Trust Relationship
Topics Covered
Introduction to trust relationship
Types of Trust
Configuration of Trust
Creating Trust from command line
Questions on Trust
Trust Relationships
A trust is nothing but a relationship which allows one domain to access resources of other
domain. A trust relationship is a logical relationship established between domains to allow access
to each other resources. Without trust relation a domain cannot cross it boundary to access other
domain due to security measures. For a small network with single domain does not required
trust. If you have multiple domain and you want domains to access each other resources then
trust is required.
Trust relationship required atleast 2 domain. A trust can be one-way or two-way. In one-way
trust eg. DOMAIN_A can access DOMAIN_B resources and not vice-versa, whereas in twoway
trust both domains can access each other resource.
Trust relationship required 2 parties
1) Trusting Domain : A domain that allows other domain to access its resources.
2) Trusted Domain : A domain that access other domain resources.
One-way Trust
Two-way Trust
In one-way trust one domain act as trusting domain and other domain act as trusted domain. i.e.
DOMAIN_A (trusting domain) and DOMAIN_B (trusted domain).
In two-way trust both the domains are acting as trusting and trusted domain i.e DOMAIN_A
(trusting and trusted domain and DOMAIN_B (trusting and trusted domain).
Trust Protocols
Windows 2008 uses Kerberos and NTML as trust protocol. Windows Server 2008 authenticates
users and applications using either the Kerberos version 5 or NTLM protocol. The Kerberos
version 5 protocol is the default protocol for computers running Windows Server 2008. NTLM is
normally used for older version clients like Windows NT.
Trust type
In Windows 2008 trust we have multiple methods of configuration of trust. The method depends
your network topology and requirement. The following are different methods of trust relationships that
are supported by Windows Server 2008:
Implicit Trust
• It is a trust between two domains within same forest.
• It is automatically created when a domain joins a forest.
• It is always two-way trust
• It is called as transitive trust
• Tree-root trust is trust between two trees in same forest whereas Parent-child trust is trust
between two domains in same tree.
Explicit Trust
• It is a trust between Windows 2008 and Windows NT domain.
• It is created manually by administrator according to requirement
• It can be two-way or one-way depending on our requirement
• It is called as non-transitive trust
Realm Trust
• It is a trust between Windows 2008 Domain and non-Windows domain.
• It is created manually by administrator according to requirement
• It can be two-way or one-way depending on our requirement
• It is called as non-transitive trust
Shortcut Trust
• It is trust between two domains within same forest to improve user login time and
resource access.
• It is created manually by administrator according to requirement.
• It can be two-way or one-way depending on our requirement.
• It is called as transitive trust
Forest Trust
• It is a trust between two domains in different forest.
• It is created manually by administrator according to requirement..
• It can be one-way or two-way trust
• It is called as transitive
What is Transitive Trust ?
When a trust is created between multiple a domains the concept of transitive trust occurs. In a
setup of two domains transitive trust concept is not required. Now let see a scenario about it.
Suppose you have 3 domains i.e. BOM, DEL, MAD and you have created a one way trust
between all this three domains in following order
BOM trust DEL and DEL trust MAD therefore BOM also trust MAD
BOM = DEL = MAD therefore BOM = MAD (A=B=C therefore A=C)
This is the basic rule of Transitive Trust. In a Windows 2008 forest environment all trust a
transitive trust. A non-transitive trust is just opposite to it. Where BOM trust DEL and DEL trust
MAD therefore BOM does not trust MAD (A=B=C therefore A not= C).
Trust Configuration
Now let see how to configure a trust between two domains i.e. DOMAIN_A and DOMAIN_B.
In this scenario we will create a one-way trust where DOMAIN_A will be trusting domain and
DOMAIN_B will be trusted domain. This trust will be between two domains in different forest
i.e. we will create a forest trust.
Steps for creating trust in DOMAIN_A
1. Go to Start, Administrative Tools, and then click Active Directory Domains and Trusts.
2. Right-click the domain node for the domain for which you want to create a trust, and then
click Properties.
3. In the Properties dialog box, click the Trusts tab.
4. In the Trusts tab, click New Trust to launch the New Trust Wizard.
5. On the Welcome To The New Trust Wizard page, click Next.
6. On the Trust Name page, type the DNS name or NetBIOS name of the target domain
with which you want to establish a trust in the Name box, then click Next.
7. On the Direction Of Trust page screen, Select the direction of trust you want to create. In
our case we will now select outgoing trust. (An outgoing trust is created on trusting
domain where as incoming trust is created on trusted domain).
8. On the Side Of Page screen, select where to create the trust. If you select “Domain
Only” then the trust will be created only in local domain and you have to create a trust
manually on other domain. If you select “Both domain” then trust will be created in
local as well as target domain. In this case we will select “Domain only” option.
9. On the next screen type a password for the trust and then click Next to finish creation of
outgoing trust.
Steps for creating trust in DOMAIN_B
1. Go to Start, Administrative Tools, and then click Active Directory Domains and Trusts.
2. Right-click the domain node for the domain for which you want to create a trust, and then
click Properties.
3. In the Properties dialog box, click the Trusts tab.
4. In the Trusts tab, click New Trust to launch the New Trust Wizard.
5. On the Welcome To The New Trust Wizard page, click Next.
6. On the Trust Name page, type the DNS name or NetBIOS name of the target domain
with which you want to establish a trust in the Name box, then click Next.
7. On the Direction Of Trust page screen, Select the direction of trust you want to create. In
our case we will now select incoming trust. (An incoming trust is created on trusted
domain where as outgoing trust is created on trusting domain).
8. On the Side Of Page screen, select where to create the trust. If you select “Domain
Only” then the trust will be created only in local domain and you have to create a trust
manually on other domain. If you select “Both Domain” then trust will be created in
local as well as target domain. In this case we will select “Domain only” option.
9. On the next screen type a password for the trust and then click Next to finish creation of
outgoing trust.
Creating Realm Trust
A realm trust is a trust between a non–Windows Kerberos realm and a Windows Server 2003
domain. IT is a trust between Windows and Non-Windows Operating Systems. Now let see how
to configure a realm trust
1. Goto to start, Administrative Tools, and then click Active Directory Domains And Trusts.
2. Right-click the domain node for the domain for which you want to create a realm trust,
and then click Properties. In the Properties dialog box, click the Trusts tab.
3. In the Trusts tab, click New Trust. On the Welcome To The New Trust Wizard page,
click Next.
4. On the Trust Name page, type the DNS name of the target realm with which you want to
establish a trust in the Name box, and then click Next.
5. On the Trust Type page, select the Realm Trust option, and then click Next.
6. On the Transitivity Of Trust page, select transitive or non-transitive trust type.
7. Next select the direction of trust and then select the trust password.
8. Next, click finish to complete the creation of forest trust.
Creating Trusts Using the Command Line
Syntax :
netdom trust TrustingDomainName /d: TrustedDomainName [/ud:[Domain\]User]
[/pd:{Password|*}] [/uo: User] [/po:{Password|*}] [/verify] [/reset] [/passwordt:
NewRealmTrustPassword] [/add [/realm]] [/remove [/force]] [/twoway] [/kerberos]
[/transitive[:{YES|NO}]] [/verbose]
TrustingDomainName : Specifies the name of the trusting domain.
/d: TrustedDomainName : Specifies the name of the trusted domain. If the parameter is omitted,
then the domain that the cur-rent computer belongs to is used.
/add : creates a trust
/remove : removes the trust
/twoway : creates a two way trust
Example of creating trust using command line
Netdom trust visioninfo.com /d: visionindia.com /add /twoway /passwordt: vision123
In this example visioninfo.com is trusting domain and visionindia.com is trusted domain. The
trust password is vision123 and we have created a twoway trust.
No comments:
Post a Comment