Managing Trusts | Windows Server 2003 for Dummies

In Windows NT 4.0, trust management was a big problem in a large enterprise. In Windows Server 2003, however, trust management is simple because all trusts are set up by default between all domains in a forest and these trusts are two-way transitive trust relationships.

Two-way transitive trusts are created automatically between all domains in a forest when you run DCPROMO. You can, however, still create the old-style Windows NT 4 trusts for any domains that are not part of the same enterprise forest.

Establishing trusts

Old-style trusts are created using Active Directory Domains and Trusts, which is accessed by choosing Start Administrative Tool Active Directory Domains and Trusts. right-click the domain of choice in the Active Directory Domains and Trusts interface and then choose Properties. Click and Trusts tab (see Figure 12-8) to create one-way trusts. ( One-way external trusts are not transitive in nature and work the same as the old Windows NT 4.0 trusts.) You can delete a trust by selecting the trust and choosing Remove.

Figure 12-8: This is where you create one-way trusts between domains.

If you open the door to trusts, who gets to come through?

In a forest, when you open the trust door (which happens automatically between all domains in the same forest), anyone gets to come in. All trusts are transitive, so anyone in any domain in the forest can be granted permission to any resource.

For old-style trust relationships (which are created manually between domains in different forests or in a Windows NT domain), the trust is not transitive. Only users in the two domains for which the trust is defined can be assigned access to resources and only in the direction of the trust.

There's no need to panic, though, because users can't access resources without permission. Therefore, although they can be given access, they won't be able to gain access until specifically given permission to do so.