A couple of questions about Trust relationships between domains and forests

    Question

  • Hello, can someone please help me with the following questions, as I am trying to understand the finer details of Kerberos trust relationships (e.g. forest, domain, realm, external, shortcut). I am reading some Microsoft documentation but it does not always make things 100% clear, or it seems to contradict itself (or perhaps it’s just me being thick :) )

    Scenario One

    Say I have two (AD 2012 R2) forests where the forest root domains are called ADF1 and XDF2 respectively.

    Under ADF1 (root domain) I have a sub-domain called SD1, then under SD1 I have a sub-domain called SD2, and under SD2 I have a sub-domain called SD3.

    Under XDF2 (root domain) I have a sub-domain called XD1, then under XD1 I have a sub-domain called XD2, and under XD2 I have a sub-domain called XD3.

    Question 1

    Am I correct in saying you can only have a ‘domain’ trust between domains in the ‘same’ forest?

    In other words, although you can set up a trust between two domains in separate forests, this would not be called a ‘domain’ trust but rather an ‘external trust’ or a ‘forest trust’, and it would only be called a ‘forest trust’ if the two domains in question were the two root domains (ADF1 and XDF1 in this case)?

    Question 2

    If I create a trust relationship between SD1 and XD1 (e.g. non-root domains) across the two forests (as above, I believe this is called an ‘external trust’), and let’s say SD1 is the ‘trusted domain’, then users in SD1 can access resources in XD1 (providing the ACL on the resource allows them to).

    However, if my understanding is correct, I believe it is true to say (from what I have read) that users in the ‘SD3’ domain will not be able to use the trust set up on SD1 (as domain SD1 is not a direct parent or child of SD3) and therefore will not be able to access resources in the XD1 domain?

    I say this because what I have read keeps referring to a domain having to be a parent or child (not a grandparent or grandchild etc.) in order for the trust to be visible (and therefore accessible), despite the forest-wide DTOs (domain trust objects in AD).

    I would be most grateful for clarification on the above points

    Thanks in advance

    __AAnotherUser


    AAnotherUser__

    Saturday, January 21, 2017 3:30 PM

All replies

  • Hi,

    Based on my understanding:

    1> domain trusts are transitive;

    2> three major domain trusts: shortcut trust, external trust <exchange>, forest trust;

    3> clients in the same domain automatically trust each other; <created by Kerberos protocol>

    Then, I suppose I could answer your questions:

    For Q1 >>> "if the two domains in question where the two root domains (ADF1 and XDF1 in this case)?"

    A1 >>> Yes, if the root domain is involved, I suppose it is a forest-wide trust.

    For Q2 >>> "I believe it is true to say (from what I have read) users in ‘SD3’ domain will not be able to access the trust setup on SD1 (as domain SD1 is not a direct parent or child of SD3) and therefore will not be able to access resources in XD1 domain?"

    A2 >>> "Each time you create a new child domain, a two-way transitive trust relationship (known as the parent-child trust) is automatically created between the parent and new child domain."

    For example: SD3 is the son of SD2, SD2 is the son of SD1, and combined with the transitivity of domain trusts, I suppose grandpa SD1 should trust SD3.

         "In this way, transitive trust relationships flow upward through the domain tree as it is formed, creating transitive trusts between all domains in the domain tree"

    https://technet.microsoft.com/en-us/library/cc783351%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396

    Best regards,

    Andy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, January 23, 2017 5:52 AM
    Moderator
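    An added example, not part of this thread and not Microsoft's code: a small Python model of the question's scenario that encodes the rules from Microsoft's trust documentation, namely that parent-child and forest trusts are transitive while an external trust is non-transitive and usable only directly between its own two domains. The domain names and the one-way external trust (XD1 trusting SD1) come from the question; the optional forest trust between ADF1 and XDF2 and the "shortcut" kind are constructed additions.

```python
from collections import deque
# Trust kinds a Kerberos referral may chain through; "external" is non-transitive.
TRANSITIVE = {"parent-child", "shortcut", "forest"}

class TrustGraph:
    """edges[trusting] -> [(trusted, kind)]: users of `trusted` may be granted access in `trusting`."""
    def __init__(self):
        self.edges = {}
    def add(self, trusting, trusted, kind, two_way=True):
        self.edges.setdefault(trusting, []).append((trusted, kind))
        if two_way:
            self.edges.setdefault(trusted, []).append((trusting, kind))

    def trust_path(self, resource_domain, user_domain):
        """Domains crossed from the resource domain back to the user's domain, or None."""
        if resource_domain == user_domain:
            return [resource_domain]
        # A direct trust of any kind (even a non-transitive external one) works between its two domains.
        if any(t == user_domain for t, _ in self.edges.get(resource_domain, [])):
            return [resource_domain, user_domain]
        # Otherwise chain transitive trusts only, crossing at most one forest trust
        # (a forest trust does not extend to a third forest).
        start = (resource_domain, 0)
        queue, parent = deque([start]), {start: None}
        while queue:
            domain, forest_hops = queue.popleft()
            for trusted, kind in self.edges.get(domain, []):
                hops = forest_hops + (kind == "forest")
                state = (trusted, hops)
                if kind not in TRANSITIVE or hops > 1 or state in parent:
                    continue
                parent[state] = (domain, forest_hops)
                if trusted == user_domain:
                    path = [state]
                    while parent[path[-1]] is not None:
                        path.append(parent[path[-1]])
                    return [d for d, _ in reversed(path)]
                queue.append(state)
        return None

def build_scenario(forest_trust=False):
    """The question's two forests, plus a one-way external trust where XD1 trusts SD1."""
    g = TrustGraph()
    for parent_dom, child in [("ADF1", "SD1"), ("SD1", "SD2"), ("SD2", "SD3"),
                              ("XDF2", "XD1"), ("XD1", "XD2"), ("XD2", "XD3")]:
        g.add(parent_dom, child, "parent-child")   # automatic, two-way, transitive
    g.add("XD1", "SD1", "external", two_way=False)  # SD1 = trusted, XD1 = trusting
    if forest_trust:                                # Question 1: a trust between the two roots
        g.add("ADF1", "XDF2", "forest")
    return g
```

    With the scenario as built, `trust_path("SD1", "SD3")` walks SD1 > SD2 > SD3 through the transitive parent-child trusts, `trust_path("XD1", "SD1")` is the single external hop, and `trust_path("XD1", "SD3")` returns None because the external trust cannot be chained; only adding the forest trust gives SD3 users a path into the XDF2 forest.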
  • Hello Andy,

    Thanks very much for taking the time to reply, I will take a look at the information in the link you posted.

    I think I will also set up a lab and try a few configurations out.

    __AnotherUser


    AAnotherUser__

    Monday, January 23, 2017 7:41 AM
  • Hi __AnotherUser,

    You're welcome!

    >> I think I will also set up a lab and try a few configurations out

    If you need more assistance, you are welcome to ask here.

    Best regards,

    Andy


    Monday, January 23, 2017 9:27 AM
    Moderator