An Active Directory network may contain several domains arranged in a hierarchy. The resources of one domain are not directly available to every other domain. A trust in Active Directory is a secured authentication relationship between domains or forests. A trust lets you grant users, groups, and computers access to resources across different domains.
When one domain trusts another domain in an AD network, a resource from the trusted domain can be shared with the trusting domain. Thus, AD trusts are also a way for a user in the network to gain access to resources from other domains.
AD Trust types
- Transitive Trust
- Non-Transitive trust
A transitive trust extends beyond the two domains that directly share it. The most common one is the two-way trust that Active Directory automatically creates between parent and child domains in a forest: when a child domain is created, it shares resources with its parent domain by default, so an authenticated user can access resources in both the child and the parent.
For example, if domain A (a.com) trusts domain B (b.com) and domain B has a transitive trust with domain C (c.com), then domain A automatically trusts domain C.
With a non-transitive trust, suppose domain A trusts domain B and domain B has a non-transitive trust with domain C. Even though domain A has an indirect link to domain C through domain B, domain A does not trust domain C, because the trust is non-transitive.
By direction, Active Directory trusts are classified into two categories; they are as follows –
- One-way Trust
- Two-way Trust
In a one-way trust, when a domain trusts another domain, the trust does not apply vice versa; the trust flows only one way.
For example, if domain A has a one-way trust with domain B, then domain A trusts domain B and can access a resource from domain B. However, domain B does not trust domain A and cannot access a resource from domain A.
In a two-way trust, when one domain trusts another, the trust also holds in the other direction, so each domain can access the other's resources.
For example, if domain A has a two-way trust with domain B, domain B also trusts domain A, and the two domains can share resources with each other.
The following types of trust exist in Active Directory –
- Parent-child Trust.
- Tree-Root Trust.
- Forest Trust.
- Shortcut Trust.
- Realm Trust.
- External Trust.
A parent-child trust is established implicitly: it is a two-way transitive trust created automatically when a child domain is added under a parent domain. As each new child domain is added, the trust path flows upward through the domain hierarchy.
A tree-root trust is also a two-way transitive trust, similar to a parent-child trust. When a new domain tree is created within a forest, a tree-root trust is automatically created between the new domain tree and the existing domain trees.
Forest trusts are transitive trusts, and they can be either one-way or two-way. A forest trust is created explicitly between the root domains of two forests. Forest trusts are manually created, one-way or two-way transitive trusts that let you provide access to resources across multiple forests. They require DNS name resolution to be established between the forests.
A forest trust is not extended to a third forest. For example, if Forest1.com trusts Forest2.com and another forest trust is created between Forest2.com and Forest3.com, Forest1.com has no implied trust with Forest3.com. If such a trust is required, it must be created manually.
Shortcut trusts are manually created, one-way, transitive trusts that can only exist within a forest. They are created to optimize the authentication process by shortening the trust path: one domain trusts another directly, bypassing the hierarchy of parent-child and tree-root trusts.
An external trust is a one-way, non-transitive trust. These trusts are established manually, with a domain outside the forest of the trusting domain.
A realm trust is a trust between a domain or forest and another domain or realm that is not based on Windows Active Directory. A realm trust can be established to provide resource access and cross-platform interoperability between an AD DS domain and a non-Windows Kerberos v5 realm.
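To make the direction and transitivity rules above concrete, here is an added Python model (not from the original post) that resolves whether one domain trusts another across a constructed set of trusts; the domain names and trust types in EXAMPLE_TRUSTS, and the rule that a path crosses at most one forest trust, are assumptions of this example. Run over an exported list of an estate's trusts, it shows which trust paths exist and which of them a shortcut, forest or external trust opens up.

```python
"""Model of the AD trust rules described above: direction, transitivity per
trust type, and forest trusts that do not chain. Added example, not from
the original post; every domain named below is constructed."""
from collections import deque, namedtuple
# Transitivity of each trust type, as described in the text.
TRANSITIVE = {"parent-child": True, "tree-root": True, "shortcut": True,
              "forest": True, "external": False, "realm": False}
# trusting: the domain that trusts; trusted: the domain it trusts.
Trust = namedtuple("Trust", "trusting trusted kind two_way", defaults=(False,))
# Constructed estate: forest corp.example, a forest trust to partner.example,
# which in turn has a forest trust to third.example and an external trust.
EXAMPLE_TRUSTS = [
    Trust("corp.example", "eu.corp.example", "parent-child", True),
    Trust("corp.example", "us.corp.example", "parent-child", True),
    Trust("us.corp.example", "eu.corp.example", "shortcut"),
    Trust("corp.example", "partner.example", "forest", True),
    Trust("partner.example", "third.example", "forest", True),
    Trust("partner.example", "legacy.example", "external"),
]

def trust_edges(trusts):
    """Directed 'X trusts Y' edges; a two-way trust adds the reverse edge too."""
    edges = {}
    for t in trusts:
        edges.setdefault(t.trusting, []).append((t.trusted, t.kind))
        if t.two_way:
            edges.setdefault(t.trusted, []).append((t.trusting, t.kind))
    return edges

def trust_path(trusts, source, target):
    """Shortest domain chain through which `source` trusts `target`, or None.
    A non-transitive trust can only be the whole path; transitive trusts chain,
    but at most one forest trust is crossed (no implied trust with a third forest)."""
    edges = trust_edges(trusts)
    start = (source, 0, False)  # (domain, forest trusts crossed, dead end)
    queue, paths = deque([start]), {start: [source]}
    while queue:
        state = queue.popleft()
        dom, crossed, dead_end = state
        if dom == target:
            return paths[state]
        for nxt, kind in ([] if dead_end else edges.get(dom, [])):
            hops = crossed + (kind == "forest")
            if hops > 1 or (not TRANSITIVE[kind] and len(paths[state]) > 1):
                continue  # would chain a forest trust or a non-transitive one
            nxt_state = (nxt, hops, not TRANSITIVE[kind])
            if nxt_state not in paths:
                paths[nxt_state] = paths[state] + [nxt]
                queue.append(nxt_state)
    return None
```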
In this blog, we covered the types of trust in Active Directory. I hope this blog is helpful for you. If you have any doubts after reading it, please feel free to contact us at +91 9773973971 or get in touch with us by mail.
Linux and Server Administrator