Applies To: Windows Server 2008
Trusts
A trust is a relationship that you establish between domains so that users in one ___domain can be authenticated by a ___domain controller in the other ___domain.
Trusts in Windows NT
In the Windows NT 4.0 operating system, trusts are limited to two domains, and the trust relationship is nontransitive and one-way. In the following illustration, the nontransitive, one-way trust is shown by the straight arrow pointing to the trusted ___domain.
Trusts in Windows 2000 Server, Windows Server 2003, and Windows Server 2008 operating systems
All trusts in Windows 2000 Server, Windows Server 2003, and Windows Server 2008 forests are transitive, two-way trusts. Therefore, both domains in a trust relationship are trusted. As shown in the following illustration, this means that if Domain A trusts Domain B and Domain B trusts Domain C, users from Domain C can access resources in Domain A (when they are assigned the proper permissions). Only members of the Domain Admins group can manage trust relationships.
Trust protocols
A ___domain controller running Windows Server 2008 authenticates users and applications using one of two protocols: the Kerberos version 5 (V5) protocol or NTLM. The Kerberos V5 protocol is the default protocol for computers running Windows 2000, Windows XP Professional, Windows Server 2003, or Windows Server 2008. If any computer in a transaction does not support the Kerberos V5 protocol, the NTLM protocol is used.
With the Kerberos V5 protocol, the client requests a ticket from a ___domain controller in its account ___domain to the server in the trusting ___domain. This ticket is issued by an intermediary that is trusted by the client and the server. The client presents this trusted ticket to the server in the trusting ___domain for authentication. For more information, see Kerberos V5 authentication (https://go.microsoft.com/fwlink/?LinkId=81795).
When a client tries to access resources on a server in another ___domain using NTLM authentication, the server that contains the resource must contact a ___domain controller in the client account ___domain to verify the account credentials.
Trusted ___domain objects
Trusted ___domain objects (TDOs) are objects that represent each trust relationship within a particular ___domain. Each time that a trust is established, a unique TDO is created and stored in its ___domain (in the System container). Attributes such as trust transitivity, type, and the reciprocal ___domain names are represented in the TDO.
Forest trust TDOs store additional attributes that identify all the trusted namespaces from their partner forest. These attributes include ___domain tree names, user principal name (UPN) suffixes, service principal name (SPN) suffixes, and security identifier (SID) namespaces.
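The following script is an added example, not part of the original article: it enumerates the TDOs in the System container of the current ___domain and decodes the direction, type and transitivity attributes described above. It assumes the ActiveDirectory PowerShell module (RSAT) is installed and the caller can read the System container; the flag values are those documented in MS-ADTS for trustAttributes, trustDirection and trustType.

```powershell
# Added example (not from the original article): list and decode the trusted
# ___domain objects (TDOs) stored in CN=System of the current ___domain.
# Assumes the ActiveDirectory module (RSAT) and read access to CN=System.
Import-Module ActiveDirectory

# Bit values of the trustAttributes attribute (MS-ADTS).
$TrustAttributeFlags = @{
    0x0001 = 'NON_TRANSITIVE'
    0x0002 = 'UPLEVEL_ONLY'
    0x0004 = 'QUARANTINED_DOMAIN'   # SID filtering enabled
    0x0008 = 'FOREST_TRANSITIVE'
    0x0010 = 'CROSS_ORGANIZATION'   # selective authentication
    0x0020 = 'WITHIN_FOREST'
    0x0040 = 'TREAT_AS_EXTERNAL'
    0x0080 = 'USES_RC4_ENCRYPTION'
}
$TrustDirection = @{ 1 = 'Inbound'; 2 = 'Outbound'; 3 = 'Bidirectional' }
$TrustType      = @{ 1 = 'Downlevel (Windows NT)'; 2 = 'Uplevel (Active Directory)'; 3 = 'MIT Kerberos realm' }

function Get-DecodedTrust {
    # TDOs live in the System container of the ___domain, one per trust.
    $systemDn = "CN=System,$((Get-ADDomain).DistinguishedName)"
    Get-ADObject -SearchBase $systemDn -LDAPFilter '(objectClass=trustedDomain)' `
        -Properties trustPartner, flatName, trustDirection, trustType, trustAttributes, whenCreated |
    ForEach-Object {
        $attrs = [int]$_.trustAttributes
        $set = $TrustAttributeFlags.Keys | Where-Object { $attrs -band $_ } |
               Sort-Object | ForEach-Object { $TrustAttributeFlags[$_] }
        [PSCustomObject]@{
            Partner      = $_.trustPartner
            NetBIOSName  = $_.flatName
            Direction    = $TrustDirection[[int]$_.trustDirection]
            Type         = $TrustType[[int]$_.trustType]
            # Transitivity as the article describes it: clear NON_TRANSITIVE bit.
            Transitive   = -not ($attrs -band 0x0001)
            ForestTrust  = [bool]($attrs -band 0x0008)
            SIDFiltering = [bool]($attrs -band 0x0004)
            Attributes   = ($set -join ', ')
            Created      = $_.whenCreated
        }
    }
}

# Review each trust's direction and transitivity; unexpected or undocumented
# trusts widen the set of domains whose users can be authenticated here.
Get-DecodedTrust | Format-Table -AutoSize
```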
For more information about ___domain trusts, see Trust Technologies (https://go.microsoft.com/fwlink/?LinkId=92695). For more information about trust relationships, see Designing a Resource Authorization Strategy (https://go.microsoft.com/fwlink/?LinkId=92696).