The tree-root trust is a trust that is created between any child domain and the root domain. This is especially needed in large organizations that might have multiple levels of child domains. This relationship will allow any user in the domain to have access to any resource in the domain if the user has the proper permissions granted.Īn additional transitive, two-way trust is created to simplify the navigation, the tree-root trust. Because the trusts are transitive, these requests pass upwards from child to parent until they reach the root of the domain namespace. It allows authentication requests made in the child domain to be validated in the parent domain.
The default trust relationships inside a Windows 2000 and Windows Server 2003 forest are transitive, two-way trusts.Ī parent and child trust is a transitive, two-way trust relationship. Four additional types of trusts can be created using the New Trust Wizard or the command-line utility netdom. When the Active Directory Installation Wizard is used to create a new domain within an existing forest, two default trusts are created: a parent and child trust, and the tree-root trust.
To take full advantage of these relationships, the administrator must know about the various types of trust that exist, and when to use them. Administrators can now add the users of the other domains to their access control lists (ACLs) to control access to a resource. The primary advantage of these relationships is that administrators no longer need to create multiple user accounts for each user who needs access to resources within each domain. On the exam, you might be given a scenario that will require you to determine the type of trust that will best meet the requirements in the scenario.īecause there are several new types of trust, you should ensure that you know when it is appropriate to use the different trusts. On the day of the test you will want to review the types of trusts as well as when to use each of the different trusts.
A shortcut trust, as its name indicates, creates a direct trust between the two domains in different trees. Connection is quicker because, when two domains in different trees connect via the implicit trusts that exist by default, the trust path must go all the way up the tree to the root domain, across to the other tree’s root domain, and back down the second tree. By creating a shortcut, one domain can connect with another quickly, improving logon times between domains. This type of trust is used to connect two domains in a forest, and is particularly useful when the domains are in different trees. This means that either one domain can trust another but not vice versa, or both domains can trust each other. In addition to this type of trust, additional trusts can be created: ▪Ī shortcut trust is transitive, and can be either one-way or two-way. The two-way transitive trust means that both domains trust one another, as well as any other domains with which they have similar trust relationships. Earlier, we discussed how parent and child domains and domain trees use a two-way transitive trust to share resources between domains. Using the Active Directory Domains and Trusts console, you can create a variety of different types of trusts between domains and forests. However, it is recommended that you run this command on the Schema Master. You can run this command on any DC in the forest. To run adprep /rodcprep you have to be a member of the Enterprise Admins group of Active Directory. Only one Infrastructure Master is needed per domain. You must run this command from each Infrastructure Master FSMO role in each domain after you have run adprep /forestprep in the forest. To run adprep /domainprep you have to be a member of the Domain Admins or Enterprise Admins group of Active Directory. Only one Schema Master is needed per forest. You must run this command from the DC in the forest that has the Schema Master FSMO role. To run adprep /forestprep you have to be a member of the Enterprise Admins and Schema Admins groups of Active Directory. Make sure the SYSVOL folder is accessible to clients. Making sure the installation was successful, you can verify the AD DS installation by checking the following: ▪Ĭheck the Directory Service log in Event Viewer for errors.