70-240 in 15 minutes a week: Group Policy (Part 2), ASD, and Trusts Page 3

Active Directory Forests and Trust Relationships

As I outlined in previous articles, all domains within an Active
Directory forest are capable of accessing one another due to the nature
of the trust relationships that are automatically created. A transitive
two-way trust relationship exists between every child domain and its
parent domain, and transitive two-way trust relationships exist between
the roots of all trees. In some cases, however, you will need to create
additional trust relationships, both within and external to your forest.

For example, you might have a domain that is still running Windows NT 4,
whose users you wish to be able to access a domain in your Active
Directory structure. This would require an external trust, which is very
similar to the trust relationships that you should be familiar with from
NT 4. These trusts are one-way and intransitive, meaning that they can
only be used to provide access to a single domain. In the scenario I
described above, the trust relationship might look something like the
diagram below:


In this particular example, users from
the domain NT4DOMAIN would have access to resources in the
asia.win2000trainer.com domain only. Of course, a two-way trust could be
created between the two, allowing users from asia.win2000trainer.com
access to resources in NT4DOMAIN. If users in NT4DOMAIN needed access to
resources in all 3 of the win2000trainer.com domains, 3 trust
relationships would need to be created at a minimum.

The tool used to create external trust relationships is Active Directory
Domains and Trusts. This tool is used to create, manage, and verify
trust relationships between domains. Note that the tool will show both
internal and external trust relationships that exist. By accessing the
properties of a domain, you can view the trust relationships that exist
on the Trusts tab, as shown below:

The domain name, the relationship type (internal/external), and whether
the relationship is transitive will appear on this screen. As with NT 4,
for security purposes external trust relationship information must still
be entered in both participating domains. External trust relationships
can connect a Windows 2000 domain with NT 4 domains, Windows 2000
domains from different forests, and Kerberos v5 realms.

The second type of trust relationship that can be created is referred to
as a shortcut trust relationship. This type of trust is created to
shorten the path that needs to be followed for the purpose of
authentication. For example, in the forest shown below, getting
to china.asia.win2000trainer.com from europe.win2000trainer.com would
require crossing 3 trust relationships:

If users in europe.win2000trainer.com
did need to regularly access resources in china.asia.win2000trainer.com,
it might make sense to create a shortcut trust (as shown below) to
lessen the number of trust relationships that would need to be
traversed. Note that shortcut trusts are two-way transitive trusts, and
that they are also created in Active Directory Domains and Trusts.
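To make the hop counting concrete, here is a small Python model (an added example, not part of the original article) of the forest described above. Domains and trusts are held as a directed graph: parent/child, tree-root and shortcut trusts are two-way and transitive, so authentication may chain through them, while the external trust to NT4DOMAIN is one-way and intransitive, so it can only ever be the single trust crossed. The domain names mirror the article's diagrams; the graph representation, the function names and the rule that an intransitive trust may only stand alone are my own simplifications for illustration, not anything taken from the Active Directory implementation.

```python
"""Trust-path model for the forest in the article (added example, not the
article's own material).

An edge (trusting, trusted) means the trusting domain accepts users from the
trusted domain. Parent/child, tree-root and shortcut trusts are two-way and
transitive, so authentication can chain through them. An external trust
(here, to an NT 4 domain) is one-way and intransitive: it only grants access
between the two domains it directly joins.
"""
from collections import deque


def two_way(a, b, transitive=True):
    """Return both directions of a two-way trust between domains a and b."""
    return [(a, b, transitive), (b, a, transitive)]


# Constructed forest matching the article: root, two child domains, and a
# grandchild under asia. Each entry is (trusting_domain, trusted_domain, transitive).
FOREST_TRUSTS = (
    two_way("win2000trainer.com", "asia.win2000trainer.com")
    + two_way("win2000trainer.com", "europe.win2000trainer.com")
    + two_way("asia.win2000trainer.com", "china.asia.win2000trainer.com")
)

# External trust: asia trusts NT4DOMAIN (NT 4 users can reach asia resources),
# one-way and intransitive, so no reverse edge and no chaining.
EXTERNAL_TRUST = [("asia.win2000trainer.com", "NT4DOMAIN", False)]

# Shortcut trust between the two domains the article's users travel between.
SHORTCUT_TRUST = two_way("europe.win2000trainer.com", "china.asia.win2000trainer.com")


def build_graph(trusts):
    """Map each domain to the list of (trusted_domain, transitive) edges it holds."""
    graph = {}
    for trusting, trusted, transitive in trusts:
        graph.setdefault(trusting, []).append((trusted, transitive))
        graph.setdefault(trusted, [])
    return graph


def trust_path(trusts, resource_domain, user_domain):
    """Shortest chain of trusts crossed when a user from user_domain is
    authenticated for a resource in resource_domain, as a list of
    (trusting, trusted) hops, or None when no usable chain exists.

    Breadth-first search outward from the resource domain. An intransitive
    trust is only usable when it is the sole hop of the path (assumption of
    this model, matching the article's description of external trusts).
    """
    if resource_domain == user_domain:
        return []
    graph = build_graph(trusts)
    queue = deque([(resource_domain, [])])
    seen = {resource_domain}
    while queue:
        domain, path = queue.popleft()
        for trusted, transitive in graph.get(domain, []):
            if not transitive and path:
                continue  # an external trust cannot be appended to a longer chain
            hop = path + [(domain, trusted)]
            if trusted == user_domain:
                return hop
            if not transitive or trusted in seen:
                continue  # cannot chain past an external trust or revisit a domain
            seen.add(trusted)
            queue.append((trusted, hop))
    return None


def trusts_crossed(trusts, resource_domain, user_domain):
    """Number of trusts crossed, or None if access is not possible."""
    path = trust_path(trusts, resource_domain, user_domain)
    return None if path is None else len(path)


def describe(trusts, resource_domain, user_domain):
    """Human-readable summary, listed from the user's domain to the resource."""
    path = trust_path(trusts, resource_domain, user_domain)
    if path is None:
        return f"{user_domain} -> {resource_domain}: no usable trust path"
    nodes = [resource_domain] + [trusted for _, trusted in path]
    chain = " -> ".join(reversed(nodes))
    return f"{user_domain} -> {resource_domain}: {len(path)} trust(s) crossed ({chain})"


if __name__ == "__main__":
    europe, china = "europe.win2000trainer.com", "china.asia.win2000trainer.com"
    print(describe(FOREST_TRUSTS, europe, china))                   # 3 trusts
    print(describe(FOREST_TRUSTS + SHORTCUT_TRUST, europe, china))  # 1 trust
    everything = FOREST_TRUSTS + EXTERNAL_TRUST
    for domain in ("asia.win2000trainer.com", "win2000trainer.com", china):
        print(describe(everything, domain, "NT4DOMAIN"))  # only asia is reachable
    print(describe(everything, "NT4DOMAIN", "asia.win2000trainer.com"))  # one-way: none
```

Running the script prints the three-hop path from china.asia.win2000trainer.com up through asia and the root to europe.win2000trainer.com, the one-hop path once the shortcut trust is added, and shows that NT4DOMAIN users reach asia.win2000trainer.com only: the root and china domains return no path, which is why three separate external trusts are needed for the three forest domains, and the reverse query from NT4DOMAIN returns nothing because the external trust is one-way.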

In order to verify trust relationships, you can use the Edit button in
Active Directory Domains and Trusts when a domain in the list is selected:

This will attempt a secure channel query to the other domain, and will
return results as to whether it was able to verify the relationship
successfully or not. Further to this, another tool that you should be
aware of for verifying trust relationships is Netdom.exe, a command-line
utility that can be found in the Windows 2000 Resource Kit.

And here ends yet another week. Next week I’ll continue with a look at
Kerberos, replication, AD database maintenance, and operations
masters’ maintenance. Thanks again to everyone who has been supporting
the series, and a special thanks to all those who contacted me last week
after the newsletter came out. As always, feel free to contact me with
your questions and comments, noting that I ask that all technical
questions be posted to my message board for the benefit of everyone.
Until next week, best of luck with your studies.

Dan
http://www.win2000trainer.com
