Best Practices for Trusts
Creating trusts enables the use of resources across domains and forests. Use the following best practices when considering the creation of trust relationships:

Create shortcut trusts when long trust paths must be frequently used to access resources in other domains within the forest.

Create trusts with external domains only when there is a need to access resources between forests.

Create one-way trust relationships if that will fulfill the requirement. Do not make every trust a two-way trust.

Create a forest trust only if many domain trust relationships between domains in the different forests are necessary. If only a few trust relationships are necessary, it may be better to create separate external trusts.

Use selective authentication to limit access to resources in a domain across a trust. If the reason for the trust is to provide access to only a few of the resources in the specified domain, require selective authentication and provide the ability to authenticate to those groups from the other domain on only those resource servers required.

Use selective authentication to limit access to domains in a forest trust. Depending on the need for resource access, use external trusts with or without selective authentication, or use forest trusts with or without selective authentication. Trusts without selective authentication offer the most access, while forest trusts with selective authentication offer the least.

Use SID filtering with external and forest trusts. (SID filtering is enabled in Windows Server 2003 trusts by default.)
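An audit of existing trusts against the practices above, as an added example that is not part of the original page. The function name Test-TrustPractice and the sample domain names are hypothetical; the bit values are the documented trustAttributes flags of the trustedDomain object, and the input is assumed to carry the Name, Direction and TrustAttributes properties that Get-ADTrust returns.

```powershell
# trustAttributes flags on a trustedDomain object (MS-ADTS)
$TA_QUARANTINED    = 0x04   # SID filtering (quarantine) on an external trust
$TA_FOREST         = 0x08   # forest trust
$TA_CROSS_ORG      = 0x10   # selective authentication required
$TA_WITHIN_FOREST  = 0x20   # parent-child, tree-root or shortcut trust
$TA_TREAT_EXTERNAL = 0x40   # forest trust with SID filtering relaxed

function Test-TrustPractice {
    param([Parameter(ValueFromPipeline = $true)] $Trust)
    process {
        $attr = [int]$Trust.TrustAttributes
        # The practices reviewed here concern external and forest trusts only.
        if ($attr -band $TA_WITHIN_FOREST) { return }
        $isForest  = [bool]($attr -band $TA_FOREST)
        $direction = "$($Trust.Direction)"
        $findings  = @()
        if ($direction -eq 'BiDirectional') {
            $findings += 'two-way: confirm a one-way trust would not suffice'
        }
        # Selective authentication and SID filtering are enforced by the
        # trusting side, so they are checked only when the trust is outgoing.
        if ($direction -ne 'Inbound') {
            if (-not ($attr -band $TA_CROSS_ORG)) {
                $findings += 'selective authentication not required'
            }
            if ($isForest -and ($attr -band $TA_TREAT_EXTERNAL)) {
                $findings += 'SID filtering relaxed on forest trust'
            }
            if (-not $isForest -and -not ($attr -band $TA_QUARANTINED)) {
                $findings += 'SID filtering (quarantine) not enabled'
            }
        }
        [pscustomobject]@{
            Name     = $Trust.Name
            Kind     = if ($isForest) { 'Forest' } else { 'External' }
            Findings = $findings -join '; '
        }
    }
}

# Constructed sample records; in a domain: Get-ADTrust -Filter * | Test-TrustPractice
$sample = @(
    [pscustomobject]@{ Name = 'partner.example';    Direction = 'BiDirectional'; TrustAttributes = 0x08 }
    [pscustomobject]@{ Name = 'vendor.example';     Direction = 'Outbound';      TrustAttributes = 0x14 }
    [pscustomobject]@{ Name = 'child.corp.example'; Direction = 'BiDirectional'; TrustAttributes = 0x20 }
)
$sample | Test-TrustPractice | Format-Table -AutoSize
```

An empty Findings column means the trust matched every check; a finding is a prompt to review the trust against its documented purpose, not proof of misconfiguration.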