
TRUST

Trusts are the mechanism that ensures that a user who is authenticated in his home domain can access
resources in any domain that trusts that home domain. In Windows Server 2003, there are two categories
of trusts: transitive trusts and non-transitive trusts.

Transitive and Non-Transitive Trusts

A transitive trust is one in which the trust relationship extended to one domain is automatically
extended to all other domains that trust that domain. For example, domain C directly trusts domain D,
and domain D directly trusts domain E. Because both trusts are transitive, domain C indirectly trusts
domain E. Transitive trusts are created automatically; an example of a transitive trust is a parent/child
trust. Non-transitive trusts are not automatic and must be set up explicitly; an example of a
non-transitive trust is an external trust.
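The transitivity rule above, as an added example that is not part of the original page: a small trust table (constructed, with example domain names) and a path search that follows only transitive trusts beyond the first hop, so the one-way non-transitive external trust never extends to the domains behind the trusting domain.

```python
from collections import deque

# Constructed trust table (example data, not from the page): each entry is
# (trusting_domain, trusted_domain, transitive).  The trusting domain holds
# the resource, the trusted domain holds the user account.  Parent/child
# trusts exist in both directions and are transitive; the external trust to
# ext.partner is one-way and non-transitive.
TRUSTS = [
    ("c.example", "d.example", True),
    ("d.example", "c.example", True),
    ("d.example", "e.example", True),
    ("e.example", "d.example", True),
    ("c.example", "ext.partner", False),
]


def trust_path(trusts, trusting, trusted):
    """Return the chain of domains through which `trusting` trusts
    `trusted`, or None.  A direct trust counts whatever its transitivity;
    an indirect path is valid only if every hop is transitive, because a
    non-transitive trust is never extended beyond the two domains sharing it."""
    if trusting == trusted:
        return [trusting]
    edges = {}
    for src, dst, transitive in trusts:
        edges.setdefault(src, []).append((dst, transitive))
    if any(dst == trusted for dst, _ in edges.get(trusting, [])):
        return [trusting, trusted]
    queue, seen = deque([[trusting]]), {trusting}
    while queue:
        path = queue.popleft()
        for dst, transitive in edges.get(path[-1], []):
            if not transitive or dst in seen:
                continue
            if dst == trusted:
                return path + [dst]
            seen.add(dst)
            queue.append(path + [dst])
    return None


def can_access(trusts, user_domain, resource_domain):
    """A user authenticated in user_domain reaches a resource in
    resource_domain only if the resource domain trusts the user's domain."""
    return trust_path(trusts, resource_domain, user_domain) is not None
```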

How Trusts Work Within a Forest

Trusts allow users from one domain access to resources in another domain. Trust relationships can be
transitive or non-transitive. When a user attempts to gain access to a resource in another domain, the
Kerberos V5 protocol must determine whether the trusting domain, which is the domain containing the
resource to which the user is trying to gain access, has a trust relationship with the trusted domain,
which is the domain to which the user is logging on. To determine this relationship, the Kerberos V5
security protocol travels the trust path between the domain controller in the trusting domain and the
domain controller in the trusted domain. When a user in the trusted domain attempts to gain access to a
resource in another domain, the user's computer first contacts the domain controller in its own domain to
get authentication to the resource. If the resource is not in the user's domain, the domain controller
uses the trust relationship with its parent and refers the user's computer to a domain controller in its
parent domain. This search for the resource continues up the trust hierarchy, possibly to the forest root
domain, and then down the trust hierarchy until a domain controller in the domain where the resource is
located is contacted.
How Trusts Work Across Forests
Windows Server 2003 supports cross-forest trusts, so that users in one forest can access resources in
another forest. When a user attempts to access a resource in a trusted forest, the resource must first be
located. Once the resource is located, the user can be authenticated and allowed to access the resource.
Understanding how this process works will help you troubleshoot problems that may arise with cross-forest
trusts.
The following is a description of how a resource in another forest is located:
1. A user logged on to the domain vancouver.nwtraders.msft attempts to access a shared resource, such
as a shared folder, located in the Contoso.msft forest. The computer the user is working on contacts the
Key Distribution Center (KDC) on a domain controller in its domain, vancouver.nwtraders.msft, and
requests a service ticket by using the SPN of the computer on which the resource is available. An SPN
can be one of the following: the DNS name of a host, the DNS name of a domain, or the distinguished
name of a service connection point object.
2. Because the resource is not located in vancouver.nwtraders.msft, the domain controller for
vancouver.nwtraders.msft queries the global catalog to see if the resource is located in any of the other
domains in the forest.
3. Because a global catalog is limited to its own forest, the SPN is not found. The global catalog then
checks its database for information about any forest trusts that are established with its forest and, if
one is found, compares the name suffixes listed in the forest trust TDO (trusted domain object) to the
suffix of the target SPN to find a match. Once a match is found, the global catalog provides routing
information about how to locate the resource to the domain controller in the Vancouver domain.

Once the resource has been located, the referrals and authentication proceed as follows:
1. The domain controller in the Vancouver domain sends a referral for its parent domain, nwtraders.msft,
to the user's computer.
2. The user's computer contacts a domain controller in nwtraders.msft for a referral to a domain
controller in the forest root domain of the Contoso.msft forest.
3. Using the referral returned by the domain controller in the nwtraders.msft domain, the user's
computer contacts a domain controller in the Contoso.msft forest for a service ticket to the
requested service.
4. Because the resource is not located in the forest root domain of the Contoso.msft forest, the
domain controller contacts its global catalog to find the SPN. The global catalog finds a
match for the SPN and sends it back to the domain controller.
5. The domain controller sends a referral to seattle.contoso.msft to the user's computer.
6. The user's computer contacts the KDC on the domain controller in the Seattle domain and negotiates a
ticket for the user to gain access to the resource in the domain seattle.contoso.msft.
7. The user's computer sends the server service ticket to the computer on which the shared
resource is located, which reads the user's security credentials and constructs an access token,
which gives the user access to the resource.
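The two numbered walk-throughs above (locating the SPN through the global catalog and the forest trust TDO suffixes, then the chain of referrals up the home forest, across the trust and down to the resource domain), as an added example that is not part of the original page. The forests, the toronto and lab domains, the fs01 host and the included/excluded name suffixes are constructed, and a contiguous DNS namespace is assumed so that a child domain's parent is its name with the leftmost label removed.

```python
# Constructed forest model for the walk-through above (example data, not
# the page's own): each forest is keyed by its root domain and lists its
# domains; a contiguous DNS namespace is assumed, so a child's parent is its
# name with the leftmost label removed.  FOREST_TRUST_TDO models the name
# suffixes the forest trust TDO publishes, and any excluded from routing.
FORESTS = {
    "nwtraders.msft": {"nwtraders.msft", "vancouver.nwtraders.msft",
                       "toronto.nwtraders.msft"},
    "contoso.msft": {"contoso.msft", "seattle.contoso.msft", "lab.contoso.msft"},
}
FOREST_TRUST_TDO = {  # forest trusts held by the nwtraders.msft forest
    "contoso.msft": {"included": {"*.contoso.msft"},
                     "excluded": {"*.lab.contoso.msft"}},
}

def _under(name, wildcard):
    """True if DNS `name` is the wildcard's suffix domain or lies beneath it."""
    return name == wildcard[2:] or name.endswith(wildcard[1:])

def owning_domain(host, domains):
    """Longest domain name that is a suffix of the SPN host (the GC lookup)."""
    hits = [d for d in domains if host == d or host.endswith("." + d)]
    return max(hits, key=len) if hits else None

def _lineage(domain, root):
    """The domain followed by its parents up to and including the forest root."""
    out = [domain]
    while out[-1] != root:
        out.append(out[-1].split(".", 1)[1])
    return out

def referral_chain(user_domain, spn_host):
    """Domains whose KDCs the client is referred to, in order, when a user of
    user_domain requests a service ticket for spn_host; None if unroutable."""
    home_root = next(r for r, ds in FORESTS.items() if user_domain in ds)
    target_root, target = home_root, owning_domain(spn_host, FORESTS[home_root])
    if target is None:  # not in our forest: compare the SPN suffix with each TDO
        for root, tdo in FOREST_TRUST_TDO.items():
            if any(_under(spn_host, s) for s in tdo["included"]) and \
                    not any(_under(spn_host, s) for s in tdo["excluded"]):
                target_root, target = root, owning_domain(spn_host, FORESTS[root])
                break
    if target is None:
        return None
    up, down = _lineage(user_domain, home_root), _lineage(target, target_root)
    if target_root == home_root:  # in-forest: climb only to the common parent
        junction = next(d for d in up if d in down)
        return up[:up.index(junction)] + list(reversed(down[:down.index(junction) + 1]))
    return up + list(reversed(down))  # up to the root, across the trust, down
```

An SPN under an excluded suffix is reported as unroutable, which is the case to check first when a cross-forest access fails.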

How to Create Trusts

You can use Active Directory Domains and Trusts to set up trust relationships between forests or
between domains in the same forest. You can also use it to set up shortcut trusts. Before you create a
forest trust, you must create a secondary lookup zone on the DNS server in each forest that points to
the DNS server in the other forest. This ensures that the domain controller in the forest from where
you are creating the forest trust can locate a domain controller in the other forest and complete the
setup of the trust relationship.
To create a trust, perform the following steps:
1. Open Active Directory Domains and Trusts.
2. In the console tree, perform one of the following steps: If you are creating a forest trust,
right-click the domain node for the forest root domain, and then click Properties. If you are
creating a shortcut trust, right-click the domain node for the domain that you want to establish
a shortcut trust with, and then click Properties. If you are creating an external trust, right-click
the domain node for the domain that you want to establish a trust with, and then click
Properties. If you are creating a realm trust, right-click the domain node for the domain you
want to administer, and then click Properties.
3. On the Trust tab, click New Trust, and then click Next.
4. The New Trust Wizard starts.
5. On the Welcome page, click Next.
6. On the Trust Name page, perform one of the following steps: If you are creating a forest
trust, type the DNS name of the second forest, and then click Next. If you are creating a
shortcut trust, type the DNS name of the domain, type and confirm the trust password, and
then click Next. If you are creating an external trust, type the DNS name of the domain, and
then click Next. If you are creating a realm trust, type the realm name for the target realm,
and then click Next.
7. On the Trust Type page, perform one of the following steps: If you are creating a forest
trust, click Forest trust, and then click Next. If you are creating a shortcut trust, skip to step
8. If you are creating an external trust, click External trust, and then click Next. If you
are creating a realm trust, select the Realm trust option, click Next, and then, on the
Transitivity of Trust page, do one of the following: To form a trust relationship with the
domain and the specified realm, click Nontransitive, and then click Next. To form a trust
relationship with the domain and the specified realm and all trusted realms, click Transitive,
and then click Next.

8. On the Direction of Trust page, perform one of the following steps: To create a two-way
trust, click Two-way, and then follow the wizard instructions. To create a one-way
incoming trust, click One-way: incoming, and then follow the wizard instructions. To
create a one-way outgoing trust, click One-way: outgoing, and then follow the wizard
instructions.
