Creating Domain and Forest Trusts

Applies To: Windows Server 2008, Windows Server 2008 R2

In Windows Server 2008, there are four trust types that must be created manually. External trusts, realm trusts, and forest trusts help provide interoperability with realms or with domains outside your forest. Shortcut trusts optimize access to resources and logons that are made between ___domain trees in the same forest.

This section includes the following tasks for creating ___domain and forest trusts:

Note

A trust does not inherently allow users in a trusted ___domain to have access to resources in a trusting ___domain. Users have access when they are assigned the appropriate permissions. In some cases, users in trusted domains may have implicit access if the resources are assigned to members of the Authenticated Users group.

Before you use the procedures in these tasks, review the issues in Known Issues for Creating Domain and Forest Trusts.

New Trust Wizard terminology

You create trusts in Windows Server 2008 with the New Trust Wizard. Before you use the New Trust Wizard, review the following terminology. Each term below appears exactly as it is used in the wizard:

  • This ___domain: The ___domain from which you launch the New Trust Wizard. When you start the wizard, it immediately verifies your administrative credentials in the ___domain for which you are the administrator. Therefore, the wizard uses the term “this ___domain” to represent the ___domain that you are currently logged on to.

  • Local ___domain / Local forest: The ___domain or forest where you start the New Trust Wizard.

  • Specified ___domain / Specified forest: The other ___domain or forest that this local ___domain or local forest will trust. Although the New Trust Wizard is aware of the ___domain context in which it is running, it does not have knowledge of the other ___domain that you want to create the relationship with. After you type the name of the other ___domain or forest in the Trust Name page, that name is used whenever the wizard refers to the specified ___domain or specified forest.

  • Two-way trust: A trust relationship between two domains in which both domains trust each other. For example, ___domain A trusts ___domain B, and ___domain B trusts ___domain A. All parent-child trusts are two-way trusts.

  • One-way: incoming trust: A one-way trust relationship between two domains in which the direction of the trust points toward the ___domain from which you start the New Trust Wizard (and which is identified in the wizard as This ___domain). When the direction of the trust points toward your ___domain, users in your ___domain can access resources in the specified ___domain. For example, if you are the ___domain administrator in ___domain A and you create a one-way, incoming trust to ___domain B, this provides a relationship through which users who are located in ___domain A can access resources in ___domain B. Because this relationship is one way, users in ___domain B cannot access resources in ___domain A.

  • One-way: outgoing trust: A one-way trust relationship between two domains in which the direction of the trust points toward the ___domain that is identified as Specified ___domain in the New Trust Wizard. When the direction of trust points toward the specified ___domain, users in the specified ___domain can access resources in your ___domain. For example, if you are the ___domain administrator in ___domain A and you create a one-way, outgoing trust to ___domain B, this action provides a relationship through which users who are located in ___domain B can access resources in ___domain A. Because this relationship is one way, users in ___domain A cannot access resources in ___domain B.

  • Both sides of the trust: When you create external trusts, shortcut trusts, or forest trusts, you have the option to create each side of the trust separately or both sides of the trust simultaneously. If you choose to create each side of the trust separately, you must run the New Trust Wizard twice—once for each ___domain. When you create trusts separately, you must supply the same trust password for each ___domain. As a security best practice, all trust passwords should be strong passwords.

  • Domain-wide authentication: An authentication setting that permits unrestricted access by any users in the specified ___domain to all available shared resources that are located in the local ___domain. This is the default authentication setting for external trusts.

  • Forest-wide authentication: An authentication setting that permits unrestricted access by any users in the specified forest to all available shared resources that are located in any of the domains in the local forest. This is the default authentication setting for forest trusts.

  • Selective authentication: An authentication setting that restricts access over an external trust or forest trust to only those users in a specified ___domain or specified forest who have been explicitly given authentication permissions to computer objects (resource computers) that reside in the local ___domain or the local forest. This authentication setting must be enabled manually.

  • Trust password: An option in which both domains in a trust relationship share a password, which is stored in the trusted ___domain object (TDO) in Active Directory Domain Services (AD DS). When you choose this option, a strong trust password is generated automatically for you. You must use the same password when you create a trust relationship in the specified ___domain. If you choose to create both sides of the trust simultaneously, you run the New Trust Wizard once.
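The direction and authentication terms above are stored as attributes on each trusted ___domain object, so you can check what the wizard actually configured after the fact. The following script is an added example, not code from the original page or from Microsoft: it reads every trust of the local ___domain with the ActiveDirectory module's Get-ADTrust cmdlet (available on Windows Server 2008 R2 or through RSAT, not on Windows Server 2008 without R2), maps the cmdlet's Direction value onto the wizard's "incoming", "outgoing" and "two-way" terms, and reports whether ___domain-wide, forest-wide or selective authentication is in effect. The function name Get-TrustAuthenticationReport is my own; the Direction, SelectiveAuthentication, ForestTransitive and IntraForest properties are real Get-ADTrust output.

```powershell
# Added example (not from the original page): audit the local ___domain's trusts
# and express each one in the New Trust Wizard's own terminology.
# Assumes the ActiveDirectory module (Windows Server 2008 R2 / RSAT).
Import-Module ActiveDirectory

function Get-TrustAuthenticationReport {
    param(
        # Domain (or ___domain controller) to query. Defaults to the ___domain the
        # session is logged on to, which is the wizard's "this ___domain".
        [string]$Server = (Get-ADDomain).DNSRoot
    )

    Get-ADTrust -Filter * -Server $Server | ForEach-Object {
        $trust = $_
        $direction = [string]$trust.Direction   # Inbound, Outbound, BiDirectional, Disabled

        # Direction is stored relative to the ___domain we queried, which matches
        # the wizard's point of view. "Inbound" here means the other ___domain
        # trusts us (our users reach its resources): the wizard's "incoming".
        $wizardDirection = switch ($direction) {
            'Inbound'       { 'One-way: incoming (our users reach their resources)' }
            'Outbound'      { 'One-way: outgoing (their users reach our resources)' }
            'BiDirectional' { 'Two-way' }
            default         { $direction }
        }

        # The authentication setting only matters where users from the other
        # side can authenticate to resources here, i.e. the trust has an
        # outgoing component. Selective authentication is offered by the wizard
        # only for external and forest trusts, so intra-forest trusts (parent-
        # child, tree-root, shortcut) are reported as not applicable.
        $hasOutgoing = @('Outbound', 'BiDirectional') -contains $direction
        if ($trust.IntraForest) {
            $authSetting = 'Not applicable (intra-forest trust)'
        } elseif (-not $hasOutgoing) {
            $authSetting = 'Not applicable (no outgoing component; set on the other side)'
        } elseif ($trust.SelectiveAuthentication) {
            $authSetting = 'Selective authentication'
        } elseif ($trust.ForestTransitive) {
            $authSetting = 'Forest-wide authentication (wizard default for forest trusts)'
        } else {
            $authSetting = 'Domain-wide authentication (wizard default for external trusts)'
        }

        # Flag trusts that still grant unrestricted authentication to every
        # user of the other side; the wizard never switches these to selective
        # authentication on its own, an administrator must do it manually.
        $review = $authSetting -like '*-wide authentication*'

        # New-Object rather than [PSCustomObject] keeps this PowerShell 2.0 friendly.
        New-Object PSObject -Property @{
            Trust             = $trust.Name
            Direction         = $direction
            WizardDirection   = $wizardDirection
            ForestTrust       = [bool]$trust.ForestTransitive
            IntraForest       = [bool]$trust.IntraForest
            Authentication    = $authSetting
            ReviewRecommended = $review
        } | Select-Object Trust, Direction, WizardDirection, ForestTrust, IntraForest, Authentication, ReviewRecommended
    }
}

# Usage: run from a ___domain-joined machine with rights to read the TDOs.
Get-TrustAuthenticationReport | Format-Table -AutoSize
```

Trusts reported with ReviewRecommended set to True are the ones where, as the definitions above state, any user in the specified ___domain or forest can authenticate to every shared resource in the local ___domain or forest, including resources granted to Authenticated Users. Those are the candidates to revisit with selective authentication if only specific users or groups actually need cross-___domain access.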