Understanding Trust Relationships
A trust relationship is a logical relationship between two domains or forests. In a trust relationship, one of the two domains is the trusting domain and the other is the trusted domain. The trusting domain trusts the trusted domain and allows the trusted domain's accounts access to its resources after their logon requests have been authenticated.
All the child domains that you add to a forest automatically trust each other and inherit the DNS domain name of their parent domain. A new domain tree, however, has its own distinct namespace.
Trust relationships can be created automatically or manually. Windows Server 2008 supports bidirectional and transitive trust relationships. A transitive trust relationship means the following: given three domains A, B and C, where domain A trusts domain B and domain B trusts domain C, domain A also trusts domain C if the trusts are transitive; if the trusts are intransitive, domain A does not trust domain C. A bidirectional trust relationship means that if domain A trusts domain B, then domain B also trusts domain A.
Windows Server 2003 uses the Kerberos protocol by default to authenticate users and applications across trusted domains. It also supports the NTLM protocol. Windows Server 2008 supports the Kerberos v5 protocol by default.
Windows Server 2008 supports four types of explicit (manually created) trust relationships:
- External Trust: Created when a trust is needed between two domains that belong to different forests. It is an explicitly created one-way or two-way nontransitive trust relationship. It also provides backward compatibility with Windows NT environments.
- Shortcut Trust: Created to optimize the authentication process and logon times. It is also called a cross-link trust and is usually created to shorten the trust path between two distant domains. It is an explicitly created one-way or two-way transitive trust relationship between two domains that belong to different domain trees in the same Windows Server 2008 forest.
- Realm Trust: Created when you need interoperability between a Windows Server 2008 domain and any realm that uses a Kerberos version 5 implementation. It allows you to create a trust between a Windows Server 2008 domain and a non-Windows domain such as a UNIX realm (domain).
- Forest Trust: Created between the root domains of two forests so that resources can be used across them. It can be one-way or two-way and provides a transitive trust relationship between all the domains of both forests. For example, with a two-way forest trust between forests A and B, all the domains of forest A trust all the domains of forest B, and all the domains of forest B trust all the domains of forest A.
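The following Python model is an added example, not part of the original text and not Microsoft's code. It puts the transitivity and direction rules from the paragraph above (domains A, B and C) and the four explicit trust types into one small trust-path resolver: each trust is a directed edge from the trusting domain to the trusted domain, a two-way trust adds the reverse edge, and a multi-hop path is only valid when every hop is transitive, so a single nontransitive external or realm trust ends the chain. The topology, domain names and the choice to model the realm trust as nontransitive are all constructed for the example; the resolver itself is generic and works for any list of trusts, not just the three-domain case in the text.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Trust:
    """One trust relationship: `trusting` accepts logons from accounts in `trusted`."""
    trusting: str
    trusted: str
    kind: str          # parent-child, tree-root, shortcut, external, realm, forest
    two_way: bool
    transitive: bool


def trust_edges(trusts):
    """Expand each trust into directed (trusting -> trusted) edges.
    A two-way trust contributes one edge in each direction."""
    edges = {}
    for t in trusts:
        edges.setdefault(t.trusting, []).append((t.trusted, t.transitive))
        if t.two_way:
            edges.setdefault(t.trusted, []).append((t.trusting, t.transitive))
    return edges


def trust_path(trusts, trusting, trusted):
    """Return the chain of domains through which `trusting` ends up accepting
    accounts from `trusted`, or None when no trust path exists.

    A direct trust always counts, whatever its transitivity. A longer chain
    only counts when every hop on it is transitive: one nontransitive hop
    (an external trust, for instance) ends the chain at that domain."""
    edges = trust_edges(trusts)
    for nxt, _ in edges.get(trusting, []):
        if nxt == trusted:
            return [trusting, trusted]
    seen = {trusting}
    queue = deque([[trusting]])
    while queue:
        path = queue.popleft()
        for nxt, transitive in edges.get(path[-1], []):
            if not transitive or nxt in seen:
                continue
            seen.add(nxt)
            if nxt == trusted:
                return path + [nxt]
            queue.append(path + [nxt])
    return None


# Constructed sample topology (all domain names are made up for this example).
# Forest A: tree corp.example with child sales.corp.example, plus a second tree labs.example.
# Forest B: partner.example with child eng.partner.example.
# legacy.example is a stand-alone NT-style domain; EXAMPLE.ORG is a UNIX Kerberos realm
# (modelled here as a one-way nontransitive realm trust, an assumption of the example).
SAMPLE_TRUSTS = [
    Trust("sales.corp.example", "corp.example", "parent-child", True, True),
    Trust("labs.example", "corp.example", "tree-root", True, True),
    Trust("eng.partner.example", "partner.example", "parent-child", True, True),
    Trust("corp.example", "partner.example", "forest", True, True),
    Trust("sales.corp.example", "legacy.example", "external", False, False),
    Trust("corp.example", "EXAMPLE.ORG", "realm", False, False),
]
# A shortcut trust between two distant domains of different trees in forest A.
SHORTCUT = Trust("sales.corp.example", "labs.example", "shortcut", True, True)


def show(trusts, trusting, trusted):
    path = trust_path(trusts, trusting, trusted)
    print(f"{trusting} trusts {trusted}: {' -> '.join(path) if path else 'NO'}")


if __name__ == "__main__":
    # Forest trust: a child domain in forest A trusts a child domain in forest B
    # through a chain of transitive hops via both forest roots.
    show(SAMPLE_TRUSTS, "sales.corp.example", "eng.partner.example")
    # External trust is nontransitive: only sales, not its parent corp, accepts legacy accounts.
    show(SAMPLE_TRUSTS, "sales.corp.example", "legacy.example")
    show(SAMPLE_TRUSTS, "corp.example", "legacy.example")
    # One-way trust: the trusted side does not trust back.
    show(SAMPLE_TRUSTS, "legacy.example", "sales.corp.example")
    # Shortcut trust: replaces the two-hop path through the tree roots with a direct hop.
    show(SAMPLE_TRUSTS, "sales.corp.example", "labs.example")
    show(SAMPLE_TRUSTS + [SHORTCUT], "sales.corp.example", "labs.example")
```

Running the script prints one line per query; the two `labs.example` queries show the path shrinking from three domains to two once the shortcut trust is added, and the `corp.example` to `legacy.example` query shows that an external trust is not inherited by the parent domain of the domain that created it.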