What are the kinds of trusts and the differences?
There are two kinds of trusts available to you when using the NETID domain:
- A One-Way Forest Trust
- A One-Way Domain Trust
Both types of trusts will allow you to utilize NETID user accounts. There are some important differences that you will need to be aware of and take into account before making your decision:
| Difference | Domain Trust | Forest Trust |
|---|---|---|
| Trust Boundaries | The single trusting domain | Entire forest |
| Authentication Protocols | NTLMv2 only (NTLMv1 and LanMan are prohibited) | Kerberos and NTLMv2 (NTLMv1 and LanMan are prohibited) |
| Minimum Forest/Domain Functional Level | Windows 2000 Mixed Mode (any mode, really) | Entire forest must be at Windows Server 2003 Native |
| User Name Conventions | Traditional DOMAIN\username | Traditional DOMAIN\username or Kerberos-style user@netid.washington.edu format |
| Domain Location in the Forest | Any domain location | Forest root domains only |
In your internal planning, you should take these six differences into account and carefully consider how they affect your environment. No matter which you choose, each will impact your environment differently. Seasoned Windows system administrators are probably more comfortable with the traditional DOMAIN\username-style of expressing a user account in an access control list (ACL) – yet, security professionals would strongly encourage the use of Kerberos as an authentication protocol because of its built-in mechanisms to safeguard against common attacks. If you have a lot of legacy systems (mainframes, Windows NT or 9x systems), you may be locked into using a domain trust because most of these legacy systems don’t support Kerberos.
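As an added illustration (not code from UW IT or this page), the following PowerShell inventories any existing trust with the NETID domain and checks, from the trusting side, the prerequisites the table above lists for a forest trust: forest functional level, forest-root placement, and the NTLMv2-only setting. It assumes the RSAT ActiveDirectory module is installed and that it runs as a user who can read the local forest, domain and LSA registry key; netid.washington.edu is the domain name given on the page.

```powershell
# Added example, not UW IT's code: check the forest-trust prerequisites from the table.
# Assumes the ActiveDirectory (RSAT) module and read access to the local forest, domain
# and the LSA registry key.
Import-Module ActiveDirectory

$netidDomain = 'netid.washington.edu'   # NETID domain name, as given on the page

# 1. Existing trusts toward NETID: ForestTransitive = True marks a forest trust,
#    otherwise it is a plain domain trust; Direction shows one-way vs two-way.
$trusts = @(Get-ADTrust -Filter * | Where-Object { $_.Target -eq $netidDomain })
$trusts | Select-Object Target, Direction, ForestTransitive, TrustType | Format-Table -AutoSize

# 2. Functional level and placement: a forest trust needs the entire forest at
#    Windows Server 2003 (not 2000 or the 2003 interim mode) and must be created
#    from the forest root domain; a domain trust works at any level, from any domain.
$forest      = Get-ADForest
$domain      = Get-ADDomain
$tooLow      = @('Windows2000Forest', 'Windows2003InterimForest')
$forestReady = $tooLow -notcontains [string]$forest.ForestMode
$isRoot      = ($domain.DNSRoot -eq $forest.RootDomain)

# 3. NTLM hardening on this host: LmCompatibilityLevel 3 or higher sends only NTLMv2
#    responses; level 5 also refuses inbound LM and NTLMv1, matching the table's
#    "NTLMv1 and LanMan are prohibited" rule.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$lm = (Get-ItemProperty -Path $lsaKey -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
$ntlmv2Only = ($lm -is [int] -and $lm -ge 3)
if ($null -eq $lm) { $lm = 'not set (default depends on OS version)' }

[pscustomobject]@{
    LocalForest          = $forest.Name
    ForestMode           = [string]$forest.ForestMode
    ForestLevelOk        = $forestReady
    ThisDomainIsRoot     = $isRoot
    ForestTrustPossible  = ($forestReady -and $isRoot)
    ExistingNetidTrusts  = $trusts.Count
    LmCompatibilityLevel = $lm
    NtlmV2OnlyEnforced   = $ntlmv2Only
}
```

If ForestTrustPossible is false, only the domain trust option in the table remains open to you until the forest is raised and the trust is created from the root domain.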