Analyzing and Optimizing Trust Relationships
Aside from having a firm understanding of replication, you also need to examine the trust relationships between your domains and sites. A domain trust is a relationship between two domains that lets users in one domain access resources in the other. In previous versions of Windows, trust relationships were somewhat complicated: you had a trusted domain and a trusting domain, but the trusted domain didn't necessarily trust the trusting domain, and so forth. Windows 2000 uses transitive trusts, which makes this whole process much easier. Transitive trusts are established in a domain tree or forest; whenever a new domain is added to the tree or forest, a transitive trust is created for that domain. A transitive trust is a two-way relationship: the two domains trust each other, and they also trust other domains transitively. For example, if Domain A trusts Domain B, and Domain B trusts Domain C, Domain A automatically trusts Domain C due to the transitive nature of the trust relationship.
In Windows 2000, all domains use the transitive trust model, but what happens if you have a mixture of Windows 2000 domains and Windows NT domains? In this case, you use the Active Directory Sites and Services tool to manually create a nontransitive trust between the Windows 2000 domain and the Windows NT domain.
So, Windows 2000 trusts are transitive and automatic. But what if you need to make changes to the automatic transitive trusts? You can make those changes as necessary by using the Active Directory Domains and Trusts tool. Open the properties sheet for the desired domain and then click the Trusts tab, as shown in Figure 3.
Figure 3 Trusts tab.
The Trusts tab lists the transitive trust relationships between domains. Select a domain and click the Add button to establish additional nontransitive trusts with Windows NT domains. You can also use this tab to create external trusts to domains that are outside of the forest; in some circumstances, you may need to manually connect another domain to your forest configuration so that users can access its resources. External trusts are one-way and nontransitive, although you can combine two one-way trusts to create a two-way trust relationship.
You can also use the Trusts tab to create shortcut trusts, also called cross-link trusts. In complex forests, many different paths are used to configure and maintain the trust relationships between domains, and in many cases these relationships are transitive through other domains. You can create a shortcut trust to shorten the pathway between two domains that use each other's resources on a regular basis. This feature allows you to create a two-way trust between the two domains, or between two domain trees within a forest. Cross-link trusts can be established between any two domains in the same tree or forest, they must be transitive, and you have to set them up manually in each direction. However, cross-link trusts can greatly optimize your Active Directory environment and speed the access and retrieval of network resources for your users.
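To make the transitive, nontransitive and shortcut behaviour above concrete, here is an added example (not from the article or from any Microsoft tool) that models a small constructed forest as a graph and finds the shortest usable trust path between two domains. The domain names and the forest layout are assumptions; the rules it encodes are the ones described above: parent-child and shortcut trusts are two-way and transitive, an external NT trust is one-way and cannot be chained through, and a shortcut trust collapses a long path to a single hop.

```python
from collections import deque

# Each entry: (trusting domain, trusted domain, transitive?, two-way?).
# "A trusts B" means accounts from B can use resources in A.
# Constructed sample forest, not taken from the article.
FOREST = [
    ("corp.example", "eu.corp.example", True, True),            # parent-child
    ("eu.corp.example", "sales.eu.corp.example", True, True),   # parent-child
    ("corp.example", "asia.corp.example", True, True),          # parent-child
    ("asia.corp.example", "dev.asia.corp.example", True, True), # parent-child
    ("sales.eu.corp.example", "nt4.example", False, False),     # external NT trust
]

def build_graph(trusts):
    """Adjacency map: trusting -> {trusted: transitive}; two-way trusts add both edges."""
    graph = {}
    for trusting, trusted, transitive, two_way in trusts:
        graph.setdefault(trusting, {})[trusted] = transitive
        graph.setdefault(trusted, {})
        if two_way:
            graph[trusted][trusting] = transitive
    return graph

def trust_path(trusts, resource_domain, user_domain):
    """Shortest chain of trusts that lets user_domain accounts reach resource_domain.
    Returns the list of domains on the path (resource first), or None if no usable path."""
    graph = build_graph(trusts)
    if resource_domain == user_domain:
        return [resource_domain]
    queue, seen = deque([[resource_domain]]), {resource_domain}
    while queue:
        path = queue.popleft()
        for nxt, transitive in graph.get(path[-1], {}).items():
            if nxt in seen:
                continue
            # A nontransitive trust is usable only as a single direct hop.
            if not transitive and not (len(path) == 1 and nxt == user_domain):
                continue
            if nxt == user_domain:
                return path + [nxt]
            seen.add(nxt)
            queue.append(path + [nxt])
    return None

if __name__ == "__main__":
    # Without a shortcut, dev.asia reaches sales.eu through asia, corp and eu (4 hops).
    print(trust_path(FOREST, "dev.asia.corp.example", "sales.eu.corp.example"))
    shortcut = FOREST + [("sales.eu.corp.example", "dev.asia.corp.example", True, True)]
    print(trust_path(shortcut, "dev.asia.corp.example", "sales.eu.corp.example"))  # 1 hop
    print(trust_path(FOREST, "corp.example", "nt4.example"))  # None: NT trust not chainable
```

Run it against your own trust inventory (one tuple per trust) to see which domain pairs traverse the most hops and would benefit from a shortcut trust, and which external trusts really are isolated.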
As with all Active Directory implementation work, the manual adjustment of trust relationships requires careful thought and planning. When adjusting trust relationships or manually configuring cross-link trusts, always keep in mind that optimization is the point. Test any new trust relationship configuration to make sure it meets the needs of your Active Directory environment.