One-Way and Two-Way Trusts
A one-way trust exists when one domain trusts another,
but the reverse is not true, as in Figure 4-13. Domain A trusts Domain B, but Domain B doesn't trust
Domain A. So although Domain B's users can be given access to Domain A's resources, Domain
A's users can't be given access to Domain B's resources. More common is the two-way trust, in
which users from both domains can be given access to resources in the other domain.
Transitive Trusts
A transitive trust is named after the transitive rule of equality in mathematics:
If A=B and B=C, then A=C. When applied to domains, if Domain A trusts Domain B and
Domain B trusts Domain C, then Domain A trusts Domain C. The automatic trust relationships
created among domains in a forest are transitive two-way trusts. These trusts in a forest follow
the domain parent-child relationship in a tree and flow from the forest root domain to form the
trust relationship between trees. Figure 4-14 shows two-way transitive trusts between all
domains in a forest. The trust relationship between branches of the tree (US.coolgadgets.com and
UK.coolgadgets.com) and between trees flows through the forest root domain.
[Figure 4-14: Transitive two-way trusts in a forest. Coolgadgets.com tree: Coolgadgets.com (forest root), US.coolgadgets.com, UK.coolgadgets.com, R&D.US.coolgadgets.com. Niftytools.com tree: Niftytools.com, Asia.niftytools.com, Americas.niftytools.com.]
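The trust path through the forest in Figure 4-14, computed by following parent-child trusts up toward the forest root and back down, as an added example that is not from the original text. The `FOREST` map and the function names are constructed for illustration; the returned list names, in order, every domain the trust relationship passes through.

```python
# Constructed model of the forest in Figure 4-14 (not real AD data).
# Each domain maps to the domain it reaches next on the way to the forest
# root: its parent domain, or the forest root for another tree's root.
# DNS names are case-insensitive, so keys are stored in lowercase.
FOREST = {
    "coolgadgets.com": None,  # forest root
    "us.coolgadgets.com": "coolgadgets.com",
    "uk.coolgadgets.com": "coolgadgets.com",
    "r&d.us.coolgadgets.com": "us.coolgadgets.com",
    "niftytools.com": "coolgadgets.com",  # tree root, trusts the forest root
    "asia.niftytools.com": "niftytools.com",
    "americas.niftytools.com": "niftytools.com",
}


def chain_to_root(domain, forest=FOREST):
    """Return [domain, ..., forest root], following trusts upward."""
    domain = domain.lower()
    if domain not in forest:
        raise KeyError(f"domain not in forest: {domain}")
    chain = []
    while domain is not None:
        if domain in chain:  # malformed map: a domain is its own ancestor
            raise ValueError(f"trust loop at {domain}")
        chain.append(domain)
        domain = forest[domain]
    return chain


def trust_path(source, target, forest=FOREST):
    """Domains crossed, in order, when source's user reaches target."""
    up = chain_to_root(source, forest)
    down = chain_to_root(target, forest)
    # Drop ancestors both chains share above the first common domain.
    while len(up) > 1 and len(down) > 1 and up[-2] == down[-2]:
        up.pop()
        down.pop()
    # up ends at the meeting domain; append the rest of down, reversed.
    return up + down[-2::-1]


def referral_hops(source, target, forest=FOREST):
    """Number of trust links crossed between the two domains."""
    return len(trust_path(source, target, forest)) - 1


if __name__ == "__main__":
    path = trust_path("R&D.US.coolgadgets.com", "Asia.niftytools.com")
    print(" -> ".join(path), f"({len(path) - 1} trust links)")
```
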
The transitive nature of these trust relationships means that R&D.US.coolgadgets.com trusts
Asia.niftytools.com because R&D.US.coolgadgets.com trusts US.coolgadgets.com, which trusts
Coolgadgets.com, which in turn trusts Niftytools.com, which trusts Asia.niftytools.com. Because
the trusts are two-way, the reverse is also true. Unfortunately, for the trust between
R&D.US.coolgadgets.com and Asia.niftytools.com to work, authentication of a user in
R&D.US.coolgadgets.com must be referred to a domain controller in each domain in the path to
Asia.niftytools.com. This authentication referral process can cause substantial delays when a