Managing Trusts
As you learned earlier, one of the most important differences between Windows NT 4.0 domains and Windows 2000 domains is the way trust relationships are created and maintained between domains within the organization. Rather than establish a web of one-way trusts as required in Windows NT 4.0, Windows 2000 implements transitive trusts that span the domain tree and forest structure. This model greatly simplifies administration.
Trust Relationships
Trust relationships in Windows NT 4.0 can be represented in the following equation (with n equaling the number of domains):
Windows NT 4.0 domains(n * (n1))
Therefore a company with 6 domains needs to establish 30 trust relationships (6*(61)).
Trust relationships among Windows 2000 domains can be represented in the following equation:
Windows 2000 domains(n1)
Therefore, a company with 6 domains needs to establish 5 trust relationships (61).
That's a significant difference in the number of trust relationships that must be managed, particularly when you're in a corporation with hundreds of NT 4.0 domains!
Another trust feature of Windows 2000 domains is that they are created and implemented by default. As you install domain controllers, trusts are automatically created. This process is tied to the fact that Windows 2000 domains are hierarchically created. That enables Windows 2000 to automatically know which domains are included in a given domain tree, and when trust relationships are established between root domains, to automatically know which domain trees are included in the forest.
In contrast, administrators had to create (and subsequently manage) trust relationships between Windows NT domains, and they had to remember which way the trust relationships flowed (and how that affected user rights and permissions in either domain). The difference is significant, the management overhead is sliced to a fraction, and the implementation of such trusts is more intuitiveall due to the new trust model and the hierarchical approach to domains and domain trees.
Windows 2000 incorporates three types of trust relationships. The trust relationships available to Windows 2000 domains are the following:
-
One-way trusts
-
Transitive trusts
-
Cross-link trusts
One-Way Trusts
One-way trusts are obviously not two-way, nor are they transitive. You can still create one-way trusts just like in a Windows NT 4.0 environment. However, creating multiple one-way trusts does not create a transitive trust.
One-way trusts can be used when creating trust relationships with Windows NT 4.0 domains.
Note - Because down-level domains cannot participate in Windows 2000 transitive trust environments, you must create one-way trusts for interoperability with down-level Windows NT domains.
You can also implement one-way trust relationships between domains in different Windows 2000 forests. This capability allows you to isolate the trust relationship to the domain where the relationship is created and maintained rather than create a trust relationship that affects the entire forest. These one-way trusts are called explicit trusts.
Transitive Trusts
Transitive trusts establish a trust relationship between two domains that is able to flow through to other domains. If you assume that domain A trusts domain B, and domain B trusts domain C, then domain A inherently trusts domain C and vice versa. Let's look at the Windows 2000 domain example in Figure 3.2.
In this example, kevinkocis.com trusts na.kevinkocis.com, and na.kevinkocis.com trusts il.na.kevinkocis.com. Therefore, kevinkocis.com trusts il.na.kevinkocis.com.
Transitive trusts reduce the administrative overhead traditionally associated with the domain trust maintenance. In Windows 2000, transitive trust relationships between parent and child domains are automatically established whenever new domains are created in the domain tree.
Note - Transitive trusts are limited to Windows 2000 domains and to domains within the same domain tree or forest. You cannot create a transitive trust relationship with Windows NT 4.0 domains or between two Windows 2000 domains from different forests.
Cross-Link Trusts (Shortcut Trusts)
Cross-link trusts (or shortcut trusts, as they are sometimes referred to) can increase authentication performance by establishing one-way transitive trusts between two domains. With cross-link trusts, a virtual link is created within the tree or forest hierarchy, enabling faster trust relationship confirmations.
Cross-link trusts are established between nonadjacent domains that are logically distant from each other in a forest or domain tree. You should implement cross-link trusts only if your network is experiencing heavy authentication traffic along the path between the domains. In Figure 3.3, if users in the bz domain of the tree are continually accessing resources in the il domain in the other branch, the authentication traffic can affect network and authentication performance.
A better approach is to create a cross-link trust between domains bz and il, which enables authentications between the domains to occur without traversing the domain tree back to the root and down the other branch. The result is better performance in terms of authentication and less traffic to domains and DCs not directly involved in the process.
Adding Trusts
Two-way transitive trusts are created by default when additional Windows 2000 domains are added to the tree or forest. In the case of down-level domains, explicit trusts must be created.
To create an explicit domain trust, do the following:
-
Open Active Directory Domains and Trusts.
-
In the console tree, right-click the domain node for the domain you want to administer, and then click Properties.
-
Click the Trusts tab.
-
Depending on your requirements, click either Domains Trusted By This Domain or Domains That Trust This Domain, and then click Add.
-
If the domain to be added is a Windows 2000 domain, type the full DNS name of the domain.
Or, if the domain is running an earlier version of Windows NT, type the domain name.
-
Optionally, you can type and confirm the password for this trust.
-
Repeat this procedure on the domain that forms the other part of the explicit trust relationship.
Note - The password must be accepted in both the trusting and trusted domains. Remember to use the Run As feature to administer a domain to which you are not currently logged on.
Modifying Trusts
Even though trusts are created by default, if your enterprise consists of multiple down-level domains, you may need to modify these trusts. Cross-link trusts may also require verification at certain timed intervals (such as in the event of a down-level domain upgrading to Windows 2000, or the separation of a previous trust collaboration).
To verify a trust, follow these steps:
-
Open Active Directory Domains and Trusts.
-
In the console tree, right-click one of the domains involved in the trust you want to verify, and then click Properties.
-
Click the Trusts tab.
-
In either Domains Trusted By This Domain or Domains That Trust This Domain, click the trust to be verified, and then click Edit.
-
Click Verify/Reset.
To revoke a trust, follow these steps:
-
Open Active Directory Domains and Trusts.
-
In the console tree, right-click one of the domain nodes involved in the trust you want to verify, and then click Properties.
-
Click the Trusts tab.
-
In either Domains Trusted By This Domain or Domains That Trust This Domain, click the trust to be revoked, and then click Remove.
-
Repeat this procedure for the other domain involved in the trust.
Note - You cannot revoke the default two-way transitive trusts between domains in a forest. Only manual trusts can be removed.