This guide is currently under development, and I greatly welcome any suggestions or feedback at reaper.gitbook@gmail.com

Trust Relationships

Trust Fundamentals

Trusts are authentication relationships between domains or forests: the trusting domain accepts authentication performed by the trusted domain's domain controllers, so principals from the trusted domain can be granted access to resources in the trusting domain. A trust only makes foreign principals authenticatable; whether they get access is still decided by the ACL on each resource.

Trust Direction:

  • One-Way Trust: Users in the trusted domain can access resources in the trusting domain, but not the reverse. The same trust is outbound from the trusting domain's point of view and inbound from the trusted domain's

  • Two-Way Trust: Users in each domain can access resources in the other; technically this is two one-way trusts in opposite directions

Trust Transitivity:

  • Transitive: The trust extends along a chain: if A trusts B and B trusts C transitively, A also trusts C

  • Non-Transitive: The trust applies only to the two domains that directly participate in it and is never extended to their other trust partners

Trust Types

Automatic Trusts:

Parent-Child Trust:

  • Created automatically when a child domain is added to a domain tree

  • Two-way transitive trust

  • Enables seamless resource access within the domain tree; SID filtering is not applied on it, so a compromised child domain can reach the forest root (the forest, not the domain, is the security boundary)

Tree-Root Trust:

  • Created automatically between the forest root domain and the root domain of each additional tree in the forest

  • Two-way transitive trust

  • Together with the parent-child trusts, gives every domain in the forest a transitive trust path to every other domain

Manual Trusts:

External Trust:

  • One-way or two-way non-transitive trust

  • Between a domain in one forest and a single domain in another forest (or a Windows NT 4.0 domain); it does not extend to the other domains of either forest

  • Used for specific resource sharing scenarios where a full forest trust is not wanted; SID filter quarantining is enabled on it by default

Forest Trust:

  • One-way or two-way transitive trust created between the root domains of two forests

  • Enables authentication and authorization across every domain of both forests, but is not transitive to a third forest

  • Requires both forests to be at the Windows Server 2003 forest functional level or higher; SID filtering is enabled by default and accepts only SIDs from domains of the trusted forest

Realm Trust:

  • Trust between an Active Directory domain and a non-Windows Kerberos realm (for example MIT Kerberos)

  • Enables Kerberos authentication between the domain and UNIX/Linux systems

  • Can be one-way or two-way, and transitive or non-transitive

Shortcut Trust:

  • Manually created between two domains in the same forest, typically ones whose users authenticate to each other often

  • Creates a direct trust path so Kerberos referrals do not have to travel up to the forest root and back down the other tree

  • Shortens the authentication referral chain and so improves authentication performance
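Every trust a domain holds is stored as a trustedDomain object whose trustType, trustDirection and trustAttributes values encode the type, direction and transitivity described above. The following Python is an added example, not code from the original page: it decodes those three attributes with the bit values MS-ADTS defines and maps them onto the trust types in this section. The trust partners and attribute combinations in SAMPLE_TRUSTS are constructed, and the review() heuristic that flags trusts worth a closer look is an assumption of this example, not a Microsoft rule.

```python
"""Decode the LDAP attributes that define an Active Directory trust (added example)."""
from dataclasses import dataclass

# trustDirection, as seen from the local domain that holds the trustedDomain object
TRUST_DIRECTION_DISABLED = 0
TRUST_DIRECTION_INBOUND = 1        # the partner trusts us: our users can reach its resources
TRUST_DIRECTION_OUTBOUND = 2       # we trust the partner: its users can reach our resources
TRUST_DIRECTION_BIDIRECTIONAL = 3  # two-way

# trustType
TRUST_TYPE_DOWNLEVEL = 1  # Windows NT 4.0 domain
TRUST_TYPE_UPLEVEL = 2    # Active Directory domain
TRUST_TYPE_MIT = 3        # non-Windows Kerberos realm (realm trust)
TRUST_TYPE_DCE = 4        # DCE realm, not seen in practice

# trustAttributes bit flags
NON_TRANSITIVE = 0x0001
UPLEVEL_ONLY = 0x0002
QUARANTINED_DOMAIN = 0x0004   # SID filter quarantining: only the trusted domain's own SIDs pass
FOREST_TRANSITIVE = 0x0008    # forest trust
CROSS_ORGANIZATION = 0x0010   # selective authentication
WITHIN_FOREST = 0x0020        # parent-child, tree-root or shortcut trust
TREAT_AS_EXTERNAL = 0x0040    # forest trust filtered only as an external trust (SID history enabled)
USES_RC4_ENCRYPTION = 0x0080  # trust keys use RC4 rather than AES
CROSS_ORGANIZATION_NO_TGT_DELEGATION = 0x0200
PIM_TRUST = 0x0400

DIRECTION_NAMES = {0: "disabled", 1: "inbound", 2: "outbound", 3: "two-way"}


@dataclass(frozen=True)
class TrustSummary:
    partner: str
    kind: str           # within-forest, forest, external or realm
    direction: str
    transitive: bool
    sid_filtering: str  # quarantine, forest-wide, relaxed or none
    selective_auth: bool
    rc4_only: bool


def classify(trust_partner, trust_type, trust_direction, trust_attributes):
    """Map one trustedDomain object onto the trust types described in the text."""
    attrs = trust_attributes
    if trust_type == TRUST_TYPE_MIT:
        kind = "realm"
    elif attrs & WITHIN_FOREST:
        kind = "within-forest"
    elif attrs & FOREST_TRANSITIVE:
        kind = "forest"
    else:
        kind = "external"  # uplevel or downlevel domain in another forest

    if kind == "realm":
        transitive = not attrs & NON_TRANSITIVE
    else:
        transitive = kind in ("within-forest", "forest")  # external trusts are never transitive

    if attrs & QUARANTINED_DOMAIN:
        sid_filtering = "quarantine"
    elif kind == "forest" and attrs & TREAT_AS_EXTERNAL:
        sid_filtering = "relaxed"
    elif kind == "forest":
        sid_filtering = "forest-wide"
    else:
        sid_filtering = "none"  # default for trusts inside the forest

    return TrustSummary(
        partner=trust_partner,
        kind=kind,
        direction=DIRECTION_NAMES.get(trust_direction, f"unknown({trust_direction})"),
        transitive=transitive,
        sid_filtering=sid_filtering,
        selective_auth=bool(attrs & CROSS_ORGANIZATION),
        rc4_only=bool(attrs & USES_RC4_ENCRYPTION),
    )


# Constructed values, in the shape an LDAP search for (objectClass=trustedDomain) returns them
SAMPLE_TRUSTS = [
    # trustPartner,      trustType,          trustDirection,                trustAttributes
    ("child.corp.local", TRUST_TYPE_UPLEVEL, TRUST_DIRECTION_BIDIRECTIONAL, WITHIN_FOREST),
    ("partner.example",  TRUST_TYPE_UPLEVEL, TRUST_DIRECTION_BIDIRECTIONAL, FOREST_TRANSITIVE),
    ("legacy.example",   TRUST_TYPE_UPLEVEL, TRUST_DIRECTION_OUTBOUND,      NON_TRANSITIVE | QUARANTINED_DOMAIN),
    ("KERB.EXAMPLE",     TRUST_TYPE_MIT,     TRUST_DIRECTION_OUTBOUND,      0),
    ("vendor.example",   TRUST_TYPE_UPLEVEL, TRUST_DIRECTION_OUTBOUND,
     FOREST_TRANSITIVE | CROSS_ORGANIZATION | TREAT_AS_EXTERNAL | USES_RC4_ENCRYPTION),
]


def review(trusts=SAMPLE_TRUSTS):
    """Classify every trust and flag the ones that let foreign principals in with weak controls."""
    summaries = [classify(*t) for t in trusts]
    findings = []
    for s in summaries:
        # Only outbound/two-way trusts to other forests admit foreign users to this domain
        if s.kind in ("forest", "external") and s.direction in ("outbound", "two-way"):
            if s.sid_filtering in ("none", "relaxed"):
                findings.append(f"{s.partner}: SID filtering {s.sid_filtering}, partner SID history is honoured")
            if not s.selective_auth:
                findings.append(f"{s.partner}: no selective authentication, any partner user can authenticate here")
            if s.rc4_only:
                findings.append(f"{s.partner}: trust keys use RC4")
    return summaries, findings


if __name__ == "__main__":
    summaries, findings = review()
    for s in summaries:
        print(f"{s.partner:18} {s.kind:14} {s.direction:8} transitive={s.transitive} "
              f"sid_filtering={s.sid_filtering} selective_auth={s.selective_auth}")
    for f in findings:
        print("!", f)
```

The same three raw values are what Get-ADTrust -Filter * returns as TrustType, Direction and TrustAttributes (alongside decoded booleans such as SIDFilteringQuarantined and SelectiveAuthentication), so the decoder can be pointed at a real export of the trustedDomain objects instead of the constructed list.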

Trust Security Considerations

SID Filtering:

  • Strips SIDs from a trusted domain's authentication data (the PAC, including SID history) that do not belong to the trusted side: only the trusted domain's own SIDs cross an external trust, and only SIDs of domains in the trusted forest cross a forest trust

  • Defeats SID history injection, where an attacker who controls the trusted domain adds a privileged SID of the trusting domain (for example its Domain Admins or Enterprise Admins SID) to a forged ticket

  • Enabled by default on external trusts (SID filter quarantining) and on forest trusts; not applied to parent-child and tree-root trusts inside a forest, which is why the forest, not the domain, is the security boundary

  • Can be switched off by an administrator (netdom trust <trusting domain> /domain:<trusted domain> /quarantine:No, or /enablesidhistory:Yes on a forest trust), so review the trustAttributes of every trustedDomain object rather than assuming the default
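The effect of the three default behaviours above (no filtering inside a forest, quarantining on an external trust, forest-wide filtering on a forest trust) is easiest to see on a concrete ticket. The following Python is an added example, not code from the original page; it models the filtering rules in simplified form, handling only domain-relative SIDs (S-1-5-21-...) and leaving out the extra rules for well-known SIDs. The domain SIDs, the RIDs 1105 and the scenario names are constructed for the demonstration.

```python
"""Simulate SID filtering on the SIDs carried in a ticket that crosses a trust (added example)."""


def split_sid(sid):
    """Split 'S-1-5-21-<a>-<b>-<c>-<RID>' into (domain SID, RID).

    Anything that is not a domain-relative SID returns (None, None).
    """
    if not sid.startswith("S-1-5-21-"):
        return None, None
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def filter_sids(ticket_sids, trusted_domain_sid, trust_kind, trusted_forest_domains=()):
    """Return (kept, dropped) for the SIDs a trusting DC accepts from an inbound ticket.

    trust_kind:
      "within-forest": parent-child / tree-root trust, nothing is filtered by default
      "quarantine":    external trust with SID filter quarantining, only the trusted
                       domain's own SIDs survive
      "forest":        forest trust, only SIDs of domains in the trusted forest survive
    """
    if trust_kind == "within-forest":
        allowed = None
    elif trust_kind == "quarantine":
        allowed = {trusted_domain_sid}
    elif trust_kind == "forest":
        allowed = set(trusted_forest_domains) | {trusted_domain_sid}
    else:
        raise ValueError(f"unknown trust kind {trust_kind!r}")

    kept, dropped = [], []
    for sid in ticket_sids:
        domain, _rid = split_sid(sid)
        if allowed is None or domain in allowed:
            kept.append(sid)
        else:
            dropped.append(sid)
    return kept, dropped


# Constructed domain SIDs
ROOT = "S-1-5-21-1111111111-2222222222-3333333333"           # corp.local, forest root (trusting side)
CHILD = "S-1-5-21-4444444444-5555555555-6666666666"          # child.corp.local, same forest
PARTNER = "S-1-5-21-7777777777-8888888888-9999999999"        # partner.example, root of another forest
PARTNER_CHILD = "S-1-5-21-1010101010-2020202020-3030303030"  # sub.partner.example

ROOT_ENTERPRISE_ADMINS = ROOT + "-519"  # well-known RID 519 in the forest root domain


def injected_sid_survives(trust_kind, attacker_domain, forest_domains=()):
    """An attacker controlling attacker_domain forges a ticket whose SID history carries
    corp.local's Enterprise Admins SID. Does that SID survive filtering in corp.local?"""
    ticket_sids = [attacker_domain + "-1105", ROOT_ENTERPRISE_ADMINS]  # 1105: a group the attacker really has
    kept, _ = filter_sids(ticket_sids, attacker_domain, trust_kind, forest_domains)
    return ROOT_ENTERPRISE_ADMINS in kept


def scenarios():
    """Outcome of the same injection across the three trust kinds discussed above."""
    return {
        "child -> parent, within forest": injected_sid_survives("within-forest", CHILD),
        "external trust, quarantine on": injected_sid_survives("quarantine", PARTNER),
        "forest trust, default filtering": injected_sid_survives("forest", PARTNER, (PARTNER, PARTNER_CHILD)),
    }


if __name__ == "__main__":
    for name, survived in scenarios().items():
        print(f"{name:34} injected Enterprise Admins SID {'KEPT' if survived else 'dropped'}")
```

Only the within-forest case lets the injected SID through, which is the child-to-parent escalation path; on a forest trust a legitimate group from sub.partner.example still passes while a SID from the trusting forest is dropped, and on a quarantined external trust even the partner's child-domain SIDs are dropped.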

Selective Authentication:

  • Replaces the default forest-wide (or domain-wide) authentication, in which any user from the trusted side can authenticate to any computer in the trusting domain

  • Users from the trusted domain or forest must be granted the "Allowed to Authenticate" permission on the specific computer objects they are permitted to reach

  • Available on forest and external trusts; it limits what a compromised trusted domain can touch in the trusting forest, but it does not replace SID filtering

Authentication Policies:

  • Authentication policies and authentication policy silos (Windows Server 2012 R2 and later) control which hosts an account may authenticate from and how long its TGT lives

  • Used to keep privileged accounts off hosts where their credentials could be captured, including hosts reached across a trust

  • Complement the trust-level controls above (SID filtering, selective authentication); they do not change which SIDs or users the trust itself accepts
