4.3 - Trusts

Trusts

https://learn.microsoft.com/it-it/entra/identity/domain-services/media/concepts-forest-trust/forest-trusts-diagram.png

A trust is a relationship between two domains or forests that allows users from one domain or forest to access resources in another. Trusts can be either automatic (such as parent-child trusts within the same forest) or manually established (such as external or forest trusts).

Trusted Domain Objects (TDOs) are used to represent these trust relationships within a domain.

Trust Direction

• One-Way Trust: A unidirectional relationship where users in the trusted domain can access resources in the trusting domain, but not the other way around.

• Two-Way Trust: A bidirectional relationship where users from both domains can access resources in each other's domains.

Trust Transitivity

• Transitive Trusts: These can be extended to establish trust with additional domains. All default intra-forest trusts (such as tree-root and parent-child) are two-way transitive trusts.

• Non-Transitive Trusts: These trusts cannot be extended to other domains. They can either be one-way or two-way. Non-transitive trusts are typically created between two domains in different forests (known as external trusts).

---

Default (Automatic) Trusts

• Parent-Child Trust: Created automatically when a new domain is added under an existing domain in the namespace hierarchy. Example: dollarcorp.moneycorp.local is a child domain of moneycorp.local. Always two-way and transitive.

• Tree-Root Trust: Created automatically when a new domain tree is added to a forest. Always two-way and transitive.

External Trusts

• Established between two domains in different forests when the forests themselves do not have a trust relationship.

• Can be one-way or two-way.

• Always non-transitive.

Forest Trusts

• Created between the root domains of two forests.

• Cannot be automatically extended to additional forests (i.e., no implicit transitive trust with a third forest).

• Can be either one-way or two-way, and are transitive within the connected forests.

---

Domain Trust Enumeration

To enumerate domain trusts:

# List all domain trusts for the current domain
Get-DomainTrust

# List trusts for a specific domain
Get-DomainTrust -Domain us.dollarcorp.moneycorp.local

# Using Active Directory module
Get-ADTrust
Get-ADTrust -Identity us.dollarcorp.moneycorp.local

---

Forest Enumeration

To map information about the forest:

# Get details about the current forest
Get-Forest
Get-Forest -Forest eurocorp.local

# Using Active Directory module
Get-ADForest
Get-ADForest -Identity eurocorp.local

Retrieve all domains in the current forest:

Get-ForestDomain
Get-ForestDomain -Forest eurocorp.local

(Get-ADForest).Domains

Retrieve all global catalogs for the forest:

Get-ForestGlobalCatalog
Get-ForestGlobalCatalog -Forest eurocorp.local

Get-ADForest | Select-Object -ExpandProperty GlobalCatalogs

Map forest trust relationships (if any exist):

Get-ForestTrust
Get-ForestTrust -Forest eurocorp.local

# Alternative using Active Directory module
Get-ADTrust -Filter 'msDS-TrustForestTrustInfo -ne "$null"'

Labs

• Learning Object 4 lab