How To: Work With Trusts

The following classes and enumerations are used with Active Directory trusts.

The following sections show how to use the System.DirectoryServices.ActiveDirectory namespace to work with Active Directory trusts.

Trust Direction

The trust direction is represented by the members of the TrustDirection enumeration. The direction of a trust is always relative to a single side of a trust. For example, if domain A has an inbound trust relationship with domain B, domain B has an outbound trust with domain A.

Creating a Trust

Creating a trust is a two-step process. The normal sequence of events is for one side of a trust relationship to be created and then the other side of the trust to be created. Once both sides of the trust have been created, the trust is established. Each side of the trust relationship requires the same password when the side is created.

For domain trusts, the CreateTrustRelationship method is used to programmatically create both sides of a trust relationship with a single method call. This method will create and use a password to establish the trust. The CreateTrustRelationship method is used to perform the same action for forest trusts.

The CreateLocalSideOfTrustRelationship method is used to create just one side of a domain trust relationship. The caller must provide the same password to the call on both sides of the trust to establish the trust. This password is only used for creation of the trust and has no relation to any account password. The trust direction must be correct in both calls for this method to succeed. This method is useful when one side of a trust is created programmatically and the other side is created manually. This method can also be used to programmatically create the two sides of the trust at different times. The CreateLocalSideOfTrustRelationship method is used to perform the same action for forest trusts.
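The two-call sequence described above, as an added example that is not code from the original topic: each side is created at a different time with CreateLocalSideOfTrustRelationship, using the same one-time trust password and complementary directions. The class and method names, and the idea that domain names and credentials come from the caller, are assumptions of this example.

```csharp
using System;
using System.DirectoryServices.ActiveDirectory;
using System.Security.Cryptography;

// Hypothetical helpers (added example, not from the original topic). Domain
// names and credentials are assumed to be supplied by the caller; the two
// Create* methods are meant to run at different times, one on each side.
static class TwoSidedTrust
{
    // A one-time secret shared out of band between the two administrators.
    // It only bootstraps the trust; it is not tied to any account password.
    static string NewTrustPassword()
    {
        byte[] bytes = new byte[32];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(bytes);
        }
        return Convert.ToBase64String(bytes);
    }

    static Domain Connect(string domainName, string userName, string password)
    {
        DirectoryContext context = new DirectoryContext(
            DirectoryContextType.Domain, domainName, userName, password);
        return Domain.GetDomain(context);
    }

    // Side 1: run in the trusting domain (it will accept users from remoteDomain).
    static void CreateOutboundSide(string localDomain, string remoteDomain,
        string userName, string password, string trustPassword)
    {
        Domain local = Connect(localDomain, userName, password);
        local.CreateLocalSideOfTrustRelationship(
            remoteDomain, TrustDirection.Outbound, trustPassword);
    }

    // Side 2: run in the trusted domain with the same trustPassword and the
    // complementary direction; the trust is established only after both calls.
    static void CreateInboundSide(string localDomain, string remoteDomain,
        string userName, string password, string trustPassword)
    {
        Domain local = Connect(localDomain, userName, password);
        local.CreateLocalSideOfTrustRelationship(
            remoteDomain, TrustDirection.Inbound, trustPassword);
    }
}
```

Until the second call has been made, VerifyTrustRelationship on either side throws ActiveDirectoryObjectNotFoundException, which is how a caller can tell that the trust is not yet established.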

Obtaining Information about a Trust

For domain trusts, the GetTrustRelationship method is used to obtain a TrustRelationshipInformation object that represents a trust between two domains. The GetAllTrustRelationships method is used to obtain a TrustRelationshipInformationCollection object that contains all trusts that the domain has established. The GetTrustRelationship and GetAllTrustRelationships methods are used to perform the same actions for forest trusts.

Verifying a Trust

For domain trusts, the VerifyTrustRelationship and VerifyOutBoundTrustRelationship methods are used to verify that an existing trust between two domains is valid. The VerifyOutBoundTrustRelationship method verifies an outbound trust only, whereas the VerifyTrustRelationship method can be used to verify any type of trust. The VerifyTrustRelationship and VerifyOutBoundTrustRelationship methods are used to perform the same actions for forest trusts. All of these methods throw an ActiveDirectoryObjectNotFoundException exception if the existing trust cannot be verified.

The following C# example shows how to enumerate the trusts for a domain and verify that each trust has been fully established.

using System;
using System.DirectoryServices.ActiveDirectory;
using System.Net;

// Enumerates every trust the domain has established and checks that the
// other side of each trust exists. targetCredentials must be valid in the
// target domain of each trust, since GetDomain binds to that domain.
static void EnumAndVerifyDomainTrusts(
    Domain domain, 
    NetworkCredential targetCredentials)
{
    TrustRelationshipInformationCollection trusts;
    trusts = domain.GetAllTrustRelationships();

    foreach (TrustRelationshipInformation trust in trusts)
    {
        Console.WriteLine(
            String.Format("Trust between {0} and {1}:",
            trust.SourceName,
            trust.TargetName));
        
        Console.WriteLine(
            String.Format("\tTrust type: {0}",
            trust.TrustType.ToString()));
        
        Console.WriteLine(
            String.Format("\tTrust direction: {0}",
            trust.TrustDirection.ToString()));

        // Verify that the trust has been fully established. The direction
        // passed to VerifyTrustRelationship is the one recorded on this side.
        DirectoryContext context = new DirectoryContext(
            DirectoryContextType.Domain,
            trust.TargetName, 
            targetCredentials.UserName,
            targetCredentials.Password);
        Domain targetDomain = Domain.GetDomain(context);
        Console.WriteLine(targetDomain.Name);

        try
        {
            domain.VerifyTrustRelationship(
                targetDomain, 
                trust.TrustDirection);

            Console.WriteLine("Trust verified.");
        }
        catch (ActiveDirectoryObjectNotFoundException)
        {
            // The trust was not verified: the other side is missing
            // or its direction does not match this side.
            Console.WriteLine("Trust not verified.");
        }
    }
}

Deleting a Trust

Once one side of a trust relationship is deleted, the trust is no longer established. For domain trusts, the DeleteLocalSideOfTrustRelationship method is used to delete a single side of a trust. The DeleteTrustRelationship method is used to delete both sides of a trust with a single method call. The DeleteLocalSideOfTrustRelationship and DeleteTrustRelationship methods are used to perform the same actions for forest trusts.

Selective Authentication

If you enable selective authentication on an inbound forest trust (see SetSelectiveAuthenticationStatus), you must manually assign permissions on each domain and resource to which you want users in the second forest to have access. To do this, set the Allowed to authenticate control access right on the object for that particular user or group from the second forest.

When a user authenticates across a trust on which selective authentication is enabled (see GetSelectiveAuthenticationStatus), an Other Organization security ID (SID) is added to the user's authorization data. The presence of this SID prompts a check on the resource domain to ensure that the user is allowed to authenticate to the particular service. Once the user is authenticated, the server to which the user authenticates adds the This Organization SID if the Other Organization SID is not already present. Only one of these special SIDs can be present in an authenticated user's context.

SID Filtering

SID filtering allows an administrator to cause the domain controllers in a given domain to "quarantine" a trusted domain. This causes the domain controllers in the trusting domain to remove all SIDs that are not relative to the trusted domain from any authorization data that is received from that domain. Quarantining is performed from the trusting domain, and is done on a per-domain basis.

SID filtering blocks Windows 2000 transitive trust. If a quarantined domain is located in the trust path between two domains, users from domains on the other side of the quarantined domain cannot access resources in the quarantining domain. For this reason, quarantined domains should be leaf domains, their child domains should be only resource domains that contain no user accounts, or the quarantined domain should be in a separate forest.

A Windows 2000 administrator should not use the SID filtering feature to create a "restricted-access" domain within a forest. The recommended quarantine scenario is to quarantine only domains in separate forests. A trust should be established from the domain that is to be protected to the domain that is to be quarantined, and then the trusting domain should be configured to filter the SIDs from the trusted domain.
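An added audit helper, not code from the original topic, covering both the Selective Authentication and SID Filtering sections above: it reports, for each outbound or bidirectional forest trust, whether the trusting side has SID filtering and selective authentication enabled, and shows how the quarantine is switched on from the trusting forest. The class and method names are assumptions; the Forest is obtained by the caller, for example with Forest.GetCurrentForest().

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices.ActiveDirectory;

// Hypothetical audit helper (added example, not from the original topic). It
// walks the forest's trusts and reports, per outbound or bidirectional trust,
// whether SID filtering (quarantine) and selective authentication are enabled
// on this, the trusting, side. Returns the trusted forests that are unfiltered.
static class ForestTrustAudit
{
    static List<string> ReportUnfilteredTrusts(Forest forest)
    {
        List<string> unfiltered = new List<string>();

        foreach (TrustRelationshipInformation trust in forest.GetAllTrustRelationships())
        {
            // Both settings are attributes of the trusting side, so an
            // inbound-only trust has nothing to query here.
            if (trust.TrustDirection == TrustDirection.Inbound) continue;

            try
            {
                bool sidFiltering = forest.GetSidFilteringStatus(trust.TargetName);
                bool selectiveAuth =
                    forest.GetSelectiveAuthenticationStatus(trust.TargetName);
                Console.WriteLine("{0} -> {1}: SID filtering={2}, selective auth={3}",
                    trust.SourceName, trust.TargetName, sidFiltering, selectiveAuth);
                if (!sidFiltering) unfiltered.Add(trust.TargetName);
            }
            catch (ActiveDirectoryOperationException e)
            {
                Console.WriteLine("{0}: could not read trust settings: {1}",
                    trust.TargetName, e.Message);
            }
        }
        return unfiltered;
    }

    // Quarantine a trusted forest: the trusting forest then discards SIDs in
    // received authorization data that are not relative to that forest.
    static void Quarantine(Forest forest, string trustedForestName)
    {
        forest.SetSidFilteringStatus(trustedForestName, true);
    }
}
```

Domain has the equivalent GetSidFilteringStatus and SetSidFilteringStatus methods for domain trusts, but as the section above notes, quarantining is recommended only for domains in separate forests.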