When To Create A Forest Trust

By Author: unknownmem
Total Articles: 129
Comment this article

Creating a trust between two forest root domains provides CompTIA a transitive relationship between every domain residing within each forest, and can be one- or two-way. Forest trusts are useful for application service providers, organizations undergoing mergers or acquisitions, collaborative business extranets, and organizations seeking solutions for administrative autonomy.
One-Way Forest Trusts In a one-way forest trust, all domains in the trusted forest can utilize resources in the trusting forest, although members in the trusting forest cannot access resources in the trusted forest. For example, if you create a one-way forest trust between Forestl (the trusted forest) and Forest2 (the trusting forest), then users in Forestl can access resources in Forest2 (assuming the users have permissions on resources). However, users in Forest2 will not be able to access resources in Forestl until a second forest trust is established.
Two-Way Forest Trusts In a two-way forest trust, every domain in one forest trusts every domain in its partner forest implicitly. Users in either forest ...
... can access any resource located anywhere in either forest (assuming the users have permissions to the resource).
Accessing Resources Across Domains Joined by External Trust Using Active Directory Domains and Trusts, you can determine the CCNA exam scope of authentication between two forests that are joined by a forest trust. You can set selective authentication differently for outgoing and incoming forest trusts, which allows you to make flexible access con?trol decisions between forests. You set selective authentication on the Outgoing Trust Authentication Level page when you set up a forest trust using the New Trust Wizard.
If you use forest-wide authentication on the incoming external trust, users from the outside forest have the same level of access to resources in the local forest as users who belong to the local forest. For example, if ForestA has an incoming forest trust from ForestB and forest-wide authentication is used, any user from ForestB can access any resource in ForestA (assuming the user has the required permissions).
If you set selective authentication on an incoming forest trust, you must manually assign permissions on each domain and resource to which you want users in the sec?ond forest to have access. To do this, set the access control right Allowed To Authen?ticate on an object for that particular user or group from the second forest.
When a user authenticates across a trust with the Selective Authentication option enabled, an Other Organization security ID (SID) is added to the user's authorization data. The presence of this SID prompts a check on the resource domain to ensure that the user is allowed to authenticate to the particular service. Once the user is authenticated, if the Other Organization SID is not already present, the server to which the user authenticates acids the This Organization SID. Only one of these special Free practice exams for MCTS can be present in an authenticated user's context.