
Trusts && Forests

Trusts are relationships between two Active Directory domains that allow users from one domain to be authenticated by a domain controller in another domain. They act as "bridges" that enable resource sharing and cross-domain access across a forest or between different forests.

Trust Direction (One-way vs Two-way)

One-way trust: Unidirectional relationship. Users in the Trusted domain can access resources in the Trusting domain. The direction of trust is opposite to the direction of access.

Two-way trust: Bi-directional relationship. Users from both domains can access resources in each other's domain (subject to permissions).

[Figure: one-way trust]

[Figure: two-way (bidirectional) trust]

Transitive Trust

Transitivity: Allows trust to extend beyond two domains. If A trusts B and B trusts C, then A automatically trusts C. All default intra-forest trusts are transitive.

[Figure: transitive trust]

Intra-Forest Trusts (Tree-Root & Parent-Child)

Tree-Root Trust: Connects the roots of different domain trees within the same forest.

Parent-Child Trust: Automatic trust created when a new child domain is added to a parent. It is transitive and two-way by default.

[Figure: tree-root and parent-child trusts]

External Trust (Cross-Forest)

External Trust: A manual, non-transitive trust between two specific domains in different forests. It does not allow access to other domains in the forest (no "multi-hop").

[Figure: external trust]

Forest Trust

Forest Trust: A transitive trust between two Forest Root domains. It allows any domain within Forest 1 to establish trust with any domain in Forest 2.

[Figure: forest trust]
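To make the direction and transitivity rules above concrete, here is an added example (not part of the original page) that models a set of trusts and answers "users of domain X can reach resources in which domains?". It encodes the page's rule that access flows from the Trusted domain to the Trusting domain, and that only a chain made entirely of transitive trusts extends access beyond one hop. The domain names are the page's own sample names plus a constructed external domain, extcorp.local.

```powershell
# Added example, not from the original page. Each record says which domain trusts
# which and whether that trust is transitive. "Users in the Trusted domain can
# access resources in the Trusting domain", so access flows Trusted -> Trusting,
# opposite to the direction of trust. A two-way trust is simply two records.
$Trusts = @(
    # Parent-child trusts inside the moneycorp forest: two-way and transitive
    [pscustomobject]@{ Trusting='moneycorp.local';               Trusted='dollarcorp.moneycorp.local';    Transitive=$true  }
    [pscustomobject]@{ Trusting='dollarcorp.moneycorp.local';    Trusted='moneycorp.local';               Transitive=$true  }
    [pscustomobject]@{ Trusting='dollarcorp.moneycorp.local';    Trusted='us.dollarcorp.moneycorp.local'; Transitive=$true  }
    [pscustomobject]@{ Trusting='us.dollarcorp.moneycorp.local'; Trusted='dollarcorp.moneycorp.local';    Transitive=$true  }
    # One-way forest trust: moneycorp.local trusts eurocorp.local, so eurocorp users
    # gain access to the whole moneycorp forest (transitive within the two forests)
    [pscustomobject]@{ Trusting='moneycorp.local';               Trusted='eurocorp.local';                Transitive=$true  }
    # One-way external trust to a constructed domain: non-transitive, so it is a
    # single hop between exactly these two domains and never chains further
    [pscustomobject]@{ Trusting='us.dollarcorp.moneycorp.local'; Trusted='extcorp.local';                 Transitive=$false }
)

function Get-AccessibleDomains {
    param(
        [Parameter(Mandatory)] [string]   $UserDomain,
        [Parameter(Mandatory)] [object[]] $TrustList
    )
    $reachable = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)

    # Single hop: any trust (transitive or not) where the user's domain is the Trusted side
    foreach ($t in $TrustList) {
        if ($t.Trusted -eq $UserDomain) { [void]$reachable.Add($t.Trusting) }
    }

    # Multi-hop: breadth-first walk that only continues through transitive trusts,
    # so an external (non-transitive) trust never acts as an intermediate link
    $visited = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
    $queue   = [System.Collections.Generic.Queue[string]]::new()
    [void]$visited.Add($UserDomain)
    $queue.Enqueue($UserDomain)
    while ($queue.Count -gt 0) {
        $current = $queue.Dequeue()
        foreach ($t in $TrustList) {
            if ($t.Transitive -and $t.Trusted -eq $current -and $visited.Add($t.Trusting)) {
                [void]$reachable.Add($t.Trusting)
                $queue.Enqueue($t.Trusting)
            }
        }
    }
    return @($reachable | Sort-Object)
}

# Who can reach what? eurocorp users reach the whole moneycorp forest through the
# transitive forest trust; extcorp users reach only us.dollarcorp (one non-transitive
# hop); us.dollarcorp users reach their parent and root but neither one-way partner.
foreach ($d in 'eurocorp.local', 'extcorp.local', 'us.dollarcorp.moneycorp.local') {
    $reach = Get-AccessibleDomains -UserDomain $d -TrustList $Trusts
    '{0,-30} -> {1}' -f $d, ($reach -join ', ')
}
```

The model treats every transitive trust alike; real forest trusts are transitive only between the two forests they join and do not chain into a third forest, so when you feed it live data, represent a forest trust as edges to the partner forest's domains rather than as a link that may be traversed onward.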

Enumeration

# --- PowerView cmdlets ---
# Enumerating trust relationships for the current domain and a specific target domain
Get-DomainTrust
Get-DomainTrust -Domain us.dollarcorp.moneycorp.local

# Retrieving forest metadata and configuration for the current and external forests
Get-Forest
Get-Forest -Forest eurocorp.local

# Listing all domains belonging to the current forest and the external forest
Get-ForestDomain
Get-ForestDomain -Forest eurocorp.local

# Identifying Global Catalog servers to locate cross-domain objects efficiently
Get-ForestGlobalCatalog
Get-ForestGlobalCatalog -Forest eurocorp.local

# --- ActiveDirectory module cmdlets ---
# Get details about the current forest
Get-ADForest

# Get details about a specific forest
Get-ADForest -Identity eurocorp.local

# Get all domains in the current forest
(Get-ADForest).Domains

# Get all global catalogs for the current forest
Get-ADForest | select -ExpandProperty GlobalCatalogs

# Map forest trusts (filter for trusts with Forest Trust Info)
Get-ADTrust -Filter 'msDS-TrustForestTrustInfo -ne "$null"'
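The Get-ADTrust output above carries a TrustAttributes bit field that tells you the trust type, transitivity and whether SID filtering (quarantine) is set, which is what a defender reviewing the trust inventory actually wants to see. The following added example (not the page's code, and not part of the ActiveDirectory module) decodes that field using the TRUST_ATTRIBUTE_* bit values from MS-ADTS and summarises each trust; the sample objects are constructed to look like Get-ADTrust output using the page's domain names plus a hypothetical extcorp.local.

```powershell
# Added example, not from the original page. Bit values are the TRUST_ATTRIBUTE_*
# flags documented in MS-ADTS for the trustAttributes attribute.
$TrustAttributeFlags = [ordered]@{
    NON_TRANSITIVE                           = 0x0001
    UPLEVEL_ONLY                             = 0x0002
    QUARANTINED_DOMAIN                       = 0x0004   # SID filtering on an external trust
    FOREST_TRANSITIVE                        = 0x0008
    CROSS_ORGANIZATION                       = 0x0010   # selective authentication
    WITHIN_FOREST                            = 0x0020
    TREAT_AS_EXTERNAL                        = 0x0040
    USES_RC4_ENCRYPTION                      = 0x0080
    CROSS_ORGANIZATION_NO_TGT_DELEGATION     = 0x0200
    PIM_TRUST                                = 0x0400
    CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION = 0x0800
}

function Get-TrustSummary {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] $Trust)
    process {
        $attr  = [int]$Trust.TrustAttributes
        $flags = @($TrustAttributeFlags.GetEnumerator() |
                  Where-Object { ($attr -band $_.Value) -ne 0 } |
                  ForEach-Object { $_.Key })

        # Classify from the flags rather than from a display name
        $kind = if     ($attr -band 0x0020) { 'Intra-forest (parent-child / tree-root)' }
                elseif ($attr -band 0x0008) { 'Forest' }
                else                        { 'External' }

        # Direction is relative to the domain you queried: Outbound means "this domain
        # trusts Target", so Target's users get access here; Inbound is the reverse.
        $direction  = "$($Trust.Direction)"
        $accessFlow = switch ($direction) {
            'Outbound'      { "users of $($Trust.Target) can access this domain" }
            'Inbound'       { "users of this domain can access $($Trust.Target)" }
            'BiDirectional' { 'users of each domain can access the other' }
            default         { 'disabled or unknown' }
        }

        [pscustomobject]@{
            Target            = $Trust.Target
            Kind              = $kind
            Direction         = $direction
            AccessFlow        = $accessFlow
            Transitive        = -not ($attr -band 0x0001)
            QuarantinedDomain = [bool]($attr -band 0x0004)   # SID filtering flag for external trusts
            Flags             = $flags -join ','
        }
    }
}

# Constructed sample trusts shaped like Get-ADTrust output. Direction is a string here;
# the real cmdlet returns an ADTrustDirection enum whose string form is the same.
$Sample = @(
    [pscustomobject]@{ Target='dollarcorp.moneycorp.local'; Direction='BiDirectional'; TrustAttributes=0x0020 }
    [pscustomobject]@{ Target='eurocorp.local';             Direction='Outbound';      TrustAttributes=0x0008 }
    [pscustomobject]@{ Target='extcorp.local';              Direction='Inbound';       TrustAttributes=(0x0001 -bor 0x0004) }  # hypothetical external trust
)
$Sample | Get-TrustSummary | Format-Table -AutoSize

# Against a live domain (needs the ActiveDirectory module):
# Get-ADTrust -Filter * | Get-TrustSummary
```

When run against real output, an External row with QuarantinedDomain set to False is the one worth a second look, since SID filtering is what stops SID history from the trusted side being honoured across that trust; forest trusts enforce SID filtering through a separate "forest aware" setting, which is why the flag is reported rather than interpreted for them.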