🔃AD Domain Trust Relationships

The Idea of a Trust Relationship

What Are AD Trust Relationships?

Active Directory (AD) trust relationships are the mechanism that lets users, computers, or services in one AD domain be authenticated to, and then access resources in, another domain or forest in a Windows environment. A trust establishes a secured channel between the domain controllers of the two domains (or forests) over which authentication requests and Kerberos referrals flow, so that authentication can cross organizational boundaries. A trust only makes the other domain's principals authenticatable; what they may then do is still decided by the permissions (ACLs and group memberships) set on each resource in the trusting domain.

Key Terms

  • Trusted Domain: The domain whose users or accounts are trusted to authenticate and access resources in another domain.

  • Trusting Domain: The domain that allows users from the trusted domain to access its resources.

  • Direction: Specifies the flow of trust, i.e. which domain trusts the other to authenticate users. The trust arrow points from the trusting domain to the trusted domain, which is the opposite of the direction in which access flows.

Types of Trusts

There are several types of trusts, including:

  1. One-Way Trust

Definition: A one-way trust is a unidirectional relationship where one domain (the trusting domain) allows users from another domain (the trusted domain) to authenticate and access its resources, but not vice versa.

Characteristics:

  • Direction: Unidirectional. The trusting domain grants access to its resources, but the trusted domain does not reciprocate.

  • Authentication: Users in the trusted domain can authenticate to resources in the trusting domain, provided they have appropriate permissions.

  • Scope: Can be established between domains in the same forest or different forests.

  • Transitivity: Depends on the trust type. A one-way forest trust, or a one-way trust between domains of the same forest, is transitive; a one-way external trust is non-transitive.

  • Transitive Trust: A trust where, if Domain A trusts Domain B and Domain B trusts Domain C, then Domain A automatically trusts Domain C. The trust propagates through the chain of trusted domains.

Use Case:

  • A vendor (vendor.com) needs access to a specific file share in a client’s domain (client.com) for a project, but the client does not need access to the vendor’s resources.

  • A one-way trust in which client.com (trusting) trusts vendor.com (trusted) lets vendor employees authenticate to client.com and reach the file share once the share's ACL grants their accounts access; client.com users gain no access to vendor.com.

Example:

  • Company A (companyA.com) trusts Company B (companyB.com). Users in companyB.com can access resources in companyA.com, but users in companyA.com cannot access resources in companyB.com unless another trust is created.

  • Common in scenarios where a partner organization needs access to specific resources without reciprocal access.

  2. Two-Way Trust

Definition: A two-way trust is a bidirectional relationship where both domains trust each other, allowing users in either domain to authenticate and access resources in the other, assuming appropriate permissions.

Characteristics:

  • Direction: Bidirectional. Each domain is both a trusting and trusted domain for the other.

  • Authentication: Users in either domain can authenticate to resources in the other domain.

  • Scope: Common in parent-child trusts or tree-root trusts within a forest, but can also be external or forest trusts between different forests.

  • Transitivity: Can be transitive or non-transitive, depending on the trust type.

Example:

  • companyA.com and companyB.com establish a two-way trust. Employees in companyA.com can access resources in companyB.com, and vice versa, based on permissions.

  • Common in merged organizations or closely collaborating departments.

Use Case:

  • Two subsidiaries of a parent company (sales.contoso.com and marketing.contoso.com) need to share resources like file servers and databases. A two-way trust allows seamless access for users in both domains. (If both are child domains of one forest, the automatic two-way parent-child trusts already provide this; an explicit two-way trust is created only when the domains sit in different forests, or as a shortcut trust to shorten the authentication path.)
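The one-way and two-way trusts from the two use cases above can be created and checked from a domain controller of the trusting domain with netdom and the ActiveDirectory PowerShell module. The commands below are an added example, not part of the original page: the domain names are the page's own example names, the administrator account names are placeholders, and each password is prompted for. Note netdom's argument order, which is where direction mistakes usually happen: the first argument is the trusting domain and /d: is the trusted domain.

```powershell
# Added example (not from the page): create and check the trusts from the use cases above.
# Run in an elevated PowerShell on a domain controller of the TRUSTING domain as a
# Domain Admin there. Account names are placeholders; /passwordD:* and /passwordO:*
# prompt for the passwords instead of putting them on the command line.

# --- One-way external trust: client.com (trusting) trusts vendor.com (trusted) ---
# netdom's first argument is the trusting domain, /d: the trusted domain. /userD is an
# account in the trusted (vendor) domain, used to create that side of the trust.
netdom trust client.com /d:vendor.com /add /userD:VENDOR\Administrator /passwordD:*

# Check the secure channel end to end before anyone depends on the trust.
netdom trust client.com /d:vendor.com /verify

# --- Two-way trust: companyA.com and companyB.com trust each other ---
# /twoway creates both halves, so credentials for both sides are supplied
# (/userO is an account in the trusting, i.e. first-named, domain).
netdom trust companyA.com /d:companyB.com /add /twoway `
    /userD:COMPANYB\Administrator /passwordD:* `
    /userO:COMPANYA\Administrator /passwordO:*

# --- Read back what was recorded ---
# Direction is relative to the domain you query. From client.com the vendor.com trust
# is Outbound (client.com trusts vendor.com); queried on vendor.com, the same trust is
# Inbound. SIDFilteringQuarantined should be True on an external trust created with the
# defaults. DisallowTransivity really is spelled that way by the cmdlet; True means the
# trust is non-transitive, which is what an external trust should show.
Get-ADTrust -Filter 'Target -eq "vendor.com"' -Server client.com |
    Select-Object Target, Direction, IntraForest, ForestTransitive, DisallowTransivity, SIDFilteringQuarantined

Get-ADTrust -Filter 'Target -eq "client.com"' -Server vendor.com -Credential (Get-Credential 'VENDOR\Administrator') |
    Select-Object Target, Direction

# The two-way trust shows BiDirectional from either side.
Get-ADTrust -Filter 'Target -eq "companyB.com"' -Server companyA.com |
    Select-Object Target, Direction, DisallowTransivity
```

Creating the trust is the easy part; the `/verify` step and the read-back are what tell you the secure channel actually works and that the trust was recorded with the direction and transitivity you intended. Permissions on the share itself still have to be granted to the vendor accounts separately.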

  3. Transitive Trust

Definition: A transitive trust extends beyond the directly trusted domains to include other domains in the same forest or tree, creating a chain of trust relationships.

Characteristics:

  • Transitivity: If Domain A trusts Domain B, and Domain B trusts Domain C, then Domain A trusts Domain C.

  • Direction: Can be one-way or two-way.

  • Scope: Typically applies to trusts within a forest (parent-child, tree-root) or forest trusts between forests.

  • Automatic Creation: Parent-child and tree-root trusts in a forest are transitive by default.

Example:

  • In a forest with domains contoso.com, sales.contoso.com, and marketing.contoso.com, a parent-child trust between contoso.com and sales.contoso.com, and another between contoso.com and marketing.contoso.com, makes sales.contoso.com and marketing.contoso.com trust each other transitively through the forest root (contoso.com).

Use Case:

  • A large organization with multiple child domains (europe.contoso.com, asia.contoso.com) uses transitive trusts to allow users in any domain to access resources in other domains within the same forest without creating additional trusts.

  4. Non-Transitive Trust

Definition: A non-transitive trust is limited to the two domains directly involved in the trust relationship and does not extend to other domains.

Characteristics:

  • Transitivity: Non-transitive. The trust does not propagate beyond the two domains directly involved: if Domain A trusts Domain B and Domain B trusts Domain C, Domain A does not automatically trust Domain C.

  • Direction: Can be one-way or two-way.

  • Scope: Typically used for external trusts between domains in different forests or with non-AD domains (Windows NT 4.0 domains).

Example:

  • companyA.com (in Forest A) establishes a non-transitive external trust with partner.com (in Forest B). This trust allows companyA.com users to access resources in partner.com, but does not extend to other domains in Forest B, such as sales.partner.com.

Use Case:

  • A company (companyA.com) partners with an external organization (partner.com) and needs access to a specific application in partner.com. A non-transitive trust ensures that only partner.com is accessible, not other domains in its forest.

  5. Forest Trust

Definition: A forest trust is a transitive trust between the root domains of two AD forests, allowing resource sharing and authentication across all domains in both forests.

Characteristics:

  • Transitivity: Transitive, extending to all domains in both forests.

  • Direction: Can be one-way or two-way.

  • Scope: Connects entire forests, ideal for large-scale collaboration.

  • Requirements: Both forests must be at the Windows Server 2003 forest functional level or higher, and each forest must be able to resolve the other's DNS names (typically through conditional forwarders or stub zones), because the trust is created and used by DNS name.

Example:

  • Forest A (contoso.com) and Forest B (fabrikam.com) establish a two-way forest trust. Users in any domain in contoso.com (sales.contoso.com) can access resources in any domain in fabrikam.com (marketing.fabrikam.com), and vice versa.

Use Case:

  • After a merger, two companies (contoso.com and fabrikam.com) create a forest trust to enable employees to access shared resources like email systems or file servers across both forests.

  6. Shortcut Trust

Definition: A shortcut trust is a manually created transitive trust between two domains in the same forest to optimize authentication performance by bypassing the default trust path through the forest root.

Characteristics:

  • Transitivity: Transitive within the forest.

  • Direction: Can be one-way or two-way.

  • Scope: Used within a single forest to improve authentication efficiency.

  • Purpose: Reduces latency in environments with deep domain hierarchies or frequent cross-domain access.

Example:

  • In a forest with contoso.com (root), sales.contoso.com, and marketing.contoso.com, authentication between sales.contoso.com and marketing.contoso.com normally traverses contoso.com. A shortcut trust directly between sales.contoso.com and marketing.contoso.com reduces the trust path.

Use Case:

  • Employees in sales.contoso.com frequently access a database in marketing.contoso.com. A shortcut trust minimizes authentication delays, improving user experience.
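Why a shortcut trust shortens the trust path can be seen by walking the trust graph the way a KDC does when it issues referral tickets: every direct trust crossed between the user's domain and the resource's domain is one referral. The script below is an added example, not part of the original page. It builds a small constructed forest from the page's names (contoso.com as root, sales.contoso.com and marketing.contoso.com as children), finds the shortest chain of direct two-way trusts between the two children with a breadth-first search, then adds a shortcut trust and searches again. It models only the trust topology, not a real directory, and the search is generic, so it also works for deeper hierarchies.

```powershell
# Added example (not from the page): trust path between two domains of one forest,
# before and after a shortcut trust. The forest below is constructed for illustration.

function Get-TrustPath {
    param(
        [Parameter(Mandatory)][string]$From,
        [Parameter(Mandatory)][string]$To,
        # Hashtable: domain -> array of domains it has a direct two-way trust with.
        [Parameter(Mandatory)][hashtable]$Trusts
    )
    # Breadth-first search over direct trusts; the first path found is the shortest,
    # and each hop on it corresponds to one cross-domain referral ticket.
    $queue = New-Object System.Collections.Queue
    $queue.Enqueue(@($From))
    $seen = @{}
    $seen[$From] = $true
    while ($queue.Count -gt 0) {
        $path = $queue.Dequeue()
        $last = $path[-1]
        if ($last -eq $To) { return $path }
        $neighbors = $Trusts[$last]
        if (-not $neighbors) { continue }          # domain with no recorded trusts
        foreach ($next in @($neighbors)) {
            if (-not $seen.ContainsKey($next)) {
                $seen[$next] = $true
                $queue.Enqueue(@($path) + $next)
            }
        }
    }
    return $null                                   # no trust path at all
}

# Automatic parent-child trusts only: each child is linked to the forest root.
$forest = @{
    'contoso.com'           = @('sales.contoso.com', 'marketing.contoso.com')
    'sales.contoso.com'     = @('contoso.com')
    'marketing.contoso.com' = @('contoso.com')
}
$before = Get-TrustPath -From 'sales.contoso.com' -To 'marketing.contoso.com' -Trusts $forest
# sales.contoso.com -> contoso.com -> marketing.contoso.com  (2 referrals via the root)

# Add a two-way shortcut trust directly between the two children.
$forest['sales.contoso.com']     += 'marketing.contoso.com'
$forest['marketing.contoso.com'] += 'sales.contoso.com'
$after = Get-TrustPath -From 'sales.contoso.com' -To 'marketing.contoso.com' -Trusts $forest
# sales.contoso.com -> marketing.contoso.com  (1 referral, the root is no longer involved)

"Without shortcut: {0}  ({1} referral(s))" -f ($before -join ' -> '), ($before.Count - 1)
"With shortcut:    {0}  ({1} referral(s))" -f ($after  -join ' -> '), ($after.Count - 1)
```

The same search explains transitivity: two domains trust each other transitively exactly when some path of transitive trusts connects them, which is why every domain in a forest can reach every other one through the root without any extra trust being created.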

  7. Comparison of Trust Types

| Trust Type | Transitivity | Direction | Scope | Common Use Case |
|---|---|---|---|---|
| One-Way Trust | Varies with trust type | Unidirectional | Same or different forests | Partner access to specific resources |
| Two-Way Trust | Varies with trust type | Bidirectional | Same or different forests | Mutual resource sharing between domains |
| Transitive Trust | Transitive | One-way or two-way | Within or across forests | Resource access across multiple domains in a forest |
| Non-Transitive Trust | Non-transitive | One-way or two-way | Between two specific domains | Limited access to a single external domain |
| Forest Trust | Transitive | One-way or two-way | Between forest roots | Collaboration across entire forests |
| Shortcut Trust | Transitive | One-way or two-way | Within a forest | Optimize authentication in complex forests |

Inbound and Outbound Trust Relationships

Inbound Trust Relationship

  • Definition: An inbound trust (the term used by the Active Directory Domains and Trusts console, by Get-ADTrust, and by the trustDirection attribute of the trusted domain object) means that another domain trusts the domain you are configuring. Your domain is the trusted domain; the other domain is the trusting domain.

  • Direction: The trust "comes in" to your domain: your users can be authenticated in the other domain and access its resources, while its users gain no access to yours through this trust.

  • Example: If Domain A lists an inbound trust with Domain B, Domain B trusts Domain A, so users from Domain A can access resources in Domain B (subject to Domain B's permissions). Domain B relies on Domain A to verify those users' identities.

  • Key Point: The trusted domain (Domain A) authenticates its own users; the trusting domain (Domain B) accepts that authentication.

Outbound Trust Relationship

  • Definition: An outbound trust means that the domain you are configuring trusts the other domain. Your domain is the trusting domain; the other domain is the trusted domain.

  • Direction: The trust "goes out" from your domain: users from the other domain can be authenticated in your domain and access its resources, while your users gain no access to the other domain through this trust.

  • Example: If Domain A has an outbound trust with Domain B, users in Domain B can access resources in Domain A. Seen from Domain B, the very same trust is an inbound trust.

  • Key Point: The direction of trust is the opposite of the direction of access. A one-way trust is always recorded as outbound on the trusting side and inbound on the trusted side; a two-way trust is recorded as bidirectional on both. The trusting domain is the one taking the risk, because it accepts identities it did not issue, so the security of the trusted domain directly affects the trusting domain.
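The six trust types described earlier, and the inbound/outbound semantics just explained, can all be read from a domain's trusted domain objects. The function below is an added example, not part of the original page: it enumerates the current domain's trusts through the built-in System.DirectoryServices.ActiveDirectory classes (so it needs no RSAT module) and restates each one in this page's terms: which kind of trust it is, whether it is transitive, and, given the stored direction, whose users can reach whose resources. It assumes it is run on a domain-joined Windows host as an ordinary domain user. Two points are the example's own interpretation: the .NET TrustType value CrossLink is the API's name for a shortcut trust, and direction is read per the trustDirection attribute semantics (Outbound means this domain trusts the target).

```powershell
# Added example (not from the page): enumerate and explain the current domain's trusts.
# Uses the .NET AD classes shipped with Windows; no RSAT or ActiveDirectory module needed.

function Get-TrustExplanation {
    [CmdletBinding()]
    param(
        # Domain to enumerate; defaults to the domain of the current user.
        [System.DirectoryServices.ActiveDirectory.Domain]$Domain =
            [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    )

    # .NET TrustType -> the trust kinds described on this page.
    # CrossLink is the API's name for a shortcut trust.
    $kind = @{
        ParentChild = 'parent-child trust (automatic, within the forest)'
        TreeRoot    = 'tree-root trust (automatic, within the forest)'
        CrossLink   = 'shortcut trust (manual, within the forest)'
        Forest      = 'forest trust (between forest root domains)'
        External    = 'external trust (single domain in another forest, or NT 4.0)'
        Kerberos    = 'realm trust (non-Windows Kerberos realm)'
        Unknown     = 'unknown'
    }

    foreach ($t in $Domain.GetAllTrustRelationships()) {
        $type = $t.TrustType.ToString()

        # Transitivity follows from the type: every intra-forest trust and every forest
        # trust is transitive, external trusts are not, realm trusts are configurable
        # (check the TDO's trustAttributes bit 0x1, TRUST_ATTRIBUTE_NON_TRANSITIVE).
        $transitive = switch ($type) {
            { $_ -in 'ParentChild', 'TreeRoot', 'CrossLink', 'Forest' } { 'transitive' }
            'External' { 'non-transitive' }
            'Kerberos' { 'configurable (check trustAttributes)' }
            default    { 'unknown' }
        }

        # Direction is stored relative to the domain asked ($t.SourceName).
        # Outbound: this domain trusts the target, so the TARGET's users can reach
        # resources HERE. Inbound: the target trusts this domain, so THIS domain's
        # users can reach resources THERE. Access always flows against the trust arrow.
        $access = switch ($t.TrustDirection.ToString()) {
            'Outbound'      { "$($t.SourceName) trusts $($t.TargetName): users of $($t.TargetName) can access $($t.SourceName)" }
            'Inbound'       { "$($t.TargetName) trusts $($t.SourceName): users of $($t.SourceName) can access $($t.TargetName)" }
            'Bidirectional' { "mutual: users of either domain can access the other" }
            default         { 'disabled or unknown' }
        }

        [pscustomobject]@{
            Source       = $t.SourceName
            Target       = $t.TargetName
            Type         = $kind[$type]
            Transitivity = $transitive
            Direction    = $t.TrustDirection
            Access       = $access
        }
    }
}

Get-TrustExplanation | Format-List

# Cross-check from the Netlogon perspective: "Direct Outbound" / "Direct Inbound"
# flags in this output must agree with the Direction column above.
nltest /domain_trusts /all_trusts
```

Reading a one-way trust from both ends is the quickest way to internalise the naming: the trusting domain reports it as Outbound, the trusted domain reports the same trust as Inbound, and in both cases the Access column says the same thing about who can reach what.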
