Administrative Security and Trust Relationships
Domains are fundamental security boundaries, which by default restrict users in one domain from gaining access to objects in another domain. However, "trust" relationships can be created between domains to allow object accessibility across these secure borders.
Because administration can be delegated to domains and organizational units, Windows 2000 establishes certain administrative defaults. The Domain Administrator group can control activities only within that domain, which means that administrative privileges do not automatically flow down to other domains. Thus, a system administrator for the root domain must be explicitly allowed rights to administrator child domains.
Administrative rights on another domain can be either limited or full. To be granted full rights in another domain, the user must be specifically added to that domain's Administrator group. For more limited rights, that administrator must grant permissions to target objects or organizational units.
Remember that domains are organized into trees that share a common namespace, and are composed of a single domain or a root domain with child domains. All domains in the tree share a common Active Directory. Active Directory objects are contained on domain controllers in each of the individual domains.
Users gain access across domains within the tree through trust relationships. The hierarchical structure of the domain tree (extending internally to the organizational units) permits the flow of permissions to an OU. With appropriate group and OU permissions, a user in one domain can use resources or gain access to objects in another domain.
In trust relationships, user logons are honored between trusted domains. When two trees are trusted at the root domain, users in one tree can log on to domains in the other tree. However, specific access to objects is based on specific permissions associated with that user and the object's ACL. The Active Directory supports two trust relationship models:
A two-way transitive trust is automatically achieved between domains in the same tree, or it can be established between root domains on different trees.
Explicit one-way trusts are created between specific domains in two different forests; and provide one-way, restricted permissions. The domain Sales.EntCert.com has granted logon authentication to users in Sales.unint.com; however, the relationship is not bidirectional, nor does it flow to any other domain in the tree or forest. (Note: Explicit trust can also be established with the same forest to provide shortcuts between domains.)