One NT domain is said to trust another when the former, called the trusting domain, relies on the latter, the trusted domain, to authenticate the users who will access the trusting domain's resources. For example, a user logs into the trusted domain and then opens a file in the trusting domain without logging into the latter. The trusted domain provides the trusting domain with the user's Security Access Token, which the latter uses to determine if the user has the requisite permissions in the file's Access Control List.
Establishing a trust relationship between two domains requires the active participation of the administrators of both domains. The process typically begins with the trusted domain, where the administrator enters the name of the trusting domain and a password. Then the trusting domain's administrator can set up the other side of the relationship, entering the trusted domain's name and the same password. This password serves to provide both domains with a shared secret. Both domains use the password to encrypt communications between them.
Trust relationships between domains are strictly one-way and point-to-point. In other words, the fact that domain B trusts domain A does not mean that A trusts B. The administrators of both domains would have to set up the latter relationship separately if they need two-way trust. In addition, the trust relationship between one domain and another ends with the trusted domain and isn't transitive to other domains. For example, assume domain A trusts B and B trusts C. Under these circumstances, A does not trust C, although B is a common point. For A to trust C, the administrators of A and C must set up a separate trust relationship.
Internet FAQ top