# 4.3 - Trusts

## **Trusts**

<figure><img src="/files/KzS7SBr7AmhZ7vyq8KSC" alt=""><figcaption><p><a href="https://learn.microsoft.com/it-it/entra/identity/domain-services/media/concepts-forest-trust/forest-trusts-diagram.png">https://learn.microsoft.com/it-it/entra/identity/domain-services/media/concepts-forest-trust/forest-trusts-diagram.png</a></p></figcaption></figure>

A **trust** is a relationship between two domains or forests that allows users from one domain or forest to access resources in another.\
Trusts can be either **automatic** (such as parent-child trusts within the same forest) or **manually established** (such as external or forest trusts).

**Trusted Domain Objects (TDOs)** are used to represent these trust relationships within a domain.

### Trust Direction

* **One-Way Trust**:\
  A unidirectional relationship where users in the *trusted domain* can access resources in the *trusting domain*, but not the other way around.
* **Two-Way Trust**:\
  A bidirectional relationship where users from both domains can access resources in each other's domains.

### Trust Transitivity

* **Transitive Trusts**:\
  These can be extended to establish trust with additional domains.\
  All default intra-forest trusts (such as tree-root and parent-child) are **two-way transitive trusts**.
* **Non-Transitive Trusts**:\
  These trusts **cannot** be extended to other domains. They can either be one-way or two-way.\
  Non-transitive trusts are typically created between two domains in different forests (known as *external trusts*).

***

### Default (Automatic) Trusts

* **Parent-Child Trust**:\
  Created automatically when a new domain is added under an existing domain in the namespace hierarchy.\
  Example: `dollarcorp.moneycorp.local` is a child domain of `moneycorp.local`.\
  Always **two-way** and **transitive**.
* **Tree-Root Trust**:\
  Created automatically when a new domain tree is added to a forest.\
  Always **two-way** and **transitive**.

### External Trusts

* Established between **two domains in different forests** when the forests themselves do not have a trust relationship.
* Can be **one-way** or **two-way**.
* Always **non-transitive**.

### Forest Trusts

* Created between the **root domains** of two forests.
* Cannot be automatically extended to additional forests (i.e., no implicit transitive trust with a third forest).
* Can be either **one-way** or **two-way**, and are **transitive** within the connected forests.
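The direction, transitivity and kind described above are stored on each Trusted Domain Object in the `trustDirection` and `trustAttributes` attributes (values per MS-ADTS). The following helper, an added example rather than code from the course notes, classifies TDO records using that taxonomy and also reports whether SID filtering is enforced on the trust; the three sample records are constructed and reuse the domain names from this page.

```python
# Classify Active Directory trustedDomain objects (TDOs) by direction, transitivity
# and kind, and report whether SID filtering ("quarantined domain") is enforced.
# Attribute values follow MS-ADTS: trustDirection and the trustAttributes bit flags.

# trustDirection values. Direction is seen from the local domain: an outbound trust
# means this domain trusts the partner (the partner's users can reach our resources);
# an inbound trust means the partner trusts this domain.
TRUST_DIRECTION = {0: "disabled", 1: "inbound", 2: "outbound", 3: "two-way"}

# trustAttributes bit flags
NON_TRANSITIVE = 0x0001
QUARANTINED = 0x0004        # SID filtering enforced on this trust
FOREST_TRANSITIVE = 0x0008  # forest trust between forest root domains
WITHIN_FOREST = 0x0020      # intra-forest trust (parent-child or tree-root)


def classify_trust(local_domain, tdo):
    """Return the kind, direction, transitivity and SID-filtering state of one TDO."""
    partner = tdo["name"].lower()
    attrs = tdo["trustAttributes"]
    direction = TRUST_DIRECTION.get(tdo["trustDirection"], "unknown")

    if attrs & WITHIN_FOREST:
        # Default intra-forest trusts are always two-way transitive. A parent-child
        # trust is recognised by one DNS name being a suffix of the other; any other
        # intra-forest partner is a separate tree, so the trust is tree-root.
        local = local_domain.lower()
        hierarchical = partner.endswith("." + local) or local.endswith("." + partner)
        kind = "parent-child" if hierarchical else "tree-root"
        transitive = True
    elif attrs & FOREST_TRANSITIVE:
        kind = "forest"
        transitive = not (attrs & NON_TRANSITIVE)
    else:
        # Anything else between two AD domains is an external trust, always non-transitive.
        kind = "external"
        transitive = False

    return {
        "partner": tdo["name"],
        "kind": kind,
        "direction": direction,
        "transitive": transitive,
        "sid_filtering": bool(attrs & QUARANTINED),
    }


# Constructed sample TDOs as seen from moneycorp.local (not real data).
SAMPLE_TDOS = [
    {"name": "dollarcorp.moneycorp.local", "trustDirection": 3, "trustAttributes": 0x20},
    {"name": "eurocorp.local", "trustDirection": 3, "trustAttributes": 0x08},
    {"name": "partner.example", "trustDirection": 2, "trustAttributes": 0x05},
]

if __name__ == "__main__":
    for t in SAMPLE_TDOS:
        print(classify_trust("moneycorp.local", t))
```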

***

## Domain Trust Enumeration

To enumerate domain trusts:

```powershell
# List all domain trusts for the current domain
Get-DomainTrust

# List trusts for a specific domain
Get-DomainTrust -Domain us.dollarcorp.moneycorp.local

# Using Active Directory module
Get-ADTrust
Get-ADTrust -Identity us.dollarcorp.moneycorp.local
```

***

## Forest Enumeration

To map information about the forest:

```powershell
# Get details about the current forest
Get-Forest
Get-Forest -Forest eurocorp.local

# Using Active Directory module
Get-ADForest
Get-ADForest -Identity eurocorp.local
```

Retrieve all domains in the current forest:

```powershell
# List every domain in the current forest (PowerView)
Get-ForestDomain
Get-ForestDomain -Forest eurocorp.local

# Using Active Directory module
(Get-ADForest).Domains
```

Retrieve all global catalogs for the forest:

```powershell
# List the global catalog servers of the forest (PowerView)
Get-ForestGlobalCatalog
Get-ForestGlobalCatalog -Forest eurocorp.local

# Using Active Directory module
Get-ADForest | Select-Object -ExpandProperty GlobalCatalogs
```

Map forest trust relationships (if any exist):

```powershell
# List forest trusts of the current forest or of a named forest (PowerView)
Get-ForestTrust
Get-ForestTrust -Forest eurocorp.local

# Alternative using Active Directory module: TDOs that carry forest trust info
Get-ADTrust -Filter 'msDS-TrustForestTrustInfo -ne "$null"'
```

### Labs

* [Learning Object 4 lab](/crtp-notes/readme/lab/4-lo-4.md)
