Learn AD in 15 Minutes a Week: Active Directory Domains and Trusts MMC Page 3

By Jason Zandri (Send Email)
Posted Apr 18, 2003


A Review of Trees

By definition, a Windows 2000 Active Directory domain tree is a set of Windows 2000 domains connected together via a two-way transitive trust, sharing a common schema, configuration, and global catalog.

In order to be considered a true Windows 2000 domain tree, the domains must form a contiguous hierarchical namespace with one domain being the domain root.

The first Windows 2000 domain installed in a tree is considered the root domain of that tree. It would only be considered the forest root domain if it were also the first domain in the forest.

Let's say zandri.net is the first Windows 2000 domain in a pristine forest. This would make zandri.net the first Windows 2000 domain installed in the forest, and as such it would be considered the forest root domain. Since it is also the first Windows 2000 domain installed in this tree, it is considered to be the root domain of the zandri.net tree.

[NOTES FROM THE FIELD] - A tree that contains only a single domain is called a stand-alone domain tree. That single tree constitutes a forest of one tree.

After the zandri.net domain has been deployed, a child domain called northamerica.zandri.net is created, as well as southamerica.zandri.net. Since these two new domains are children of the parent, zandri.net, they sit below it in the hierarchy, with the zandri.net domain at the top.

If we were to then create a new domain tree called gunderville.com in the same forest, with two child domains of its own, the upper part of the forest structure near the root domain would look something like this (the article's diagram, rendered as a text outline; the second gunderville.com child is not named in the article):

    zandri.net                      (forest root; root of the zandri.net tree)
        northamerica.zandri.net
        southamerica.zandri.net
    gunderville.com                 (root of the gunderville.com tree)
        southamerica.gunderville.com
        (second child domain)

The root of this forest is zandri.net. The root of the zandri.net tree is zandri.net. The root of the gunderville.com tree is gunderville.com.

A Review of Trust Relationships

All of the domains in a domain tree and all of the trees in a single forest have the connectivity benefit of the two-way, transitive trust relationship, which is the default trust relationship between Windows 2000 domains. A two-way, transitive trust by definition is really the combination of a transitive trust and a two-way trust. This complete trust between all domains in an Active Directory domain hierarchy helps to form the forest as a single unit via its common schema, configuration, and global catalog.

A transitive trust is a relationship that extends from one domain to the next, to the next, and so on. In the above example, northamerica.zandri.net indirectly trusts southamerica.zandri.net because the trust relationship travels from northamerica.zandri.net to zandri.net to southamerica.zandri.net. Because northamerica.zandri.net to zandri.net is a direct trust, zandri.net to southamerica.zandri.net is a direct trust, and all trusts within a Windows 2000 Active Directory forest are transitive by default, northamerica.zandri.net indirectly trusts southamerica.zandri.net.

This is also the same relationship of northamerica.zandri.net to southamerica.gunderville.com.

Since they are all in the same forest, connected by a common schema, configuration, and global catalog, and all Windows 2000 Active Directory trusts within a forest are transitive by default, the following is true:

Since northamerica.zandri.net directly trusts zandri.net and zandri.net directly trusts gunderville.com and gunderville.com directly trusts southamerica.gunderville.com then northamerica.zandri.net indirectly trusts southamerica.gunderville.com.

A two-way trust can simply be looked at as two one-way trusts between two domains. When zandri.net trusts northamerica.zandri.net, this is a one-way trust. When northamerica.zandri.net trusts zandri.net, this is another one-way trust. It is considered two-way because each trusts the other in the same reverse manner that it is trusted.

This would also be the case where zandri.net trusts gunderville.com and gunderville.com trusts zandri.net. Since these two domain trees are in the same forest, they each trust the other and all of their child domains (two-way and transitively).

Again, all of the domains in a domain tree and all of the trees in a single forest have the connectivity benefit of the two-way, transitive trust relationships, which are the default trust relationships between Windows 2000 domains.

This IS NOT true of domains and domain trees OUTSIDE of the forest. A trust with a domain outside the forest is referred to as an External trust.

For example, if zandri.net were collaborating on a project with 2000trainers.com, where users in the 2000trainers.com Windows 2000 domain needed access to resources within the zandri.net Windows 2000 domain, the domain administrator for zandri.net would have to manually set up a trust relationship with 2000trainers.com in which zandri.net trusted 2000trainers.com, so that users in 2000trainers.com could gain access to the resources they needed. This would not give users in zandri.net access to any resources in 2000trainers.com, as the manual setup of a one-way trust does not automatically create the "reverse" one-way trust that would make 2000trainers.com trust the users of zandri.net.

This could be done with the Active Directory Domains and Trusts MMC. You would log on with a domain administrator account (or equivalent), either locally to one of the domain controllers in zandri.net or from any workstation that had the tools installed, then select the domain and choose Properties.

[NOTES FROM THE FIELD] - When you are logged in to a workstation you will need to connect to a domain controller to manage these trusts.

Once you select Properties and choose the Trusts tab you can configure domains that are trusted by this domain in the upper box and domains that trust this domain in the lower box.

For our scenario we will need to Add 2000trainers.com to our "Domains trusted by this domain" list.

Once we select Add, the Add Trusted Domain box will appear and we can enter 2000trainers.com and the needed password to add this domain to our trusted list.

Also, the trust is in no way transitive. None of the resources in the child domains of the zandri.net tree, nor any in the domains of the gunderville.com tree, are available to users of 2000trainers.com, and none are available to users of forums.2000trainers.com. Even though 2000trainers.com and forums.2000trainers.com share a common schema, configuration, and global catalog in the 2000trainers.com Active Directory, only the trusted domain, 2000trainers.com, has access to the specified resources, and only those in the zandri.net domain.
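The reachability rules described in the two sections above (two-way transitive trusts inside the forest, and a manually created external trust that is one-way and non-transitive) can be checked mechanically. The following is an added example, not code from the article or from Microsoft: it models each trust as a directed edge flagged transitive or not, builds the article's zandri.net/gunderville.com forest plus the external trust to 2000trainers.com, and answers "does domain A trust domain B, and by which chain?" The TrustGraph class, its method names and the build_article_forest helper are this example's own inventions; the domain names are the article's.

```python
from collections import deque


class TrustGraph:
    """Toy model of Windows 2000 trust semantics (example code).

    Each edge runs from the trusting domain to the trusted domain and is
    flagged transitive or not. A chain of trusts counts only if every hop
    is transitive; a non-transitive (external) trust can never be extended
    by another hop, so it is only honoured as a direct, single-hop trust.
    """

    def __init__(self):
        self.edges = {}  # trusting -> {trusted: is_transitive}

    def add_one_way(self, trusting, trusted, transitive):
        self.edges.setdefault(trusting, {})[trusted] = transitive
        self.edges.setdefault(trusted, {})

    def add_two_way_transitive(self, a, b):
        # Default Windows 2000 trust between parent/child domains and
        # between tree roots in the same forest.
        self.add_one_way(a, b, True)
        self.add_one_way(b, a, True)

    def add_external(self, trusting, trusted):
        # Manually created external trust: one-way and non-transitive.
        self.add_one_way(trusting, trusted, False)

    def trust_path(self, trusting, trusted):
        """Return the chain of domains by which `trusting` trusts `trusted`,
        or None if no valid chain exists."""
        if trusting == trusted:
            return [trusting]
        # Any direct trust, transitive or not, is honoured on its own.
        if trusted in self.edges.get(trusting, {}):
            return [trusting, trusted]
        # Beyond one hop, only chains made entirely of transitive trusts count.
        parent = {trusting: None}
        queue = deque([trusting])
        while queue:
            cur = queue.popleft()
            for nxt, transitive in self.edges.get(cur, {}).items():
                if not transitive or nxt in parent:
                    continue
                parent[nxt] = cur
                if nxt == trusted:
                    path = [nxt]
                    while parent[path[-1]] is not None:
                        path.append(parent[path[-1]])
                    return path[::-1]
                queue.append(nxt)
        return None

    def trusts(self, trusting, trusted):
        return self.trust_path(trusting, trusted) is not None


def build_article_forest():
    """The article's scenario: one forest of two trees plus an external trust."""
    g = TrustGraph()
    # zandri.net tree (zandri.net is also the forest root)
    g.add_two_way_transitive("zandri.net", "northamerica.zandri.net")
    g.add_two_way_transitive("zandri.net", "southamerica.zandri.net")
    # gunderville.com tree, joined to the forest root by a two-way transitive trust
    g.add_two_way_transitive("zandri.net", "gunderville.com")
    g.add_two_way_transitive("gunderville.com", "southamerica.gunderville.com")
    # External trust: zandri.net trusts 2000trainers.com (one-way, non-transitive)
    g.add_external("zandri.net", "2000trainers.com")
    # 2000trainers.com's own tree lives in a separate forest
    g.add_two_way_transitive("2000trainers.com", "forums.2000trainers.com")
    return g


if __name__ == "__main__":
    g = build_article_forest()
    checks = [
        ("northamerica.zandri.net", "southamerica.zandri.net"),
        ("northamerica.zandri.net", "southamerica.gunderville.com"),
        ("zandri.net", "2000trainers.com"),
        ("2000trainers.com", "zandri.net"),            # one-way: no
        ("northamerica.zandri.net", "2000trainers.com"),  # non-transitive: no
        ("zandri.net", "forums.2000trainers.com"),      # non-transitive: no
    ]
    for trusting, trusted in checks:
        print(f"{trusting} trusts {trusted}: {g.trust_path(trusting, trusted)}")
```

The model deliberately treats "non-transitive" strictly: the external edge is never used as a hop in a longer chain in either direction, which is exactly why neither the zandri.net child domains nor forums.2000trainers.com appear in any path across the forest boundary.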

Page 3 of 4

