Last Updated on January 23, 2015 by Dishan M. Francis
Trusts, simply we can define as a bond between multiple domains, multiple forests. It controls how or what been allowed between domains and forests.
Let’s assume we have a company called Contoso Inc. and its running with domain contoso.com. Company recently merge with another company called XYZ Inc. and its running with domain xyz.com. Management wants to allow their resources to been used by both company users. For ex- A user in contoso.com will required to access a share in xyz.com file server. Company wants to do it with minimum impact or changes. This is where “trusts” comes in to the picture. Using trusts we can control who will be trusted, how it will be and what sort of access users have on resources.
Before we move in to the configurations it is important to understand the concepts of trusts.
Trusting Domain – This will be the domain contains the resources which will need to allow access. As ex- in my domain contoso.com have a file share called “Sales”. I needs to allow sales users from XYZ.com to access it. In here contoso.com act as trusting domain.
Trusted Domain – This will holds the resources which you wish to grant access. As ex- if we take same above example, XYZ.com domain holds the user accounts which will be allow to access resources on contoso.com. So XYZ.com act as trusted domain.
Transitivity – Trust transitivity allows to extend the trust in to child domain level. For example with trust I may need to allow users in child domains of xyz.com also to have access in to contoso.com domain resources. I can do it with trust transitivity.
We can categorize trusts based on the direction it’s applying to.
Two-Way Trust – This also known as bidirectional trust. This is the trust mostly been used among organizations. In here both sides on the trust work as trusting and trusted domains.
One-way Incoming Trust – In here trust is created in trusted domain and trusted domain can access resources in trusting domain only.
One-way Outgoing Trust – In here resources in remote, specified domain can authenticated in initiating domain.
if any questions about the post feel free to contact me on firstname.lastname@example.org