Active Directory Trusts


What is an Active Directory Trust?

In order to share resources between two domains, there must be a trust or trusts connecting the two domains.

It is important to note that trusts do not provide access; they only create a pathway to the destination.

Think of trusts a bit like roads. If you need to get to a house and there is a road between you and the house, you can drive to the destination. If the house is locked you won’t be able to get in unless you have the key.

The same applies with trusts: you need the path to the resource via a trust and permission to access the resource.

Trust Direction

Trusts can be one-way or two-way.

If the trust is two-way, then the domain on either side can access the other side.

If the trust is one-way, the terminology used to describe the trust will usually be “Domain 1 trusts Domain 2.” This means that domain 1 is the trusting domain and domain 2 will be the trusted domain.

For a user in one domain to access a resource in another domain, the user needs to be in the trusted domain, e.g. User 2 in Domain 2 (the trusted domain) can access resources in Domain 1 (the trusting domain).

Example of a one-way trust [figure: onewaytrust]

Example of a two-way trust [figure: twowaytrust]

Types of Trust

Transitive trusts
A transitive trust is one that can be extended beyond the two domains between which it was created. A domain connected via a transitive trust can access any other domain when there is a path of transitive trusts between it and the target domain.

Non-transitive trust
A non-transitive trust does not extend past the two domains it was created between. If domain A were connected to domain B, and domain B to domain C, using non-transitive trusts, the following would occur: domain A and domain B would be able to access each other, and domain B could access domain C, but domain A could not access domain C. Even though the domains are indirectly connected, because the trusts are non-transitive the path stops once it reaches domain B. For domain A and domain C to communicate using non-transitive trusts you would need to create another trust directly between domain A and domain C.

Parent child trust
When you create a child domain, a transitive trust is automatically created between the parent and child domain.

Tree trust
When you create a new tree in the forest, a tree trust will be created automatically between the root domain (the first domain created in the forest) and the new tree. Each new tree will have a tree trust created between that tree and the root domain. These trusts are transitive and essentially the same as the transitive trusts that link parent and child domains.

Shortcut trusts
If you have two domains that communicate with each other on a regular basis you can create a shortcut trust. This is the same as a transitive trust but is manually created by an administrator to reduce the number of trusts a user needs to travel over to get from one domain to another.

Forest trust
A forest trust links two Active Directory forests together. These are created manually by an administrator and are transitive. They essentially work the same as the other trusts except they connect forests together. In order to create this trust, both forests must be at the Windows Server 2003 forest functional level or higher.

Realm Trust
A realm trust is used to connect Active Directory with a Kerberos V5 realm on a non-Windows system such as Unix. In order to create a realm trust, the domain must be at the Windows Server 2003 functional level or higher. These can be transitive or non-transitive, and one-way or two-way.

External Trust
An external trust is a legacy one-way trust used to connect to systems such as Windows NT4 domains. To make the relationship two-way, you create one trust in each direction. They are non-transitive. They can also be used when it is not possible to create a forest trust, e.g. when one or both forest functional levels are not high enough.

Selective authentication
When creating a forest trust you have the option to use selective or forest-wide authentication. With forest-wide authentication, certain resources on the network are open to any user from the trusted forest; these include authenticating at a domain controller. If you use selective authentication you will need to specify which resources the users will have access to. This setting is generally used when creating a forest trust between your company and an external company.

SID Filtering
User accounts have an attribute called SID history. When a user account is migrated from one domain to another, SID history holds the SID from the old domain, so the user can still access resources whose permissions were defined using the old SID. Windows Server 2003 and above remove SID history when it travels over a trust; this is SID filtering. It is done for security reasons and can be disabled.
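
The properties described in the sections above (direction, transitivity, selective authentication and SID filtering) are stored as numeric flags on each trust object in the directory. The following is an added example, not code from the original post, that decodes those values into the trust categories used here and flags the ones a defender would review; the bit values come from the MS-ADTS trustAttributes and trustDirection definitions, the sample trust objects and the partner names are constructed, and the intra-forest classification cannot tell a parent-child trust from a shortcut trust because both carry the same bit.

```python
# Bit and direction values are the TRUST_ATTRIBUTE_* and TRUST_DIRECTION_*
# constants that MS-ADTS defines for trustedDomain objects.
TRUST_ATTRIBUTES = {
    0x01: "NON_TRANSITIVE",
    0x04: "QUARANTINED_DOMAIN",  # SID filtering quarantine set on the trust
    0x08: "FOREST_TRANSITIVE",   # forest trust
    0x10: "CROSS_ORGANIZATION",  # selective authentication
    0x20: "WITHIN_FOREST",       # parent-child, tree-root or shortcut trust
}
# "outbound" = this domain trusts the partner, so partner users can reach it.
DIRECTION = {0: "disabled", 1: "inbound", 2: "outbound", 3: "two-way"}

def decode_flags(attrs):
    """Names of the known bits set in trustAttributes."""
    return [name for bit, name in TRUST_ATTRIBUTES.items() if attrs & bit]

def decode_trust(partner, direction, trust_type, attrs):
    """Map one trust object onto the trust categories used in the text."""
    flags = set(decode_flags(attrs))
    if trust_type == 3:  # TRUST_TYPE_MIT: a Kerberos realm, not an AD domain
        kind = "realm trust"
    elif "WITHIN_FOREST" in flags:
        kind = "intra-forest trust (parent-child, tree-root or shortcut)"
    elif "FOREST_TRANSITIVE" in flags:
        kind = "forest trust"
    else:
        kind = "external trust"
    return {"partner": partner, "kind": kind,
            "direction": DIRECTION.get(direction, "unknown"),
            "transitive": "NON_TRANSITIVE" not in flags,
            "selective_authentication": "CROSS_ORGANIZATION" in flags,
            "sid_filtering_quarantined": "QUARANTINED_DOMAIN" in flags}

# Constructed sample values: (partner, trustDirection, trustType, trustAttributes)
SAMPLE_TRUSTS = [
    ("child.corp.example", 3, 2, 0x20),      # parent-child trust
    ("partner.example", 3, 2, 0x08 | 0x10),  # forest trust, selective auth
    ("NT4DOM", 2, 1, 0x01 | 0x04),           # external trust, SID filtering on
    ("KRB.EXAMPLE", 1, 3, 0x01),             # one-way, non-transitive realm trust
]

def review(trusts=SAMPLE_TRUSTS):
    """Forest trusts using forest-wide auth, external trusts without quarantine."""
    findings = []
    for d in (decode_trust(*t) for t in trusts):
        if d["kind"] == "forest trust" and not d["selective_authentication"]:
            findings.append(d["partner"])
        if d["kind"] == "external trust" and not d["sid_filtering_quarantined"]:
            findings.append(d["partner"])
    return findings
```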


Examples of Trusts

The most common type of trust you will come in contact with on a day-to-day basis is likely to be the parent-child trust.

[figure: parentchildtrust]

As explained above, the default behaviour when a child domain is created is that a transitive trust is created automatically.

This means user MR2 could access the resource Server MR1, as well as the resource Server MR3 located in the other child domain MR3.

Shortcut trusts
Using the above example with the parent-child setup, if users from the two child domains were heavy users of each other’s resources, this is a scenario where you could implement a shortcut trust.

By default each domain uses Kerberos to authenticate to the parent domain, and then down to the requested domain. The request must be authenticated by Kerberos in each domain on the path, so when this path is long, authentication can take a while.

Setting up a shortcut trust between the two child domains means the query takes a lot less time.

[figure: shortcuttrust]

Non-transitive trust

In the example below, and unlike the parent-child example above, although domain MR1 trusts MR2 and domain MR2 trusts MR3, users in MR1 cannot access resources in MR3 and vice versa.

[figure: nontransitivetrust]

In order for MR1 users to access resources in MR3, the relevant trust would need to be created.

[figure: nontransitivetrust2]

In the above example, if we take the trust between MR1 and MR3 as a one-way trust, then users in MR1 can access resources in MR2 and MR3. Users in MR2 can access resources in both MR1 and MR3. However, users in MR3 can only access resources in MR2, due to the one-way trust in place. Remember, if the trust goes from MR3 to MR1, MR1 is the “trusted” domain.

[figure: nontransitivetrust3]
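
To make the MR1/MR2/MR3 walkthroughs above concrete, here is an added example (not from the original post) that models trusts as directed edges from the trusting to the trusted domain and computes which domains’ users can reach which resources. It applies the general rule from the Types of Trust section rather than just this one case: a direct trust always provides the path, but a multi-hop path only works when every hop on it is transitive. The trust lists are constructed to match the parent-child and non-transitive diagrams.

```python
from collections import deque

# A trust is recorded as (trusting, trusted, two_way, transitive). "A trusts B"
# means users in B (the trusted domain) can reach resources in A (the trusting
# domain); two_way records the reverse relationship as well.
def trust_edges(trusts):
    """Expand the trust list into directed edges trusting -> trusted."""
    edges = {}
    for trusting, trusted, two_way, transitive in trusts:
        edges.setdefault(trusting, {})[trusted] = transitive
        if two_way:
            edges.setdefault(trusted, {})[trusting] = transitive
    return edges

def can_access(user_domain, resource_domain, trusts):
    """True if users from user_domain have a trust path to resource_domain.
    A direct trust is always enough; a longer path is usable only when
    every hop on it is transitive."""
    if user_domain == resource_domain:
        return True
    edges = trust_edges(trusts)
    if user_domain in edges.get(resource_domain, {}):
        return True
    seen, queue = {resource_domain}, deque([resource_domain])
    while queue:
        current = queue.popleft()
        for nxt, transitive in edges.get(current, {}).items():
            if not transitive or nxt in seen:
                continue
            if nxt == user_domain:
                return True
            seen.add(nxt)
            queue.append(nxt)
    return False

def access_matrix(domains, trusts):
    """For each domain, the other domains its users can reach resources in."""
    return {u: [r for r in domains if r != u and can_access(u, r, trusts)]
            for u in domains}

DOMAINS = ["MR1", "MR2", "MR3"]
# Constructed to match the diagrams: MR1 is the parent of MR2 and MR3.
PARENT_CHILD = [("MR1", "MR2", True, True), ("MR1", "MR3", True, True)]
# Non-transitive chain MR1-MR2-MR3 plus the one-way trust where MR3 trusts MR1.
NON_TRANSITIVE = [("MR1", "MR2", True, False), ("MR2", "MR3", True, False),
                  ("MR3", "MR1", False, False)]
```

Dropping the last entry of NON_TRANSITIVE reproduces the first non-transitive diagram, where MR1 and MR3 cannot reach each other at all.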

Configuring a trust

In order to create a new trust or view existing trusts, log on to a domain controller and open Active Directory Domains and Trusts.

[figure: addomainsandtrust]

From the management console you can see the existing domains within your environment.

[figure: addomainsandtrust1]

Right-click the domain you wish to create a new trust for and select Properties.

[figure: addomainsandtrust2]

Select the “Trusts” tab; from there you can view all the existing trusts in place, as well as what type of trust each one is.

[figure: addomainsandtrust3]

If you wish to create a new trust, select the “New Trust” button and the New Trust Wizard will open.

[figure: addomainsandtrust4]

Follow the steps in the wizard to create the new trust.

[figure: addomainsandtrust5]

Select the appropriate trust type.

[figure: addomainsandtrust6]

Then the trust transitivity.

[figure: addomainsandtrust7]

Select the direction of the trust.

[figure: addomainsandtrust8]

Finally, enter a password for the trust.

[figure: addomainsandtrust9]

Click Next to complete the trust wizard.

[figure: addomainsandtrust10]

Required Permissions

In order to manage trusts (both creating and removing them), you must be a member of the Domain Admins group in the forest root domain or of the Enterprise Admins group in Active Directory.
