Managing Trust Relationships
This lesson introduces you to trust relationships and the tasks involved in the management of trusts. In Chapter 1, you learned that a trust relationship is a link between two domains in which the trusting domain honors the logon authentication of the trusted domain. Trust relationships can be created automatically (implicitly) or manually (explicitly). Trust relationships created implicitly do not need management. In this lesson you learn how to plan, create, and administer explicit trust relationships.
Trust Relationships
A trust relationship is a logical relationship established between domains to allow pass-through authentication, in which a trusting domain honors the logon authentications of a trusted domain. There are two domains in a trust relationship—the trusting and the trusted domain.
In Windows NT, trusts are one-way and nontransitive, and can require a great deal of administrator maintenance. Trusts were limited to the two domains involved in the trust and the trust relationship was one-way. In Windows Server 2003, trusts have three characteristics.
Trusts can be created manually (explicitly) or automatically (implicitly).
Taists can be either transitive (not bound by the domains in the trust relationship) or nontransitive (bound by the domains in the trust relationship).
Trusts can be one-way or two-way.
Windows Server 2003 authenticates users and applications using either the Kerberos version 5 or NTLM protocol. The Kerberos version 5 protocol is the default protocol for computers running Windows Server 2003. If any computer involved in a transaction does not support Kerberos version 5, the NTLM protocol is used.
When using the Kerberos version 5 protocol, the client requests a ticket from a domain controller in its account domain for presentation to the server in the trusting domain. This ticket is issued by an intermediary trusted by the client and the server. The client presents this trusted ticket to the server in the trusting domain for authentication.
When a client tries to access resources on a server in another domain using NTLM authentication, the server containing the resource must contact a domain controller in the client’s account domain to verify the account credentials. A trust relationship can also be created with any MIT version 5 Kerberos realm.
When a user is authenticated by a domain controller, the presence of a trust does not guarantee access to resources in that domain. Access to resources is determined solely by the rights and permissions granted to the user account by the domain administrator for the trusting domain. For information about providing access to resources , refer to Chapter 9, “Administering Active Directory Objects.”
