Q: What happens under the hood when I define a trust relationship between two Windows domains? What trust relationship traces can I find in Active Directory (AD)?

A: In the example in Figure 1, the domain administrator of domain South.net decides to trust a domain named North.net. In this example, South.net is the trusting domain and North.net is the trusted domain.

FIGURE 1: AD Trust Relationship details

When the administrator sets up the trust, Windows will create a Trusted Domain Object (TDO) for the North.net domain in the AD domain, naming the context of the domain South.net (this is on the outgoing side of the trust). This TDO object is a security principal, similar to a user or a computer account, that will be named after the DNS domain name of the domain that the trust is being configured for (if the other domain is an NT4 domain, the NetBIOS name will be used). In this example, the TDO account in the South.net domain will be called North.net.

Just as with any other AD account, there's a password linked to a TDO object. It's stored in a hashed format in the TDO account's password attribute. This password is also referred to as the inter-domain secret. When you set up a trust relationship manually, the OS will prompt you for this password. Trusts that Windows creates implicitly as part of the AD installation process (dcpromo) are automatically assigned a random password.

When the administrator in the South.net domain or the administrator in the North.net domain creates the other side of the trust in the North.net domain (the incoming side), another TDO account called South.net will be created in the AD domain naming context of domain North.net.

You can look at the TDO account objects using the AD Users and Computers (ADUC) MMC snap-in or using ADSIedit. The TDOs are located in the domain naming context's "system" container.

The South.net TDO account is replicated between the DCs in the North.net domain using the normal AD replication of the domain naming context. The same is true for the North.net TDO account in the South.net domain. The TDOs and some of their attributes are also replicated to the global catalog (GC). This makes them available to all entities in a Windows forest. The latter enables the routing of cross-domain and cross-forest authentication requests and cross-domain and cross-forest object browsing.

TDOs and their passwords (the inter-domain secrets) are used for the setup of secure channels between the DCs of different domains. Secure channels ensure that authentication traffic is securely transported between trusting and trusted domains.