netdom.exe, a command-line utility that can be found in the Windows 2000 resource kit.
And here ends yet another week. Next week I'll continue with a look at Kerberos, replication, AD database maintenance, and operations masters' maintenance. Thanks again to everyone who has been supporting the series, and a special thanks to all those who contacted me last week after the newsletter came out. As always, feel free to contact me with your questions and comments, noting that I ask that all technical questions be posted to my message board for the benefit everyone. Until next week, best of luck with your studies. 


Page 3 of 3

Comment and Contribute

Your name/nickname

Your email

(Maximum characters: 1200). You have characters left.