Tree-root trust and Parent-child trust are created implicitly by Active Directory whenever a new domain is added to a forest: a new child domain gets a parent-child trust with its parent, and the root of a new tree gets a tree-root trust with the forest root domain. You do not need to create these trusts explicitly, nor do you have to perform any configuration or management tasks for them.
Shortcut trust, Realm trust, External trust and Forest trust differ from Tree-root and Parent-child trust in that these four have to be explicitly created and managed. Because of the different types of trust relationship that can be created, you need to plan which type to create for the domains in your Active Directory environment.
Before you can create a shortcut trust, you must be a member of the Enterprise Admins group, or of the Domain Admins group in each of the two domains that will participate in the trust. Another requirement is that the two domains are Windows Server 2003 domains that reside in the same forest. As mentioned earlier, a shortcut trust is usually created to speed up authentication between two domains in different trees of the same forest.
A shortcut trust can be one-way or two-way, and is always transitive. What a shortcut trust essentially does is shorten the trust path that authentication requests (Kerberos referrals) traverse between domains in different trees: without it, a request has to walk up one tree to the forest root domain and back down the other tree. Shortcut trusts are typically configured in a deep or intricate forest where users continually need to access resources in domains belonging to different trees, and they improve query response performance as well.
· You would create a one-way shortcut trust when the optimized trust path is only needed for one of the domains in the trust. Users in the other domain would still traverse the full trust path when handling authentication requests.
· You would create a two-way shortcut trust when users in each domain need to use the shortened trust path for their authentication requests.
The tool you use to create a shortcut trust is the Active Directory Domains and Trusts console, through its New Trust Wizard. The same console lets you choose an authentication scope, domain-wide or selective, separately for the incoming and the outgoing side of a trust, so the two directions can be set differently. Note that selective authentication is a setting of external and forest trusts rather than of shortcut trusts: a shortcut trust only shortens a path that already exists through the forest's transitive trusts, so it cannot be used to restrict who authenticates. When selective authentication is set on an incoming trust, users in the other domain cannot authenticate to any computer in the local domain until you grant them the Allowed to Authenticate permission on that computer's object in Active Directory, which means you must explicitly permit every resource server they should be able to reach. When domain-wide authentication is set instead, all users in the other domain are authenticated for all computers in the local domain, become part of the Authenticated Users identity there, and get the same default access to network resources as local users, subject to the permissions set on each resource.
To create a realm trust, you need Enterprise Admins or Domain Admins membership in the Windows Server 2003 domain, plus whatever permissions the non-Windows Kerberos version 5 realm requires for creating its side of the trust (the cross-realm krbtgt principal with the shared trust password). You would typically create a realm trust to enable trust between a Windows Server 2003 domain and a non-Windows Kerberos V5 realm, such as an MIT Kerberos realm on UNIX. A realm trust can be either transitive or nontransitive, and either one-way or two-way.
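The shortcut-trust and realm-trust procedures above, as an added example that is not code from the original article: it creates a two-way shortcut trust between two domains of one forest and a one-way nontransitive realm trust with netdom.exe (the command-line counterpart of the Domains and Trusts console, shipped in the Windows Server 2003 Support Tools), verifies the shortcut trust including the Kerberos hop, and reads the trust object back through System.DirectoryServices.ActiveDirectory. The domain names, the realm name and the administrator accounts are assumed placeholders.

```powershell
# Added example, not code from the original article. Assumed placeholders:
$TrustingDomain = 'sales.west.corp.example.com'   # domain whose trust object we create
$TrustedDomain  = 'eng.east.corp.example.com'     # domain in a different tree, same forest
$KerberosRealm  = 'EXAMPLE.ORG'                   # non-Windows Kerberos V5 realm

function New-ShortcutTrust {
    param([string]$Trusting, [string]$Trusted, [switch]$TwoWay)
    # Both domains are in one forest, so /add produces a shortcut (cross-link) trust.
    # /twoway makes it two-way; without it only $Trusted's users get the short path
    # into $Trusting. /PasswordD:* and /PasswordO:* prompt instead of putting the
    # Domain Admin passwords on the command line (and in the shell history).
    $netdomArgs = @('trust', $Trusting, "/d:$Trusted", '/add',
                    "/UserD:$Trusted\Administrator", '/PasswordD:*',
                    "/UserO:$Trusting\Administrator", '/PasswordO:*')
    if ($TwoWay) { $netdomArgs += '/twoway' }
    & netdom.exe @netdomArgs
    if ($LASTEXITCODE -ne 0) { throw "netdom trust /add failed with exit code $LASTEXITCODE" }
}

function New-RealmTrust {
    param([string]$Trusting, [string]$Realm, [string]$TrustPassword, [switch]$Transitive, [switch]$TwoWay)
    # /realm marks the target as a non-Windows Kerberos realm and /PasswordT is the shared
    # trust password. /Transitive:yes|no applies only to realm trusts, which is where the
    # transitive/nontransitive choice from the text is made. The realm administrator must
    # create krbtgt/SALES.WEST.CORP.EXAMPLE.COM@EXAMPLE.ORG (and, for a two-way trust,
    # krbtgt/EXAMPLE.ORG@SALES.WEST.CORP.EXAMPLE.COM) with the same password.
    $transitiveFlag = if ($Transitive) { 'yes' } else { 'no' }
    $netdomArgs = @('trust', $Trusting, "/d:$Realm", '/add', '/realm',
                    "/PasswordT:$TrustPassword", "/Transitive:$transitiveFlag",
                    "/UserO:$Trusting\Administrator", '/PasswordO:*')
    if ($TwoWay) { $netdomArgs += '/twoway' }
    & netdom.exe @netdomArgs
    if ($LASTEXITCODE -ne 0) { throw "netdom trust /add /realm failed with exit code $LASTEXITCODE" }
}

function Test-Trust {
    param([string]$Trusting, [string]$Trusted)
    # /verify checks the trust secret on both sides; /kerberos additionally obtains a
    # Kerberos ticket across the trust, the operation a shortcut trust is meant to speed up.
    & netdom.exe trust $Trusting "/d:$Trusted" /verify /kerberos
    return ($LASTEXITCODE -eq 0)
}

function Get-TrustInfo {
    param([string]$Trusting, [string]$Trusted)
    # Read the trust object back: a shortcut trust reports TrustType 'CrossLink', and
    # TrustDirection is 'Bidirectional' for two-way or 'Inbound'/'Outbound' for one-way.
    $ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $Trusting)
    $dom = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx)
    $dom.GetTrustRelationship($Trusted) |
        Select-Object SourceName, TargetName, TrustType, TrustDirection
}

New-ShortcutTrust -Trusting $TrustingDomain -Trusted $TrustedDomain -TwoWay
if (-not (Test-Trust -Trusting $TrustingDomain -Trusted $TrustedDomain)) {
    throw "shortcut trust between $TrustingDomain and $TrustedDomain did not verify"
}
Get-TrustInfo -Trusting $TrustingDomain -Trusted $TrustedDomain

# One-way, nontransitive realm trust: the realm's users can reach $TrustingDomain only.
$realmPassword = Read-Host -Prompt "Trust password for $KerberosRealm"
New-RealmTrust -Trusting $TrustingDomain -Realm $KerberosRealm -TrustPassword $realmPassword
```

Run it on a domain controller or an administrative workstation of the trusting domain, as a member of Domain Admins there and with Domain Admin credentials for the other domain at hand; for a one-way shortcut trust drop the -TwoWay switch, and expect Test-Trust to fail until DNS name resolution works in both directions.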
To create a one-way or two-way External trust, you need to be a member of Enterprise Admins or Domain Admins in the Windows Server 2003 domain, and to hold the equivalent administrative rights (Domain Admins) in the other domain.
Recall from the earlier discussion that an External trust is always nontransitive, and is typically used to enable trust between an Active Directory domain and a down-level Windows NT 4 domain, or an Active Directory domain in a separate forest with which you do not want a forest trust. Once the External trust is created, security principals (users, groups, computers) from the external, trusted domain can be granted access to network resources in the internal, trusting Windows Server 2003 domain. Each such principal that is referenced in the local domain is represented there by a foreign security principal object, which you can examine in the ForeignSecurityPrincipals container of the Active Directory Users and Computers console; the only requirement is that Advanced Features are enabled. You can define the authentication scope (domain-wide or selective) separately for incoming External trusts and outgoing External trusts.
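The selective-authentication and foreign-security-principal points above, as an added example that is not code from the original article: it switches the incoming side of an external trust from domain-wide to selective authentication, grants the Allowed to Authenticate right on one resource server's computer object to a group from the external domain, and lists the foreign security principals the trust has produced in the local domain, resolving each SID back to an account. The domain, server and group names are assumed placeholders; it uses only System.DirectoryServices, available in any Windows PowerShell.

```powershell
# Added example, not code from the original article. Assumed placeholders:
$LocalDomain    = 'corp.example.com'          # trusting (internal) Windows Server 2003 domain
$ExternalDomain = 'ops.partner.example.net'   # trusted domain in another forest
$ResourceServer = 'FS01'                      # computer in $LocalDomain to expose
$ExternalGroup  = 'PARTNER\FileAuditors'      # group in $ExternalDomain to admit

function Set-SelectiveAuthentication {
    param([string]$Local, [string]$External, [bool]$Enabled)
    # Domain-wide (the default) lets every user of $External authenticate to every
    # computer in $Local; selective requires an explicit Allowed-To-Authenticate grant
    # per computer. Returns the status read back after the change.
    $ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $Local)
    $dom = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx)
    $dom.SetSelectiveAuthenticationStatus($External, $Enabled)
    return $dom.GetSelectiveAuthenticationStatus($External)
}

function Grant-AllowedToAuthenticate {
    param([string]$Local, [string]$ComputerName, [string]$AccountName)
    # Allowed-To-Authenticate is an extended right (rightsGuid
    # 68b1d179-0d15-4d4f-ab71-46152e79a7bc) granted on the computer object of each
    # server that principals from the trusted domain may authenticate to.
    $allowedToAuthenticate = [Guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Local")
    $searcher.Filter = "(&(objectCategory=computer)(cn=$ComputerName))"
    $hit = $searcher.FindOne()
    if ($null -eq $hit) { throw "computer $ComputerName not found in $Local" }
    $computer = $hit.GetDirectoryEntry()
    # The NTAccount is resolved to its SID through the trust when the rule is added.
    $identity = New-Object System.Security.Principal.NTAccount($AccountName)
    $rights   = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $allow    = [System.Security.AccessControl.AccessControlType]::Allow
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
        -ArgumentList @($identity, $rights, $allow, $allowedToAuthenticate)
    $computer.ObjectSecurity.AddAccessRule($rule)
    $computer.CommitChanges()
    return "$($computer.distinguishedName)"
}

function Get-ForeignSecurityPrincipals {
    param([string]$Local)
    # Every trusted-domain principal placed in a local group or ACL gets a
    # foreignSecurityPrincipal object named by its SID. Resolving the SID shows who it
    # is; an unresolved SID usually means the trusted domain no longer knows it.
    $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Local")
    $container = New-Object System.DirectoryServices.DirectoryEntry(
        "LDAP://CN=ForeignSecurityPrincipals,$($root.distinguishedName)")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($container)
    $searcher.Filter = '(objectClass=foreignSecurityPrincipal)'
    foreach ($hit in $searcher.FindAll()) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($hit.Properties['objectsid'][0], 0)
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = '<unresolved>' }
        New-Object PSObject -Property @{ Sid = $sid.Value; Account = $name }
    }
}

$selective = Set-SelectiveAuthentication -Local $LocalDomain -External $ExternalDomain -Enabled $true
if (-not $selective) { throw "selective authentication is not enabled for $ExternalDomain" }
Grant-AllowedToAuthenticate -Local $LocalDomain -ComputerName $ResourceServer -AccountName $ExternalGroup
Get-ForeignSecurityPrincipals -Local $LocalDomain | Format-Table Sid, Account -AutoSize
```

Granting the right on the computer object only lets the group authenticate to that server; access to shares and files on it is still governed by their own ACLs, and the group's SID appears in the ForeignSecurityPrincipals listing as soon as it is referenced anywhere in the local domain.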
To create a forest trust, you need to be a member of the Enterprise Admins group in each of the two forests. In addition, every domain in each forest must be at the Windows Server 2003 domain functional level, and each forest itself must be raised to the Windows Server 2003 forest functional level (the forest level can only be raised once all of its domains are at that level).
Forest trust is typically created when enterprises merge or takeovers occur and each company still needs to retain some form of administrative independence. The relationship enables users to access Active Directory objects across all domains of the two forests joined by the forest trust. A forest trust is transitive between the two forests, so every domain in one forest trusts every domain in the other, but it does not chain: if forest A trusts forest B and forest B trusts forest C, A does not thereby trust C. A forest trust can be one-way or two-way. You would create a one-way forest trust when users in the trusted forest need to access Active Directory objects in the trusting forest, but users in the trusting forest do not need to access resources in the trusted forest. You would create a two-way forest trust when users in either forest need to access resources hosted in the other.
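The forest-trust prerequisites and creation steps above, as an added example that is not code from the original article: it checks that both forests and all of their domains meet the Windows Server 2003 functional-level requirement, creates the forest trust in the requested direction with System.DirectoryServices.ActiveDirectory, verifies it, and reads the resulting trust back. The forest names and the remote Enterprise Admin account are assumed placeholders; run it as a member of Enterprise Admins in the local forest.

```powershell
# Added example, not code from the original article. Assumed placeholders:
$LocalForestName  = 'corp.example.com'
$RemoteForestName = 'acquired.example.net'
$RemoteAdmin      = 'ACQUIRED\Administrator'   # Enterprise Admins member in the remote forest

function Test-ForestTrustPrerequisites {
    param([System.DirectoryServices.ActiveDirectory.Forest]$Forest)
    # The forest must be at Windows Server 2003 forest functional level, which in turn
    # requires every domain in it to be at Windows Server 2003 domain functional level.
    # Returns the problems found; an empty result means the forest is ready.
    $problems = @()
    if ($Forest.ForestMode -lt [System.DirectoryServices.ActiveDirectory.ForestMode]::Windows2003Forest) {
        $problems += "forest $($Forest.Name) is at $($Forest.ForestMode), needs Windows2003Forest"
    }
    foreach ($d in $Forest.Domains) {
        if ($d.DomainMode -lt [System.DirectoryServices.ActiveDirectory.DomainMode]::Windows2003Domain) {
            $problems += "domain $($d.Name) is at $($d.DomainMode), needs Windows2003Domain"
        }
    }
    return $problems
}

function New-ForestTrust {
    param([string]$LocalName, [string]$RemoteName, [string]$RemoteUser, [string]$RemotePassword,
          [System.DirectoryServices.ActiveDirectory.TrustDirection]$Direction)
    # Direction is relative to the local forest: Bidirectional for a two-way trust;
    # Inbound when the local forest is the trusting side (remote users reach local
    # resources only); Outbound when the local forest is the trusted side.
    $localCtx  = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Forest', $LocalName)
    $remoteCtx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext(
        'Forest', $RemoteName, $RemoteUser, $RemotePassword)
    $local  = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($localCtx)
    $remote = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($remoteCtx)

    $issues = @(Test-ForestTrustPrerequisites $local) + @(Test-ForestTrustPrerequisites $remote)
    if ($issues.Count -gt 0) { throw ("forest trust prerequisites not met:`n" + ($issues -join "`n")) }

    # Creates both sides of the trust in one call; with credentials for the local forest
    # only, CreateLocalSideOfTrustRelationship plus a shared trust password is the alternative.
    $local.CreateTrustRelationship($remote, $Direction)
    # Throws if the trust does not actually work in the requested direction.
    $local.VerifyTrustRelationship($remote, $Direction)
    return $local.GetTrustRelationship($RemoteName) |
        Select-Object SourceName, TargetName, TrustType, TrustDirection
}

$remotePassword = Read-Host -Prompt "Password for $RemoteAdmin"
New-ForestTrust -LocalName $LocalForestName -RemoteName $RemoteForestName `
    -RemoteUser $RemoteAdmin -RemotePassword $remotePassword `
    -Direction ([System.DirectoryServices.ActiveDirectory.TrustDirection]::Bidirectional)
```

For the one-way case from the text, where users of the acquired (trusted) forest need resources in the local (trusting) forest but not the reverse, pass TrustDirection Inbound instead of Bidirectional; the returned TrustType is 'Forest', and the trust reaches every domain in both forests but no further.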