Trusts


The Windows Server 2003 family supports domain trusts and forest trusts. Domain trust allows a user to authenticate to resources in another domain. To establish and manage domain trust relationships, you must take into consideration trust direction.

Trust Direction

The trust type and its assigned direction will have a substantial impact on the trust path used for authentication. A trust path is a series of trust relationships that authentication requests must follow between domains.

Before a user can access a resource in another domain, the security system on domain controllers running Windows Server 2003 must determine whether the trusting domain (the domain containing the resource the user is trying to access) has a trust relationship with the trusted domain (the user's logon domain). To determine this, the security system computes the trust path between a domain controller in the trusting domain and a domain controller in the trusted domain. In Figure 5-5, trust paths are indicated by arrows showing the direction of the trust.

Figure 5-5. This diagram shows trust paths and the direction of each trust.


All domain trust relationships have only two domains in the relationship: the trusting domain and the trusted domain.

Trust Types

Communication between domains occurs through trusts. Trusts are authentication pipelines that must be present for users in one domain to access resources in another domain.

  • One-way trust.

    A one-way trust is a unidirectional authentication path created between two domains. This means that in a one-way trust between domain A and domain B, users in domain A can access resources in domain B. However, users in domain B cannot access resources in domain A. Some one-way relationships can be nontransitive or transitive depending on the type of trust being created:

    • A transitive trust flows throughout a set of domains, such as a domain tree, and forms a relationship between a domain and all domains that trust that domain. For example, if domain A trusts domain B and domain B trusts domain C, domain A trusts domain C. Transitive trusts can be one-way or two-way, and they are required for Kerberos-based authentication and Active Directory replication.

    • A nontransitive trust is restricted to two domains in a trust relationship. For example, even if domain A trusts domain B and domain B trusts domain C, there is no trust relationship between domain A and domain C. Nontransitive trusts can be one-way or two-way.

  • Two-way trust.

    All domain trusts in a Windows .NET forest are two-way transitive trusts. When a new child domain is created, a two-way transitive trust is automatically created between the new child domain and the parent domain. In a two-way trust, domain A trusts domain B and domain B trusts domain A. This means that authentication requests can be passed between the two domains in both directions. Some two-way relationships can be nontransitive or transitive depending on the type of trust being created.

Trust Relationships

A Windows .NET domain can establish a one-way or two-way trust with:

  • Windows .NET domains in the same forest.

  • Windows .NET domains in a different forest.

  • Windows NT 4.0 domains.

  • Kerberos V5 realms.

Forest Trusts

In a Windows Server 2003 forest, administrators can create a forest trust to extend two-way transitivity beyond the scope of a single forest to a second Windows Server 2003 forest. In other words, with forest trusts you can link two separate Windows Server 2003 forests to form a two-way transitive trust relationship between every domain in both forests. Forest trusts provide the following benefits:

  • Simplified management of resources across two Windows Server 2003 forests. Forest trusts reduce the number of external trusts needed to share resources with a second forest.

  • Complete two-way trust relationships with every domain in each forest.

  • Wider scope of UPN authentications. User principal name authentications can be used across two forests.

  • Greater trustworthiness of authorization data. Both the Kerberos and NTLM authentication protocols can be used to help improve the trustworthiness of authorization data transferred between forests.

  • Flexibility of administration. Administrators can choose to split collaborative delegation efforts with other administrators into forestwide administrative units.

  • Isolation of directory replication within each forest. Schema changes, configuration changes, and the addition of new domains to a forest have forestwide impact only within that forest, not on a trusting forest.

Forest trusts can be created only between two forests and therefore will not be implicitly extended to a third forest. This means that if a forest trust is created between Forest1 and Forest2, and a forest trust is also created between Forest2 and Forest3, Forest1 will not have an implicit trust with Forest3.

Note

In Windows 2000, if users in one forest needed access to resources in a second forest, an administrator could create an external trust relationship between the two domains. External trusts are one-way and nontransitive, so a trust path extends to other domains only when an administrator explicitly configures it.
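The trust-path computation described under Trust Direction, the transitive and nontransitive trust types, the forest-trust limitation (no implicit extension to a third forest) and the one-way nontransitive external trust of the Note can all be exercised on one small model. The following is an added example, not code from the book; every domain name in it (f1.example, sales.f1.example, nt4.example and so on) is a constructed sample topology, and the Trust class and trust_path function are the example's own.

```python
from collections import deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Trust:
    trusting: str          # domain holding the resource
    trusted: str           # domain the user logs on to
    two_way: bool
    transitive: bool
    forest: bool = False   # forest trust between two forest root domains

def trust_path(trusts, trusting_domain, trusted_domain):
    """Domains on the trust path from the trusting (resource) domain to the
    trusted (logon) domain, or None if there is none.  Per the text, a
    nontransitive trust links only its own two domains, and a forest trust
    is never implicitly extended to a third forest."""
    edges = {}                       # evaluated from trusting toward trusted
    for t in trusts:
        edges.setdefault(t.trusting, []).append((t.trusted, t))
        if t.two_way:
            edges.setdefault(t.trusted, []).append((t.trusting, t))
    queue = deque([(trusting_domain, 0, [trusting_domain])])
    seen = {(trusting_domain, 0)}    # (domain, forest trusts crossed so far)
    while queue:
        dom, crossed, path = queue.popleft()
        if dom == trusted_domain:
            return path
        for nxt, t in edges.get(dom, []):
            if not t.transitive:     # nontransitive: only as the whole path
                if dom == trusting_domain and nxt == trusted_domain:
                    return path + [nxt]
                continue
            n = crossed + (1 if t.forest else 0)
            if n > 1 or (nxt, n) in seen:   # no chaining into a third forest
                continue
            seen.add((nxt, n))
            queue.append((nxt, n, path + [nxt]))
    return None

# Constructed topology: Forest1 = f1.example + child sales.f1.example,
# Forest2 = f2.example + child eng.f2.example, Forest3 = f3.example;
# forest trusts F1-F2 and F2-F3; plus a one-way nontransitive external
# trust in which sales.f1.example trusts the NT 4.0 domain nt4.example.
TRUSTS = [
    Trust("f1.example", "sales.f1.example", two_way=True, transitive=True),
    Trust("f2.example", "eng.f2.example", two_way=True, transitive=True),
    Trust("f1.example", "f2.example", two_way=True, transitive=True, forest=True),
    Trust("f2.example", "f3.example", two_way=True, transitive=True, forest=True),
    Trust("sales.f1.example", "nt4.example", two_way=False, transitive=False),
]
```

With this topology, a user from eng.f2.example reaches a resource in sales.f1.example through the parent domains and the single F1-F2 forest trust, while f1.example gets no path to f3.example and nt4.example gets no path back into the forest.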

Introducing Microsoft Windows Server 2003
ISBN: 0735615705
Year: 2005
Pages: 153