Creating inter-domain trusts is a rather simple operation if one understands the trusts mechanism used in Active Directory. The Active Directory Domains and Trusts snap-in is used for all work with any trusts in Active Directory domains. You can easily select domains in the snap-in's tree window and look up existing trusts. However, to verify, create, or remove trusts, you must provide the credentials of a user that has privileges to modify trusts.
Let us discuss various trust types by using a sample domain structure shown in Fig. 5.10.
Fig. 5.10: A sample domain structure that illustrates various trust types
These are the domains and trusts shown in Fig. 5.10:
net.dom — the forest root domain that has a Child relationship with its child domain.
subdom.net.dom — a child domain that has a Parent relationship with the root domain.
net2.dom — a tree root domain that is connected with the Tree Root relationships with the forest root domain.
All of the above-mentioned trusts have been created automatically; they are transitive and two-way. You can, for example, log on to the subdom.net.dom domain (i.e., specify a user account located in that domain) on a computer that belongs to the net2.dom domain. To speed up the authentication process, you may want to create an explicit one-way or two-way trust between these domains:
The subdom.net.dom and net2.dom domains are also connected with a trust marked as Shortcut (shown only for the net2.dom domain).
You are also able to establish trust relationships (one- or two-way) with other Active Directory forests or Windows NT 4.0-based domains:
w2000.dom — the root domain of a foreign Windows 2000-based forest.
NT4DOM — an independent Windows NT 4.0-based domain. The relationships with such domains, as well as with other Active Directory forests, are marked as External.
In addition, Windows .NET-based forests that operate at the Windows .NET (version 2002) functional level can be linked with the Forest transitive relationships:
dotnet.dom — a forest root domain that has two-way forest trusts with the net.dom forest
Figs. 5.11 and 5.12 illustrate all listed trust types as they are represented in the Active Directory Domains and Trusts snap-in.
Fig. 5.11: Various types of trusts existing in Active Directory forests
Fig. 5.12: The shortcut trust between two domains within the same forest
Keep in mind that any trusts are always possible between Windows NT 4.0, Windows 2000, and Windows .NET domains, regardless of the mode in which the Active Directory domains are working.
Only shortcut, external, or forest trusts can be removed. You cannot delete "default" (Parent-Child and Tree Root) trusts by using the Active Directory Domains and Trusts snap-in or other tools. This can only be done by removing the appropriate domain or tree.
The state of all existing trusts can be verified. Select the desired trust on the Trusts tab (see Fig. 5.11); click Properties, and then Validate. Normally, you will get the message: "The trust has been verified. It is in place and active". You may be asked for additional credentials in another domain (e.g., if you test the "parent-child" trust from a child domain, you will be asked for credentials in the parent domain).
Basically, the trust creation process is the same on all platforms: for a one-way trust, you should first create an outgoing trust in the trusting domain, and then create the corresponding incoming trust in the trusted domain. For a two-way trust, this process should be executed twice: it is necessary to create both outgoing and incoming trusts in each domain. For the sake of simplicity, we will discuss trust creation in a Windows .NET domain only.
For a Windows .NET domain, the trust creation process is simplified, since the wizard allows you to create any trusts in both domains simultaneously (in that case, you must specify the appropriate credentials in both trusting and trusted domains).
To discuss the trust creation in detail, let us use a sample domain structure shown in Fig. 5.10. In this structure, you may create a shortcut to speed up the access from the net2.dom to the resources located in the subdom.net.dom domain. The subdom.net.dom domain (the trusting domain) will then trust the net2.dom (the trusted domain).
Within a forest, users can log on to any forest domain on computers that can belong to any domain in the same forest. This is possible due to the transitive Kerberos trusts that exist within the entire forest. However, before a shortcut trust is created, there is no direct trust between the net2.dom and subdom.net.dom domains, and the authentication process must traverse every domain on the trust path that connects these two domains. A shortcut trust can speed up this process.
All direct trusts can be verified with the NLtest command. Initially, this command fails on a DC in the subdom.net.dom domain (because there is no direct connection between the current and specified domains, and there are no trusted servers in the net2.dom domain):
C:\>nltest /sc_query:net2.dom
I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN
To create a shortcut trust:
Open the Active Directory Domains and Trusts snap-in, select the trusted domain (net2.dom), and open the Properties window.
Click New Trust. The New Trust Wizard will help you to do all preliminary work to create trusts of any type. Click Next.
Enter the name of the trusting (or target) domain (subdom.net.dom) and click Next.
On the next wizard page (Fig. 5.13), you should select the trust direction. By default, the wizard suggests that you create a two-way trust (therefore, the domain selected earlier will be both a trusting and trusted domain). However, in our case, it is necessary to choose the second option — One way: incoming. Then click Next.
Fig. 5.13: Selecting the direction of the trust
The next wizard page (Fig. 5.14) will appear on Windows .NET-based DCs only. If the target domain is based on domain controllers running Windows 2000 or Windows .NET, you can create the trust in both domains at the same time. You should only provide the appropriate credentials for the target domain.
Fig. 5.14: You can create a trust in either the local domain only or both domains at the same time
If the other "half" of a trust is a Windows NT 4.0 domain, you can create it in the local domain only; the other side of the trust must be created on a DC in the trusting domain by an administrator or a user that has trust creation privileges in that domain. (Windows NT 4.0 does not support system calls necessary for the "remote" trust creation.)
If you leave the default option, the wizard will ask you for the trust password on the next step. This password is an arbitrary character sequence, which you must reproduce when the other side of the trust is created on the target domain.
In our case, we can select the lower option and go further.
On the next wizard page, you need to enter the credentials of a user with appropriate privileges in the trusting (target) domain and click Next.
All selections are complete now. Click Next.
If the selections have been made properly, you will see the "Trust Creation Complete" wizard page. Click Next.
On the next wizard pages, you may confirm the creation of outgoing and incoming trusts. This is only necessary if you have selected the trust creation in both domains. Otherwise, the trust must be created first in the trusting (target) domain. Skip the confirmation steps if the other side(s) of the trust has not been created yet.
On the last wizard page — "Completing the New Trust Wizard", you will see the report on operations performed. Close the wizard by clicking Finish.
That is all. A one-way transitive trust has been created. (The trusts with foreign forests or domains will not be transitive!) You can check it by using the NLtest command. After the trust has been created, you should see:
C:\>nltest /sc_query:net2.dom
Flags: 30 HAS_IP HAS_TIMESERV
Trusted DC Name \\netdc4.net2.dom
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully
This means that the DC in the trusting domain (subdom.net.dom) has a working secure channel to the displayed DC in the trusted net2.dom domain and can now pass authentication requests for net2.dom accounts to it directly.
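The check performed by hand above (nltest /sc_query) is easy to repeat for every direct trust of a domain. The following PowerShell script is an added example, not code from the book: it lists the direct trusts of the current domain through the .NET System.DirectoryServices.ActiveDirectory classes (which also work against Windows Server 2003-era DCs) and then probes the secure channel to each trust partner with nltest, interpreting the same status strings the text shows (ERROR_NO_SUCH_DOMAIN versus NERR_Success). It assumes it runs on a domain-joined machine with nltest.exe available; the function names are my own.

```powershell
# Added example (not from the book): inventory direct trusts and probe each
# secure channel with nltest /sc_query, as the chapter does by hand.
Add-Type -AssemblyName System.DirectoryServices

function Get-DirectTrustInventory {
    # One object per direct trust of the domain this machine belongs to.
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    foreach ($t in $domain.GetAllTrustRelationships()) {
        [pscustomobject]@{
            Source    = $t.SourceName
            Target    = $t.TargetName
            Direction = $t.TrustDirection   # Inbound / Outbound / Bidirectional
            Type      = $t.TrustType        # ParentChild, TreeRoot, Shortcut, External, Forest, ...
        }
    }
}

function Test-TrustSecureChannel {
    param([Parameter(Mandatory)][string]$TrustedDomain)
    # Same probe as in the text. Status 1355 (ERROR_NO_SUCH_DOMAIN) means no
    # direct trust or no reachable DC; NERR_Success means the channel is up.
    # A trust in which the local domain is only the trusted side has no
    # secure channel from here, so a failure for it is expected.
    $out = & nltest.exe "/sc_query:$TrustedDomain" 2>&1 | Out-String
    [pscustomobject]@{
        Domain  = $TrustedDomain
        Healthy = ($out -match 'NERR_Success')
        Detail  = (($out -split "`r?`n") | Where-Object { $_ -match 'Status|Trusted DC Name' }) -join '; '
    }
}

# Usage: list every direct trust, then probe the secure channel to each partner.
Get-DirectTrustInventory | Format-Table -AutoSize
Get-DirectTrustInventory | ForEach-Object { Test-TrustSecureChannel -TrustedDomain $_.Target }
```

Run it on a DC in subdom.net.dom before and after creating the shortcut trust: the net2.dom row flips from Healthy = False (status 1355) to Healthy = True with the trusted DC name, which is exactly the change the two nltest listings in the text document.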
You may also establish a two-way trust, in which both domains will trust each other. To create the trust in the reverse direction, repeat the procedure described above, but this time start from the other domain in the pair (in our example it would be the subdom.net.dom domain). It does not matter from which domain — trusted or trusting — one begins to create a trust. The main thing to remember is that every trust has to be created on both sides of a domain pair, and you must use the same trust password.
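The rule just stated (each side of the pair creates its own half, and the trust password must match) can also be followed without the wizard. The script below is an added example, not the book's code: it uses the .NET Domain.CreateLocalSideOfTrustRelationship method, which does exactly what the wizard's "this domain only" option does, for each domain of the sample pair, and then verifies the result with Domain.VerifyTrustRelationship. It assumes accounts with trust-creation rights in both subdom.net.dom and net2.dom and working DNS between them; the credential prompts and the password value are placeholders.

```powershell
# Added example (not from the book): create both local halves of a two-way
# trust with one shared trust password, then verify it.
Add-Type -AssemblyName System.DirectoryServices
$adNs = 'System.DirectoryServices.ActiveDirectory'

function Get-DomainWithCredential {
    param([Parameter(Mandatory)][string]$DomainName, [pscredential]$Credential)
    # Bind to a domain, optionally with explicit credentials for that domain.
    if ($Credential) {
        $ctx = New-Object -TypeName "$adNs.DirectoryContext" -ArgumentList 'Domain', $DomainName,
            $Credential.UserName, $Credential.GetNetworkCredential().Password
    } else {
        $ctx = New-Object -TypeName "$adNs.DirectoryContext" -ArgumentList 'Domain', $DomainName
    }
    [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx)
}

function New-LocalTrustSide {
    param(
        [Parameter(Mandatory)][string]$LocalDomain,    # domain in which this half is written
        [Parameter(Mandatory)][string]$RemoteDomain,   # the other domain of the pair
        [Parameter(Mandatory)][pscredential]$Credential,
        [Parameter(Mandatory)][string]$TrustPassword   # must be identical on both sides
    )
    $domain = Get-DomainWithCredential -DomainName $LocalDomain -Credential $Credential
    # Writes only the local domain's trust object; nothing is created in
    # $RemoteDomain, so the matching call must be made there too.
    $domain.CreateLocalSideOfTrustRelationship($RemoteDomain, 'Bidirectional', $TrustPassword)
}

function Test-TwoWayTrust {
    param([Parameter(Mandatory)][string]$DomainA, [Parameter(Mandatory)][string]$DomainB,
          [pscredential]$CredentialA)
    $a = Get-DomainWithCredential -DomainName $DomainA -Credential $CredentialA
    $b = Get-DomainWithCredential -DomainName $DomainB
    # Throws if either direction is missing or the passwords did not match.
    $a.VerifyTrustRelationship($b, 'Bidirectional')
    return $true
}

# Usage (placeholder accounts and password; the password must be the same on both sides)
$credSub  = Get-Credential 'SUBDOM\TrustAdmin'
$credNet2 = Get-Credential 'NET2\TrustAdmin'
$trustPw  = 'Placeholder-Trust-Password-1'
New-LocalTrustSide -LocalDomain 'subdom.net.dom' -RemoteDomain 'net2.dom'        -Credential $credSub  -TrustPassword $trustPw
New-LocalTrustSide -LocalDomain 'net2.dom'        -RemoteDomain 'subdom.net.dom' -Credential $credNet2 -TrustPassword $trustPw
Test-TwoWayTrust -DomainA 'subdom.net.dom' -DomainB 'net2.dom' -CredentialA $credSub
```

The trust password is used only once, to bootstrap the inter-domain secure channel; treat it like any other secret (do not keep it in the script) and rely on the verification step rather than on the absence of an error from the first call, because a typo on one side is only detected when the second half is validated.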
To delete a trust in a Windows .NET domain:
Select a trust on the Trusts tab and click Remove.
Select the necessary option in the pop-up window (Fig. 5.15) and click OK.
Fig. 5.15: You can delete a trust from either local domain only or from both domains at the same time
Confirm the deletion.
If you have deleted the trust in the local domain only, do not forget to delete it from the other domain, too.
If the trusting domain in the example discussed in the previous section were a Windows NT 4.0-based domain (named, let us say, NT4DOM), the necessary steps would look like this:
Start the User Manager for Domains, and select the Policies | Trust Relationships command.
Click Add (to the right of the Trusted domains panel).
Enter the NetBIOS (pre-Windows 2000) name of the trusted domain (NET2) and the trust password entered in Step 5 (see above). Click OK.
Normally, you will get the message: "Trusted Relationship with ('NET2' for our example) successfully established".
You must establish two-way trusts between domains for migrating from a Windows NT 4.0/2000/.NET domain to an Active Directory domain (which must be in the native mode or higher) by using the Active Directory Migration Tool (ADMT), ClonePrincipal, or similar (third-party) tools.
The forest trusts are always transitive and can have a one-way as well as two-way direction. Remember that the forest functional levels of both forests must be raised to Windows .NET (version 2002)! If this condition has not been met, you may create a usual external trust only. Make sure that domain controllers of each forest can resolve the DNS name of the other forest.
To create a forest trust:
Open the Active Directory Domains and Trusts snap-in on any DC in the forest root domain of either forest that participates in the forest trust. (The forest root domain is preferred, because you should run this snap-in with the administrative privileges in that domain.)
Open the Trusts tab in the Properties window of the forest root domain (net.dom in our example) and click New Trust.
On the "Trust Name" wizard page, enter the DNS name of the other forest's root domain (dotnet.dom). (If you select any other domain name, the page shown in Fig. 5.16 will never appear!)
Fig. 5.16: This page allows you to create a transitive forest trust
If you leave the default option on the "Trust Type" wizard page (Fig. 5.16), you will be able to create a usual external trust only. Therefore, select the lower option (Forest trust) and click Next.
On the next page (see an example in Fig. 5.13), select the direction of the trust and click Next.
Then, select the sides of the trust (see Fig. 5.14). Click Next. Enter credentials of a user with appropriate privileges, if necessary.
A very important selection should be made on the next wizard page (Fig. 5.17). (The good news is that it is possible to change this selection at any moment in the future.) By default, all users from the target forest will be able to access those shared resources in the local forest that are available for the Everyone group. Otherwise, you should grant the permissions manually.
Fig. 5.17: On this page, you will select the authentication scope for users from the target forest
If the created trust is two-way, a similar page will appear for the target forest, too. For an already created forest trust, you can open its Properties window and manage the authentication scope on the Authentication tab.
On the subsequent wizard pages, confirm the trust creation if necessary.
Then, you can confirm the name suffix routing parameters offered by the system; in the future, you can change them (if necessary) on the Name Suffix Routing tab in the trust's Properties window.
Close the wizard by clicking Finish.
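The authentication scope chosen on the page in Fig. 5.17 is the setting with the largest security impact in this procedure, and the text notes that it can be changed later on the Authentication tab. The script below is an added example, not the book's code: it reads and sets the same setting for an existing forest trust through the .NET Forest class (SetSelectiveAuthenticationStatus corresponds to the restrictive option on that tab) and also reports whether SID filtering is active on the trust. It assumes it runs in the net.dom forest with forest-root administrative rights and that the forest trust to dotnet.dom from the chapter's figure already exists; the function names are my own.

```powershell
# Added example (not from the book): inspect and tighten the authentication
# scope of an existing forest trust.
Add-Type -AssemblyName System.DirectoryServices

function Get-ForestTrustAuthScope {
    param([Parameter(Mandatory)][string]$TargetForest)
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    [pscustomobject]@{
        TargetForest  = $TargetForest
        # $false = forest-wide authentication (the wizard default): every user of
        # the other forest becomes a member of Authenticated Users here and can
        # reach anything granted to Everyone or Authenticated Users.
        # $true  = selective authentication: only accounts that were explicitly
        # granted "Allowed to Authenticate" on a given computer object get in.
        SelectiveAuth = $forest.GetSelectiveAuthenticationStatus($TargetForest)
        # SID filtering drops foreign SIDs (e.g. SIDHistory) from tokens coming
        # across the trust; it should normally stay enabled.
        SidFiltering  = $forest.GetSidFilteringStatus($TargetForest)
    }
}

function Set-ForestTrustSelectiveAuth {
    param([Parameter(Mandatory)][string]$TargetForest, [bool]$Enabled = $true)
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $forest.SetSelectiveAuthenticationStatus($TargetForest, $Enabled)
    # Return the new state so the caller can confirm the change took effect.
    Get-ForestTrustAuthScope -TargetForest $TargetForest
}

# Usage: show the current scope, then switch the dotnet.dom trust to selective
# authentication so that access must be granted per computer and per account.
Get-ForestTrustAuthScope -TargetForest 'dotnet.dom'
Set-ForestTrustSelectiveAuth -TargetForest 'dotnet.dom' -Enabled $true
```

After switching to selective authentication, users from dotnet.dom lose access to all local resources until they (or a group containing them) are granted the "Allowed to Authenticate" permission on the specific computer objects they need, which is the per-resource, least-privilege alternative to the forest-wide default described in the text.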
Now, it is possible to grant permissions and privileges to any user within either forest. For example, if you select a user account (e.g., while assigning permissions) and open the Locations window (Fig. 5.18), you will see all domains and forests that trust the current domain. However, the external forest w2000.dom, connected with non-transitive trusts, is shown as a usual domain, whereas the dotnet.dom forest is shown as a domain tree, which means that it is possible to choose accounts from the entire forest.
Fig. 5.18: This window displays all external forests
In Windows 2000, the corresponding buttons are named Edit (funny enough, you cannot edit anything in the appropriate window) and Verify.