Windows Server 2012 AD DS domains
can be linked to each other through the use of a concept known as
trusts. A confidence is primarily a mechanism which makes it possible resources in a field to be accessible by the users authenticated from another field. AD
trusts take on many forms but typically fall into one of the four
categories described in the following sections.
Transitive trusts are automatic
two-way trusts that exist between domains in the same forest in AD DS.
These trusts connect resources between domains in AD DS and are
different from explicit trusts in that the trusts flow through from one
domain to the other. In other words, if Domain A trusts Domain B, and
Domain B trusts Domain C, Domain A trusts Domain C. This flow greatly
simplifies the trust relationships between Windows domains because it
forgoes the need for multiple exponential trusts between each domain.
An explicit confidence is one which is installed manually between the fields to envisage a specific way for the authentification dividing between the fields. This kind of trust relationships can be with one way or bidirectional, according to the needs for the environment. In other words, all trusts in legacy Windows NT 4.0 could have been
defined as explicit trusts because they all are manually created and do
not allow permissions to flow in the same way as transitive trusts do.
The use of explicit trusts in AD DS allows designers to have more
flexibility and to be able to establish trusts with external and
down-level domains. All trusts between AD DS domains and other forest
domains that aren’t in Windows Server 2003, Windows Server 2003 R2,
Windows Server 2008, Windows Server 2008 R2, or Windows Server 2012
forest functional level are explicit trusts.
A shortcut trust is essentially an explicit
trust that creates a shortcut between any two domains in a domain
structure. For example, if a domain tree has multiple subdomains that
are many layers deep, a shortcut trust can exist between two domains
deep within the tree, similar to the shortcut trust shown in Figure 1.
This relationship allows for increased connectivity between those two
domains and decreases the number of hops required for authentication
requests. Normally, those requests would have to travel up the
transitive trust tree and back down again, thus increasing overhead.
Figure 1. Shortcut trusts minimize hops between domains.
The example in Figure 1
shows how a shortcut trust could theoretically be used to reduce the
overhead involved in sharing resources between the two sales subdomains
in the companyabc.com tree.
Cross-Forest Transitive Trusts
Cross-forest transitive trusts are
essentially two-way transitive trusts that exist between two disparate
AD DS forests. Although explicit trusts between separate AD domains in
separate forests were possible in Windows 2000 Server, the cross-forest
trusts in all versions of Windows Server beyond the 2003 release allow
for two-way transitive trusts to exist between two separate forests.