Trusts in Active Directory: An overview

What you will learn from this article:

An Active Directory network may contain several domains arranged in a hierarchy. The resources of one domain are not automatically available to every other domain; which resources can be shared across domains is governed by Active Directory trusts. In this article, we will take a look at what trusts are in Active Directory, how they are categorized, and the different types of trusts that can be established.

Active Directory trusts

Active Directory trusts are communication bridges established between one domain and another domain in the Active Directory (AD) network. When one domain trusts another domain in an AD network, resources from the trusted domain can be shared with the trusting domain. Thus, AD trusts are also a way for a user in the network to gain access to resources from other domains.

AD trust types

There are two ways of classifying AD trusts. They are as follows:

  1. Based on their characteristics
  2. Based on their direction

Based on their characteristics, AD trusts are classified into two categories:

  • Transitive trusts
  • Non-transitive trusts

Transitive trusts

Transitive trusts are trusts that can extend beyond the two domains that the trust connects. When a domain has a transitive trust with another domain, it also trusts, and can communicate with, the other domains that the trusted domain has established trusts with.

Non-transitive trusts

Non-transitive trusts do not extend beyond the two domains that the trust connects. So, when a domain trusts another domain through a non-transitive trust, it cannot communicate with the other domains that the trusted domain has trusts with.

To understand transitive and non-transitive trusts better, consider three domains A, B, and C in two cases. In the first case, domain A trusts domain B, and domain B has a transitive trust with domain C. Therefore, domain A will automatically trust domain C thanks to its trust in domain B. In the second case, domain A trusts domain B, and domain B has a non-transitive trust with domain C. In this case, even though domain A has an indirect link to domain C through domain B, domain A does not trust domain C because the trust is non-transitive.

Based on their direction, AD trusts are classified into two categories:

  • One-way trusts
  • Two-way trusts

One-way trusts

In a one-way trust, when a domain trusts another domain, that trust is not reciprocated. Hence, the trust flows in only one direction.

Two-way trusts

In a two-way trust, when one domain trusts another domain, the trust also holds in the other direction. So, both domains can access the resources of the other.

To understand one-way and two-way trusts better, consider two domains, A and B. If domain A has a one-way trust with domain B, then domain A trusts domain B and can access resources from domain B. However, domain B does not trust domain A and cannot access resources from domain A. Now, if domain A has a two-way trust with domain B, it automatically means that domain B also trusts domain A, and both these domains can share resources between themselves.

With these two bases for categorizing trusts, there are six trust types in AD, which are as follows:

  • Parent-child trust
  • Tree-root trust
  • Forest trust
  • Shortcut trust
  • External trust
  • Realm trust

Parent-child trust

A parent-child trust is a two-way transitive trust. A parent-child trust is automatically established when a child domain is added to a parent domain. When new child domains are added, the trust path flows upward through the domain hierarchy.

Tree-root trust

Tree-root trusts are also two-way transitive trusts, similar to parent-child trusts. When a new domain tree is created within a forest, a tree-root trust is automatically created between the new domain tree and all existing domain trees. For example, suppose domain A is an existing domain with child domains B and C within a forest X. When a new domain D with child domains E and F is created in the same forest X, domains D, E, and F will automatically be trusted by domains A, B, and C.

Forest trust

Forest trusts are transitive, and they can either be one-way or two-way trusts. Forest trusts are ones that occur between forests, and these trusts are manually created. When one forest trusts another forest, all the domains within the two forests will automatically trust each other.

Shortcut trust

Shortcut trusts are one-way transitive trusts. These trusts are created manually, when one domain needs to trust another domain while bypassing the hierarchy of trusts such as parent-child trusts or tree-root trusts. A shortcut trust is usually established to shorten what is called a trust path. A trust path is the chain of trusts that an authentication request must traverse when two domains do not directly trust each other. A shortcut trust replaces that chain with a direct trust, making the authentication process between the two domains simpler.
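The following Python model is an added example, not code from the article: it encodes trusts as directed edges, computes the trust path between two domains, and replays the article's domain A/B/C transitive versus non-transitive cases, the one-way versus two-way case, and the shortening of a trust path by a shortcut trust. All domain names and trust records are constructed for illustration, and the edge direction follows the article's wording ("A trusts B" is drawn as A -> B).

```python
from collections import deque

# Constructed trust records for this example, not taken from the article:
# (trusting_domain, trusted_domain, transitive, two_way). Following the
# article's wording, "A trusts B" is the edge A -> B; two-way adds B -> A.

def build_graph(trusts):
    """Expand trust records into directed edges {domain: {neighbor: transitive}}."""
    graph = {}
    for trusting, trusted, transitive, two_way in trusts:
        graph.setdefault(trusting, {})[trusted] = transitive
        graph.setdefault(trusted, {})
        if two_way:
            graph[trusted][trusting] = transitive
    return graph

def trust_path(graph, source, target):
    """Shortest chain of trusts from source to target, or None if there is none."""
    if target in graph.get(source, {}):  # a direct trust works even if non-transitive
        return [source, target]
    queue, seen = deque([[source]]), {source}
    while queue:
        path = queue.popleft()
        for nxt, transitive in graph.get(path[-1], {}).items():
            if not transitive or nxt in seen:  # only transitive trusts chain further
                continue
            if nxt == target:
                return path + [nxt]
            seen.add(nxt)
            queue.append(path + [nxt])
    return None

def article_scenarios():
    """Replay the article's A/B/C and one-way/two-way cases, then a shortcut trust."""
    r = {}
    # Case 1: A trusts B and B has a transitive trust with C, so A reaches C.
    g = build_graph([("A", "B", True, False), ("B", "C", True, False)])
    r["transitive"] = trust_path(g, "A", "C")
    # Case 2: B's trust with C is non-transitive, so A does not reach C.
    g = build_graph([("A", "B", True, False), ("B", "C", False, False)])
    r["non_transitive"] = trust_path(g, "A", "C")
    # One-way: A trusts B but B does not trust A. Two-way: both directions exist.
    g1, g2 = build_graph([("A", "B", True, False)]), build_graph([("A", "B", True, True)])
    r["one_way"] = (trust_path(g1, "A", "B"), trust_path(g1, "B", "A"))
    r["two_way"] = (trust_path(g2, "A", "B"), trust_path(g2, "B", "A"))
    # Shortcut: tree roots A and D with children B and E; B reaches E through the
    # hierarchy until a direct one-way shortcut trust B -> E replaces that path.
    forest = [("A", "B", True, True), ("A", "D", True, True), ("D", "E", True, True)]
    r["hierarchy"] = trust_path(build_graph(forest), "B", "E")
    r["shortcut"] = trust_path(build_graph(forest + [("B", "E", True, False)]), "B", "E")
    return r
```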

External trust

An external trust is a one-way non-transitive trust. These trusts are manually established. An external trust is established with an external domain outside the forest of the trusting domain.

Realm trust

A realm trust is a trust between a domain or forest and another domain or forest that is not based on Windows Active Directory. Realm trusts allow for cross-platform communication between domains. This trust is one-way by default. To create a two-way trust, a trust must also be created in the other direction.
