Understanding Trust Transitivity

Jan De Clercq

September 11, 2006

4 Min Read
ITPro Today logo in a gray background | ITPro Today

Q: What is the meaning of trust transitivity in the context of trust relationships that are defined between Windows Active Directory (AD) domains? Are trust relationships defined between domains that are located in different AD forests also transitive?

A: Before we define trust transitivity let's make sure we're on the same line regarding the meaning of the trust concept in the context of AD domains. Trust relationships define an administrative and security link between two Windows domains or forests. They enable a user to access resources that are located in a domain or forest that’s different from the user’s proper domain or forest.

When a trust relationship is set up between two domains, there’s always a trusted and a trusting domain. The trusting domain is the one that initiates the setup of a trust relationship. The trusted domain is the subject of the trust definition. These concepts are illustrated in Figure 1: If domain compaq.com sets up a trust with the hp.com domain--in which case hp.com is the trusted domain and compaq.com the trusting domain--all accounts defined in hp.com will be trusted. This means that you can use all hp.com accounts and groups to set access control settings on resources in the compaq.com domain. This is typically done by adding them to existing domain local groups or server local groups, which grant the actual permissions on resources in the compaq.com domain.

When a trust relationship is transitive, the trust extends beyond the directly trusted and the trusting domain to any other transitively trusted domain. For example if both the europe.hp.com and us.hp.com domains trust the hp.com domain, then--thanks to trust transitivity--the europe.hp.com domain implicitly trusts the us.hp.com domain. Transitive trust reduces the number of trusts that are needed for authentication interoperability between different domains. In Figure 2, only three trusts are needed (between each parent and child domain in the same AD forest) to obtain authentication interoperability between all four domains. In a Windows NT 4.0 setup, you'd have needed six trust relationships to do the same thing.

Users working from Windows 2000 Server or later workstations can see the effect of transitive trusts when they log on. They can choose every domain with which their domain has a direct trust or an indirect trust (through trust transitivity). An NT 4.0 end user sees only the direct trusts of his or her domain.

In Win2K, different AD forests could be linked only using an external trust relationship. External relationships are always nontransitive. Windows Server 2003, however, includes a new trust type called "Forest Trust" that allows creating a transitive trust between all domains of two forests using a single trust relationship. An important requirement to creating Windows 2003 forest trust is that both forests need to be in Windows 2003 functional level 2. This forest functional level is available only if all domains are at functional level 2. The latter is only possible if all the DCs in a domain are running Windows 2003.

Thanks to the transitivity of forest trust relationships, it's enough to have a single trust between the two root domains of two different forests to enable inter-forest authentication between all domains in the two forests. Figure 3 illustrates this for Domain C in the Compaq.com forest. Because of the transitive forest trust between Compaq.com and Hp.com, domain C will automatically have a transitive trust relationship with domains D, E, and F in the HP.com forest (the same is true for the other domains).

Transitive trusts greatly simplify forest trust administration and provide transparent single sign-on (SSO) between all domains in two multidomain forests. In Win2K, the same level of functionality required the definition of a trust relationship between every other domain in the two forests. Transitive forest trusts don't allow transparent object browsing (e.g., when setting access control settings) between all domains in the two forests; this is only possible between the root domains of the two forests. However, you can search by name for objects of the other domains in the forest.

Forest trusts are not transitive between multiple forests (as Figure 4 shows for the Digital.com, Compaq.com and Hp.com forests). If forest trusts exist between the Digital.com and the Compaq.com forest and between the Compaq.com and the Hp.com forest, then there won’t automatically be a transitive trust between Digital.com and Hp.com (as illustrated in the left picture of Figure 4). If a transparent SSO experience is required between the Hp.com and the Digital.com forests, an explicit forest trust relationship would be required between those two forests (as the right picture of Figure 4 illustrates).

Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.

You May Also Like