Domain Trusts
One-Way vs Two-Way Trust
In a one-way trust, Domain A trusts Domain B, so users in Domain B can access resources in Domain A, but not the other way around: users in Domain A cannot access resources in Domain B.
In a two-way trust, users from Domain A can access resources in Domain B and vice versa.
Transitive vs Non-Transitive Trust
In a transitive trust, if Domain A trusts Domain B, and Domain B has a transitive trust with Domain C, then Domain A also trusts Domain C. In other words, the trust extends to whatever the trusted domain (here B) trusts.
In a non-transitive trust, A would only trust B.
Types of Trusts
Child-Parent Trust
A child-parent trust is automatically created when a child domain is added to a parent domain. By default, this trust is both two-way and transitive.
Tree-Root Trust
Within the same forest, when a new domain tree root is added, a two-way transitive trust is created between the new tree root and all other existing tree roots.
In the picture below, two tree root domains exist: the first is corp.tailspintoys.com and the second is corp.wingtiptoys.com. The green circled arrow represents the two-way transitive trust between the two tree roots.
Forest Trusts
Trust relationships may exist between two forests. The trust relationship is established between the forest root domains of each forest. By default, the trust between two forest roots is transitive; it can be one-way or two-way. For example, the image below from Microsoft Learn illustrates a bidirectional (two-way) trust between forests:
Users in Forest 1 can access resources in any domain in Forest 2, and vice versa.
Users in Forest 2 can access resources in any domain in Forest 1 and Forest 3, and vice versa.
Users in Forest 1 can NOT access resources in domains in Forest 3: a forest trust is only transitive between the two forests that establish it and cannot be extended to a third forest. For users in Forest 1 to access resources in Forest 3, a trust relationship between those two forests has to be explicitly created.
External Trust
A one-way, non-transitive trust between two domains in different forests. It has to be established manually, and SID filtering is applied to it.
Short-cut or Cross-link Trust
A one-way, non-transitive trust between two child domains. A direct trust is established between the two child domains to shorten the authentication path between them.
Trust Enumeration
Get all trust relationships
The image below shows the kind of information we can get from the PowerView Get-DomainTrust command. The SourceName column indicates the domain from which the command was executed. We can also extract information about the TrustDirection and the TrustAttributes.
From the output below, we can see that a Parent-Child trust relationship exists between the Inlanefreight.local and logistics.inlanefreight.local domains. Another forest trust relationship exists between Inlanefreight.local and freightlogistics.local. Again, this second trust relationship is transitive and bidirectional.
The same kind of information can be retrieved using the Get-ADTrust command from the PowerShell ActiveDirectory module.
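The TrustDirection and TrustAttributes columns shown by Get-DomainTrust and Get-ADTrust are decoded from the raw trustDirection and trustAttributes values stored on the trustedDomain objects in the directory. The following is an added example (not part of the original notes or of PowerView) that decodes those raw values using the flag names from MS-ADTS and maps each trust to the categories described above; the sample records are constructed to mirror the Inlanefreight scenario, with a third, hypothetical external trust added to show the SID filtering flag.

```python
# Decode trustDirection / trustAttributes from AD trustedDomain objects
# into the trust categories described above. Flag values follow MS-ADTS.

TRUST_DIRECTION = {0: "Disabled", 1: "Inbound", 2: "Outbound", 3: "Bidirectional"}

TRUST_ATTRIBUTES = {
    0x0001: "NON_TRANSITIVE",
    0x0002: "UPLEVEL_ONLY",
    0x0004: "QUARANTINED_DOMAIN",  # SID filtering enforced on this trust
    0x0008: "FOREST_TRANSITIVE",
    0x0010: "CROSS_ORGANIZATION",
    0x0020: "WITHIN_FOREST",       # parent-child or tree-root trust
    0x0040: "TREAT_AS_EXTERNAL",
    0x0080: "USES_RC4_ENCRYPTION",
    0x0200: "CROSS_ORGANIZATION_NO_TGT_DELEGATION",
    0x0400: "PIM_TRUST",
    0x0800: "CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION",
}

def decode_attributes(value):
    """Return the names of all flags set in a trustAttributes bitmask."""
    return [name for bit, name in TRUST_ATTRIBUTES.items() if value & bit]

def classify_trust(direction, attributes):
    """Map raw trustDirection / trustAttributes to a trust category."""
    flags = decode_attributes(attributes)
    if "WITHIN_FOREST" in flags:
        kind = "intra-forest (parent-child or tree-root)"
    elif "FOREST_TRANSITIVE" in flags:
        kind = "forest trust"
    else:  # neither intra-forest nor forest-wide: external (or realm) trust
        kind = "external trust"
    return {
        "kind": kind,
        "direction": TRUST_DIRECTION.get(direction, "Unknown"),
        "transitive": "NON_TRANSITIVE" not in flags,
        "sid_filtering": "QUARANTINED_DOMAIN" in flags,
        "flags": flags,
    }

# Constructed sample records (source, target, trustDirection, trustAttributes);
# EXTERNAL.EXAMPLE is a hypothetical external trust, not from the notes above.
SAMPLE_TRUSTS = [
    ("INLANEFREIGHT.LOCAL", "LOGISTICS.INLANEFREIGHT.LOCAL", 3, 0x20),
    ("INLANEFREIGHT.LOCAL", "FREIGHTLOGISTICS.LOCAL", 3, 0x08),
    ("INLANEFREIGHT.LOCAL", "EXTERNAL.EXAMPLE", 2, 0x04 | 0x01),
]

def summarize(records=SAMPLE_TRUSTS):
    """Classify every record, keyed by the target domain name."""
    return {target: classify_trust(d, a) for _, target, d, a in records}

if __name__ == "__main__":
    for target, info in summarize().items():
        print(f"{target}: {info['kind']}, {info['direction']}, flags={info['flags']}")
```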