Trust Relationship

Definition of TRUST RELATIONSHIP in Network Encyclopedia.

What is Trust Relationship (in computer networking)?

A trust relationship is a secure communication channel between two domains in Microsoft Windows Server operating systems.

Trust relationships allow users in one domain to access resources in another domain. Trusts work by having one domain trust the authority of the other domain to authenticate its user accounts.

How It Works

In Windows NT, trusts are one-way – the trusting domain (or resource domain) trusts the trusted domain (or accounts domain). This means that global users in the trusted domain can be authenticated for accessing resources in the trusting domain. Global users from the trusted domain can log on to any computer in either domain and can access resources in either domain if they have the appropriate permissions.

If you want to establish a two-way trust between two domains, you must create two trusts, one in each direction. Administrators can set up trust relationships between domains by using the Policies menu in User Manager for Domains. The administrator on the accounts domain should permit the trust first, and then the administrator on the resource domain should complete the trust. Only global accounts (global users and global groups) can cross trusts.

Windows NT trusts are nontransitive. In other words, if domain A trusts domain B and domain B trusts domain C, it is not true that domain A trusts domain C.

By using trusts, you can join Windows NT domains into a variety of domain models, including the complete trust model, the master domain model, and the multiple master domain model. You can join domains to support 100,000 or more users for enterprise-level networks.

Windows NT trusts, which are based on the Windows NT Challenge/Response Authentication, are managed by the Windows NT Directory Services (NTDS).


In Windows 2000, trusts are always two-way. If domain A trusts domain B, users in either domain can access resources in the other domain if they have the appropriate permissions. Windows 2000 trusts are also transitive. In other words, if domain A trusts domain B and domain B trusts domain C, domain A also trusts domain C.

Windows 2000 trusts are much easier to manage than Windows NT trusts, primarily because there are far fewer trusts to manage. Windows 2000 domains are combined into hierarchical structures called domain trees. All users in a domain tree can access resources in any domain of the tree if they have suitable permissions. In Windows 2000, you can also use another type of trust called an explicit trust, which is a one-way trust similar to that implemented in Windows NT, to form a trust relationship between two domain forests.

Windows 2000 trusts are managed by Active Directory and are based on the Kerberos v5 security protocol.

TIP

If you are unable to establish a trust relationship between two domains, make sure that no sessions are open between the two primary domain controllers (PDCs) and that they are using common transport protocols.

Two-way transitive trust

Two-way transitive trust is a trust relationship between two domains in Microsoft Windows 2000. By default, a Windows 2000 trust is two-way, meaning that each domain trusts the authority of the other domain for authentication. A Windows 2000 trust is also transitive – if domain A trusts domain B and domain B trusts domain C, domain A trusts domain C. Windows 2000 two-way transitive trusts are based on the Kerberos v5 security protocol.

Because of the two-way transitive nature of Windows 2000 trusts, all domains in a domain tree implicitly trust each other. This means that resources of one domain are available to users in all other domains in the domain tree if they have suitable permissions.

Note

You can also create one-way nontransitive trusts for Windows 2000–based networks. These one-way trusts are similar to the trust relationships formed by Microsoft Windows NT domain controllers. A one-way trust between a domain and a domain tree provides users of the domain with access only to the domain in the tree to which it is joined.

One-way trusts can be useful when domains require a less permanent relationship – for example, when two companies take part in a joint venture. Only the resources needed by the other company are made available to the trusted domain; the entire domain tree is not exposed.
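To make the difference between the models concrete, the following is an added Python model of a trust graph (written for this page, not code from Network Encyclopedia or from Windows). It answers "which domains' users can be authenticated for resources in domain X" under Windows NT one-way nontransitive trusts, Windows 2000 two-way transitive tree trusts, and a Windows 2000 explicit one-way trust; the domain names A, B, C and P are constructed examples.

```python
from collections import deque

# Each trust is (trusting_domain, trusted_domain, transitive): the trusting
# (resource) domain accepts authentication from the trusted (accounts) domain.

def nt_trust(trusting, trusted):
    """Windows NT trust: one-way and nontransitive."""
    return [(trusting, trusted, False)]

def w2k_tree_trust(a, b):
    """Windows 2000 domain-tree trust: two-way and transitive."""
    return [(a, b, True), (b, a, True)]

def explicit_trust(trusting, trusted):
    """Windows 2000 explicit trust: one-way and nontransitive, e.g. to a joint-venture partner."""
    return [(trusting, trusted, False)]

def domains_trusted_by(trusts, resource_domain):
    """Domains whose users can be authenticated for resources in resource_domain."""
    transitive, direct = {}, {}
    for trusting, trusted, is_transitive in trusts:
        table = transitive if is_transitive else direct
        table.setdefault(trusting, set()).add(trusted)
    # Chains of transitive trusts: if A trusts B and B trusts C, A trusts C.
    reachable, queue = set(), deque([resource_domain])
    while queue:
        domain = queue.popleft()
        for trusted in transitive.get(domain, ()):
            if trusted not in reachable:
                reachable.add(trusted)
                queue.append(trusted)
    # A nontransitive trust only grants access to the domain that holds it directly.
    reachable |= direct.get(resource_domain, set())
    reachable.discard(resource_domain)
    return reachable

def can_access(trusts, user_domain, resource_domain):
    """True if users of user_domain can be authenticated for resources in resource_domain."""
    return user_domain == resource_domain or user_domain in domains_trusted_by(trusts, resource_domain)

# Constructed Windows NT layout: A trusts B and B trusts C (one-way, nontransitive).
NT = nt_trust("A", "B") + nt_trust("B", "C")
# Constructed Windows 2000 layout: tree A - B - C, plus B holds an explicit one-way trust to partner domain P.
W2K = w2k_tree_trust("A", "B") + w2k_tree_trust("B", "C") + explicit_trust("B", "P")

if __name__ == "__main__":
    for name, trusts in (("NT", NT), ("W2K", W2K)):
        for domain in "ABCP":
            print(name, domain, "trusts", sorted(domains_trusted_by(trusts, domain)))
```

Users of P reach only B, the domain in the tree that holds the explicit trust, while users of C reach every domain in the tree through the transitive chain.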
