3.1 Defining trust relationships

Trust relationships define an administrative and security link between two Windows domains or forests. They enable a user to access resources that are located in a domain or forest that is different from the user s definition domain or forest. The creation of a trust between domains or forests does not automatically grant users access to resources in the trusting domains or forests: The domain or forest administrator still has to assign access rights to the users for the appropriate resources.

In the context of a Windows domain or forest, a trust basically means that one domain trusts the authentication authorities of another domain, or, in other words, it creates cross-domain visibility and usability of security principals. When security authority A has authenticated a user, Joe, and security authority B trusts security authority A (as illustrated in Figure 3.1), B will not start another authentication process in order to verify user Joe s identity. In Windows domain speak, the fact that a domain controller (DC) in domain A has authenticated user Joe and the existence of a trust between domains A and B are enough for the DCs in domain B to trust user Joe s identity.

Figure 3.1: Security authorities and trust relationships.

When a trust relationship is set up between two domains, there is always a...