

And that last part is quite significant, so let me reiterate it. Once a trust relationship is defined on your domain, your Windows NT clients can no longer rely on the user-name-and-password matching of the workgroup authentication model. Even if you have a user account and a password on your domain controller, you cannot use it from such a client to reach a shared resource, because the client is not a trusted member of the domain (i.e., it has no computer account on the domain). The request is therefore denied. If this sounds a bit fuzzy, don’t worry. It even confuses me on some days, which is why we are going to look at trust relationships in more detail.

Trust Relationships

To reiterate, a trust relationship is a means of letting one domain make use of another domain’s account database, which holds that domain’s user and group accounts. It provides the means to authenticate a user of a foreign domain (where the user account or group is defined) for access to a network resource on the local domain. For example, if I am a member of the Admins domain and you are a member of the Users domain, and the Users domain trusts the Admins domain, I can be authenticated for resources on the Users domain. The way trust works is that the local domain (called the trusting domain) passes the authentication of my user account through to the foreign domain (the trusted domain), where the account is defined. Authentication by itself grants nothing. In order to actually gain access to a resource, my user account (or a global group that my user account is a member of) must be granted access on the local domain, either directly in the resource’s permissions or by placing the global group in a local group that holds those permissions. Two properties of Windows NT trusts matter for security: a trust is one-way (Users trusting Admins does not make Admins trust Users), and it is not transitive (if Admins in turn trusts a third domain, Users does not). Because you are admitting whatever accounts the trusted domain’s administrators place in their global groups, trust a domain only when you trust the people who administer it.


TIP:  By using trust relationships, you can join many domains into one extremely large logical network that authenticates all of your users and guards all of your shared resources. You can think of a domain as a single logical super server, if you like. By creating separate authentication (account) domains and resource domains, you can extend this capability to build a network that serves an almost unlimited number of users. The practical limits on the number of users you can support are the size of each domain’s account database and your network bandwidth.

Again, let’s take a look at this, one step at a time. Let’s assume I am a member of the Domain Admins global group in the domain called Admins, and there is a share called AdminShare in the domain called Users, which is the local domain. The share permissions on AdminShare are assigned to the local Administrators group of the Users domain. By default, that local group contains only the Users\Domain Admins global group, and setting up the trust does not change this by itself. Once the Users domain trusts the Admins domain, however, an administrator of the Users domain can add the Admins\Domain Admins global group to the local Administrators group, just as if it were a global group of the Users domain. From then on the share permissions apply to me, which gives me administrative privileges to the share (and, because local Administrators is an administrative group, to the Users domain’s controllers as well; grant a less powerful local group if that is more than you intend). This is an example of a one-way trust relationship.

You can also set up a two-way trust relationship, in which the Admins domain is trusted by the Users domain (as we just discussed) and the Admins domain also trusts the Users domain. Sound confusing? Well, it’s not really that bad. Let’s stretch our example a bit further to illustrate this concept. We start again with the Users domain trusting the Admins domain, which lets me be given administrative privileges in the Users domain. Then we set up a second trust relationship in which the Admins domain trusts the Users domain. Since you are a member of Users\Domain Users, we can now give you user privileges to shared network resources on the Admins domain. A two-way trust is simply two one-way trusts, one in each direction, and permissions must still be granted separately for each direction.
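To make the direction of a trust and the “trust grants nothing by itself” rule concrete, here is an added Python model of the authentication and authorization decision described above. It is an illustration written for this page, not code from the book or from Windows NT. The domain names ADMINS, USERS and SALES, the user names matt, you and sam, and the Tools share are made up for the example; only the Admins/Users/AdminShare arrangement comes from the text.

```python
from dataclasses import dataclass, field


@dataclass
class Domain:
    """One NT 4 domain: its account database (users and their global groups),
    the domains it trusts, its local groups, and the ACLs on its shares.
    Hypothetical model for illustration, not the real SAM layout."""
    name: str
    users: dict = field(default_factory=dict)         # user -> set of global groups
    trusted: set = field(default_factory=set)         # names of domains whose accounts are accepted
    local_groups: dict = field(default_factory=dict)  # local group -> set of "DOMAIN\principal"
    share_acl: dict = field(default_factory=dict)     # share -> set of "DOMAIN\principal" granted access


def authenticate(trusting: Domain, home: Domain, user: str) -> bool:
    """Trusting-domain side of logon. A foreign account is accepted only if the
    trusting domain trusts the account's home domain: one-way, not transitive."""
    if home.name == trusting.name:
        return user in trusting.users
    if home.name not in trusting.trusted:
        return False                   # no trust: the pass-through request is refused
    return user in home.users          # the trusted domain's controller vouches for the account


def principals(trusting: Domain, home: Domain, user: str) -> set:
    """What the trusting domain sees in the token: the user, the global groups
    from the home domain, and any local group here that contains either."""
    token = {f"{home.name}\\{user}"} | {f"{home.name}\\{g}" for g in home.users[user]}
    for local_group, members in trusting.local_groups.items():
        if members & token:
            token.add(f"{trusting.name}\\{local_group}")
    return token


def can_access(trusting: Domain, home: Domain, user: str, share: str) -> bool:
    """Authentication through the trust first, then authorization against the share ACL."""
    if not authenticate(trusting, home, user):
        return False
    return bool(principals(trusting, home, user) & trusting.share_acl.get(share, set()))


def demo() -> dict:
    """Walk the chapter's Admins/Users example step by step and return each outcome."""
    admins = Domain("ADMINS", users={"matt": {"Domain Admins"}})
    users = Domain("USERS", users={"you": {"Domain Users"}})
    # Default memberships: each domain's local Administrators holds its own Domain Admins.
    admins.local_groups["Administrators"] = {"ADMINS\\Domain Admins"}
    users.local_groups["Administrators"] = {"USERS\\Domain Admins"}
    users.share_acl["AdminShare"] = {"USERS\\Administrators"}
    admins.share_acl["Tools"] = {"ADMINS\\Domain Users"}   # made-up share on the Admins domain

    out = {}
    out["no_trust"] = can_access(users, admins, "matt", "AdminShare")       # False: not even authenticated
    users.trusted.add("ADMINS")                                              # USERS now trusts ADMINS (one-way)
    out["trust_only"] = can_access(users, admins, "matt", "AdminShare")     # False: trust grants nothing by itself
    users.local_groups["Administrators"].add("ADMINS\\Domain Admins")       # the grant an admin of USERS must make
    out["after_grant"] = can_access(users, admins, "matt", "AdminShare")    # True
    out["reverse_one_way"] = can_access(admins, users, "you", "Tools")      # False: ADMINS does not trust USERS
    admins.trusted.add("USERS")                                              # second trust makes it two-way
    admins.share_acl["Tools"].add("USERS\\Domain Users")                    # and a separate grant for that direction
    out["two_way"] = can_access(admins, users, "you", "Tools")              # True
    # Non-transitive: ADMINS trusting a third domain does not make USERS trust it.
    sales = Domain("SALES", users={"sam": {"Domain Users"}})
    admins.trusted.add("SALES")
    out["transitive"] = can_access(users, sales, "sam", "AdminShare")       # False
    return out


if __name__ == "__main__":
    for step, allowed in demo().items():
        print(f"{step:16s} -> {'allowed' if allowed else 'denied'}")
```

The model separates the two questions a domain controller answers: whether it will authenticate the account at all (decided only by the trust list) and whether the resulting token matches the resource’s permissions (decided only by local group membership and ACLs). Keeping them separate is what makes the “trust, then grant” rule in the text visible.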


Creating A Trust Relationship

Creating a trust relationship is performed using User Manager For Domains. You need administrative accounts on the controllers of both domains, or two administrators (one in each domain) who each configure their own side. Setting up a one-way trust relationship then takes two series of steps, and the order matters: the domain that will be trusted goes first. So, on the local domain (the domain to be trusted by the foreign domain), perform Steps 1 through 8.

1.  Launch User Manager For Domains, which is located in your Administrative Tools group.
2.  Select Trust Relationships from the Policies menu.
3.  Click the Add button next to the Trusting Domains list box.
The Add Trusting Domain dialog box should appear.
4.  Enter the domain name of the foreign domain in the Trusting Domain field.
5.  Enter a password in the Initial Password field.
6.  Reenter the password in the Confirm Password field.
7.  Click the OK button, and the domain should now be listed in the Trusting Domains list box in the Trust Relationships dialog box.
8.  Click OK to close the Trust Relationships dialog box and return to User Manager For Domains.
Now on the foreign domain (the domain that will trust your domain), execute the remaining steps.
9.  Launch User Manager For Domains.
10.  Select Trust Relationships from the Policies menu.
11.  Click the Add button next to the Trusted Domains list box.
The Add Trusted Domain dialog box should appear.
12.  Enter the domain name of the local domain in the Domain field. This is the name of the domain on which you added the trusting-domain entry in the previous series of Steps 1 through 8.
13.  Enter the password you set in Steps 5 and 6 of the previous series in the Password field.
14.  Click OK.
If the trust relationship was successfully created, you will be greeted with a message box informing you of its success, and the domain should now be listed in the Trusted Domains list box in the Trust Relationships dialog box. If you get an error instead, the usual causes are performing the two halves in the wrong order, a mistyped password, or the two domains’ controllers being unable to reach each other.
15.  Click OK to close the Trust Relationships dialog box and return to User Manager For Domains.

Once the trust relationship has been established, the two domains replace the initial password with one they choose and maintain between themselves. This means that if you break the trust relationship, you cannot simply re-enter the old password: you have to remove the entries on both domains and establish a new trust relationship (by repeating the steps above on both domains). To create a two-way trust relationship, run through the steps twice, reversing the roles of the local and foreign domain on the second pass.


