Configuring Active Directory Trusts
Active Directory trusts were described in Chapter 4. This chapter discusses trust configuration,
trust administration, and trust authentication options. Recall that all domains in a forest trust
one another automatically through two-way transitive trusts, which you can't remove. In review,
here are the types of trusts you can configure:
• Shortcut trust
• Forest trust
• External trust
• Realm trust
One important requirement before creating any trust is that DNS must be configured so that
FQDNs of DCs in all participating domains can be resolved. DNS configuration might require
Active Directory-integrated forest-wide replication of zones, conditional forwarders, or stub
zones, depending on the type of trust being created and the OSs involved. Before you attempt to
create a trust, use Nslookup or a similar tool to confirm that the FQDNs of both domains can be
resolved from both domains.
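The DNS check described above can be scripted with Resolve-DnsName in place of Nslookup. This PowerShell is an added example, not part of the original text; the domain names and resolver addresses are constructed placeholders, and querying the DC locator SRV record (_ldap._tcp.dc._msdcs.<domain>) goes one step beyond plain name resolution.

```powershell
# Added example, not from the original text. Domain names and resolver
# addresses are constructed placeholders; substitute your own.
$Domains = @(
    @{ Name = 'domaina.example.com'; Resolver = '192.0.2.10' },
    @{ Name = 'domainf.example.com'; Resolver = '192.0.2.20' }
)

function New-CheckResult($Resolver, $Target, $DC, $Resolved, $Detail) {
    [pscustomobject]@{ Resolver = $Resolver; Target = $Target; DC = $DC
                       Resolved = $Resolved; Detail = $Detail }
}

function Test-TrustDnsResolution {
    param(
        [Parameter(Mandatory)] [string] $TargetDomain,  # domain whose DCs must be located
        [Parameter(Mandatory)] [string] $Resolver       # DNS server the querying side uses
    )
    # DC locator SRV record that clients use to find domain controllers
    $srvName = "_ldap._tcp.dc._msdcs.$TargetDomain"
    try {
        $srv = @(Resolve-DnsName -Name $srvName -Type SRV -Server $Resolver -DnsOnly -ErrorAction Stop |
                 Where-Object { $_.Type -eq 'SRV' })
    } catch {
        return New-CheckResult $Resolver $TargetDomain $null $false "SRV lookup failed: $($_.Exception.Message)"
    }
    if ($srv.Count -eq 0) {
        return New-CheckResult $Resolver $TargetDomain $null $false 'No SRV records returned'
    }
    # Each DC named in an SRV record must also resolve to an A (IPv4) address
    foreach ($rec in $srv) {
        try {
            $a = @(Resolve-DnsName -Name $rec.NameTarget -Type A -Server $Resolver -DnsOnly -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'A' })
            New-CheckResult $Resolver $TargetDomain $rec.NameTarget ($a.Count -gt 0) ($a.IPAddress -join ', ')
        } catch {
            New-CheckResult $Resolver $TargetDomain $rec.NameTarget $false "A lookup failed: $($_.Exception.Message)"
        }
    }
}

# Resolve both domains from both sides, as the prerequisite requires
$results = foreach ($from in $Domains) {
    foreach ($to in $Domains) {
        Test-TrustDnsResolution -TargetDomain $to.Name -Resolver $from.Resolver
    }
}
$results | Format-Table -AutoSize
if ($results.Resolved -contains $false) {
    Write-Warning 'DNS resolution is incomplete; fix forwarders, stub zones or zone replication before creating the trust.'
}
```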
Configuring Shortcut Trusts
A shortcut trust is a one-way or two-way transitive trust between two domains in the same forest
or two domains in trusting forests. Although all domains in a forest trust each other through
transitivity, a shortcut trust shortens or eliminates the path through domains that authentication
requests must travel. For example, a user who's a member of DomainA attempts to access
resources in DomainF. Assuming Domains B, C, D, and E lie in the trust path between DomainA
and DomainF, the authorization for resource access must traverse these four domains to be
validated. This process can cause delays or, if no domain controller is available in a domain along
the path, the access attempt could fail. A shortcut trust eliminates the full trust path by creating
a direct trust between DomainA and DomainF.
If you're creating a shortcut trust between domains in different forests, a forest trust between
the two forests must exist. To create a shortcut trust between domains in the same forest, open
Active Directory Domains and Trusts, and then open the Properties dialog box of the domain
node. Follow these steps:
1. In the Trusts tab, click the New Trust button to start the New Trust Wizard, and click Next.
2. In the Trust Name window, type the DNS name of the target domain (see Figure 10-6), and
then click Next.
Figure 10-6 Entering the target domain for the trust
 