Trusts Active Directory
In Active Directory, trusts are relationships established between domains or forests to allow users, groups, and computers from one domain or forest to access resources in another domain or forest. Trusts facilitate authentication and authorization processes across domain or forest boundaries. There are several types of trusts in Active Directory, each serving different purposes and offering different levels of access:
One-Way Trusts: One-way trusts allow access in one direction only, either from the trusted domain to the trusting domain or vice versa. There are two subtypes of one-way trusts:
Parent-Child Trust: Automatically created when child domains are created in a domain tree. The parent domain trusts child domains but not vice versa.
External Trust: Established manually between domains in different forests or between domains that do not share a contiguous namespace. It allows access from the trusted domain to the trusting domain or vice versa.
Two-Way Trusts: Two-way trusts allow access in both directions between the trusted and trusting domains. Users, groups, and computers in both domains can access resources in the other domain.
Shortcut Trust: A two-way trust established between two domains in different trees of the same forest to improve authentication performance. It allows a direct authentication path between the two domains.
Forest Trust: A two-way trust established between two entire Active Directory forests. It allows trust between all domains in the trusting forest and all domains in the trusted forest.
Transitive Trusts: Transitive trusts extend beyond the two domains that established them, flowing across multiple domains within a forest or across multiple forests in a forest trust. In a transitive trust relationship, if Domain A trusts Domain B and Domain B trusts Domain C, then Domain A trusts Domain C.
Non-Transitive Trusts: Non-transitive trusts do not extend beyond the two domains involved in the trust relationship. They are limited to the specific domains involved and do not flow across other domains or forests.
Selective Authentication: Selective authentication is a feature of forest trusts that allows administrators to specify which users or groups in a trusted forest can access resources in the trusting forest. This provides finer-grained control over access permissions.
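The transitive and non-transitive behaviour described above can be checked mechanically when reviewing a trust inventory. The following is an added example, not part of the original page: a simplified model in which a chain of trusts is followed only while every trust in it is transitive. The domain names, the tuple layout, and the function names are assumptions constructed for illustration.

```python
from collections import deque

# Constructed sample trusts: (trusting domain, trusted domain, transitive, two_way).
# The trusting domain holds the resources; the trusted domain holds the accounts.
SAMPLE_TRUSTS = [
    ("a.example", "b.example", True, False),
    ("b.example", "c.example", True, False),
    ("c.example", "partner.example", False, False),  # non-transitive trust
    ("a.example", "lab.example", True, True),
]

def build_edges(trusts):
    """Map each trusting domain to a set of (trusted domain, transitive) edges."""
    edges = {}
    for trusting, trusted, transitive, two_way in trusts:
        edges.setdefault(trusting, set()).add((trusted, transitive))
        if two_way:  # a two-way trust is one edge in each direction
            edges.setdefault(trusted, set()).add((trusting, transitive))
    return edges

def effective_trusts(domain, trusts):
    """Return {trusted domain: 'direct' | 'implied'} for one trusting domain."""
    edges = build_edges(trusts)
    result = {trusted: "direct" for trusted, _ in edges.get(domain, ())}
    # Follow chains made only of transitive trusts; a non-transitive
    # trust never extends past the two domains that established it.
    seen, queue = {domain}, deque([domain])
    while queue:
        current = queue.popleft()
        for trusted, transitive in edges.get(current, ()):
            if transitive and trusted not in seen:
                seen.add(trusted)
                queue.append(trusted)
                result.setdefault(trusted, "implied")
    return result

def implied_only(domain, trusts):
    """Domains trusted solely through transitivity, with no direct trust."""
    found = effective_trusts(domain, trusts)
    return sorted(d for d, how in found.items() if how == "implied")

if __name__ == "__main__":
    for dom in ("a.example", "b.example", "c.example", "lab.example"):
        print(dom, "->", effective_trusts(dom, SAMPLE_TRUSTS))
```

The `implied` entries are the relationships nobody configured explicitly, which makes them the ones to review first when deciding where selective authentication is needed.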
Overall, trusts in Active Directory are essential for enabling seamless collaboration and resource access across domain and forest boundaries. Understanding the different types of trusts and their characteristics is crucial for designing and managing complex Active Directory environments.