Validating domain trusts

09-Oct-2020 15:02

In order to create realm trust, users should have Enterprise Admin or Domain Admin permissions for the Windows Server 2003 domain and should have the permissions required for the non-Windows Kerberos version 5 realm.

Users would typically create realm trust to enable trust between a Windows Server 2003 domain and a MIT or Unix v5 Kerberos realm.

Forest trust is a new feature introduced with Windows Server 2003 Active Directory.

To better understand the feature, first look at how forest trust was established in the Windows NT and Windows 2000 domain structures.

Shortcut trust improves query response performance as well.

The Active Directory tool used to create shortcut trust is the Active Directory Domains and Trusts console.

This in turn increases the Administrative effort required to create and maintain the external trusts needed to enable forest trust in the Windows NT and Windows 2000 domain structures.

Users need to belong to the Enterprise Admins groups in each forest that they want to create forest trust between.

What shortcut trust essentially does is it shortens the trust path traversed for authentication requests made between domains of different trees.

Shortcut trust is typically configured in an intricate forest where users continually need to access resources of domains belonging to different trees.

The console enables users to specify selective authentication for incoming shortcut trust and outgoing shortcut trust.

What this means is that users can set authentication differently for the two forms of trust.Before any shortcut trusts can be created, users must be a member of the Enterprise Admin or Domain Admin groups in each domain in the forest.