Saturday, September 17, 2011

Domain and Forest Trusts


Domain and Forest Trusts:

A trust is a relationship that allows users in one domain to be authenticated by, and use resources in, another domain.
The trust types are: External, Forest, Realm and Shortcut.
All trust types can be created as one-way or two-way.
Forest trusts and shortcut trusts are transitive, external trusts are nontransitive, and realm trusts can be either transitive or nontransitive.
Trust transitivity allows the trust relationship to be extended beyond the two domains between which the trust was created.
In a Windows Server 2008/2008 R2 environment, whenever a child domain is created in a forest, a two-way transitive trust with the parent domain is created by default.
A two-way trust means that users in domain A can access resources in domain B, and users in domain B can also access resources in domain A.
A one-way trust means that, in a trust between domain A and domain B, users in domain A can access resources in domain B, but users in domain B cannot access resources in domain A.

Forest Trust:
A forest trust is created between the root domains of two different forests.
Before creating a forest trust you must ensure that DNS is set up properly. You can verify DNS with nslookup; for more information read this article: http://go.microsoft.com/fwlink/?LinkId=92715
You can configure DNS conditional forwarders in each DNS namespace, or create a secondary DNS zone, to route queries for names in the other namespace.

External Trust:
An external trust is created when you need to access resources located in a separate forest, or when users need access to resources in a Windows NT 4.0 domain.

Shortcut trust:
It is used when you want to optimize the authentication process. Authentication requests must otherwise pass through the domain trees, and in some complex forests it may take time for users to be authenticated. A shortcut trust is needed when users in one domain always need resources in a specific domain located in another forest.

How to create a two-way forest trust:
Click Start > Administrative Tools > Active Directory Domains and Trusts.
Right-click the domain node for the domain that you want to establish a trust with, and then click Properties.
Choose the Trusts tab, click New Trust, and then click Next.

Type the DNS or NetBIOS name of the domain, then click Next.

Choose Forest trust, then click Next.

Choose Two-way, then click Next.

Choose Both this domain and the specified domain, then click Next.
This option creates both sides of the trust in a single run of the New Trust Wizard; the administrator running the wizard must have the appropriate administrative credentials for each domain in the trust relationship.
The option "This domain only" is used when you want to create each side of the trust separately.



Now type the user name and password of the appropriate administrator in the specified domain.

On the Outgoing Trust Authentication Level--Local Forest page, choose Forest-wide authentication.

Again, choose Forest-wide authentication.

On the Trust Selections Complete page, review the results, and then click Next.

On the Trust Creation Complete page, review the results, and then click Next.

On the Confirm Outgoing Trust page, click Yes, confirm the outgoing trust and type administrative credentials from the specified domain.

On the Confirm Incoming Trust page, click Yes, confirm the incoming trust and type administrative credentials from the specified domain.

The trust relationship is now created; click Finish.

How to configure a firewall for domains and trusts:
For Windows Server 2008/Windows Server 2008 R2

Client port(s)                  Server port               Service
49152-65535/UDP                 123/UDP                   W32Time
49152-65535/TCP                 135/TCP                   RPC-EPMAP
49152-65535/TCP                 138/UDP                   NetBIOS
49152-65535/TCP                 49152-65535/TCP           RPC
49152-65535/TCP/UDP             389/TCP/UDP               LDAP
49152-65535/TCP                 636/TCP                   LDAP SSL
49152-65535/TCP                 3268/TCP                  LDAP GC
49152-65535/TCP                 3269/TCP                  LDAP GC SSL
53, 49152-65535/TCP/UDP         53/TCP/UDP                DNS
49152-65535/TCP                 135, 49152-65535/TCP      RPC DNS
49152-65535/TCP/UDP             88/TCP/UDP                Kerberos
49152-65535/TCP/UDP             445/NP-TCP/NP-UDP         SAM/LSA
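As an added example, not from the original post, the following PowerShell script lists the trusts of the current domain (direction, transitivity, whether forest-wide or selective authentication applies, SID filtering) so you can verify what the wizard above created, and then checks that the trusted side answers on the TCP server ports from the table. It assumes the ActiveDirectory module from RSAT is installed and that each trust's target name resolves to a domain controller; the TcpClient probe and the port list are this example's own.

```powershell
# Added example, not part of the original post: list the trusts this domain has
# and probe the trusted side on the TCP server ports from the firewall table.
# Assumes the ActiveDirectory module (RSAT, Server 2008 R2) is available and that
# the trust's target name resolves to a domain controller on the other side.
Import-Module ActiveDirectory

# TCP server ports from the table above; the UDP-only rows (123, 138) are not probed
$TrustPorts = @{
    'RPC-EPMAP' = 135; 'LDAP' = 389; 'LDAP SSL' = 636; 'LDAP GC' = 3268
    'LDAP GC SSL' = 3269; 'DNS' = 53; 'Kerberos' = 88; 'SAM/LSA' = 445
}

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if ($async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            $client.EndConnect($async)   # throws if the connection was refused
            return $true
        }
        return $false                    # no answer within the timeout: filtered/blocked
    } catch { return $false } finally { $client.Close() }
}

function Get-TrustAudit {
    foreach ($t in Get-ADTrust -Filter *) {
        New-Object PSObject -Property @{
            Target           = $t.Target
            Direction        = $t.Direction            # Inbound, Outbound or BiDirectional
            ForestTransitive = $t.ForestTransitive     # $true for a forest trust
            IntraForest      = $t.IntraForest          # parent/child trusts made automatically
            # Forest-wide authentication (the wizard choice above) shows as $false here
            SelectiveAuth    = $t.SelectiveAuthentication
            SidFiltering     = $t.SIDFilteringQuarantined
        }
    }
}

foreach ($trust in Get-TrustAudit) {
    $trust | Format-List Target, Direction, ForestTransitive, IntraForest, SelectiveAuth, SidFiltering
    foreach ($svc in ($TrustPorts.Keys | Sort-Object)) {
        $state = if (Test-TcpPort $trust.Target $TrustPorts[$svc]) { 'open' } else { 'blocked' }
        '{0,-12} {1,5}/TCP  {2}' -f $svc, $TrustPorts[$svc], $state
    }
}
```

Run it from a domain controller or a member server with RSAT as a user who can read the trustedDomain objects; a "blocked" result for a port in the table points at a firewall rule that still needs to be opened.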

For more information about Domains and Trust: http://technet.microsoft.com/en-us/library/cc736526(WS.10).aspx
