Can you trust Active Directory's trust relationships?


Laura E. Hunter, Contributor
08.02.2005




One of the larger improvements in Active Directory over its predecessor NT4 is the way in which AD manages trust relationships in a multi-domain environment.

In Windows 2000 and Windows Server 2003 Active Directory, you have certain trust relationships that are enabled by default and created automatically: a two-way transitive trust relationship between a parent domain and all child domains that are created beneath it, and a two-way transitive trust between the root domains of multiple domain trees within a single forest. A two-way trust relationship means that users in Domain A can access resources in Domain B using the same trust relationship that allows users in Domain B to access resources in Domain A. This greatly simplifies matters compared to NT4, where you needed to create and manage a separate trust relationship (a one-way trust) in each direction if you needed to configure access on both sides of the trust. A transitive trust relationship means that if Domain A trusts Domain B and Domain B trusts Domain C, then an implicit trust relationship exists automatically between Domain A and Domain C; there's no need to create a third trust relationship manually. So if an Active Directory domain has numerous child domains, all of those child domains will have implicit trust relationships with each other by virtue of the fact that they each have a trust relationship with that single parent domain. Likewise, in a forest containing multiple domain trees, all child domains in each domain tree will be able to access resources in other trees because of the transitive nature of the trust that exists by default between the root domains of each domain tree.

Windows 2000 and Windows Server 2003 differ, however, in how they handle trust relationships between separate forests. The only type of trust relationship that you can create between two Windows 2000 forests is a one-way non-transitive trust between a single domain in Forest A and a single domain in Forest B. As you might imagine, this is the total opposite of the default trust relationships established between domains in a single forest. A non-transitive trust means that only the two domains that are explicitly defined in the trust relationship will be able to access one another's resources; if you need to access resources in other domains across the forest boundary, you'll need to set up additional trust relationships to accommodate this. And a one-way trust means that access will only flow in a single direction: if Domain B is trusted by Domain A, then users in Domain B will be able to access resources in Domain A, but the reverse will not apply – users in Domain A will not be able to get to resources in Domain B without creating a one-way trust in the opposite direction (where Domain A is trusted by Domain B).

Windows Server 2003 improves on this quite a bit by introducing the cross-forest trust. This advanced feature of Active Directory is only available if both forests are at the Windows Server 2003 forest functional level, which means that all domain controllers in all domains in both forests are running Windows Server 2003 and you've manually raised the forest functional level. Cross-forest trusts are transitive, which means that every domain in Forest A will have an implicit trust relationship with every domain in Forest B. What transitivity does not mean for cross-forest trusts (and this often causes confusion) is this: if you have a cross-forest trust between Forest A and Forest B, and a second cross-forest trust between Forest B and Forest C, a trust relationship does not exist between Forest A and Forest C. You'd need to create a second cross-forest trust between Forest A and Forest C to allow this to happen. Cross-forest trusts can be either one-way or two-way, and you'll establish the trust relationship between the forest root domain in each forest.
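The three rules above (intra-forest trusts are two-way and transitive, Windows 2000 external trusts are one-way and non-transitive, cross-forest trusts span both forests but do not chain) are easy to get wrong when auditing who can reach a resource. The following Python model is an added example, not part of the original tip; the forest layout and the domain names are constructed, and the `Trust` class and `can_access` function are my own rather than any Microsoft API.

```python
"""Model of effective access across Active Directory trust relationships."""
from dataclasses import dataclass

# Constructed sample topology: forest root domain -> every domain in that forest.
FORESTS = {
    "corp.example": ["corp.example", "sales.corp.example", "eu.corp.example"],
    "partner.example": ["partner.example", "dev.partner.example"],
    "vendor.example": ["vendor.example"],
}
DOMAIN_TO_FOREST = {d: f for f, ds in FORESTS.items() for d in ds}


@dataclass(frozen=True)
class Trust:
    """Directed trust edge: accounts from `trusted` may reach resources in `trusting`.

    kind is "external" (Windows 2000 style: one domain to one domain, non-transitive)
    or "forest" (Windows Server 2003 cross-forest trust between forest root domains).
    """
    trusting: str
    trusted: str
    kind: str


def two_way(a, b, kind):
    """A two-way trust is simply one directed edge in each direction."""
    return [Trust(a, b, kind), Trust(b, a, kind)]


def can_access(user_domain, resource_domain, trusts):
    """Return (allowed, reason) for a user in user_domain reaching resource_domain."""
    uf, rf = DOMAIN_TO_FOREST[user_domain], DOMAIN_TO_FOREST[resource_domain]
    if uf == rf:
        # Parent/child and tree-root trusts are transitive, so any two domains in
        # one forest trust each other without an explicit edge.
        return True, "same forest: default two-way transitive trusts"
    for t in trusts:
        # External trusts apply only to the exact pair of domains named in them.
        if t.kind == "external" and (t.trusting, t.trusted) == (resource_domain, user_domain):
            return True, "explicit external trust (one-way, non-transitive)"
        # Forest trusts cover every domain in both forests, but only those two forests:
        # a corp<->partner trust plus a partner<->vendor trust gives corp no path to vendor.
        if t.kind == "forest" and (t.trusting, t.trusted) == (rf, uf):
            return True, "cross-forest trust between forest roots (transitive within both forests)"
    return False, "no trust path: external trusts are non-transitive and forest trusts do not chain"


# Constructed sample: corp<->partner and partner<->vendor forest trusts, plus a single
# one-way external trust in which corp.example trusts vendor.example.
SAMPLE_TRUSTS = (two_way("corp.example", "partner.example", "forest")
                 + two_way("partner.example", "vendor.example", "forest")
                 + [Trust("corp.example", "vendor.example", "external")])
```

Running `can_access("eu.corp.example", "vendor.example", SAMPLE_TRUSTS)` returns `False` even though both forests trust `partner.example`, which is exactly the chaining that does not happen.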

Laura E. Hunter (CISSP, MCSE: Security, MCDBA, Microsoft MVP) is a senior IT specialist with the University of Pennsylvania, where she provides network planning, implementation, and troubleshooting services for business units and schools within the university. Hunter is a two-time recipient of the prestigious Microsoft "Most Valued Professional" award in the area of Windows Server-Networking. She is the author of the Active Directory Field Guide (APress Publishing). You can contact her at laurahcomputing@gmail.com.
