As part of a series of introductory blogs, I’m kicking off with the basics behind Active Directory Trusts.
What is an Active Directory Trust?
In order to share resources between two domains, there must be a trust or trusts connecting the two domains.
It is important to note that trusts do not provide access; they only create a pathway to the destination.
Think of trusts a bit like roads. If you need to get to a house and there is a road between you and the house, you can drive to the destination. If the house is locked, you won’t be able to get in unless you have the key.
The same applies with trusts: you need the path to the resource via a trust and permission to access the resource.
Trusts can be one-way or two-way.
If the trust is two-way, then the domain on either side can access the other side.
If the trust is one-way, the terminology used to describe the trust will usually be “Domain 1 trusts Domain 2.” This means that Domain 1 is the trusting domain and Domain 2 is the trusted domain.
For a user in one domain to access a resource in another domain, the user needs to be in the trusted domain. E.g., User 2 in Domain 2 (the trusted domain) can access resources in Domain 1.
Example of a two way trust
Types of Trust
A transitive trust is when a trust can be extended outside of the two domains in which it was created. A domain connected via a transitive trust can access any other domain when there is a path of transitive trusts between that domain and the target domain.
A non-transitive trust is a trust that will not extend past the domains it was created with. If domain A was connected to domain B and domain B connected to domain C using non-transitive trusts the following would occur. Domain A and domain B would be able to access each other. Domain B could access domain C. Domain A, however, could not access domain C. Even though the domains are indirectly connected, since the trust is non-transitive the connection will stop once it gets to domain B. In order for domain A and domain C to communicate using non-transitive trust you would need to create another trust between domain A and domain C.
Parent child trust
When you create a child domain, a transitive trust is automatically created between the parent and the child domain.
When you create a new tree in the forest, a tree trust will be created automatically between the root domain (the first domain created in the forest) and the new tree. Each new tree will have a tree trust created between that tree and the root domain. These trusts are transitive and essentially the same as the transitive trusts that link parent and child domains.
If you have two domains that communicate with each other on a regular basis you can create a shortcut trust. This is the same as a transitive trust but is manually created by an administrator to reduce the number of trusts a user needs to travel over to get from one domain to another.
A forest trust links two Active Directory forests together. These are created manually by an administrator and are transitive. They essentially work the same as the other trusts except they connect forests together. In order to create this trust, both forests must be at the Windows Server 2003 forest functional level or higher.
A realm trust is used to connect Active Directory with a Kerberos V5 realm on a non-Windows system such as Unix. In order to create a realm trust, the domain must be at the Windows Server 2003 functional level or higher. These can be transitive or non-transitive, and one-way or two-way.
An external trust is an old one-way trust that is used to connect to systems like Windows NT4. To make them two-way, you can create one trust in each direction. They are non-transitive. They can also be used when it is not possible to create a forest trust, e.g., one or both forest functional levels are not high enough.
When creating a forest trust you have the option to use forest-wide or selective authentication. With forest-wide authentication, certain resources in the trusting forest, such as authenticating at a domain controller, are open to all users from the trusted forest. With selective authentication you will need to specify explicitly which resources the users are allowed to authenticate to. Selective authentication is generally used when creating a forest trust between your company and an external company.
User accounts have an attribute called SID history (sIDHistory). When a user account is migrated from one domain to another, SID history holds the SID the account had in the old domain, so the user can still access resources whose permissions were defined using the old SID. Windows Server 2003 and above strip SID history when it travels over a trust; this is known as SID filtering. It is done for security reasons and can be disabled.
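The two settings just described, SID filtering and selective authentication, are both visible on the trust object itself. The following PowerShell is an added example, not code from the original post: it lists every trust of the current domain with the ActiveDirectory RSAT module's `Get-ADTrust` cmdlet and flags trusts where SID filtering is relaxed or forest-wide authentication is in use. The flag values come from the trustAttributes attribute as documented in MS-ADTS; the function name and the wording of the findings are my own.

```powershell
# Added example, not from the post: audit the trusts of the current domain for
# SID filtering and selective authentication.
# Requires the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

# Bit flags of the trustAttributes attribute (MS-ADTS) that matter here.
$TRUST_ATTRIBUTE_NON_TRANSITIVE     = 0x1
$TRUST_ATTRIBUTE_QUARANTINED_DOMAIN = 0x4    # SID filtering enabled on an external trust
$TRUST_ATTRIBUTE_FOREST_TRANSITIVE  = 0x8    # forest trust
$TRUST_ATTRIBUTE_WITHIN_FOREST      = 0x20   # parent-child, tree-root or shortcut trust
$TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL  = 0x40   # forest trust with SID history enabled (filtering relaxed)

function Get-TrustAuditReport {
    [CmdletBinding()]
    param([string]$Server)   # optional domain controller to query; default = current domain

    $query = @{ Filter = '*' }
    if ($Server) { $query['Server'] = $Server }

    Get-ADTrust @query | ForEach-Object {
        $attr       = [int]$_.TrustAttributes
        $isForest   = (($attr -band $TRUST_ATTRIBUTE_FOREST_TRANSITIVE) -ne 0)
        $isInternal = (($attr -band $TRUST_ATTRIBUTE_WITHIN_FOREST) -ne 0)
        $isExternal = (-not $isForest) -and (-not $isInternal)

        $findings = @()
        # External trusts: SID filtering is on only when the quarantine flag is set.
        if ($isExternal -and (($attr -band $TRUST_ATTRIBUTE_QUARANTINED_DOMAIN) -eq 0)) {
            $findings += 'SID filtering (quarantine) disabled on external trust'
        }
        # Forest trusts: TREAT_AS_EXTERNAL means SID history from the other forest is accepted.
        if ($isForest -and (($attr -band $TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL) -ne 0)) {
            $findings += 'SID history enabled across forest trust'
        }
        if ($isForest -and (-not $_.SelectiveAuthentication)) {
            $findings += 'forest-wide authentication in use (consider selective authentication)'
        }

        [pscustomobject]@{
            Target                  = $_.Target
            Direction               = $_.Direction   # Inbound / Outbound / BiDirectional, seen from this domain
            TrustType               = $_.TrustType
            ForestTrust             = $isForest
            IntraForest             = $isInternal
            Transitive              = (($attr -band $TRUST_ATTRIBUTE_NON_TRANSITIVE) -eq 0)
            SelectiveAuthentication = $_.SelectiveAuthentication
            SIDFilteringQuarantined = $_.SIDFilteringQuarantined
            Findings                = ($findings -join '; ')
        }
    }
}

Get-TrustAuditReport | Format-Table -AutoSize
```

Run it on a domain controller or any machine with RSAT installed. Intra-forest trusts (parent-child, tree-root, shortcut) never have SID filtering, which is why they are excluded from the first check; for an external or forest trust, the same status can be confirmed from the command line with `netdom trust <trusting domain> /domain:<trusted domain> /quarantine`.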
Examples of Trusts
The most common type of trust you will come into contact with on a day-to-day basis is likely to be the parent-child trust.
The default behaviour, as explained above, is that when a child domain is created a transitive trust is automatically created.
This means user MR2 could access the resource Server MR1, as well as the resource Server MR3 located in the other child domain MR3.
Using the above example with the parent-child setup, if users from the two child domains were heavy users of each other’s resources, this is a scenario where you could implement a shortcut trust.
By default each domain uses Kerberos to authenticate up to the parent domain and then down to the requested domain. The request must be authenticated by Kerberos in each domain along the path, so when this path is long, authentication can take a while.
Setting up a shortcut trust between the two child domains means the query takes a lot less time.
In the example below, and unlike the parent-child example above, although domain MR1 trusts MR2 and domain MR2 trusts MR3, users in MR1 cannot access resources in MR3 and vice versa, because these trusts are non-transitive.
In order for MR1 users to access resources in MR3, the relevant trust would need to be created.
In the above example, if we take the trust between MR1 and MR3 as a one-way trust in which MR3 trusts MR1, then users in MR1 can access resources in MR2 and MR3. Users in MR2 can access resources in both MR1 and MR3. Users in MR3, however, can only access resources in MR2 because of the one-way trust in place. Remember: if the trust goes from MR3 to MR1, MR1 is the “trusted” domain.
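The two worked examples above (the transitive parent-child forest and the non-transitive MR1/MR2/MR3 chain) can be reproduced with a small trust-path model. The PowerShell below is an added example and not part of the original post: it stores each trust from the trusting domain's point of view, walks the trusts the way the "road" analogy describes, and reports which domains a user from a given domain can reach. The domain names and the trust list are constructed to match the diagrams; the functions `New-Trust` and `Get-ReachableDomains` are my own and do not talk to Active Directory.

```powershell
# Added example, not from the post: a toy model of trust paths.
# Each entry is written from the trusting domain's point of view:
#   Trusting = the domain that holds the resources
#   Trusted  = the domain whose users may be granted access
# A two-way trust is simply two entries, one in each direction.

function New-Trust {
    param(
        [Parameter(Mandatory)][string]$Trusting,
        [Parameter(Mandatory)][string]$Trusted,
        [bool]$Transitive = $false,
        [bool]$TwoWay     = $false
    )
    $list = @([pscustomobject]@{ Trusting = $Trusting; Trusted = $Trusted; Transitive = $Transitive })
    if ($TwoWay) {
        $list += [pscustomobject]@{ Trusting = $Trusted; Trusted = $Trusting; Transitive = $Transitive }
    }
    return $list
}

function Get-ReachableDomains {
    param(
        [Parameter(Mandatory)][string]$UserDomain,   # domain the user's account lives in
        [Parameter(Mandatory)][object[]]$Trusts
    )
    $reachable = New-Object 'System.Collections.Generic.HashSet[string]'
    $visited   = New-Object 'System.Collections.Generic.HashSet[string]'
    $queue     = New-Object 'System.Collections.Generic.Queue[string]'
    [void]$visited.Add($UserDomain)
    $queue.Enqueue($UserDomain)

    while ($queue.Count -gt 0) {
        $current = $queue.Dequeue()
        # Follow every trust in which the current domain is the trusted side.
        foreach ($t in ($Trusts | Where-Object { $_.Trusted -eq $current })) {
            # A non-transitive trust only helps users who live directly in the trusted domain.
            if ((-not $t.Transitive) -and ($current -ne $UserDomain)) { continue }
            if ($t.Trusting -eq $UserDomain) { continue }
            [void]$reachable.Add($t.Trusting)
            # Only transitive trusts can be chained on to further domains.
            if ($t.Transitive -and $visited.Add($t.Trusting)) { $queue.Enqueue($t.Trusting) }
        }
    }
    return @($reachable | Sort-Object)
}

# Constructed sample 1: a forest root with two child domains (transitive parent-child trusts).
$forest = @()
$forest += New-Trust -Trusting 'corp.example' -Trusted 'child1.corp.example' -Transitive $true -TwoWay $true
$forest += New-Trust -Trusting 'corp.example' -Trusted 'child2.corp.example' -Transitive $true -TwoWay $true

# Constructed sample 2: the post's non-transitive chain, then the extra one-way trust
# in which MR3 trusts MR1.
$chain = @()
$chain += New-Trust -Trusting 'MR1' -Trusted 'MR2' -Transitive $false -TwoWay $true
$chain += New-Trust -Trusting 'MR2' -Trusted 'MR3' -Transitive $false -TwoWay $true
$chain += New-Trust -Trusting 'MR3' -Trusted 'MR1' -Transitive $false -TwoWay $false

foreach ($d in 'child1.corp.example', 'child2.corp.example') {
    "Users in $d can reach: $((Get-ReachableDomains -UserDomain $d -Trusts $forest) -join ', ')"
}
foreach ($d in 'MR1', 'MR2', 'MR3') {
    "Users in $d can reach: $((Get-ReachableDomains -UserDomain $d -Trusts $chain) -join ', ')"
}
```

In the first sample, a user in child1.corp.example reaches child2.corp.example only because both hops are transitive; in the second, the same walk stops after one hop because the trusts are non-transitive, and the one-way trust lets MR1 users into MR3 but not the reverse, which is exactly the outcome described in the paragraph above. Remember that reaching a domain is only the road: the account still needs permissions on the resource itself.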
Configuring a trust
In order to create a new trust or view existing trusts, log on to a domain controller and from there open Active Directory Domains and Trusts.
From the management console you can see the existing domains within your environment.
Right-click > Properties on the domain you wish to create a new trust for.
Select the “Trusts” tab; from there you can view all the existing trusts in place, as well as what type of trust each one is.
If you wish to create a new trust, select the “New Trust” button and the New Trust Wizard will open.
Follow the steps in the wizard to create the new trust.
Select the appropriate trust type
Select the trust transitivity
Select the direction of the trust
Finally enter a password for the trust
Click next to complete the trust wizard.
In order to manage trusts (both creating and removing them), you must be a member of the Domain Admins group (in the forest root domain) or the Enterprise Admins group in Active Directory.