MCITP 70-640: Active Directory Trusts

Welcome to the Active Directory Trusts video,
one part of the free Active Directory course. When you have one domain and one forest, looking
after Active Directory is quite easy. In fact, if you can stay with one domain and one forest,
then you should do that. In the real world this may not occur.
Imagine this: your company already has two large business units that work independently
of each other. They have their own domain and child domains and own namespace. The company
buys another company which has its own forest and its own child domains. Your company expands
and with it, multiple new domains are created. Some of these new domains have child domains
of their own. In order to meet the needs of the business, users in any domain must be
able to access resources in any other domain. Remember that each Domain effectively has
its own copy of the Active Directory database. Each domain essentially runs by itself. So
what happens when a user wants to access a resource in another domain?
To make administration easy, Active Directory automatically creates a two way trust relationship
between parent and child domains. This trust relationship is called a transitive trust.
A transitive trust simply means I trust you and any other domains that you decide to trust
or, to quote a familiar saying, “Any friend of yours is a friend of mine”.
To understand transitive trusts better, let’s remove all the trusts and rebuild the relationships
with non-transitive trusts. The parent domain wants to trust its child domains, so we would
create two way trusts like this. Now imagine that one of the child domains
has two child domains of its own. In order for its children to trust the child domain,
two trust relationships need to be created, so let’s create two more two way non-transitive
trusts. Now the root domain wants to access the two new domains, so two more trusts need
to be created. In order for the child domains to trust each
other, two horizontal trusts need to be created like this. Lastly, the two new child domains
need to be connected to the other child domain like this.
This is a total of 10 trusts for 5 domains. I have only done a small part of the diagram
but imagine I did the whole lot. In order to ensure everyone has access to each domain
you would need to create 66 trusts for the 12 domains shown.
This is why non-transitive trusts do not scale well. They are great in that you can
choose which domain accesses which domains, but on any decent sized network, managing
these trusts soon becomes very difficult. Let’s go back to transitive trusts. Every
child domain is connected to its parent domain. If the parent wants to access a resource in
the bottom domain, it will go through the transitive trust of the child domain. The
child domain will then pass the request through its trust relationship to its child domain.
That’s what a transitive trust is. It allows a trust to be extended outside the domain
to which it is directly connected. Let’s look at a different example. Say this
domain wants to access this domain. It would go up to its parent. Its parent would pass
the request to the root domain. The root domain would pass the request via a transitive trust
automatically created between the trees in the forest. This trust is called a tree trust.
It is essentially the same as a parent child trust and is created automatically by Active
Directory. Once the request passes over the tree root
trust, it would finally be passed down by this domain to its child. In order to get
to its destination, the request had to go over 4 transitive trusts, all of which were
created automatically. You are probably thinking this is great: I
can share anything I want with anyone in the forest and as long as I give them permissions
to access the resource, Active Directory will do the rest. This is true, but could there
be delays going over 4 transitive trusts to get to your destination even if it is done
automatically? In the real world, most of the time the parent
and child domains will do most of the sharing between each other, but sometimes you may
have two domains that are quite a distance from each other in the hierarchy but communicate
with each other a lot. When this occurs you can create what is called
a shortcut trust. A shortcut trust provides a direct trust relationship between the two
domains, saving them from having to go through the whole hierarchy. I think you will agree
that creating an occasional shortcut trust where it is needed is a lot better than creating
trusts between all the domains in the forest. In this particular case we also have another
company that has its own forest. Perhaps they are owned by the same company but they want
to keep their own domains and forest separate. When this occurs, you can create what is called
a forest trust. In order to create a forest trust, the forest must
be running at the Windows Server 2003 forest functional level or higher. Forest trusts
are not created by default and must be manually created by an administrator. Once created,
any domain in either forest will be able to access resources in any other domain, assuming
that they have access. Just like parent child trusts, forest trusts are transitive. In some cases you may need to create a trust
relationship between Active Directory and a non-Active Directory system. Assuming both
systems use Kerberos you can create what is called a realm trust. These are created manually
and can be either transitive or non-transitive, one way or two way.
The last trust you may come across is an external trust. An external trust is generally used
to connect to a Windows NT 4 domain. These trusts need to be created manually and are
non-transitive. They are also one way only but you can make them two way by simply creating
two trust relationships, one going in each direction.
This covers all the different trusts in Active Directory. In most cases you can see a trust
relationship will be created for you automatically. The trust relationship is in both directions
and is transitive so new domains and child domains will automatically have access to
each other. All the hard work is done for you.
Two way trusts are easy to understand and use. Resources are shared both ways. In some
cases you may have to deal with a one way trust. Let’s look at an easy way to understand
the terminology when dealing with a one way trust.
Let’s say you have domain A with a share in it. You have a user in domain B called
John. The question is, does domain A trust John? In order for a user to access a resource
in another domain, the other domain must trust that user. So the question is: does Domain
A trust John? You are told that domain A trusts domain B.
Since John is in domain B he can access resources in Domain A. This of course assumes that John
has access to these resources. The trust relationship only creates the path for a user to access
a resource; it does not grant them permissions. If a user Jane was in Domain A, she would
not be able to access resources in Domain B. In order for this to occur, Domain B needs
to trust domain A. If you get confused, draw an arrow between the two domains with the
direction of the trust. In order for the user to access the other domain the arrow must
point towards the user. Now that we understand how trusts work, I
will change to my Windows Server to demonstrate how to create trusts.
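The rules described above (a chain only works when every hop is transitive, the full mesh of 10 trusts for 5 domains and 66 for 12, the request that crosses 4 automatically created trusts, the shortcut trust that collapses that path, the forest trust that does not chain on to a third forest, and the one-way arrow that must point towards the user) can be modelled in a few lines. The following is an added Python example, not code from the video or from Microsoft; the domain names and the lab layout are made up for the illustration, and the transitivity and forest-trust rules are a simplified model of what the text describes.

```python
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed model of trust relationships (added example, not Microsoft code).
# Read a Trust as "trusting accepts users from trusted": the arrow points from
# the domain that holds the resource towards the domain the user comes from.


@dataclass(frozen=True)
class Trust:
    trusting: str     # domain holding the resource (its outgoing trust)
    trusted: str      # domain whose users are accepted (its incoming trust)
    kind: str         # parent-child, tree-root, shortcut, forest, external, realm
    transitive: bool


def two_way(a: str, b: str, kind: str, transitive: bool = True) -> List[Trust]:
    """A two-way trust is just two one-way trusts, one in each direction."""
    return [Trust(a, b, kind, transitive), Trust(b, a, kind, transitive)]


def full_mesh_count(domains: int) -> int:
    """Two-way non-transitive trusts needed so every domain trusts every other."""
    return domains * (domains - 1) // 2


def _chain_is_valid(chain: Tuple[Trust, ...]) -> bool:
    if len(chain) == 1:
        return True                                   # a direct trust always works
    if not all(t.transitive for t in chain):
        return False                                  # every hop of a chain must be transitive
    # A forest trust is transitive only between the two forests it joins;
    # it does not chain on to a third forest.
    return sum(t.kind == "forest" for t in chain) <= 1


def trust_path(trusts: List[Trust], resource_domain: str,
               user_domain: str) -> Optional[List[Trust]]:
    """Shortest chain of trusts a user from user_domain crosses to be accepted
    by resource_domain (breadth-first search), or None if no chain exists."""
    if resource_domain == user_domain:
        return []
    outgoing: Dict[str, List[Trust]] = {}
    for t in trusts:
        outgoing.setdefault(t.trusting, []).append(t)
    queue = deque([(resource_domain, ())])
    seen = {(resource_domain, 0)}                     # (domain, forest trusts crossed)
    while queue:
        domain, chain = queue.popleft()
        for t in outgoing.get(domain, []):
            new_chain = chain + (t,)
            if not _chain_is_valid(new_chain):
                continue
            if t.trusted == user_domain:
                return list(new_chain)
            state = (t.trusted, sum(x.kind == "forest" for x in new_chain))
            if t.transitive and state not in seen:
                seen.add(state)
                queue.append((t.trusted, new_chain))
    return None


# Constructed lab: forest A has two trees (corp.example and research.example),
# forest B is partner.example with one child, forest C is third.example,
# and nt4.example is reached over a one-way external trust.
TRUSTS: List[Trust] = (
    two_way("corp.example", "east.corp.example", "parent-child")
    + two_way("corp.example", "west.corp.example", "parent-child")
    + two_way("east.corp.example", "sales.east.corp.example", "parent-child")
    + two_way("corp.example", "research.example", "tree-root")
    + two_way("research.example", "lab.research.example", "parent-child")
    + two_way("partner.example", "eu.partner.example", "parent-child")
    + two_way("corp.example", "partner.example", "forest")        # forest A <-> forest B
    + two_way("partner.example", "third.example", "forest")       # forest B <-> forest C
    + [Trust("corp.example", "nt4.example", "external", False)]   # corp trusts nt4, one way
)


def with_shortcut() -> Optional[List[Trust]]:
    """Same lookup after adding a shortcut trust between the two distant domains."""
    extended = TRUSTS + two_way("sales.east.corp.example", "lab.research.example", "shortcut")
    return trust_path(extended, "lab.research.example", "sales.east.corp.example")


if __name__ == "__main__":
    hops = trust_path(TRUSTS, "lab.research.example", "sales.east.corp.example")
    print("hops without shortcut:", len(hops), [f"{t.trusting} -> {t.trusted}" for t in hops])
    print("hops with shortcut:", len(with_shortcut()))
    # One-way external trust: corp trusts nt4, so an nt4 user (John) reaches corp,
    # but a corp user (Jane) cannot reach nt4, and nt4 users cannot reach east.corp
    # because the external trust is not transitive.
    print(trust_path(TRUSTS, "corp.example", "nt4.example") is not None,
          trust_path(TRUSTS, "nt4.example", "corp.example"),
          trust_path(TRUSTS, "east.corp.example", "nt4.example"))
    print("forest C reaches corp via forest B?", trust_path(TRUSTS, "third.example", "corp.example"))
    print("full mesh for 12 domains:", full_mesh_count(12))
```

The search starts at the resource's domain and walks outgoing trusts, so a result is only found when every arrow along the way points towards the user's domain; swapping the two arguments is the quickest way to see why a one-way trust works in one direction only.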
To view the current trusts or make changes, open Active Directory Domains and Trusts from
Administrative Tools under the start menu. As I expand down through the domains, notice
that I have the east and west domain under my root domain and the sales domain under
the east domain. All these domains are linked together via transitive trusts automatically
created when the domains were created. If I select the root domain and then right
click and select properties, I can then select the trusts tab to view the trusts that are
currently set up. Currently there are trusts in both directions set up between this domain
and the child domains. The sales domain will not be shown since that trust relationship
is between the east and sales domains. To create a new trust, select the option at
the bottom, “new trust.” Once you are past the welcome screen, enter in the domain,
forest or Kerberos Realm for which you want to set up the trust. It is important that
your DNS can resolve the other end before you perform this setup. In this case I will
create a forest trust between the ITFreeTraining domain and the HighCostTraining domain. At
present, both domains are in the root domain of their own forest.
Windows will find and detect that the other side is another forest. You could choose the
first option, “external trust,” which will create a trust between the two domains.
This is a non-transitive trust, so only the two domains selected will be able to use the
trust. This is also the trust you would need to use for NT 4 domains.
In this case I want to select the second option, “forest trust.” This will allow any domains
in either forest to access any other domain in the other forest.
On the next screen you can select which direction the trust will go, or accept the default of
two way. In this case both forests will be sharing resources with each other, so I will accept
the default option of two way. The next screen gives you the option to create
the trust in this domain or both domains. In a lot of cases you won’t have an account
in the other forest. This is especially the case if the other forest is another company.
If you do not have access, select the option “this domain only.” In order for the trust
to work, the other company will have to perform the same procedure in their Active Directory
environment as I have just done. The next screen allows you to determine how
the default authentication will work. In order for a user to gain access to a resource in
another domain, they need to be given permission to that resource. Having said this, there
are plenty of resources in a domain that everyone can access without permissions being set for
that user. For example, authenticating against a domain controller or accessing a share with
permissions set to Everyone. If the company is trusted, select the first option, “forest
wide authentication.” The user will still need to be given access to resources but will
be able to access any resource that is available to everyone and authenticate off Domain Controllers
in the forest. In some cases you may create a forest trust
between your company and another company. In this case you may want to be very careful
about what you give them access to. In this case you would select “selective authentication.”
This option will only allow them access to servers that you decide they can access. This
includes Domain Controllers. Using this option you can select which Domain Controllers that
they can access just for authentication. This gives you more security but takes a little
bit more work to set up. In this case I will select the option “selective
authentication” to show you how to configure. On the next screen you need to enter in
a password for the trust. This password will need to be entered in on the other side using
the same wizard as here. When the two forests connect up for the first time, this password
is used to ensure that both servers are talking to the correct party.
The next screen will confirm that a forest trust is about to be created. Once I press
next I will be informed the forest trust was created.
The next screen will ask if you want to confirm the outgoing trust. So far the trust has been
created but this step will confirm that the trust is working with the password I entered.
Before you can perform this step you need to ensure that an Administrator in the other
forest has completed this wizard and thus created their side of the trust.
On the next screen the incoming trust can also be confirmed. In this case you will be
required to use a username and password from the other forest. In a lot of cases you
may not have this, especially if you are connecting to another company.
The wizard is now complete and the forest trust has been set up. The trust will appear
in the outgoing and incoming trusts with the transitive trusts that have already been automatically
created. Since I used selective authentication in the
forest trust, I will now open Active Directory Users and Computers and give the administrator
in the HighCostTraining Domain access to authenticate from my Domain Controller.
By default the option that I am after will not appear. In order to get it to appear,
open the View menu and select “Advanced Features.” This will show a lot of options that are normally
hidden. From here I will open the Domain Controllers OU and open the properties for my domain controller.
To give access, select the security tab and then press the button add. Since the forest
trust has been added, I can now enter in the administrator from the high cost training
domain and Windows will find the user without a problem and they will be added to permissions
listed for this Domain Controller. Once added, I need to tick the box “allowed
to authenticate.” Steps like these will need to be performed on every server that
they need to access. This is more work, but does prevent users from accessing other resources
on the network unless you specify that they can.
That’s it for forest trusts. I will now go back to Active Directory Domains and Trusts
and demonstrate how to create a shortcut trust. In this case I will create the shortcut trust
between the sales domain and the west domain. In order to do this, first open the properties
for the sales domain. Like the forest trust, press “new trust”
to start the wizard. In this case I will enter in the domain name of West.ITFreeTraining.Local.
Windows will detect that this is another domain in the forest and ask me straight away if
I want to make this trust one way or two way. I will accept the option two way and move
on. The next screen asks if I want to create the trust in this domain or both domains.
Since I have a username and password for the other domain with enough permissions, I will
select the option “both” so that both directions of the trust get created at once.
Next I will be asked for a username and password in the other domain. Like the forest trust,
if you did not have a username and password for the domain, an Administrator on the other
domain would have to run this wizard as well and create the trust on their side using a
shared password. On the next screen notice that Windows has
detected that this will be a shortcut trust. In a lot of cases Windows will auto detect
the trust that you are trying to create. The next screen will ask if I want to confirm
the outgoing trust. In this case I will need to ensure that it was created and working
properly. I will also get the same option for the incoming trust which I will also confirm.
Once I complete the wizard, notice that the new shortcut trust has been created in both
the incoming and outgoing sections. That’s it for creating trusts.
There is one last point I need to cover that is in the exam objectives for Trusts and that
is SID filtering. To consider how SID filtering works you first need to understand SID history.
To understand SID history, consider this example where SID history would come into play.
Consider that you have two domains. The decision is made to migrate the users from one domain
to the other. In order for this to occur, new users are created in one domain with the
same user names as the other domain. The problem occurs because these new users will have a
different security identifier, or SID. Since they are new users with new SIDs, they
will not have access to any of the resources that they used to have. This is where SID
history comes into play. When migrations like this are performed, the new user account has
an attribute called SID history which can store all of that user’s previous SIDs. When they
access a resource, Windows can look at the SID history and work out that they are the
same user even though the primary SID used with the user account has changed.
What does all this have to do with trusts? With trusts you need to understand that by
default SID filtering is enabled and this will affect SID history. When a user attempts
to travel over a trust to access a resource, Windows will filter out all the SID history
for that user that does not match the domains of the trusts the user came over. This means
any legacy SIDs will be removed as soon as the user travels over a trust to gain access
to a resource. This means the user will be denied access to a resource if it was assigned
under an old domain name. This is done to strengthen security. Even
though it is not as easy as it may sound, an administrator could access the SID history
for a user and create any SID that they wanted. Using that user they could then access resources
in another domain. This is why Microsoft has enabled SID filtering over all trusts by default.
For the exam, you simply need to know that all trusts have SID filtering enabled and
that SID filtering removes any SID from SID history for old domains.
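The selective authentication steps earlier in the demonstration (forest-wide versus selective authentication, the “allowed to authenticate” tick on the domain controller, and the point that a trust only creates the path and never grants permissions) and the SID filtering explanation just given fit together as one walk-through of a user's token crossing a forest trust. The following is an added Python example, not code from the video or from Microsoft; the domain SIDs, the token, the servers and their ACLs are constructed for the illustration, and the well-known SID allowlist and the two authentication modes are simplified models of the real behaviour.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed model (added example, not Microsoft code) of a user's token crossing
# a forest trust: SID filtering first, then the authentication gate (forest-wide
# or selective), then the share's own permissions. The domain SIDs are made up;
# real ones carry three random 32-bit sub-authorities.
TRUSTING_DOMAIN = "S-1-5-21-1000-2000-3000"   # forest that holds the resource
TRUSTED_DOMAIN = "S-1-5-21-4000-5000-6000"    # forest the user logs on to
OLD_DOMAIN = "S-1-5-21-7000-8000-9000"        # domain the user was migrated from
DOMAIN_ADMINS_RID = 512                       # well-known RID of Domain Admins
WELL_KNOWN = {"S-1-1-0", "S-1-5-11"}          # Everyone, Authenticated Users (simplified allowlist)


def domain_part(sid: str) -> str:
    """Drop the trailing RID so a SID can be matched to the domain that issued it."""
    return sid.rsplit("-", 1)[0]


@dataclass
class Token:
    user_sid: str
    group_sids: List[str]
    sid_history: List[str] = field(default_factory=list)   # SIDs kept from earlier domains

    def all_sids(self) -> List[str]:
        return [self.user_sid, *self.group_sids, *self.sid_history]


def sid_filter(token: Token, trusted_domains: Set[str]) -> Tuple[List[str], List[str]]:
    """SID filtering: keep SIDs issued by the domains on the far side of the trust
    (one domain for an external trust, every domain of the trusted forest for a
    forest trust) plus well-known SIDs; drop everything else. That is where an old
    domain's SID history, or a SID somebody planted in it, gets removed."""
    kept, removed = [], []
    for sid in token.all_sids():
        if sid in WELL_KNOWN or domain_part(sid) in trusted_domains:
            kept.append(sid)
        else:
            removed.append(sid)
    return kept, removed


@dataclass
class Server:
    name: str
    allowed_to_authenticate: Set[str]   # SIDs ticked "Allowed to authenticate" on the computer object
    share_acl: Set[str]                 # SIDs granted access on the share itself


def access_over_trust(token: Token, server: Server, selective_auth: bool,
                      trusted_domains: Set[str], sid_filtering: bool = True) -> Dict[str, object]:
    sids, removed = token.all_sids(), []
    if sid_filtering:
        sids, removed = sid_filter(token, trusted_domains)
    # Gate 1, authentication: forest-wide lets any user of the trusted forest
    # authenticate to every server; selective needs the right on this server.
    authenticated = (not selective_auth) or any(s in server.allowed_to_authenticate for s in sids)
    # Gate 2, authorization: the share's permissions, which no trust grants by itself.
    granted = authenticated and any(s in server.share_acl for s in sids)
    return {"filtered_out": removed, "authenticated": authenticated, "access": granted}


# Constructed scenario: the administrator of the trusted forest was once migrated
# from OLD_DOMAIN and still carries those SIDs in SID history; the share's ACL
# was never updated and still names a group from the old domain.
ADMIN = Token(user_sid=f"{TRUSTED_DOMAIN}-500",
              group_sids=[f"{TRUSTED_DOMAIN}-513", "S-1-5-11"],
              sid_history=[f"{OLD_DOMAIN}-500", f"{OLD_DOMAIN}-1001"])
DC1 = Server("dc1", allowed_to_authenticate={f"{TRUSTED_DOMAIN}-500"},
             share_acl={f"{OLD_DOMAIN}-1001"})
FS1 = Server("fs1", allowed_to_authenticate=set(), share_acl={f"{TRUSTED_DOMAIN}-500"})


def scenarios() -> Dict[str, Dict[str, object]]:
    trusted = {TRUSTED_DOMAIN}
    # A token whose SID history names Domain Admins of the *trusting* domain is
    # exactly the case SID filtering exists for: that SID could never have been
    # issued by the trusted forest, so it is dropped at the trust boundary.
    planted = Token(ADMIN.user_sid, ADMIN.group_sids,
                    sid_history=[f"{TRUSTING_DOMAIN}-{DOMAIN_ADMINS_RID}"])
    return {
        "forest_wide_filtered": access_over_trust(ADMIN, DC1, False, trusted),
        "forest_wide_unfiltered": access_over_trust(ADMIN, DC1, False, trusted, sid_filtering=False),
        "selective_allowed": access_over_trust(ADMIN, DC1, True, trusted),
        "selective_not_allowed": access_over_trust(ADMIN, FS1, True, trusted),
        "planted_sid_filtered": access_over_trust(planted, DC1, False, trusted),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:24} {result}")
```

Two things the output makes visible that the wizard screens do not: the migrated administrator is authenticated under forest-wide authentication yet still denied the share, because the only ACE that would have matched lives in the filtered-out SID history; and under selective authentication the share ACL is never even consulted on a server where the account lacks the “allowed to authenticate” right. On a real domain the ActiveDirectory PowerShell module's Get-ADTrust reports the per-trust settings behind these gates (its SelectiveAuthentication and SIDFilteringQuarantined properties), which is the quickest way to audit that no trust has had filtering switched off.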
Well, that is everything that you need to know about Windows Trusts. In the next video
I will look at sites. Sites allow you to divide Active Directory so it matches your physical
network topology. I hope you have enjoyed this free video. Thanks for watching.

Daniel Ostrander

73 thoughts on “MCITP 70-640: Active Directory Trusts”

  1. Sai dhanpal says:

    Amazing videos….kudos to ur effort !!

  2. Kamal Singh says:

    always waiting for new uploads………excellent job…thanks a lot for sharing

  3. itfreetraining says:

    Thanks. More videos to come

  4. itfreetraining says:

    Thanks for taking the time to leave a comment. More videos being released very soon.

  5. aden2013 says:

    Thanks a million for the videos, you have a place reserved for you in heaven 😉

  6. itfreetraining says:


  7. Frank Hayden says:

    I'm taking MCITP courses at college. Your videos are awesome and make things simple to understand. Thanks…your awesome!

  8. itfreetraining says:

    Thanks for comment. Good luck in your course.

  9. Ajay Sharma says:

    please explain non transitive trusts

  10. itfreetraining says:

    Imagine you had A trusts B, B trusts C, C trusts D, D trusts E. If transitive trusts were used all domains would trust all other domains. For example Domain A would automatically trust domain E. If non-transitive trusts were used each domain only trusts the domain it is directly connected to. Domain A would trust only Domain B. Domain C would trust Domain B and Domain D because it is directly connected. AD uses transitive trusts by default so all domains can access each other by default.

  11. Santosh Nibde says:

    Your videos are simple and easy to understand. Thanks for such great videos.

  12. itfreetraining says:

    Thanks. Glad to hear.

  13. skelomania666 says:

    hi, I know this is all about microsoft, but i would like to know where can i learn linux. Does itfreetraining offer linux courses too?? As i desperately need to get the hang of it by next year. So even if you're not in linux plz channel me somewhere else.
    thank you very much.

  14. itfreetraining says:

    We would like to do some videos on Linux but resources don't allow us at present.

  15. skelomania666 says:

    Thank you so much for answering me, i'm really sad that you lack the required resources but can you plz tell me a website or a link on youtube where to get in depth courses. Thank you again, i mean it.

  16. Orkhan Mammadov says:

    Nice. great JOb MAn

  17. Adel ALnassar says:

    thanks for all your videos, i'm watching them one by one, i'm not very good in english but i can understand every word you say 🙂
    thanks again for every single minute you spent in making these videos.

  18. itfreetraining says:

    Thanks. Each video also has sub titles which can be used with Google translate, this may make the videos easier for you to understand.

  19. iSimx says:

    I'm currently learning Windows Server and these video tutorials are absolutely fantastic. Thanks for making them! Makes it really easy to understand.

  20. itfreetraining says:

    Excellent. It is good to hear that you like the videos.

  21. TheUltimateRed says:

    very very communicative!
    thank you a lot 😉
    I saw the other videos, they are all the same good. well done!

  22. itfreetraining says:

    Thanks very much and thanks for watching.

  23. gr8vmfan says:

    Great video! Do you have a video that explains how to have the DNS resolve two .local domains, so that the trust wizard detects that I'm trying to do a forest trust? Thanks.

  24. itfreetraining says:

    We have a few videos on DNS. Basically as long as the Domain Controller can resolve another Domain Controller in the other forest it will work. To do this, you would most likely use a stub zone. If you have access to the other DNS server in the second forest, you could also create a secondary zone on your DNS server.

  25. Francesco Colli says:

    I have a question: so, basically if you migrate users from a domain to another, you cannot use trust anymore, unless you are ad admin?.
    Thank you so much.

  26. itfreetraining says:

    Trusts basically provide a pathway or communication channel, if you will, between different domains and forests. Any user can use the trust to access another domain. Whether the user can access resources in the other domain depends on the permissions that user has.

    When you migrate a user from one domain to another you are deleting the old user and creating a copy in the new domain. If the user can't access something in the old domain they need to have the permissions changed so they can.

  27. yaro137 says:

    What I don't understand is this, you add highcosttraining.local in Domains and Trusts but how do you get your itfreetraining.local to communicate with the other forest in the first place?

  28. itfreetraining says:

    I think that you are referring to a transitive trust. A transitive trust is like a road. If you had two islands and built a bridge between them, a car could drive between the islands and also to any destination on either island. When a forest trust is created between two forests, the forest trust is transitive and thus allows access from any domain in either forest to any other domain in the other forest.

  29. itfreetraining says:

    Unless you are referring to how it finds the other forest. In that case you need to configure your DNS so it can resolve the other forest. For example, create a stub zone, use conditional forwarding or a secondary zone if you have access to their DNS.

  30. yaro137 says:

    Would this mean if the other forest trusts yet another forest our first forest will trust it as well?

  31. itfreetraining says:

    I think you mean if forest A trusts forest B and forest B trusts forest C, would forest A trust forest C? The answer is no. Forest trusts allow access to any other domain in the other forest, but do not grant access to other forests if indirectly connected. Forests need to be directly connected in order to trust each other.

  32. yaro137 says:

    Thanks for the answer. Congratulations on excellent videos.

  33. itfreetraining says:

    Thanks very much.

  34. Vivek Mishra says:

    The Best Videos I ever watched….I been seen Train Signal and CBTS.. but your videos are the Best…Hatttss Off to you…i am just sad have interview today and why I not watched them on past

  35. itfreetraining says:

    Thanks very much. I hope that your interview went well.

  36. Steven Rix says:

    Awesome video, this is just what i needed. For an external trust, do not forget to configure your DNS as a secondary zone or conditional forwarder for each domain.

  37. itfreetraining says:

    Glad you like the video. You are correct, for an external trust you need to be able to resolve the other domain and DNS is a good way to do this.

  38. getsufuma812 says:

    Thanks… i learnt a lot from your video.. better than reading text … 😀

  39. itfreetraining says:

    Great, good to hear.

  40. AwelsTech says:

    just a question out of curiosity…..would it be possible for you to present a graphical view of real world setup of domain and domain controller…for example…company A, has no of dc's, member servers, clients computers, dns & dhcp server and everything that is required to run a real domain.

  41. itfreetraining says:

    I think network diagrams would help in this case. We are working on virtual lab and network diagram for the videos. I think this would help.

  42. Jeff Carter says:

    Great video.One of the best I've seen during my 18 year IT career.

  43. itfreetraining says:

    Thanks very much. Glad to hear that you liked the video so much.

  44. Anup Rai says:


  45. Prakash Venkatrao says:

    good jo sir

  46. itfreetraining says:

    Thank you.

  47. itfreetraining says:

    The DNS server needs to be configured to be able to resolve requests for the other domain. So it needs to be configured to used stub zones or conditional forwarding.

  48. itfreetraining says:

    As long as DNS is set up to resolve the other domain you will be able to add the trust. Have a look at our videos on DNS forwarding and stub zones.

  49. gourish mesta says:

    Very nice video.. In Domains and Trust I need understand that, If I takeover another company and I want to create new trust between my company and takeover company. So in that point of time for both organization servers IP address network should be same or we can have any series IP network?

    Thanks in Advance..

  50. itfreetraining says:

    I think you are referring to the IP Addresses used in each company. Effectively these can be any IP Addresses, as long as the routers in each company can route the data effectively. If both companies use the same IP Address ranges this will not work. However, if there are address overlaps, it is possible to have only certain resources available. For example, make available a domain controller and other resources on a DMZ network for the other company.

  51. Ben McDevitt says:

    is a host file change sufficient enough to get the trust working?

  52. itfreetraining says:

    Yes it is, as long as the other domain is resolvable it will work.

  53. Alex says:

    Very good and well explained the material. Keep up with the good work and many thanks for helping us understand better.

  54. itfreetraining says:

    Thanks for watching.

  55. Steven Xu says:

    Thank you so much, I like those training videos, really helped.

  56. ace apostol says:

    Just want to ask if Forest A had 192.168.10.X and Forest B had 192.168.11.X is it possible they can see each other?  Thank you so much for making informative video tutorial.. 

  57. Krishna Sharma says:

    Awesome… Real Informative vids for free.. Respect for you Kind sir !!

  58. Fernando Enrile says:

    Thank you sir! very informative, i will check out the entire video series for AD! Cheers! 🙂

  59. Elnur Taghiyev says:

    I have one question
    in the video you showed how you give "allowed to authenticate" permission to a user from a trusted domain to the DC in a trusting domain. But you didn't show how you actually perform such authentication.  Does it mean you may login to a workstation of the trusting domain using the user of the trusted domain?
    When i do that it says the computer you are signing into is protected by an authentication firewall…….

  60. Vinicius DellAglio says:

    Hi, congrats on the excellent video. I guess the external trust explanation is lacking some information: 1- it is not exclusive to use with windows nt, you can use it with any newer windows server version; 2- it also can be used when you want to have a trust between two child domains from different forests and these forests are not joined in a forest trust.

  61. Steve Lewish says:

    Many thanks to explain SID filtering.
    Very good video tutorial.

  62. Richard Brightwell says:

    Stellar training video. I don't think there is any room for improvement. Thank you!

  63. Ramesh D says:

    Thank you so much ..!! very informative.

  64. Omar Limachi Cruz says:

    Thank you.

  65. De me says:

    This channel is great!! thanks you very much itfreetraining!!!

  66. Shanmugam Rajamanickam says:

    Thanks. In your Demo Passwords entered by you are not same.

  67. plsdont says:

    BIG like

  68. stringsnare says:

    I really wish I had been watching these videos; exams are so damn convoluted and some of the info written so terribly. These videos simplify everything. It's too bad you don't have anything for MCSA 2012 or 2016. I hope this channel makes vids for those exams too.

  69. abhimanyu singh Shekhawat says:

    The shortcut trust was already there before Creating it..:D

  70. Rajan Mathew says:

    I appreciate your determination to your work. commented the missing things even after one year.

  71. CautionCU says:

    still relevant xD

  72. Marielle Anne Tia says:

    Thank you so much its way easier now ❤

  73. Eddy Cuevas says:

    10:03 "It is important that your DNS can resolve the other end" thank you so much! I was getting nut because I didn't have that bit of information
