Active Directory Domains and Kerberos Reals

Image credit: Microsoft

The following question is too vendor-specific; I don’t think it’s testable.

Kathleen needs to set up an Active Directory trust to allow authentication with an existing Kerberos K5 domain. What type of trust does she need to create?
A. A shortcut trust
B. A forest trust
C. An external trust
D. A realm trust

Kerberos uses realms, and the proper type of trust to set up for an Active Directory environment that needs to connect to a K5 domain is a realm trust.
– A shortcut trust is a transitive trust between parts of a domain tree or forest that shortens the trust path,
– a forest trust is a transitive trust between two forest root domains, and
– an external trust is a nontransitive trust between AD domains in separate forests.

Source: Online Test Bank of The Official CISSP Study Guide

Trust typeTransitivityDirectionDescription
ExternalNontransitiveOne-way or two-wayUse external trusts to provide access to resources located on a Windows NT 4.0 domain or a domain located in a separate forest that is not joined by a forest trust. For more information, see When to create an external trust.
RealmTransitive or nontransitiveOne-way or two-wayUse realm trusts to form a trust relationship between a non-Windows Kerberos realm and a Windows Server 2003 domain. For more information, see When to create a realm trust.
ForestTransitiveOne-way or two-wayUse forest trusts to share resources between forests. If a forest trust is a two-way trust, authentication requests made in either forest can reach the other forest. For more information, see When to create a forest trust.
ShortcutTransitiveOne-way or two-wayUse shortcut trusts to improve user logon times between two domains within a Windows Server 2003 forest. This is useful when two domains are separated by two domain trees. For more information, see When to create a shortcut trust.
Trust types (Source: Microsoft)


Leave a Reply