IT Connect

Trust Types

What are the kinds of trusts and the differences?

There are two kinds of trusts available to you when using the NETID domain:

  1. A One-Way Forest Trust
  2. A One-Way Domain Trust

Both types of trusts will allow you to utilize NETID user accounts. There are some important differences that you will need to be aware of and take into account before making your decision:

                                 | Domain Trust                                | Forest Trust
---------------------------------|---------------------------------------------|-------------------------------------------------
Trust Boundaries                 | The single trusting domain                  | Entire forest
Authentication Protocols         | NTLMv2 only                                 | Kerberos and NTLMv2
                                 | (NTLMv1 and LanMan are prohibited)          | (NTLMv1 and LanMan are prohibited)
Minimum Forest/Domain            | Windows 2000 Mixed Mode                     | Entire forest must be at
Functional Level                 | (any mode, really)                          | Windows Server 2003 Native
User Name Conventions            | Traditional DOMAIN\username                 | Traditional DOMAIN\username or
                                 |                                             | Kerberos-style user@netid.washington.edu format
Domain Location                  | Any domain location in the Forest           | Forest root domains only

In your internal planning, you should take these six differences into account and carefully consider how they affect your environment. No matter which you choose, each will impact your environment differently. Seasoned Windows system administrators are probably more comfortable with the traditional DOMAIN\username-style of expressing a user account in an access control list (ACL) – yet, security professionals would strongly encourage the use of Kerberos as an authentication protocol because of its built-in mechanisms to safeguard against common attacks. If you have a lot of legacy systems (mainframes, Windows NT or 9x systems), you may be locked into using a domain trust because most of these legacy systems don’t support Kerberos.
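As an added example (not tooling from this page or from UW-IT), the following PowerShell pre-flight check reads the prerequisites the table above lists from your own environment before you request a trust with NETID: the forest functional level, whether you are in the forest root, the local NTLM level (NTLMv1 and LanMan must not be in use), and any trust toward netid.washington.edu that already exists. It assumes the RSAT ActiveDirectory module on a domain-joined host with rights to read forest and trust objects.

```powershell
# Added example, not the page's own code. Assumes the ActiveDirectory (RSAT)
# module and a domain-joined host; all names below come from the table.
Import-Module ActiveDirectory

$NetidDomain = 'netid.washington.edu'    # the trusted domain named on the page

$forest = Get-ADForest
$domain = Get-ADDomain

# Forest trust prerequisite: the entire forest at Windows Server 2003 Native
# or higher. A domain trust has no such requirement ("any mode, really").
$levelOk = $forest.ForestMode -notin @('Windows2000Forest', 'Windows2003InterimForest')
"Forest $($forest.Name) functional level: $($forest.ForestMode)"
if ($levelOk) {
    'Functional level meets the Windows Server 2003 Native minimum for a forest trust.'
} else {
    'Functional level below Windows Server 2003 Native: only a domain trust is possible.'
}

# Forest trust prerequisite: it can only be created from the forest root domain.
if ($domain.DNSRoot -eq $forest.RootDomain) {
    "This domain ($($domain.DNSRoot)) is the forest root; a forest trust can be requested here."
} else {
    "This domain is not the forest root; a forest trust would have to come from $($forest.RootDomain)."
}

# Both trust types prohibit NTLMv1 and LanMan. LmCompatibilityLevel 3 or higher
# makes this host send NTLMv2 only; 5 additionally refuses LM/NTLMv1 from clients.
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
$lm  = if ($null -ne $lsa.LmCompatibilityLevel) { $lsa.LmCompatibilityLevel } else { 'not set (OS default)' }
"LmCompatibilityLevel on this host: $lm"
if ($lm -is [int] -and $lm -lt 3) {
    'WARNING: this host may still send NTLMv1/LanMan responses, which NETID rejects.'
}

# Existing trusts toward NETID: forest vs domain, and direction. For a one-way
# trust where your domain trusts NETID, Direction is reported as Outbound.
Get-ADTrust -Filter * | Where-Object { $_.Target -eq $NetidDomain } | ForEach-Object {
    $kind = if ($_.ForestTransitive) { 'forest trust' } else { 'domain (external) trust' }
    "Trust to {0}: {1}, direction {2}, selective authentication {3}" -f `
        $_.Target, $kind, $_.Direction, $_.SelectiveAuthentication
}
```

Run it in an elevated PowerShell session on a member server; if no trust line is printed, no trust with NETID exists yet.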