Build and use trust relationships
Last month I discussed the domain models that Windows NT networks use. I explained the need for trust relationships between domains. This month I discuss setting up trust relationships and examining their properties. I also highlight trust changes in NT 5.0. (For more information about trust relationships, see "Related Articles in Windows NT Magazine," page 213.)
Trust Relationships
A trust relationship is a communications channel, or an enabling mechanism. Trust relationships let you perform certain functions. For example, trust relationships let you assign permissions on resources in one domain to users in another domain. Trust relationships let you set up permissions so that you log on only once from anywhere in the domain structure.
A single logon is possible because when you log on to a computer in a remote domain, your home domain controller can validate the logon. The remote domain controller trusts your home domain controller, so it passes the logon request through to it. If your home domain controller validates your user account and password, the remote domain controller lets you log on.
Determining whether a remote computer has a trust relationship with your domain is easy. Open the computer's logon dialog box and look for your domain name. If your domain name appears in the drop-down menu, the computer is in your domain or has a trust relationship with your domain.
Properties of Trusts
To set up domain trust relationships correctly, you need to understand the properties of a trust relationship. First, trusts are one-way only. If domain A trusts domain B, domain B does not necessarily trust domain A. Second, trusts are not transitive. If domain A trusts domain B, and domain B trusts domain C, no implied trust exists between domains A and C. Third, you must set up each trust from both sides: the trusted domain and the trusting domain must both configure it. However, either side can break the trust relationship on its own.
Systems administrators often complain that trust relationships are not transitive. Many administrators want implied trusts so that they do not need to set up numerous trust relationships. But transitive trusts create security risks. For example, company A might set up a trust with supplier B to let the supplier monitor the company's inventory and automatically ship orders to replenish the inventory. In turn, supplier B might give system access to consulting company C for development purposes. Consulting company C is also consulting for company D, a rival of company A. If trust relationships were transitive, company A would automatically trust rival company D, an obvious security risk.
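The two properties above, and the supplier example, can be checked against a small model of an NT 4.0 trust table. The following is an added example written for this article, not code from the article or from Windows NT; domain names are constructed for illustration. The table records which domain trusts which, answers the pass-through logon question from the previous section (can the resource domain's controller hand a logon to the account's home domain?), and separately computes what a transitive model would have allowed, which is exactly the reach the author warns about.

```python
"""Model of NT 4.0 trust properties: trusts are one-way and not transitive."""
from typing import Dict, Set


class TrustTable:
    def __init__(self) -> None:
        # trusting domain -> set of domains it trusts (direction matters)
        self._trusts: Dict[str, Set[str]] = {}

    def add_trust(self, trusting: str, trusted: str) -> None:
        """Record that `trusting` trusts `trusted` (one direction only)."""
        self._trusts.setdefault(trusting, set()).add(trusted)

    def trusts(self, trusting: str, trusted: str) -> bool:
        return trusted in self._trusts.get(trusting, set())

    def can_validate_logon(self, resource_domain: str, account_domain: str) -> bool:
        """Pass-through logon: the resource domain's controller forwards the logon
        to the account's home domain only if it trusts that domain directly."""
        if resource_domain == account_domain:
            return True
        return self.trusts(resource_domain, account_domain)

    def transitive_reach(self, trusting: str) -> Set[str]:
        """Every domain `trusting` would implicitly trust IF trusts were transitive.
        NT 4.0 does not do this; the function exists to show what the risk would be."""
        reached: Set[str] = set()
        stack = [trusting]
        while stack:
            current = stack.pop()
            for nxt in self._trusts.get(current, set()):
                if nxt not in reached:
                    reached.add(nxt)
                    stack.append(nxt)
        return reached


def build_supplier_example() -> TrustTable:
    """The chain from the article: A trusts B, B trusts C, C trusts D (constructed names)."""
    table = TrustTable()
    table.add_trust("CompanyA", "SupplierB")      # supplier may monitor A's inventory
    table.add_trust("SupplierB", "ConsultantC")   # supplier gives consultants access
    table.add_trust("ConsultantC", "RivalD")      # consultants also work for A's rival
    return table


if __name__ == "__main__":
    t = build_supplier_example()
    print("B user logs on in A:", t.can_validate_logon("CompanyA", "SupplierB"))    # direct trust
    print("A user logs on in B:", t.can_validate_logon("SupplierB", "CompanyA"))    # one-way: no
    print("D user logs on in A:", t.can_validate_logon("CompanyA", "RivalD"))       # not transitive: no
    print("A would reach, if transitive:", sorted(t.transitive_reach("CompanyA")))
```

The last line is the point of the exercise: with transitive trusts, CompanyA's implicit trust set would include RivalD even though no administrator at CompanyA ever added it.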
NT 5.0 addresses many of these concerns. Domains and organizational units (OUs) will use trust relationships based on the Kerberos security model. NT 5.0 will establish these trusts as necessary on the network, with fewer limitations than current trusts have. You can use the NT 4.0 trust model where appropriate, as in the previous example, to prevent a trust from going further than you intend.
Setting Up a Trust Relationship
Only a domain administrator can set up trust relationships. From the Start menu, select Programs, Administrative Tools, User Manager for Domains. From the Policies menu, select Trust Relationships, as Screen 1, page 212, shows. Screen 2, page 212, shows the Trust Relationships dialog box, with two windows in which you add trusted domains or trusting domains. You must set up a trust from both sides. The process goes more smoothly if the trusted domain first adds the trusting domain.
Suppose you are the Engineering administrator and you want to set up a trust so that the Production domain trusts the Engineering domain. Click Add in the Trusting Domains section of the Trust Relationships dialog box. Add Production as a trusting domain, and enter a password, as Screen 3, page 212, shows. This case-sensitive password is needed only for the initial communication between the domains; the system replaces it with its own password after that first exchange. The Production domain administrator must then add Engineering as a trusted domain, as Screen 4 shows. If you entered a password when you added the Production domain, the Production administrator must enter that same password to add Engineering as a trusted domain. If you set up the trust correctly, the Production administrator gets a confirmation window, which Screen 5 shows.