Understanding transitive trusts
In Chapter 1, I mentioned that Windows 2000 leaves the legacy of ridiculously confusing domain trust relationships behind with the implementation of Kerberos transitive trusts. Kerberos is the security protocol in Windows 2000, replacing Windows NT LAN Manager (NTLM), and Kerberos trusts are a tremendous improvement over the manual trust options in Windows NT. Kerberos trusts are two-way transitive trust relationships that are automatically created and configured by the Active Directory within a forest. The beauty of Kerberos trusts is that they work well, and you, as the administrator, do not have to do anything to configure them (which is always a plus).
Note
NTLM is still supported in Windows 2000 for backward compatibility, but Kerberos is the primary and preferred security protocol.
As I said, Kerberos trusts are always two-way and transitive. That is, if Domain A trusts Domain B, then Domain B automatically trusts Domain A (two-way); and if Domain A trusts Domain B and Domain B trusts Domain C, then Domain A transitively trusts Domain C (transitive). Kerberos trusts are shown in Figure 3-7.
Part I Planning an Active Directory Deployment
Figure 3-7: Kerberos transitive trust (A and B Kerberos trust; B and C Kerberos trust; A and C transitively trust each other)
The great thing about transitive trust relationships is that they reduce the number of relationships that must be established and maintained by the Active Directory. Due to the transitive nature of the Kerberos trusts, a domain needs to trust only one other domain to actually have access to all other domains in the forest. This is also true with multiple domain tree forests. When multiple forests are created, transitive trusts are automatically configured between the forest roots. For example, consider Figure 3-8.
3 Planning an Active Directory Structure
Figure 3-8: Transitive trusts. The Triton Forest contains two domain trees: triton.com (with production.triton.com, namerica.production.triton.com and samerica.production.triton.com) and actondev.com (with prod.actondev.com and dev.actondev.com). All double arrows represent a two-way direct Kerberos trust.
Suppose, for example, that a user in namerica.production.triton.com needs to access a resource in prod.actondev.com. There is no direct trust relationship between the two domains, but the user, assuming he or she has appropriate permissions for the resource, will still be able to transitively access the resource. This is all because namerica.production.triton.com transitively trusts triton.com through production.triton.com, and triton.com transitively trusts prod.actondev.com through actondev.com, as you can see in Figure 3-9.
Figure 3-9: Access through transitive trusts (Triton Forest: triton.com, actondev.com, production.triton.com, prod.actondev.com, dev.actondev.com, namerica.production.triton.com, samerica.production.triton.com; the path from namerica.production.triton.com to prod.actondev.com is marked as transitive at each hop)
Consider one more example. A user in dev.actondev.com needs to access a resource in production.triton.com. There is no direct trust relationship between these two domains, but the user, with appropriate permissions, can still access the resource through the transitive trust. dev.actondev.com transitively trusts triton.com through actondev.com. Since triton.com directly trusts production.triton.com, the resource can be accessed, as shown in Figure 3-10. As you can see, any scenario I generate comes back to the same truth: if a domain in a tree trusts a domain in another tree, it can reach any domain in the forest through the transitive nature of Kerberos trusts.
Figure 3-10: Access through transitive trust (Triton Forest: triton.com, actondev.com, production.triton.com, prod.actondev.com, dev.actondev.com, namerica.production.triton.com, samerica.production.triton.com; the path from dev.actondev.com to production.triton.com is marked as transitive)
As I mentioned earlier in this section, you do not have to manually create any Kerberos trusts in an Active Directory forest because they are automatically created with each new domain you install. However, you may need to connect some of your Windows 2000 domains to existing Windows NT domains. Windows NT does not support Kerberos, so you cannot configure transitive trusts between the two. You can, however, configure one-way trust relationships as necessary. The Active Directory still supports one-way trusts for backward compatibility purposes with NT style domains. You cannot create one-way trusts between Windows 2000 domains within a forest (and would never want to anyway), but this backward compatibility is provided to help you during transition to a total Windows 2000 network. You can use the Active Directory Domains and Trusts tool to manually configure one-way trusts as necessary.
Cross-Reference
See Chapter 8 to learn more about configuring domain trusts and sites.
There is one other type of trust relationship you may find useful in an Active Directory forest: the cross-link trust relationship. In complex Active Directory forests with several domains and more than one domain tree, you can create cross-link, or shortcut, trusts to speed resource access. Return to the example in Figure 3-9. namerica.production.triton.com needs to access resources on a regular basis in the prod.actondev.com domain due to a new project the two groups are jointly working on. Users can access resources in each other's domain due to the transitive trust, but you can improve network performance by manually creating a transitive cross-link trust between the two domains. This cross-link trust enables the two domains to bypass the transitive trust chain and communicate with each other on a one-on-one basis. This configuration can be helpful in large, complex environments where users in one domain must access resources frequently in another domain for which there is no direct trust relationship.
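The walk-throughs of Figures 3-9 and 3-10 and the cross-link trust just described can be checked with a small model of the Triton Forest. This is an added example, not code from the book: it treats every direct two-way Kerberos trust in Figure 3-8 as an edge, finds the chain of domains a referral must cross with a breadth-first search, and shows how a shortcut trust (the with_shortcut helper, an assumption of this example) collapses that chain.

```python
from collections import deque

# Two-way direct Kerberos trusts from Figure 3-8 (tree-root and parent-child links).
DIRECT_TRUSTS = [
    ("triton.com", "actondev.com"),   # tree-root trust joining the two trees
    ("triton.com", "production.triton.com"),
    ("production.triton.com", "namerica.production.triton.com"),
    ("production.triton.com", "samerica.production.triton.com"),
    ("actondev.com", "prod.actondev.com"),
    ("actondev.com", "dev.actondev.com"),
]


def build_forest(trusts):
    """Adjacency map of the forest; Kerberos trusts are two-way, so add both directions."""
    graph = {}
    for a, b in trusts:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph


def trust_path(graph, source, target):
    """Shortest chain of domains a referral crosses from source to target.

    Returns the list of domains including both ends, or None when no trust
    (direct or transitive) connects them, e.g. an NT domain outside the forest.
    """
    if source not in graph or target not in graph:
        return None
    prev = {source: None}
    queue = deque([source])
    while queue:
        domain = queue.popleft()
        if domain == target:
            path = []
            while domain is not None:
                path.append(domain)
                domain = prev[domain]
            return path[::-1]
        for nxt in sorted(graph[domain]):
            if nxt not in prev:
                prev[nxt] = domain
                queue.append(nxt)
    return None


def with_shortcut(trusts, a, b):
    """Forest after an administrator adds a cross-link (shortcut) trust between a and b."""
    return build_forest(trusts + [(a, b)])
```

Each hop in the returned path is a trust the user's ticket request is referred across, so a shorter path means fewer domain controllers involved in authenticating to the remote resource.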