Active Directory Trusts
Active Directory domain-to-domain communication occurs through a trust. An AD DS trust is a secured
authentication channel between entities, such as AD DS domains, forests, and UNIX realms. Trusts enable
you to grant access to resources to users, groups and computers across those entities.
The way a trust works is similar to allowing a trusted entity to access your own resources. It is a two-step
process. The first step is to establish the trust. The second step is to provide permissions.
For example, if users in the Contoso.com domain require access to a shared folder in the Trimagna.com
domain, and the two domains are not in the same forest, you would establish the trust where
Trimagna.com trusts Contoso.com, therefore the direction of the arrow would be Trimagna.com points
to Contoso.com.
For an analogy, if you were to give your car keys to a friend to allow him or her to use your car, you are
establishing a trust between you and your friend. In this case, you are the trusting friend, or domain, and
the friend is the trusted friend, or domain. Once the keys have been provided, the next step is to allow
access to your resource, or car, by providing permissions to use the car. However, this trust is only in
one direction: you trust your friend. If you want your friend to trust you, that trust must be initiated
by your friend, or the other domain.
Trust types (Trust Type / Characteristics / Direction / Authentication Mechanism / Notes):

Parent-Child
  Characteristics: Transitive
  Direction: Two-way
  Authentication Mechanism: Kerberos V5 or NTLM
  Notes: Created automatically when a child domain is added.

Tree-Root
  Characteristics: Transitive
  Direction: Two-way
  Authentication Mechanism: Kerberos V5 or NTLM
  Notes: Created automatically when a new Tree is added to a forest.

Shortcut
  Characteristics: Transitive
  Direction: One-way or Two-way
  Authentication Mechanism: Kerberos V5 or NTLM
  Notes: Created manually. Used in an AD DS forest to shorten the trust path to improve
  authentication times.

Forest
  Characteristics: Transitive
  Direction: One-way or Two-way
  Authentication Mechanism: Kerberos V5 or NTLM
  Notes: Created manually. Used to share resources between AD DS forests.

External
  Characteristics: Non-transitive
  Direction: One-way
  Authentication Mechanism: NTLM only
  Notes: Created manually. Used to access resources in an NT 4.0 domain or a domain in another
  forest that does not have a forest trust established.

Realm
  Characteristics: Transitive or non-transitive
  Direction: One-way or Two-way
  Authentication Mechanism: Kerberos V5 only
  Notes: Created manually. Used to access resources between a non-Windows Kerberos V5 realm and
  an AD DS domain.
Trust communication flow is determined by the direction of the trust. The trust can be a one-way or a
two-way trust.
The transitivity determines whether a trust can be extended beyond the two domains with which it was
formed.
A transitive trust can be used to extend trust relationships to other domains.
A non-transitive trust does not extend the trust relationship to any other domain. Authentication
requests follow a trust path, and the transitivity of each trust determines how far that path can go.
Trusts can be one-way or two-way. If the trust is two-way, then the domain on either side can access the
other side. If the trust is one-way, the terminology used to describe the trust will usually be “Domain A
trusts domain B.” This means that domain A is the trusting domain and domain B will be the trusted
domain. For a user in a certain domain to access a resource in another domain, the user needs to be in
the trusted domain.
Another example:
Transitive Trust
A transitive trust is when a trust can be extended outside of the two domains in which it was created. A
domain connected via a transitive trust can thus access any other domain when there is a path of
transitive trusts between that domain and the target domain.
Non-transitive trust
A non-transitive trust is a trust that will not extend past the domains it was created with. If domain A
was connected to domain B and domain B connected to domain C using non-transitive trusts the
following would occur.
Domain A and domain B would be able to access each other. Domain B could access domain C. Domain
A, however, could not access domain C. Even though the domains are indirectly connected, since the
trust is non-transitive the connection will stop once it gets to domain B. In order for domain A and
domain C to communicate using non-transitive trust you would need to create another trust between
domain A and domain C. Think of it like having to catch two buses to get to your destination but only
having one bus ticket. Transitive and non-transitive trusts will work together. When using both, the
pathway through the network will simply stop as soon as a non-transitive trust is travelled over.
By default, two-way, transitive trusts are created automatically when a child domain is added or when a
domain tree is added. The two default trust types are
Parent-child trusts
Tree-root trusts.
Parent-Child Trust
A transitive, two-way parent-child trust relationship is automatically created, and establishes a
relationship between a parent domain and a child domain, whenever a new child domain is created using
the AD DS installation process within a domain tree. Parent-child trusts can only exist between two
domains in the same tree with the same contiguous namespace. The parent domain is always trusted by the
child domain. You cannot manually create a parent-child trust.
Tree-Root Trust
When you create a new tree in the forest, a tree trust will be created automatically between the root
domain (the first domain created in the forest) and the new tree. Each new tree will have a tree trust
created between that tree and the root domain. These trusts are transitive and essentially the same as
the transitive trusts that link parent and child domains.
A transitive, two-way tree-root trust relationship is automatically created, and establishes a
relationship between the forest root domain and a new tree, when you run the AD DS installation process
to add a new tree to the forest. A tree-root trust can only be established between the roots of two trees
in the same forest and is always transitive. You cannot manually create a tree-root trust.
Shortcut trusts
If you have two domains that communicate with each other on a regular basis you can create a
shortcut trust. This is the same as a transitive trust but is manually created by an administrator to
reduce the number of trusts a user needs to travel over to get from one domain to another.
Shortcut trusts are one-way, transitive trusts. They can only exist within a forest. They are created to
optimize the authentication process by shortening the trust path. The trust path is the series of domain
trust relationships that the authentication process must traverse between two domains in a forest that
are not directly trusted by each other. Shortcut trusts shorten the trust path.
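The following is an added example, not part of the original notes, that models the trust-path rules described above (direction, transitivity, and the domain A / B / C non-transitive case) and shows how a shortcut trust shortens the path. Domain names such as corp.example, eu.corp.example and legacy.example are constructed for illustration.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Trust:
    """One trust: 'trusting' grants access to users from 'trusted' (arrow trusting -> trusted)."""
    trusting: str
    trusted: str
    transitive: bool
    two_way: bool = False


def _edges(trusts):
    # edges[src][dst] records whether the trust src -> dst is transitive
    edges = {}
    for t in trusts:
        pairs = [(t.trusting, t.trusted)] + ([(t.trusted, t.trusting)] if t.two_way else [])
        for src, dst in pairs:
            edges.setdefault(src, {})[dst] = t.transitive
    return edges


def trust_path(trusts, resource_domain, user_domain):
    """Domains an authentication request crosses, from the resource (trusting) domain to the
    user's (trusted) domain, or None when no valid trust path exists."""
    if resource_domain == user_domain:
        return [resource_domain]
    edges = _edges(trusts)
    # A direct trust is usable whether or not it is transitive.
    if user_domain in edges.get(resource_domain, {}):
        return [resource_domain, user_domain]
    # Beyond two domains every hop must be transitive: the path stops at the first
    # non-transitive trust. Breadth-first search yields the shortest path, which is
    # exactly what a shortcut trust is created to provide.
    queue, seen = deque([[resource_domain]]), {resource_domain}
    while queue:
        path = queue.popleft()
        for nxt, transitive in edges.get(path[-1], {}).items():
            if not transitive or nxt in seen:
                continue
            seen.add(nxt)
            if nxt == user_domain:
                return path + [nxt]
            queue.append(path + [nxt])
    return None


# Constructed sample topology: a forest root with two child domains (parent-child trusts)
# and a one-way, non-transitive external trust from one child to a domain outside the forest.
FOREST = [
    Trust("corp.example", "eu.corp.example", transitive=True, two_way=True),
    Trust("corp.example", "us.corp.example", transitive=True, two_way=True),
    Trust("us.corp.example", "legacy.example", transitive=False),
]
SHORTCUT = Trust("us.corp.example", "eu.corp.example", transitive=True, two_way=True)
```

Without the shortcut, a user from eu.corp.example reaching a resource in us.corp.example is authenticated across three domains via the forest root; adding SHORTCUT reduces that to a direct hop, while legacy.example users can reach us.corp.example only, because the external trust is non-transitive and one-way.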