Forest domain relation with tree root domain.

    Question

  • I have 3 domains: A, B, C. A two-way forest trust has been created between A and B. C was created as a tree root domain (not a child domain) of B. C and B have a tree root trust, also two-way. In this configuration, what is the trust relation/type between A and C? Does a user in A have the privilege to access resources in domain C? All machines are Windows Server 2008.
    Thursday, March 16, 2017 3:46 AM

All replies

  • Does a user in A have the privilege to access resources in domain C? All machines are Windows Server 2008. >>>> You should also configure a trust between A and C to access resources.

    This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards Burak Uğur

    Thursday, March 16, 2017 6:08 AM
  • Thank you for reply!

    As the document at https://technet.microsoft.com/en-us/library/cc773178(v=ws.10).aspx describes, a two-way forest trust can provide the following benefits:

    • Complete two-way trust relationships with every domain in each forest

    Domain C is a tree of domain B, so why is there no implicit trust between A and C? Is there any misunderstanding of domain trust?

    Thursday, March 16, 2017 8:20 AM
  • Hi,

    If you want a domain A user to be able to access the resources of domain C, you need to create a trust relationship between domain A and domain C.

    Your scenario is similar to the one below.

    There are 3 domains: domain A, domain B and domain C.

    You have created a two-way transitive trust between domain A and domain, and a two-way trust between domain B and domain C.

    The result:

    • Users in domain B to access resources in either domain A or domain C

    • Users in domain C to access resources in domain B
    • Users in domain A to access resources in domain B
    • User in domain A cannot access resource in domain C
    • User in domain C cannot access resource in domain A

    And in your scenario, domain C is the tree root of domain B. There is a two-way transitive trust between domain B and domain C. If you create a two-way transitive trust between domain A and domain C, the result is:

    • User in domain A to access resource in domain C and domain B
    • User in domain C to access resource in domain A and domain B
    • User in domain B to access resource in domain A and domain C

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.



    Thursday, March 16, 2017 9:30 AM
    Moderator
  • Thank you for reply!

    As the document at https://technet.microsoft.com/en-us/library/cc773178(v=ws.10).aspx describes, a two-way forest trust can provide the following benefits:

    • Complete two-way trust relationships with every domain in each forest

    Domain C is a tree of domain B, so why is there no implicit trust between A and C? Is there any misunderstanding of domain trust?


    I think it is valid for C and B, but for A and C you should also configure a forest trust (two-way).

    This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards Burak Uğur

    • Proposed as answer by Akabe Sunday, March 19, 2017 3:01 PM
    Thursday, March 16, 2017 10:52 AM
  • If there is a forest trust between two forests, then transitivity applies to all domains in both forests. Effectively, there is a trust between A and C. This allows you to grant permission to resources in C to users in A - and vice versa.

    hth
    Marcin

    Thursday, March 16, 2017 11:26 AM
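
The trust type and the set of domains a forest trust covers can be read from the directory instead of being inferred. The following is an added example, not part of any reply in this thread; it is run from a domain-joined machine in forest A, and `c.example` is a placeholder for domain C's DNS name.

```powershell
# Added example: list this domain's trusts and check whether a given domain
# is recorded inside any forest trust held by the current forest.
# $TargetDomain is a placeholder (assumption) for domain C's DNS name.
param([string]$TargetDomain = 'c.example')

$ns     = 'System.DirectoryServices.ActiveDirectory'
$forest = ("$ns.Forest" -as [type])::GetCurrentForest()
$domain = ("$ns.Domain" -as [type])::GetCurrentDomain()

"Trusts held by domain $($domain.Name):"
foreach ($t in $domain.GetAllTrustRelationships()) {
    # TrustType is an enum: TreeRoot, ParentChild, CrossLink, External, Forest, ...
    "  {0} -> {1}  type={2}  direction={3}" -f `
        $t.SourceName, $t.TargetName, $t.TrustType, $t.TrustDirection
}

$covered = $false
"Forest trusts held by forest $($forest.Name):"
foreach ($ft in $forest.GetAllTrustRelationships()) {
    "  {0} -> {1}  direction={2}" -f $ft.SourceName, $ft.TargetName, $ft.TrustDirection

    # DNS name suffixes routed across this forest trust
    foreach ($tln in $ft.TopLevelNames) {
        "    suffix {0}  status={1}" -f $tln.Name, $tln.Status
    }

    # Domains of the trusted forest recorded in the forest trust information
    foreach ($d in $ft.TrustedDomainInformation) {
        "    domain {0} ({1})  status={2}" -f $d.DnsName, $d.NetBiosName, $d.Status
        if ($d.DnsName -ieq $TargetDomain) { $covered = $true }
    }
}

if ($covered) {
    "$TargetDomain is listed in a forest trust held by $($forest.Name)."
} else {
    "$TargetDomain is not listed in any forest trust held by $($forest.Name)."
}
```
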
  • @Burak:-

     A <--->B has two way trust 

    C <---> B has two way trust 

    Then shouldn't there be an automatic trust between A & C (as A trusts B & B trusts C)?



    MCSA Office 365 | MCSA Exchange server 2010 | Red Hat Certified Engineer

    Thursday, March 16, 2017 11:27 AM
  • @Burak:-

     A <--->B has two way trust 

    C <---> B has two way trust 

    Then shouldn't there be an automatic trust between A & C (as A trusts B & B trusts C)?



    MCSA Office 365 | MCSA Exchange server 2010 | Red Hat Certified Engineer

    A two-way trust needs to be configured for A and C.

    This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards Burak Uğur

    Thursday, March 16, 2017 11:32 AM
  • Hi,

     A <--->B has two way trust 

    C <---> B has two way trust 

    >>>I have tested your scenario. You need to create a trust relationship between domain A and domain C.

    And as I mentioned in my reply above, if you only create a two-way transitive trust between domain A and domain C (which is the root domain of domain B), there is a trust relationship between domain A and domain B.

    Best Regards,

    Jay



    • Proposed as answer by Akabe Sunday, March 19, 2017 3:01 PM
    Sunday, March 19, 2017 2:23 PM
    Moderator
  • Agreed with Jay and Burak now.

    Read the description again and I assume it says

    A is one forest

    combination of B.com tree and C.com tree is the second AD forest

    Since there is an automatic trust between B & C (because of being part of one forest) > A will trust B (due to explicit trust) but does not know C is added as a root domain

    Hence it is necessary for you to create a two-way trust between A & C

    If C.com was added as a child domain in B.com then the story would be different


    MCSA Office 365 | MCSA Exchange server 2010 | Red Hat Certified Engineer



    • Edited by Akabe Sunday, March 19, 2017 4:13 PM
    Sunday, March 19, 2017 2:59 PM
  • Hi,

    Are there any updates?

    If the reply above has resolved your problem, please mark it as the answer, as it would be helpful to anyone who encounters a similar issue.

    Thank you.

    Best Regards,

    Jay



    Thursday, March 23, 2017 12:13 PM
    Moderator