Friday, August 28, 2009

Domain Trust – part II

Part I covered the basic concept of Domain Trust. Now it’s time to go over the different Trust types.

Two-way trust is the most common type and the easiest to understand.
In a Windows forest, any two domains trust each other both ways, and those trusts are transitive. As a result, any new child domain you create within the forest is automatically both trusted and trusting.
The result of a Two-way trust is that authentication requests can be passed between the two domains: users from domain A can access resources in domain B, provided they have the permissions to do so, without any additional login (based on the authentication they have already done in their own domain).
Two-way trust within a forest root or domain tree is always transitive. (I’ll get there in a minute.)

One-way trust uses the same authentication concept, but unlike the Two-way trust, here one domain accesses the other domain’s resources while that other domain is not allowed to use its resources. One-way trust relationships are always nontransitive.
A One-way trust can be established with another forest (Win2000\2003\2008), a WinNT domain or a Kerberos realm (i.e. a non-Windows environment).

Transitive trusts exist between two domains in the same forest. With a Transitive trust the trust can be extended beyond the two domains: if domain A trusts domain B and domain B trusts domain C, domain A will also trust domain C. Simple.

There is, however, a way to explicitly create other types of transitive trusts:
Shortcut trust - used to shorten the trust path in a large and complex environment; it connects two domains in the same domain tree or forest. As the name indicates, it doesn’t create anything new but shortens the path the user has to go through to get to the destination domain.
Forest trust – transitive trust between two forest root domains.
Realm trust - transitive trust between an AD domain and a non-Windows environment using Kerberos V5 realms.

Nontransitive trust is a trust restricted to the two participating domains. This trust cannot flow beyond the borders of these two domains. A nontransitive trust is always One-way, but it can be tweaked by creating two One-way trusts, which together make an actual two-way trust.
Nontransitive trust is used when connecting WinNT domains, and for trusting a single domain of another forest when you do not want the entire second forest to be trusted.

There are two types of nontransitive trust:
External trust - created between a Windows 2000\2003\2008 domain and a Windows NT domain, or a Windows domain in another forest.
Realm trust - nontransitive trust between an AD domain and a non-Windows environment using Kerberos V5 realms.
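To make the transitivity and one-way/two-way rules above concrete, here is an added Python model (not code from the original post, and not an Active Directory API) of a constructed sample forest with hypothetical domain names. It computes the chain of domains an authentication referral follows from the domain holding a resource to the domain holding the user account, shows how a shortcut trust shortens that chain, and shows why a nontransitive external trust stops at its two domains and why a forest trust does not chain on to a third forest.

```python
from collections import deque

# Edge direction is trusting -> trusted: the trusting domain's resources
# accept users authenticated by the trusted domain. A two-way trust is
# simply two opposite one-way edges. Kinds in TRANSITIVE_KINDS can be
# chained; "external" is nontransitive and usable only as a direct hop.
TRANSITIVE_KINDS = {"parent-child", "tree-root", "shortcut", "forest"}


class TrustGraph:
    def __init__(self):
        self.edges = {}  # trusting domain -> {trusted domain: trust kind}

    def add_one_way(self, trusting, trusted, kind):
        self.edges.setdefault(trusting, {})[trusted] = kind
        self.edges.setdefault(trusted, {})

    def add_two_way(self, a, b, kind):
        self.add_one_way(a, b, kind)
        self.add_one_way(b, a, kind)

    def trust_path(self, resource_domain, account_domain):
        """Shortest chain of domains from the resource's domain to the
        account's domain, or None if no trust relationship permits access.
        Rules modelled: a nontransitive trust works only as a direct hop;
        multi-hop chains use transitive trusts only; a forest trust joins
        two forests but does not carry on to a third, so a chain contains
        at most one forest-trust hop."""
        if resource_domain == account_domain:
            return [resource_domain]
        if account_domain in self.edges.get(resource_domain, {}):
            return [resource_domain, account_domain]  # direct hop, any kind
        queue = deque([([resource_domain], False)])  # (path, forest hop used)
        seen = {(resource_domain, False)}
        while queue:
            path, forest_used = queue.popleft()
            for nxt, kind in self.edges.get(path[-1], {}).items():
                if kind not in TRANSITIVE_KINDS:
                    continue
                if kind == "forest" and forest_used:
                    continue
                state = (nxt, forest_used or kind == "forest")
                if state in seen:
                    continue
                seen.add(state)
                if nxt == account_domain:
                    return path + [nxt]
                queue.append((path + [nxt], state[1]))
        return None


def build_sample_forest():
    """Constructed sample topology; all domain names are hypothetical."""
    g = TrustGraph()
    # Forest root corp.example with two branches of child domains
    g.add_two_way("corp.example", "eu.corp.example", "parent-child")
    g.add_two_way("eu.corp.example", "de.eu.corp.example", "parent-child")
    g.add_two_way("corp.example", "us.corp.example", "parent-child")
    g.add_two_way("us.corp.example", "ny.us.corp.example", "parent-child")
    # Two-way transitive forest trust between two forest roots
    g.add_two_way("corp.example", "partner.example", "forest")
    g.add_two_way("partner.example", "sales.partner.example", "parent-child")
    # A third forest trusted by partner.example only
    g.add_two_way("partner.example", "third.example", "forest")
    # One-way nontransitive external trust: corp.example trusts LEGACYNT
    g.add_one_way("corp.example", "LEGACYNT", "external")
    return g


if __name__ == "__main__":
    g = build_sample_forest()
    print("without shortcut:", g.trust_path("ny.us.corp.example", "de.eu.corp.example"))
    g.add_two_way("ny.us.corp.example", "de.eu.corp.example", "shortcut")
    print("with shortcut:   ", g.trust_path("ny.us.corp.example", "de.eu.corp.example"))
    print("via forest trust:", g.trust_path("de.eu.corp.example", "sales.partner.example"))
    print("third forest:    ", g.trust_path("corp.example", "third.example"))
    print("external, direct:", g.trust_path("corp.example", "LEGACYNT"))
    print("external, reverse:", g.trust_path("LEGACYNT", "corp.example"))
    print("external, child: ", g.trust_path("eu.corp.example", "LEGACYNT"))
```

Run it as a script to see the seven cases printed. The trust chain from ny.us to de.eu walks up to the forest root and back down (four hops) until the shortcut trust is added, the partner forest's child domain is reachable through the single forest-trust hop, the third forest is not, and the external trust to LEGACYNT is honoured only by corp.example itself and only in one direction.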

In part III I’ll show some Trust-related troubleshooting skills that every admin should have.
