Trust Relationships within Active Directory Directory Services

Marie Parker
Published in Tech Jobs Academy
Sep 9, 2016

During the first days of computer use in offices, multiple users accessed the same computer using their own user accounts. This changed with the invention of the personal computer. Only one person was expected to use each computer, eliminating the need for user accounts.

Once it became more common to connect multiple computers in an office to a network, it became necessary to create user accounts, to administer file, print, email, and other services using servers, and to regulate access to shared resources.

What is Active Directory?

In any business or educational setting, computers connect to a network and access shared file, print, and other services with their own user accounts. The users’ individual permissions levels depend on their roles within the company. For example, a university student would not have the same ability to access, delete, edit, or even see certain files over which the school’s systems administrator would have full control. To create and maintain authentication policies, a systems administrator uses Active Directory.

Basic Active Directory Structure

The smallest unit in the AD system is called an organizational unit. OUs are containers for users, groups, and computers, and they exist within a domain. A domain is a logical group of computers within a boundary that share the same set of rules for access and administration. Domains are located within trees. A tree is a collection of domains arranged hierarchically within the same namespace. The root domain is exactly what it sounds like: the root of the tree.

Directly underneath the root, there can be a child domain (or subdomain). Child domains can also have child domains of their own.
Conceptual diagrams of forest structure within Active Directory depict an upside-down tree, with the root placed at the top.

(Diagram source: https://www.microsoft.com/mspress/books/sampchap/3173.aspx)

By default, child objects inherit the permissions of their parent objects (though the sysadmin can change that). Parent and child objects share common trusts, which Microsoft TechNet defines as “authentication pipelines that must be present in order for users in one domain to access resources in another domain.”

In some cases, more than one namespace is administered by the same person or people. This happens most often after a business merger. If it is advantageous to the organization, the namespaces can be connected through a forest root domain, and the connected group of namespaces is then referred to as a forest.

What are the different kinds of trusts?

Transitivity and Direction

All trusts are either one-way or two-way, and either transitive or non-transitive.

In a two-way trust, the trust extends mutually between the two domains. A one-way trust is extended only from one domain to another.

A transitive trust is a trust that is extended not only to a child object, but also to each object that the child trusts. (In contrast, a non-transitive trust extends only to one object.)

Default Trusts

Active Directory automatically creates two types of two-way, transitive trusts when new objects are joined to a domain. When a new child domain is created, AD applies a parent-child trust. When a new tree is added to a domain, AD applies a tree-root trust.

Other Trusts

Sometimes it is necessary to set up additional trust relationships manually. For instance, to access an object in one forest from an object in a different forest, it is by default usually necessary to obtain permissions from the parent object first, then walk up the hierarchy to the forest root, across the forest trust, and down the tree to the destination object. This process can take too long. In that case it is helpful to create a shortcut trust, which circumvents the forest-domain hierarchy and gives one object direct access to an object in a different tree.

External trusts are non-transitive trusts between two domains in different forests.

Forest trusts are manually created transitive trusts between one entire forest and another.

Another trust that can be set up manually is a realm trust. This is useful for communication between Microsoft-based networks and non-Microsoft networks. For instance, in the event that one company annexes another company with a different OS setup, a realm trust can be created at the root level to enable access between the two sites.
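The following is an added example, not code from the original article, that puts the two sections above (Transitivity and Direction, and the trust types just listed) into a small model. Each trust is recorded from the trusting domain to the trusted domain, so access runs the other way: accounts in the trusted domain can authenticate to resources in the trusting domain. The model applies three rules that the article states in prose: a direct trust always grants access, a chain of hops is only valid when every hop is transitive, and a forest trust is transitive across the two forests it joins but does not chain into a third forest. All domain names and the topology (one forest with two trees, two further forests, one external trust, one realm trust) are constructed for the demo; the `TrustGraph` class and its methods are assumptions of this example, not an AD API.

```python
"""Toy model of Active Directory trust relationships.

Added example, not code from the original article. A trust is recorded from the
trusting domain (the side whose resources are shared) to the trusted domain
(the side whose accounts are accepted), so access flows in the opposite
direction to the trust itself. All domain names below are constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Trust:
    trusting: str     # domain that extends the trust (resource side)
    trusted: str      # domain whose accounts are accepted (account side)
    kind: str         # parent-child, tree-root, shortcut, forest, external, realm
    transitive: bool  # may this trust be chained with other transitive trusts?


class TrustGraph:
    def __init__(self):
        # trusted domain -> trusts in which that domain is the trusted side
        self._by_trusted = defaultdict(list)

    def add(self, trusting, trusted, kind, transitive=True, two_way=True):
        self._by_trusted[trusted].append(Trust(trusting, trusted, kind, transitive))
        if two_way:  # a two-way trust is simply a trust in each direction
            self._by_trusted[trusting].append(Trust(trusted, trusting, kind, transitive))

    def resource_domains(self, account_domain):
        """Map each domain whose resources account_domain's users can reach to the
        shortest trust chain that gets them there (breadth-first search).

        Rules of this model:
          * a direct trust grants access whether or not it is transitive;
          * a chain of two or more hops is valid only if every hop is transitive;
          * a forest trust is transitive across the two forests it joins, but no
            path crosses two forest trusts (forest trusts do not chain).
        """
        reached = {}
        # queue entries: (domain reached, chain so far, crossed a forest trust yet?)
        queue = deque([(account_domain, [account_domain], False)])
        seen = {(account_domain, False)}
        while queue:
            here, chain, crossed_forest = queue.popleft()
            for t in self._by_trusted[here]:
                if len(chain) > 1 and not t.transitive:
                    continue  # a non-transitive trust can only ever be the first hop
                if t.kind == "forest" and crossed_forest:
                    continue  # a second forest trust on the same path is not allowed
                if t.trusting == account_domain:
                    continue  # back where we started
                new_chain = chain + [t.trusting]
                reached.setdefault(t.trusting, new_chain)  # first hit is the shortest
                state = (t.trusting, crossed_forest or t.kind == "forest")
                if t.transitive and state not in seen:  # only transitive hops extend
                    seen.add(state)
                    queue.append((t.trusting, new_chain, state[1]))
        return reached


def build_demo_graph():
    """Constructed topology: one forest with two trees, two more forests, an
    external trust and a realm trust. Names are made up for this example."""
    g = TrustGraph()
    # Forest 1, tree corp.example: default two-way transitive parent-child trusts
    g.add("corp.example", "eu.corp.example", "parent-child")
    g.add("eu.corp.example", "de.eu.corp.example", "parent-child")
    # Forest 1, second tree labs.example: default two-way transitive tree-root trust
    g.add("corp.example", "labs.example", "tree-root")
    # Shortcut trust so de.eu and labs need not authenticate via the forest root
    g.add("de.eu.corp.example", "labs.example", "shortcut")
    # Forest trusts: forest 1 <-> forest 2, and forest 2 <-> forest 3
    g.add("corp.example", "partner.example", "forest")
    g.add("partner.example", "vendor.example", "forest")
    # External trust: one-way and non-transitive; eu.corp.example trusts legacy.example
    g.add("eu.corp.example", "legacy.example", "external", transitive=False, two_way=False)
    # Realm trust: one-way and non-transitive; corp.example trusts a non-Windows Kerberos realm
    g.add("corp.example", "MIT.EXAMPLE", "realm", transitive=False, two_way=False)
    return g


if __name__ == "__main__":
    graph = build_demo_graph()
    for account_domain in ("de.eu.corp.example", "partner.example", "vendor.example",
                           "legacy.example", "MIT.EXAMPLE"):
        print(f"accounts in {account_domain} can reach resources in:")
        for resource, chain in sorted(graph.resource_domains(account_domain).items()):
            print(f"  {resource:22} via {' -> '.join(chain)}")
```

Running the block shows the points the article makes: accounts in de.eu.corp.example reach labs.example in one hop through the shortcut trust instead of walking up to corp.example and back down; accounts in legacy.example reach only eu.corp.example, because the external trust is one-way and non-transitive; accounts in partner.example reach every domain in the first forest through the forest trust, but accounts in vendor.example reach only partner.example, because forest trusts do not chain. For a review of a real environment, the same classification (direction, transitivity, forest or external, realm) is what an administrator reads off each configured trust before deciding whether it is still needed.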

Conclusion

This essay has outlined Active Directory’s basic structure and defined different trust relationships. There is a more thorough video explanation of trust relationships at https://www.youtube.com/watch?v=4M9W33QkCMQ.
