Active Directory Domains and Trust


MMC: Active Directory Domains and Trusts is the Microsoft Management Console snap-in that is used to administer domain trusts, domain and forest functional levels, and user principal name (UPN) suffixes.


Active Directory Trusts

A trust is a relationship that you establish between domains so that users in one domain can be authenticated by the other domain.

All Active Directory trusts between domains within a forest are transitive, two-way trusts. Therefore, both domains in a trust relationship are trusted. This means that if Domain A trusts Domain B and Domain B trusts Domain C, then users from Domain C can access resources in Domain A.


Trusted domain objects (TDOs) are objects that represent each trust relationship within a particular domain. Each time a trust is established, a unique TDO is created and stored in its domain. A domain trust TDO stores attributes such as trust transitivity, trust type, and the reciprocal domain names. A forest trust TDO stores additional attributes that identify all the trusted namespaces of its partner forest. These attributes include domain tree names, user principal name (UPN) suffixes, service principal name (SPN) suffixes, and security identifier (SID) namespaces.

Trust Types

External: Nontransitive. Could be one-way or two-way. External trusts provide access to resources in a domain that is located in a separate forest that is not joined by a forest trust.

When to create an external trust:

External trusts are necessary when users need access to resources in a domain that is located in a separate forest that is not joined by a forest trust.


When there is a trust between a domain in a forest and a domain outside that forest, security principals from the external domain can access resources in the internal domain. AD DS creates a foreign security principal object in the internal domain to represent each security principal from the trusted external domain. These foreign security principals can become members of domain local groups in the internal domain, because domain local groups can have members from domains outside the forest.

Realm: Transitive or nontransitive. Could be one-way or two-way. Use realm trusts to form a trust relationship between a non-Windows Kerberos realm and an Active Directory domain. This trust relationship allows cross-platform interoperability with security services that are based on other versions of the Kerberos V5 protocol, for example, UNIX and MIT implementations.

Forest: Transitive. Could be one-way or two-way. Use forest trusts to share resources between forests. If a forest trust is a two-way trust, authentication requests made in either forest can reach the other forest.

When to create a forest trust:

You can create a forest trust between forest root domains if the forest functional level is Windows Server 2003 or higher. A forest trust provides a one-way or two-way, transitive trust relationship between every domain in each forest.

Shortcut: Transitive. Could be one-way or two-way. Use shortcut trusts to improve user logon times between two domains within an Active Directory forest. This is useful when two domains are separated by two domain trees.

When to create a shortcut trust:

Shortcut trusts are one-way or two-way, transitive trusts that administrators can use to optimize the authentication process. An authentication request must first travel a trust path between domain trees. In a complex forest this can take time, which you can reduce with shortcut trusts.


Trust Direction

The trust type and its assigned direction affect the trust path that is used for authentication. A trust path is a series of trust relationships that authentication requests must follow between domains. Before a user can access a resource in another domain, the security system on domain controllers must determine whether the trusting domain has a trust relationship with the trusted domain. To determine this, the security system computes the trust path between a domain controller in the trusting domain and a domain controller in the trusted domain.


One-way trust: A one-way trust is a unidirectional authentication path that is created between two domains. This means that in a one-way trust between Domain A and Domain B, users in Domain A can access resources in Domain B. However, users in Domain B cannot access resources in Domain A.

Two-way trust: All domain trusts in an Active Directory forest are two-way, transitive trusts. When a new child domain is created, a two-way, transitive trust is automatically created between the new child domain and the parent domain. In a two-way trust, Domain A trusts Domain B and Domain B trusts Domain A. This means that authentication requests can be passed between the two domains in both directions.

Trust Transitivity

Transitivity determines whether a trust can be extended outside the two domains between which the trust was formed. You can use a transitive trust to extend trust relationships to other domains. You can use a nontransitive trust to deny trust relationships with other domains.

Transitive trust: Each time you create a new domain in a forest, a two-way, transitive trust is automatically created between the new domain and its parent domain. If child domains are added to the new domain, the trust path flows upward through the domain hierarchy, extending the initial trust path that was created between the new domain and its parent domain.

Authentication requests follow these trust paths. Therefore, accounts from any domain in the forest can be authenticated at any other domain in the forest. With a single logon process, accounts with the proper permissions can access resources in any domain in the forest.


Nontransitive trust: A nontransitive trust is restricted to the two domains in the trust relationship. It does not flow to any other domain in the forest. Nontransitive trusts are one-way by default.
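As an added illustration of the trust direction and transitivity rules described above (not part of the original article), the following Python model computes the trust path a resource domain's domain controllers would follow to authenticate an account from another domain. The domain names are constructed, and the model ignores SID filtering and selective authentication, which can further restrict what a trust path allows.

```python
from collections import deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Trust:
    """One trust, recorded from the trusting side (where its TDO lives)."""
    trusting: str     # domain that accepts accounts from the other domain
    trusted: str      # domain whose accounts are accepted
    transitive: bool  # True for parent-child, tree-root, shortcut, forest; False for external
    two_way: bool     # a two-way trust behaves as two one-way trusts

def build_graph(trusts):
    """Map each trusting domain to the (trusted domain, transitive) edges it holds."""
    graph = {}
    for t in trusts:
        graph.setdefault(t.trusting, []).append((t.trusted, t.transitive))
        if t.two_way:
            graph.setdefault(t.trusted, []).append((t.trusting, t.transitive))
    return graph

def trust_path(graph, resource_domain, account_domain):
    """Trust path the resource domain's DCs follow to authenticate an account from
    account_domain, or None. A single hop may use a nontransitive trust; a longer
    path is valid only when every hop is transitive (nontransitive never extends)."""
    if resource_domain == account_domain:
        return [resource_domain]
    for nxt, _transitive in graph.get(resource_domain, []):
        if nxt == account_domain:          # direct trust: transitivity does not matter
            return [resource_domain, account_domain]
    queue, seen = deque([[resource_domain]]), {resource_domain}
    while queue:                           # breadth-first search over transitive hops only
        path = queue.popleft()
        for nxt, transitive in graph.get(path[-1], []):
            if not transitive or nxt in seen:
                continue
            seen.add(nxt)
            if nxt == account_domain:
                return path + [nxt]
            queue.append(path + [nxt])
    return None

# Constructed sample: one forest with two trees plus an external one-way trust
# (corp.contoso.com trusts partner.example, so partner accounts can reach corp resources).
SAMPLE_TRUSTS = [
    Trust("contoso.com", "corp.contoso.com", True, True),        # parent-child
    Trust("contoso.com", "fabrikam.com", True, True),            # tree-root
    Trust("corp.contoso.com", "partner.example", False, False),  # external, one-way
]
SAMPLE_GRAPH = build_graph(SAMPLE_TRUSTS)
```

Adding a two-way shortcut trust between fabrikam.com and corp.contoso.com to the sample collapses the two-hop path through the forest root to a single hop, which is exactly the logon-time optimization shortcut trusts exist for.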
