Active Directory Forest Trust

  If you’ve been working with Active Directory for a while, you probably know most of the features this technology supports. Large companies that span multiple geographical areas implement domains and forests across their entire network for a centralized and manageable infrastructure. If your forests are part of the same network and you want to enable communication between them, you’ll need to establish forest trusts. This feature was introduced with Windows Server 2003 and offers several trust mechanisms: you can configure one-way incoming, one-way outgoing and two-way trusts. I will try to cover them in this article so that you can choose the right option for your network. But why should you opt for forest trusts instead of incorporating multiple domains and forests under the same AD infrastructure? One possibility is that you want separate Active Directory infrastructures so you can manage your forests individually. Another is that your forests use different domain and forest functional levels and cannot be combined, or that your company recently acquired a new office that was using a different AD organization and you don’t want to mix them.


   Note that you can create trusts at the domain or forest level. There are multiple trust types that you can establish between forests, and they include:
Shortcut trust – when you create a shortcut trust between two forests, any domain from one forest will trust any domain from the second one. You would choose this type of trust if resources from different domains must be accessed frequently. This trust may be implemented to improve logon times between two domains. Also note that response time may decrease if each forest includes several layers of child domains. The direction of the trust can be one-way or two-way.
External trust – you can implement this when you want to create a trust between a domain that’s part of your forest and another external domain that’s not part of any forest. “External trusts are sometimes necessary when users need access to resources located in a Windows NT 4.0 domain or in a domain located within a separate forest that is not joined by a forest trust”. External trust direction can be one-way or two-way.
Forest trust – it’s used to allow shared resources between multiple forests. The direction of a forest trust can be either one-way or two-way, so this really depends on the needs of your network. “Forest trusts are useful for Application Service Providers, companies undergoing mergers or acquisitions, collaborative business extranets, and companies seeking a solution for administrative autonomy.”
Realm trust – this type of trust is established between Windows forests and UNIX/Linux based systems. You’d need to use Kerberos V5 authentication to establish a realm trust between your Linux and Windows infrastructures. Realm trusts can be either one-way or two-way.
Trust direction
Every trust created between domains or forests has a trust direction assigned. The direction indicates the path used to authenticate machines that are part of a trust relationship. A trust relationship is based on two entities: the trusted domain and the trusting domain. When a resource is accessed from the trusted domain in the direction of the trusting domain, the security systems on the local Domain Controllers verify whether there is a trust relationship between these two domains. To be able to access a specified resource, there must be a trust direction set from the trusting DCs to the trusted DCs. The following picture displays a trust relationship between two domains:
[Image: Trust Relationship]
“One-way trust – A one-way trust is a unidirectional authentication path created between two domains. This means that in a one-way trust between Domain A and Domain B, users in Domain A (trusted domain) can access resources in Domain B (trusting domain). However, users in Domain B cannot access resources in Domain A. Some one-way trusts can be a nontransitive trust or a transitive trust depending on the type of trust being created. For more information about trust types, see Trust types.
Two-way trust – All domain trusts in a Windows Server 2003 forest are two-way, transitive trusts. When a new child domain is created, a two-way, transitive trust is automatically created between the new child domain and the parent domain. In a two-way trust, both domains that are involved in a trust relationship trust each other. This means that authentication requests can be passed between the two domains in both directions. Some two-way relationships can be nontransitive or transitive depending on the type of trust being created. For more information, see Trust types.” (from here)
When discussing forest trusts, we must also talk about trust transitivity. The term refers to the capability of extending an existing trust between two domains to other external entities. A transitive trust is used to extend the trust to other domains, while a nontransitive trust is used to deny a trust relationship to external domains. Read more about trust transitivity here.
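The trust type, direction and transitivity described above are stored on each trustedDomain object in the domain partition as the trustType, trustDirection and trustAttributes attributes. The following audit helper is an added example, not code from this article; it decodes those values (bit definitions from MS-ADTS) over constructed sample records and flags the trusts whose SID filtering or authentication scope is weaker than the default, which is the first thing to check when reviewing an existing trust.

```python
# Added audit helper (not from the article): decodes a trustedDomain object's
# trustType, trustDirection and trustAttributes (bit values from MS-ADTS) into
# the trust kind, direction and transitivity discussed above, and flags trusts
# whose SID filtering or authentication scope is weaker than the default.
NON_TRANSITIVE, QUARANTINED, FOREST_TRANSITIVE = 0x1, 0x4, 0x8
CROSS_ORGANIZATION, WITHIN_FOREST, TREAT_AS_EXTERNAL = 0x10, 0x20, 0x40
# trustDirection is relative to the local domain: outbound means the local
# domain trusts the remote one, so remote users can reach local resources.
DIRECTION = {0: "disabled", 1: "inbound", 2: "outbound", 3: "bidirectional"}
REALM_TYPE = 3  # trustType 3 = MIT Kerberos realm, 2 = uplevel AD domain


def classify(rec):
    """Return (kind, direction, transitive, findings) for one trustedDomain record."""
    attrs, direction = rec["trustAttributes"], DIRECTION[rec["trustDirection"]]
    if attrs & WITHIN_FOREST:
        kind = "intra-forest"   # parent/child, tree-root or shortcut trust
    elif attrs & FOREST_TRANSITIVE:
        kind = "forest"
    elif rec["trustType"] == REALM_TYPE:
        kind = "realm"
    else:
        kind = "external"
    # Intra-forest, forest and realm trusts are transitive unless NON_TRANSITIVE
    # is set; an external trust is nontransitive by definition.
    transitive = kind != "external" and not attrs & NON_TRANSITIVE
    findings = []
    if kind == "external" and not attrs & QUARANTINED:
        findings.append("SID filtering (quarantine) is disabled on this external trust")
    if kind == "forest" and attrs & TREAT_AS_EXTERNAL:
        findings.append("forest trust treated as external: SID history is accepted")
    if kind in ("forest", "external") and direction != "inbound" \
            and not attrs & CROSS_ORGANIZATION:
        findings.append("selective authentication is off: any remote user can authenticate here")
    return kind, direction, transitive, findings


def audit(records):
    """Map each trust name to its classification; a report for review."""
    return {rec["name"]: classify(rec) for rec in records}


# Constructed sample records, shaped like LDAP trustedDomain attribute values.
SAMPLE_TRUSTS = [
    {"name": "partner.example", "trustType": 2, "trustDirection": 3, "trustAttributes": 0x8},
    {"name": "legacy.example", "trustType": 2, "trustDirection": 1, "trustAttributes": 0x0},
    {"name": "KRB.EXAMPLE", "trustType": 3, "trustDirection": 2, "trustAttributes": 0x1},
    {"name": "child.corp.example", "trustType": 2, "trustDirection": 3, "trustAttributes": 0x20},
]

if __name__ == "__main__":
    for name, (kind, direction, transitive, findings) in audit(SAMPLE_TRUSTS).items():
        print(f"{name}: {kind}, {direction}, transitive={transitive}; {'; '.join(findings) or 'ok'}")
```

On a real domain the records come from an LDAP search for objectClass=trustedDomain under CN=System, or from Get-ADTrust, whose Direction, ForestTransitive, IntraForest and SIDFilteringQuarantined properties expose the same bits.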
Hope you’ve read and enjoyed this article, if you think there are things left unclear on this topic, post a comment and I will try to respond as soon as possible. Wish you all the best and stay tuned for the following articles.
