Understanding Trust Relationships

What are trust relationships

In the Windows NT domain model, domains had to be bound together through trust relationships, simply because the SAM databases used in those domains could not be joined. Where one Windows NT domain trusted another, the members of the trusted domain could access network resources located in the trusting domain. Defining trust relationships between domains eliminates the need for an Administrator to configure duplicate user accounts in multiple domains.

In a trust relationship, the two domains are referred to as the trusting domain and the trusted domain. The trusted domain is the one that holds the user accounts. The trusting domain is the one that holds the network resources those accounts need to reach; it recognizes (accepts) the logon authentications performed by the trusted domain. In Windows NT the logon trust relationship is supported by NTLM (NT LanMan) challenge/response, which allows pass-through authentication of users from the trusted domain. One of the shortfalls of Windows NT trust relationships is that trusts between domains were one-way and nontransitive. This meant that the defined trust relationship ended with the two domains between which the particular trust was created, and the access implied by the trust flowed in one direction only, so a second trust was needed for access in the opposite direction. Because of this, defining and managing trust relationships in the Windows NT domain structure was a cumbersome and labour intensive task. The Windows NT domain worked well in small enterprises where typically only one domain existed. In larger enterprises with multiple domains, Administrators had to define a separate trust between every pair of domains whose users needed to access each other's resources.

In Windows 2000 and Windows 2003, Active Directory is built on the concept of trust relationships between domains. Although the actual concept of trust relationships is not new in Windows Server 2003, there are new trust capabilities and trust types available for Windows Server 2003 Active Directory domains.

In Windows Server 2003, authentication of users or applications across a trust occurs through one of the following protocols:

  • Kerberos version 5, used between Windows 2000 and later Active Directory domains and with non-Windows Kerberos realms.
  • NTLM challenge/response, used with down-level Windows NT 4 domains and as a fallback where Kerberos cannot be used.

The characteristics of Windows Server 2003 trusts are outlined below:

  • Direction: a trust is one-way or two-way. A two-way trust is simply two one-way trusts in opposite directions.
  • Transitivity: a trust is transitive or nontransitive. A transitive trust also extends to the domains that the trust partner itself trusts; a nontransitive trust ends with the two domains between which it is created.
  • Creation: a trust is implicit (created automatically by Active Directory when a domain is added) or explicit (created and managed by an Administrator).

Window Server 2003 Active Directory Forest Trust Capability

Forest trust is a new feature introduced with Windows Server 2003 Active Directory. To better understand the feature, first look at how cross-forest access was arranged in the Windows NT and Windows 2000 domain structures. There, when users located in one forest needed to access resources located in a different forest, an external trust relationship had to be defined between each pair of domains involved. External trusts are nontransitive, so every additional pair of domains needs its own trust, which increases the administrative effort required to create and maintain them. Forest trust, on the other hand, is a single trust created between the root domains of two forests that is transitive across all domains in both forests, and it can be one-way or two-way. The number of trusts that has to be configured is therefore far smaller than in the Windows NT and Windows 2000 domain structures. Note that this transitivity stops at the two forests: a forest trust does not extend to a third forest that one of the two forests happens to trust.

Types of Active Directory Trust Relationships

The types of trust relationships that can be created and configured for Active Directory domains are discussed in this section. As an Administrator for Active Directory Windows Server 2003 domains, it is important to understand the different types of trust that are supported in Windows Server 2003, and to know which trust relationship to create for the different network resource access requirements that exist within your organization.

Planning Considerations for Trust Relationships

Tree-root trust and Parent-child trust are created implicitly by Active Directory when new domains are added to a forest, and both are two-way and transitive. What this means is that you do not need to explicitly create these trusts, nor do you have to perform any configuration or management tasks for them.

Shortcut trust, Realm trust, External trust and Forest trust differ from Tree-root and Parent-child trust in that these four trusts have to be explicitly created and managed. Because of the different types of trust relationships that can be created, you need to plan which type of trust relationship to create for the domains within your Active Directory environment.

Shortcut Trust

Before you can create a shortcut trust, you must be a member of the Domain Admins group in each of the two domains, or of the Enterprise Admins group, and both domains must be Windows Server 2003 domains that reside in the same forest. Shortcut trust is created to speed up authentication between two domains in different trees of the same forest. It is always transitive, and can be one-way or two-way. What a shortcut trust essentially does is shorten the trust path that an authentication request would otherwise traverse, up one tree to the forest root and down the other tree, by providing a direct path between the two domains. Shortcut trust is typically configured in a large forest where users continually need to access resources in domains belonging to different trees. It improves query response performance as well.

The Active Directory tool that you use to create shortcut trust is the Active Directory Domains and Trusts console. The New Trust Wizard lets you choose the authentication level separately for the incoming and the outgoing side of the trust; the level is always applied on the trusting (resource) side. With Domain Wide Authentication, every user from the other domain is automatically authenticated in the trusting domain and is treated as a member of its Authenticated Users group, so access is then controlled purely through the permissions on each resource. With Selective Authentication, users from the other domain are not authenticated anywhere in the trusting domain until you grant them the Allowed to Authenticate permission on the computer objects that host the resources they need; the normal resource permissions still apply on top of that. Selective Authentication is the least-privilege choice and is worth the extra administration when only a few servers have to be reachable from the other domain.

Realm Trust

In order to create realm trust, you must be a member of Enterprise Admins or Domain Admins in the Windows Server 2003 domain, and you must have the permissions required to administer the non-Windows Kerberos version 5 realm. You would typically create realm trust to enable trust between a Windows Server 2003 domain and an MIT Kerberos V5 realm, for example one hosted on UNIX. Realm trust can be created as either transitive or nontransitive, and as either one-way or two-way.

External Trust

To create a one-way or two-way External trust, you need to be a member of Enterprise Admins or Domain Admins in the Windows Server 2003 domain, and a member of the corresponding administrative group (Enterprise Admins or Domain Admins) in the other domain.

External trust is always nontransitive in nature, and is typically used to enable trust between an Active Directory domain and a down-level Windows NT 4 domain, or between two domains in different forests where a full forest trust is not wanted. When the External trust is created, security principals (users, groups and computers) from the external domain can be granted access to network resources in the internal (Windows Server 2003) domain. They are represented there as foreign security principals, which you can examine in the ForeignSecurityPrincipals container of the Active Directory Users And Computers console once Advanced Features are enabled on the View menu. You can explicitly define different authentication levels for incoming External trusts and outgoing External trusts. Windows Server 2003 also applies SID filtering to external trusts by default, so that any SID in a user's authentication data that does not belong to the trusted domain (for example one injected through SIDHistory) is discarded as it crosses the trust. Leave SID filtering enabled unless you have a specific migration requirement, because a compromised trusted domain could otherwise present the SIDs of privileged groups in your own domain.

Forest Trust

You need to belong to the Enterprise Admins groups in each forest that you want to create forest trust between. In addition to this, the domains within each forest and each particular forest have to be raised to the Windows Server 2003 functional level.

Forest trust is typically created when enterprises merge or takeovers occur, and each company within the enterprise still needs to maintain some form of administrative independence. This trust relationship enables users to access Active Directory objects in all domains of both forests covered by the particular forest trust. Forest trust is transitive, and can be one-way or two-way. You would create a one-way Forest trust when users in the trusted forest need to access resources in the trusting forest, but users in the trusting forest do not need to access resources in the trusted forest. You would create a two-way Forest trust in cases where users in either forest need to access resources hosted in the other forest. As with external trusts, SID filtering is enabled by default on forest trusts in Windows Server 2003, and selective authentication can be used to limit the computers that users from the other forest are allowed to authenticate to.
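Before planning new trusts or removing old ones it helps to see what already exists and how each trust is configured. The following Windows PowerShell script is an added example, not code from the original article: it reads the trustedDomain objects stored under CN=System in the local domain through System.DirectoryServices and decodes each trust's type, direction, transitivity, SID filtering and selective-authentication settings. It assumes Windows PowerShell 2.0 or later on a domain-joined machine whose user can read CN=System (any authenticated user can, by default); the numeric values and bit flags are those documented for the trustDirection, trustType and trustAttributes attributes.

```powershell
# Added example, not code from the original article: list the trusts the local
# domain knows about by reading its trustedDomain objects and decoding them.
# Assumes Windows PowerShell 2.0 or later on a domain-joined machine.

# trustDirection and trustType values as stored in Active Directory.
$TrustDirection = @{ 0 = 'Disabled'; 1 = 'Incoming'; 2 = 'Outgoing'; 3 = 'Two-way' }
$TrustType      = @{ 1 = 'Downlevel (Windows NT)'; 2 = 'Uplevel (Active Directory)';
                     3 = 'MIT Kerberos realm';     4 = 'DCE' }

# Bit flags of the trustAttributes attribute.
$TrustAttribute = @{
    NonTransitive     = 0x01
    UplevelOnly       = 0x02
    QuarantinedDomain = 0x04   # SID filtering is enabled on this trust
    ForestTransitive  = 0x08   # this is a forest trust
    CrossOrganization = 0x10   # selective authentication is enabled
    WithinForest      = 0x20   # parent-child, tree-root or shortcut trust
    TreatAsExternal   = 0x40
}

function Get-DomainTrust {
    param(
        # Distinguished name of the domain to inspect; defaults to the local domain.
        [string]$DomainDn = ([ADSI]'LDAP://RootDSE').defaultNamingContext
    )
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=System,$DomainDn"
    $searcher.Filter = '(objectClass=trustedDomain)'
    $null = $searcher.PropertiesToLoad.AddRange(
        [string[]]@('trustPartner', 'flatName', 'trustDirection', 'trustType', 'trustAttributes'))

    foreach ($result in $searcher.FindAll()) {
        $p = $result.Properties          # property names come back in lower case
        $attributes = [int]$p['trustattributes'][0]
        $setFlags = $TrustAttribute.Keys |
            Where-Object { ($attributes -band $TrustAttribute[$_]) -ne 0 } |
            Sort-Object

        New-Object PSObject -Property @{
            Partner       = [string]$p['trustpartner'][0]
            NetBiosName   = [string]$p['flatname'][0]
            Direction     = $TrustDirection[[int]$p['trustdirection'][0]]
            Type          = $TrustType[[int]$p['trusttype'][0]]
            Transitive    = (($attributes -band $TrustAttribute.NonTransitive) -eq 0)
            SidFiltering  = (($attributes -band $TrustAttribute.QuarantinedDomain) -ne 0)
            SelectiveAuth = (($attributes -band $TrustAttribute.CrossOrganization) -ne 0)
            Flags         = ($setFlags -join ',')
        }
    }
}

# Review: an Outgoing or Two-way trust to another forest that shows
# SidFiltering = False, or Transitive = True where you expected an external
# trust, deserves a closer look before you rely on it.
Get-DomainTrust |
    Sort-Object Partner |
    Format-Table Partner, Direction, Type, Transitive, SidFiltering, SelectiveAuth, Flags -AutoSize
```

Direction is reported from the local domain's point of view, matching the wizard's terms: Outgoing means the local domain trusts the partner (the partner's users can be granted access here), Incoming means the partner trusts the local domain. Run the script against each domain in the forest, since every domain stores only its own trustedDomain objects.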

How to create Shortcut trust using Active Directory Domains and Trusts

  1. Open the Active Directory Domains and Trusts console.
  2. In the console tree, locate and right-click the domain for which you want to configure Shortcut trust, and click Properties from the shortcut menu.
  3. When the Properties dialog box of the domain you chose opens, click the Trusts tab
  4. Click the New Trust button at the bottom of the dialog box.
  5. This action starts the New Trust Wizard.
  6. Click Next on the Welcome To The New Trust Wizard page.
  7. When the Trust Name page opens, enter the DNS name of the other domain that you want to create trust with. Click Next.
  8. On the Direction Of Trust page, you can select one of the following options:
    • Two-Way: Click this option if you want to define two-way Shortcut trust. This would mean that users in each domain would be able to access resources in both domains.
    • One-Way: Incoming: This option should be enabled if you only want users of this particular domain to be able to access resources in the other domain.
    • One-Way: Outgoing: This option should be selected if you want users of the other domain to be able to access resources in this particular domain.

    Click Next.

  9. When the Sides Of Trust page opens, you can select one of these options:
    • This Domain Only: Selecting this option creates the Shortcut trust in the local domain.
    • Both This Domain And The Specified Domain: Selecting this option creates the Shortcut trust in the local domain and in the other domain that you indicated.

    Click Next

  10. The New Trust Wizard displays different pages next, based on what you have selected in the previous two steps.
  11. Where Two-Way or One-Way: Outgoing was selected in Step 8, and This Domain Only was selected in Step 9, the wizard displays the Outgoing Trust Authentication Level page. You can select either Domain Wide Authentication or Selective Authentication. Choosing Domain Wide Authentication results in the automatic authentication of users in the other domain for network resources in the local domain. If you select Selective Authentication, the users in the other domain are not automatically authenticated for resources in the local domain. Click Next. The wizard then displays the Trust Password page. This is where you have to set the password for the trust. Click Next.
  12. Where One-Way: Incoming was selected in Step 8, and This Domain Only was selected in Step 9, the wizard displays the Trust Password page. Enter the password for the trust in the boxes. Click Next.
  13. Where Both This Domain And The Specified Domain was selected in Step 9, the wizard displays the User Name And Password page. You have to provide the user name and password of an Administrator account that has the necessary rights in the other domain. Click Next.
  14. The Trust Selections Complete page is displayed next. All the settings that you previously specified are shown on this page. After checking that the configuration settings are correct, click Next.
  15. The New Trust Wizard now creates the shortcut trust relationship.
  16. When the Trust Creation Complete page appears, click Next.
  17. The Confirm Outgoing Trust page allows you to verify outgoing trust. Click Yes, Confirm The Outgoing Trust or click No, Do Not Confirm The Outgoing Trust. Click Next.
  18. The Confirm Incoming Trust page allows you to verify incoming trust. Click Yes, Confirm The Incoming Trust or click No, Do Not Confirm The Incoming Trust. Click Next.
  19. Click Finish when the Completing The New Trust Wizard page is displayed.

How to create Realm trust using Active Directory Domains and Trusts

  1. Open the Active Directory Domains and Trusts console.
  2. In the console tree, locate and right-click the domain for which you want to configure Realm trust, and click Properties from the shortcut menu.
  3. When the Properties dialog box of the domain opens, click the Trusts tab
  4. Click the New Trust button at the bottom of the dialog box.
  5. Click Next on the Welcome To The New Trust Wizard page.
  6. When the Trust Name page opens, enter the DNS name of the other domain for the realm trust. Click Next.
  7. The Trust Type page appears next. Select Realm Trust. Click Next.
  8. When the Transitivity Of Trust page opens, select one of the following options:
    • Nontransitive: Select this option if the Realm trust should apply only between this domain and the realm.
    • Transitive: Select this option if this domain and all domains it trusts should also trust the realm and all realms that the realm trusts.

    Click Next

  9. On the Direction Of Trust page, you can select one of the following options:
    • Two-Way: Click this option if you want to define two-way Realm trust. This would mean that users in the domain and realm would be able to access resources in both the domain and realm.
    • One-Way: Incoming: This option should be enabled if you only want users of this particular domain to be able to access resources in the realm.
    • One-Way: Outgoing: This option should be selected if you only want users of the realm to be able to access resources in this particular domain.

    Click Next

  10. The wizard displays the Trust Password page next. Enter the password for the trust in the boxes. Click Next.
  11. The Trust Selections Complete page is displayed next. All the settings that you previously specified are shown on this page. After checking that the configuration settings are correct, click Next.
  12. The New Trust Wizard creates the Realm trust relationship.
  13. Click Finish on the Completing The New Trust Wizard page.

How to create External trust using Active Directory Domains and Trusts

Before you create the trust, each DNS server that is authoritative for a forest involved in the trust must be able to resolve names in the other forest; otherwise neither the wizard nor the domain controllers can locate the other domain. On Windows Server 2003 you do this by configuring a conditional forwarder for the other forest's DNS domain name in the DNS Administration tool:

  1. Click Start, click Administrative Tools, and click DNS.
  2. Right-click the DNS server, and click Properties from the shortcut menu.
  3. When Properties dialog box of the DNS server opens, click the Forwarders tab.
  4. Click New, and enter the DNS domain name that needs queries to be forwarded.
  5. In the Selected Domain's IP Address List, enter the IP addresses of the servers to which these queries are forwarded.
  6. Click Add
  7. Click OK
  8. Open the Active Directory Domains and Trusts console.
  9. In the console tree, locate and right-click the domain in the initial forest which you want to configure External trust, and click Properties from the shortcut menu.
  10. When the Properties dialog box of the domain opens, click the Trusts tab
  11. Click the New Trust button at the bottom of the dialog box.
  12. Click Next on the Welcome To The New Trust Wizard page.
  13. When the Trust Name page opens, enter the DNS name of the domain in the other forest. Click Next.
  14. The Trust Type page appears next if the forest functional level is raised to Windows Server 2003 forest functional level. Select the External Trust option. Click Next.
  15. The Direction Of Trust page is displayed straight after the Trust Name page if the forest functional level is not raised to Windows Server 2003. You can select one of the following options:
    • Two-Way: Click this option if you want to define two-way External trust. This would mean that users in each domain would be able to access resources in both domains.
    • One-Way: Incoming: This option should be enabled if you only want users of this particular domain to be able to access resources in the other domain.
    • One-Way: Outgoing: This option should be selected if you only want users of the other domain to be able to access resources in this particular domain.

    Click Next

  16. When the Sides Of Trust page opens, you can select one of these options:
    • This Domain Only: Selecting this option creates the trust in the local domain
    • Both This Domain And The Specified Domain: Selecting this option creates the trust in the local domain and in the other domain.

    Click Next

  17. The New Trust Wizard displays different pages next, based on what you selected in the previous two steps.
  18. Where Two-Way or One-Way: Outgoing was selected in Step 15, and This Domain Only was selected in Step 16, the wizard displays the Outgoing Trust Authentication Level page. You can select either Domain Wide Authentication or Selective Authentication. Choosing Domain Wide Authentication results in the automatic authentication of users in the other domain for network resources in the local domain. If you select Selective Authentication, the users in the other domain are not automatically authenticated for resources in the local domain. Click Next. The wizard then displays the Trust Password page. This is where you have to set the password for the trust. Click Next.
  19. Where One-Way: Incoming was selected in Step 15, and This Domain Only was selected in Step 16, the wizard displays the Trust Password page. Enter the password for the trust. Click Next.
  20. Where Both This Domain And The Specified Domain was selected in Step 9, the wizard displays the User Name And Password page. You have to provide the user name and password of an Administrator account that has the necessary rights. Click Next.
  21. When the Trust Selections Complete page is displayed, the settings that you previously specified are shown. After checking that the configuration settings are correct, click Next.
  22. The New Trust Wizard now creates the External trust.
  23. When the Trust Creation Complete page appears, click Next.
  24. The Confirm Outgoing Trust page allows you to verify outgoing trust. Click Yes, Confirm The Outgoing Trust or click No, Do Not Confirm The Outgoing Trust. Click Next.
  25. The Confirm Incoming Trust page allows you to verify incoming trust. Click Yes, Confirm The Incoming Trust or click No, Do Not Confirm The Incoming Trust. Click Next.
  26. Click Finish.

How to create Forest trust using Active Directory Domains and Trusts

You first have to specify a DNS forwarder for each of the DNS servers that are authoritative for the trusting forests before you can use the Active Directory Domains and Trusts console to create Forest trust relationships. Use the DNS Administration Tool to configure the necessary DNS forwarder. In addition to this, ensure that the forest functional level for each forest is set to Windows Server 2003 forest functional level.

  1. Open the Active Directory Domains and Trusts console.
  2. In the console tree, locate and right-click the domain in the initial forest which you want to configure Forest trust for, and click Properties from the shortcut menu.
  3. When the Properties dialog box of the domain opens, click the Trusts tab and then click the New Trust button.
  4. In the Welcome To The New Trust Wizard page, click Next
  5. Enter the DNS name of the domain in the other forest on the Trust Name page. Click Next.
  6. In the Trust Type page, select the Forest Trust option. Click Next.
  7. On the Direction Of Trust page select one of the following options:
    • Two-Way: Click this option if you want to define two-way Forest trust. This would mean that users in each forest would be able to access resources in both forests.
    • One-Way: Incoming: This option should be enabled if you only want users of this particular forest to be able to access resources in the other forest.
    • One-Way: Outgoing: This option should be selected if you only want users of the other forest to be able to access resources in this particular forest.

    Click Next

  8. When the Sides Of Trust page opens, you can select one of these options:
    • This Domain Only: Selecting this option creates the trust in the local forest.
    • Both This Domain And The Specified Domain: Selecting this option creates the trust in the local forest and in the other forest.

    Click Next

  9. Where Two-Way or One-Way: Outgoing was selected in Step 7, and This Domain Only was selected in Step 8, the wizard displays the Outgoing Trust Authentication Level page. You can select either Domain Wide Authentication or Selective Authentication. Choosing Domain Wide Authentication results in the automatic authentication of users in the other forest for network resources in the local forest. If you specify Selective Authentication, the users in the other forest are not automatically authenticated for resources in the local forest. Click Next. The wizard then displays the Trust Password page. This is where you have to set the password for the trust. Click Next.
  10. Where One-Way: Incoming was selected in Step 7, and This Domain Only was selected in Step 8, the wizard displays the Trust Password page. Enter the password for the trust. Click Next.
  11. Where Both This Domain And The Specified Domain was selected in Step 8, the wizard displays the User Name And Password page. You have to provide the user name and password of an Administrator account that has the necessary rights. Click Next.
  12. When the Trust Selections Complete page is displayed, the settings that you previously specified are shown. After checking that the configuration settings are correct, click Next.
  13. The New Trust Wizard now creates the Forest trust.
  14. When the Trust Creation Complete page appears, click Next.
  15. The Confirm Outgoing Trust page allows you to verify outgoing trust. Click Yes, Confirm The Outgoing Trust or click No, Do Not Confirm The Outgoing Trust. Click Next.
  16. The Confirm Incoming Trust page allows you to verify incoming trust. Click Yes, Confirm The Incoming Trust or click No, Do Not Confirm The Incoming Trust. Click Next.
  17. Click Finish on the Completing The New Trust Wizard page.

How to remove existing Active Directory trust relationships

  1. Open the Active Directory Domains And Trusts console.
  2. In the console tree, right-click a domain that is specified in the trust relationship which you want to remove, and select Properties from the shortcut menu.
  3. Click the Trusts tab.
  4. Use the Domains Trusted By This Domain (Outgoing Trusts) box to select the trust you want to remove.
  5. Click the Remove button alongside the box.
  6. If you want to remove the trust from the local domain only, click the No, Remove The Trust From The Local Domain Only option, and click OK
  7. If you want to remove the trust from the local domain and the other domain, click the Yes, Remove The Trust From Both The Local Domain And The Other Domain option. Enter the appropriate user name and password combination in the User Name and Password boxes and click OK.
  8. Click Yes to verify that you want to remove the trust relationship.
  9. Use the Domains That Trust This Domain (Incoming Trusts) box to select the trust you want to remove.
  10. Choose the appropriate option in the Active Directory dialog box, and then click OK
  11. Click Yes to verify that you want to remove the trust relationship.

How to validate existing Active Directory trust relationships

  1. Open the Active Directory Domains And Trusts console
  2. In the console tree, right-click a domain that is defined in the trust relationship which you want to validate, and select Properties from the shortcut menu.
  3. Click the Trusts tab
  4. You can select the trust you want to examine in one of the following boxes:
    • Domains Trusted By This Domain (Outgoing Trusts) box
    • Domains That Trust This Domain (Incoming Trusts) box
  5. After you have selected the trust, click the Properties button.
  6. When the Properties dialog box of the trust opens, click the Validate button.
  7. If you only want to verify outgoing trust, click the No, Do Not Validate The Incoming Trust option and click OK.
  8. If you want to verify incoming trust and outgoing trust, click Yes, Validate The Incoming Trust option. Enter the appropriate user name and password combination in the User Name and Password boxes and click OK
  9. After the trust is validated, a message is displayed indicating this.
  10. Click OK

How to create and manage trust relationships using the Windows Domain Manager Command-line Tool

You can use the Windows Domain Manager command line tool to create and manage Active Directory trusts. Netdom.exe is included with the Windows Support Tools available on the Windows Server 2003 Setup CD-ROM.

The netdom trust command is used to create and manage trusts:

netdom trust TrustingDomainName /d:TrustedDomainName [/ud:[Domain\]User] [/pd:{Password|*}] [/uo:User] [/po:{Password|*}] [/verify] [/reset] [/passwordt:NewRealmTrustPassword] [/add [/realm]] [/remove [/force]] [/twoway] [/kerberos] [/transitive[:{YES|NO}]] [/verbose]

TrustingDomainName is the domain whose resources are to be accessed, and /d: names the trusted (account) domain. /ud and /pd supply credentials for the trusted domain, /uo and /po supply credentials for the trusting domain; giving * as the password makes netdom prompt for it instead of leaving it in the command history. /verify checks the secure channel of an existing trust, /reset re-establishes it, and /passwordt sets the shared password for a realm trust.
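As an added example, not part of the original article, the following Windows PowerShell script drives netdom.exe to perform the same operations as the wizard procedures above: check that the other domain can be located, create a two-way external trust on both sides, confirm that SID filtering is on, verify the trust in both directions, and create a nontransitive realm trust. The domain names, realm name and account names are placeholders, and the /quarantine switch is a netdom switch not listed in the synopsis above (an assumption based on the Windows Server 2003 Support Tools version of netdom). It assumes netdom.exe and nltest.exe are on the path and that you hold the administrative rights described above in both domains.

```powershell
# Added example, not code from the original article: the netdom equivalents of
# the New Trust Wizard procedures. All names below are placeholders.
$Trusting = 'corp.example.com'     # resource (trusting) domain, administered here
$Trusted  = 'partner.example.net'  # account (trusted) domain in the other forest
$Realm    = 'KRB.EXAMPLE.ORG'      # MIT Kerberos V5 realm for the realm-trust case

$TrustingAdmin = "$Trusting\Administrator"
$TrustedAdmin  = "$Trusted\Administrator"

function Invoke-Netdom {
    # Runs netdom with the given arguments and turns a non-zero exit code into a
    # terminating error, so a failed step cannot pass unnoticed as a created trust.
    param([string[]]$Arguments)
    Write-Host "netdom $($Arguments -join ' ')"
    & netdom.exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "netdom failed with exit code $LASTEXITCODE" }
}

# 1. Name resolution first (the DNS forwarder prerequisite): a domain controller of
#    the other domain has to be locatable before the wizard or netdom can bind to it.
& nltest.exe "/dsgetdc:$Trusted"
if ($LASTEXITCODE -ne 0) {
    throw "Cannot locate a domain controller for $Trusted; fix DNS forwarding before creating the trust"
}

# 2. Two-way external trust, created on both sides in one operation.
#    /pd:* and /po:* prompt for the passwords instead of embedding them here.
Invoke-Netdom @('trust', $Trusting, "/d:$Trusted", '/add', '/twoway',
                "/ud:$TrustedAdmin", '/pd:*', "/uo:$TrustingAdmin", '/po:*')

# 3. Confirm SID filtering (quarantine) is on. Windows Server 2003 enables it by
#    default on new external trusts; this makes the setting explicit so a later
#    migration tool or administrator cannot silently leave it off.
Invoke-Netdom @('trust', $Trusting, "/d:$Trusted", '/quarantine:yes',
                "/uo:$TrustingAdmin", '/po:*')

# 4. Verify the secure channel in both directions; this is what the wizard's
#    Confirm Outgoing Trust and Confirm Incoming Trust pages do.
Invoke-Netdom @('trust', $Trusting, "/d:$Trusted", '/verify', '/twoway',
                "/ud:$TrustedAdmin", '/pd:*', "/uo:$TrustingAdmin", '/po:*')

# 5. Nontransitive one-way realm trust to a non-Windows Kerberos realm. The same
#    trust password must be configured on the realm's KDC; it is read here rather
#    than stored in the script.
$RealmTrustPassword = Read-Host 'Trust password to share with the realm KDC'
Invoke-Netdom @('trust', $Trusting, "/d:$Realm", '/add', '/realm',
                "/passwordt:$RealmTrustPassword", '/transitive:NO',
                "/uo:$TrustingAdmin", '/po:*')

# 6. Removal mirrors the console's "remove the trust from both domains" option;
#    uncomment when decommissioning the trust.
# Invoke-Netdom @('trust', $Trusting, "/d:$Trusted", '/remove',
#                 "/ud:$TrustedAdmin", '/pd:*', "/uo:$TrustingAdmin", '/po:*')
```

Run the script interactively on a domain controller of the trusting domain, since the password prompts need a console. Creating the trust with netdom does not change what the trust grants: users from the trusted domain still only reach the resources whose permissions (and, with selective authentication, Allowed to Authenticate rights) you give them.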




Copyright 2009 Tech-FAQ. All rights reserved. Privacy Policy.