Forests and Trusts
A trust is a relationship between two domains or forests that allows users in the trusted domain or forest to access resources in the other (trusting) domain or forest.
A trust is either created automatically or established manually.
One-way and two-way trusts
One Way
Trust relationships that enable access to resources can be either one-way or two-way. A one-way trust is a unidirectional path between two domains.
For example, in a one-way trust: Domain A <- Domain B
Users in Domain A can access resources in Domain B. However, users in Domain B can't access resources in Domain A.
Two Way
In a two-way trust, Domain A trusts Domain B and Domain B trusts Domain A.
Users in Domain A can access resources in Domain B, and users in Domain B can access resources in Domain A.
Transitive and non-transitive trusts
Transitivity determines whether a trust can be extended outside of the two domains with which it was formed.
A transitive trust can be used to extend trust relationships with other domains.
A non-transitive trust can be used to deny trust relationships with other domains.
Defaults
Parent-child trusts are always two-way transitive.
Tree-root trusts are always two-way transitive.

External Trusts
An external trust is a trust between two domains in different forests when the forests do not have a trust relationship. It can be one-way or two-way but can't be transitive.
Forest Trusts
Forest trusts are manually created between the root domains of two forests.
Important: Forest trusts can only be created between two forests and can't be implicitly extended to a third forest.

This example configuration provides the following access:
Users in Forest 2 can access resources in any domain in either Forest 1 or Forest 3
Users in Forest 3 can access resources in any domain in Forest 2
Users in Forest 1 can access resources in any domain in Forest 2
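The rules above (direction, transitivity, and forest trusts not extending to a third forest) can be checked with a small model. This is an added example, not part of the original notes. The domain names are constructed, the two-way forest trusts Forest 1 <-> Forest 2 and Forest 2 <-> Forest 3 are an assumption consistent with the access list above, and the one-way external trust is added for illustration. The model covers only whether a trust path exists; it ignores SID filtering, selective authentication and resource ACLs.

```python
# Simplified model of AD trust evaluation (added example; all names are constructed).
FOREST_OF = {
    "f1.local": "Forest1", "child.f1.local": "Forest1",
    "f2.local": "Forest2", "child.f2.local": "Forest2",
    "f3.local": "Forest3",
}

# Each tuple is (trusting, trusted, kind): users of `trusted` may be granted
# access to resources in `trusting`. A two-way trust is two tuples.
TRUSTS = [
    ("f1.local", "f2.local", "forest"), ("f2.local", "f1.local", "forest"),
    ("f2.local", "f3.local", "forest"), ("f3.local", "f2.local", "forest"),
    # One-way external trust (assumption): f3.local trusts child.f1.local only.
    ("f3.local", "child.f1.local", "external"),
]

def can_access(user_dom, res_dom, trusts=TRUSTS, forest_of=FOREST_OF):
    """True if a trust path lets users of user_dom reach resources in res_dom."""
    user_forest, res_forest = forest_of[user_dom], forest_of[res_dom]
    if user_forest == res_forest:
        return True  # parent-child and tree-root trusts: two-way transitive
    for trusting, trusted, kind in trusts:
        if kind == "forest":
            # Covers every domain in the two forests it joins, but is exactly
            # one hop: it is never chained through a second forest trust.
            if forest_of[trusting] == res_forest and forest_of[trusted] == user_forest:
                return True
        elif kind == "external":
            # Non-transitive: only the two named domains, in the stated direction.
            if trusting == res_dom and trusted == user_dom:
                return True
    return False

def naive_closure(user_dom, res_dom, trusts=TRUSTS, forest_of=FOREST_OF):
    """Wrong mental model: treats every trust as chainable (graph reachability)."""
    seen, todo = {forest_of[user_dom]}, [forest_of[user_dom]]
    while todo:
        cur = todo.pop()
        for trusting, trusted, _ in trusts:
            if forest_of[trusted] == cur and forest_of[trusting] not in seen:
                seen.add(forest_of[trusting])
                todo.append(forest_of[trusting])
    return forest_of[res_dom] in seen

def overestimated(domains=tuple(FOREST_OF)):
    """Pairs (user domain, resource domain) the naive model wrongly reports."""
    return sorted((u, r) for u in domains for r in domains
                  if naive_closure(u, r) and not can_access(u, r))
```

Calling overestimated() lists the pairs that a trust map reviewed as a simple connected graph would overstate, such as f1.local users reaching f3.local.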
Enumeration
Get a list of all domain trusts for the current domain
Get-DomainTrust
Get-DomainTrust -Domain us.dollarcorp.moneycorp.local
# External trusts
Get-DomainTrust | ?{$_.TrustAttributes -eq "FILTER_SIDS"}
Get details about the current forest
Get-Forest
Get-Forest -Forest eurocorp.local
Get all domains in the current forest
Get-ForestDomain
Get-ForestDomain -Forest eurocorp.local
Get all global catalogs for the current forest
Get-ForestGlobalCatalog
Get-ForestGlobalCatalog -Forest eurocorp.local
Map trusts of a forest
# External trusts in current forest
Get-ForestDomain | %{Get-DomainTrust -Domain $_.Name} | ?{$_.TrustAttributes -eq "FILTER_SIDS"}
Get-ForestTrust
Get-ForestTrust -Forest eurocorp.local