Join Mike Danseglio for an in-depth discussion in this video, Trusts summary, part of Windows Server 2012 Active Directory: Management and Implementation.
Now that we have talked about the different types of trust that can be configured in your Active Directory environment, let's kind of wrap it all up in a single little nutshell. We actually looked at, if you have a domain where the user accounts reside and a domain where the resources reside, they have names in the environment. The trusted domain has the users, the trusting domain has resources. Or, Tad has the users, Abe has the things. We've talked about what transitive and non-transitive trust relationships are, and we associated that with, if I have a garage and I trust this person over here to use my tools, and I trust this person over here to use my tools, that doesn't mean that this person over here can use that person's tools, and vice versa, because they have to have their trust relationship set up themselves if it's a non-transitive environment.
A transitive environment means I can let John use Adam's tools all the time without having Adam's approval, if it's transitive. We then looked at the different types of trust that are in our environment out there, and we looked at the automatic trust relationships that are created when I create a child domain in my environment, or when I create another tree inside my environment, with parent-child relationships and forest root to tree root relationships. We talked about, and looked at, what a shortcut trust was, to cut down some of the network traffic, and how to go about creating it.
And then we talked about the external, the forest level, and the Kerberos ones. The big things about these, with those trust relationships, were: you need to know admin rights on both ends to create that trust relationship. Or one person would create it, and the other person would then create it, so you had to have had a trust password. Both administrators have to know what that trust password was. And then, before you can create that trust relationship out there, you had to have name resolution. And that's probably, if I were going to do anything before setting up a trust relationship, if I'm not really, really strong in what name resolution is and how to go about configuring name resolution, I'd want to take a look at how DNS works, and how I can resolve the names of those other domains.
These top three, I don't have to worry about that, because in these top three they are all part of the same Active Directory structure, so the DNS inside the Active Directory does the name resolution for me. But for those bottom three, if you don't have name resolution, you're not going to be able to set the trust relationships up at all, even if you know the administrator password or you've already negotiated what the trust password is going to be. Then finally, the biggie about the forest-level trust is that all your domains in both forests have to be a minimum of Windows 2003 domain functional level, and your forests have to have a minimum of forest functional level 2003, to set up those forest-level trusts.
So again, forest-level trusts, trusts in general, allow two domains to access resources between each other's domains.
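
The prerequisites named in the transcript (name resolution for the other side, and 2003 functional levels for a forest-level trust) can be checked before anyone sits down to create the trust. The script below is an added example, not part of the video or the course material; `partner.example` is a hypothetical placeholder for the other forest's DNS name, and the script assumes the ActiveDirectory and DnsClient PowerShell modules are available on the machine it runs on.

```powershell
# Added example: pre-flight check before creating an external or forest trust.
# 'partner.example' is a hypothetical placeholder for the partner forest's DNS name.
param(
    [string]$PartnerForest = 'partner.example'
)
Import-Module ActiveDirectory -ErrorAction Stop

$results = @()

# 1. Name resolution: can this side locate the partner's domain controllers?
#    Domain controllers register this SRV record in the forest's DNS zone.
$srv = "_ldap._tcp.dc._msdcs.$PartnerForest"
try {
    $dcs = Resolve-DnsName -Name $srv -Type SRV -ErrorAction Stop |
           Where-Object { $_.NameTarget }          # keep only the SRV answers
    $results += [pscustomobject]@{
        Check  = "DNS SRV $srv"
        Pass   = [bool]$dcs
        Detail = ($dcs.NameTarget -join ', ')
    }
} catch {
    $results += [pscustomobject]@{
        Check = "DNS SRV $srv"; Pass = $false; Detail = $_.Exception.Message
    }
}

# 2. Forest functional level of the local forest (2003 minimum, per the transcript).
$forest = Get-ADForest
$results += [pscustomobject]@{
    Check  = "Forest level of $($forest.Name)"
    Pass   = ($forest.ForestMode -ge 'Windows2003Forest')
    Detail = "$($forest.ForestMode)"
}

# 3. Domain functional level of every domain in the local forest.
foreach ($name in $forest.Domains) {
    $domain = Get-ADDomain -Identity $name -Server $name
    $results += [pscustomobject]@{
        Check  = "Domain level of $name"
        Pass   = ($domain.DomainMode -ge 'Windows2003Domain')
        Detail = "$($domain.DomainMode)"
    }
}

$results | Format-Table -AutoSize
```

Run it once in each forest with the other forest's name as `-PartnerForest`, since both sides must resolve each other and both must meet the functional-level minimum.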