لطفا منتظر باشید ...
Publisher| TrustsConcepts |
resources in other domains. Active Directory supports several kinds
of trusts, as described in the following sections.
Transitive Trust
Two-way transitive trusts are
automatically created when new child
domains are added to an existing tree or when a new root domain is
added to an existing forest to form a new tree.
Transitive means that downstream trusted domains
can be trusted over the trustfor example, if A trusts B and B
trusts C, then A trusts C if all trusts are transitive. Transitive
trusts require no maintenance or configuration and allow users to be
authenticated by domain controllers in any domain in the forest.
Transitive trusts operate using the Kerberos v5 authentication
protocol.
External Trust
Also called a one-way trust,
this type of trust is unidirectional
and nontransitive (similar to NT) and must be explicitly created
using the Active Directory Domains and Trusts console. In an external
trust, the trusting domain trusts the trusted domain, and users in
the trusted domain can access resources in the trusting domain,
provided they have suitable permissions assigned for the resources
they are trying to access. You can explicitly establish an external
trust between a WS2003 domain and another WS2003 domain, a W2K
domain, or an NT domain. You can also create a nontransitive two-way
trust by creating two one-way trusts in opposite directions between
two domains.External trusts are typically used:
- To establish an explicit trust between a WS2003 or W2K domain and a
legacy NT domain - To establish an explicit trust between two WS2003 or W2K domains in
different forests
Cross-Link Trust
Also called shortcut trusts,
these are simply external trusts created
to shorten the trust path between two domains in a forest when the
users in one or both of these domains frequently need to access the
resources in the other domain. By creating a shortcut trust between
two domains in a forest, the Kerberos authentication process by which
users are granted access to resources in different domains is
considerably shortened in terms of the number of domains it must
traverse, reducing authentication traffic and speeding up the
interdomain authentication process for users.
Forest Trust
New to WS2003 is the forest
trust (also called cross-forest trust),
which is available only for forests that are configured at the WS2003
forest functional level. Forest trusts allow users in one forest to
access resources in another forest using either Kerberos or NTLM
authentication. Forest trusts are transitive trusts that can be
created manually between the forest root domains of two forests and
add additional flexibility to planning an Active Directory
implementation by providing enterprises with more options for
upgrading their NT or W2K domains to WS2003.Forest trusts are external trusts created between the forest root
domains of two forests. Note that forest trusts work only between two
forestsin other words, if a forest trust between forests A and
B is created and then one is created between forests B and C, there
is no implicit forest trust between forest A and C. In other words,
the transitivity of forest trusts is valid only within the two
forests connected by the trust.
