信任关系如何作用于 Azure Active Directory 域服务中的资源林How trust relationships work for resource forests in Azure Active Directory Domain Services

Active Directory 域服务 (AD DS) 通过域和林信任关系提供跨多个域或林的安全性。Active Directory Domain Services (AD DS) provides security across multiple domains or forests through domain and forest trust relationships. 跨信任进行身份验证之前,Windows 必须首先检查用户、计算机或服务请求的域与请求帐户的域之间是否存在信任关系。Before authentication can occur across trusts, Windows must first check if the domain being requested by a user, computer, or service has a trust relationship with the domain of the requesting account.

为检查这种信任关系,Windows 安全系统将计算接收请求的服务器的域控制器 (DC) 和请求帐户的域中的 DC 之间的信任路径。To check for this trust relationship, the Windows security system computes a trust path between the domain controller (DC) for the server that receives the request and a DC in the domain of the requesting account.

AD DS 和 Windows 分布式安全模型提供的访问控制机制为域和林信任的操作提供了环境。The access control mechanisms provided by AD DS and the Windows distributed security model provide an environment for the operation of domain and forest trusts. 要使这些信任能够正常发挥作用,每项资源或每台计算机都必须对其所在域中的 DC 具有直接信任路径。For these trusts to work properly, every resource or computer must have a direct trust path to a DC in the domain in which it is located.

Net Logon 服务使用经过身份验证的远程过程调用 (RPC) 与受信任的域颁发机构的连接来实现此信任路径。The trust path is implemented by the Net Logon service using an authenticated remote procedure call (RPC) connection to the trusted domain authority. 安全通道还通过域间信任关系扩展到其他 AD DS 域。A secured channel also extends to other AD DS domains through interdomain trust relationships. 此安全通道用于获取和验证安全信息,包括用户和组的安全标识符 (SID)。This secured channel is used to obtain and verify security information, including security identifiers (SIDs) for users and groups.

有关信任如何应用于 Azure AD DS 的概述,请参阅资源林概念和功能For an overview of how trusts apply to Azure AD DS, see Resource forest concepts and features.

若要在 Azure AD DS 中开始使用信任,请创建使用林信任的托管域To get started using trusts in Azure AD DS, create a managed domain that uses forest trusts.

信任关系流Trust relationship flows

信任间的安全通信流决定信任的弹性。The flow of secured communications over trusts determines the elasticity of a trust. 你如何创建或配置信任,决定这种通信在林中或林间扩展的范围。How you create or configure a trust determines how far the communication extends within or across forests.

信任之间的通信流取决于信任的方向。The flow of communication over trusts is determined by the direction of the trust. 信任可以是单向或双向的,可以是可传递或不可传递的。Trusts can be one-way or two-way, and can be transitive or non-transitive.

下图显示,默认情况下,树 1 和树 2 中的所有域之间具有可传递的信任关系。 The following diagram shows that all domains in Tree 1 and Tree 2 have transitive trust relationships by default. 因此,在资源处分配适当的权限时,树 1 中的用户可以访问树 2 所含域中的资源,且树 1 中的用户可以访问树 2 中的资源。 As a result, users in Tree 1 can access resources in domains in Tree 2 and users in Tree 1 can access resources in Tree 2, when the proper permissions are assigned at the resource.


单向和双向信任One-way and two-way trusts

允许访问资源的信任关系可以是单向或双向的。Trust relationships enable access to resources can be either one-way or two-way.

单向信任是在两个域之间创建的单向身份验证路径。A one-way trust is a unidirectional authentication path created between two domains. 在域 A 和域 B 的一种单向信任中,域 A 中的用户可以访问域 B 中的资源。 但是,域 B 中的用户无法访问域 A 中的资源。 In a one-way trust between Domain A and Domain B, users in Domain A can access resources in Domain B. However, users in Domain B can't access resources in Domain A.

某些单向信任可以是不可传递的,也可以是可传递的,具体取决于所创建的信任类型。Some one-way trusts can be either non-transitive or transitive depending on the type of trust being created.

在双向信任中,域 A 信任域 B,域 B 也信任域 A。 此配置表示两个域之间可以相互传递身份验证请求。In a two-way trust, Domain A trusts Domain B and Domain B trusts Domain A. This configuration means that authentication requests can be passed between the two domains in both directions. 某些双向信任关系可以是不可传递的,也可以是可传递的,具体取决于所创建的信任类型。Some two-way relationships can be non-transitive or transitive depending on the type of trust being created.

AD DS 林中的所有域信任都是双向可传递信任。All domain trusts in an AD DS forest are two-way, transitive trusts. 创建新的子域时,将在新子域和父域之间自动创建双向可传递信任。When a new child domain is created, a two-way, transitive trust is automatically created between the new child domain and the parent domain.

可传递和不可传递信任Transitive and non-transitive trusts

传递性决定可否将信任扩展到构成该信任的两个域之外。Transitivity determines whether a trust can be extended outside of the two domains with which it was formed.

  • 可以使用可传递信任扩展与其他域的信任关系。A transitive trust can be used to extend trust relationships with other domains.
  • 可以使用不可传递信任拒绝与其他域的信任关系。A non-transitive trust can be used to deny trust relationships with other domains.

每次在林中创建新域时,都会在新域及其父域之间自动创建双向可传递信任关系。Each time you create a new domain in a forest, a two-way, transitive trust relationship is automatically created between the new domain and its parent domain. 如果将子域添加到新域,则信任路径将向上流经域层次结构,扩展在该新域及其父域之间创建的初始信任路径。If child domains are added to the new domain, the trust path flows upward through the domain hierarchy extending the initial trust path created between the new domain and its parent domain. 传递信任关系形成时会在域树中向上流动,在域树中的所有域之间创建可传递信任。Transitive trust relationships flow upward through a domain tree as it is formed, creating transitive trusts between all domains in the domain tree.

身份验证请求沿这些信任路径传递,因此来自林中任何域的帐户都可以通过该林中其他任何域的身份验证。Authentication requests follow these trust paths, so accounts from any domain in the forest can be authenticated by any other domain in the forest. 通过单一登录过程,具有适当权限的帐户可以访问林中任何域中的资源。With a single sign in process, accounts with the proper permissions can access resources in any domain in the forest.

林信任Forest trusts

林信任可以帮助管理分段 AD DS 基础结构,并支持访问多个林中的资源和其他对象。Forest trusts help you to manage a segmented AD DS infrastructures and support access to resources and other objects across multiple forests. 林信任适用于服务提供商、正在进行合并或收购的公司、协作业务 Extranet 和寻求管理自治解决方案的公司。Forest trusts are useful for service providers, companies undergoing mergers or acquisitions, collaborative business extranets, and companies seeking a solution for administrative autonomy.

使用林信任,可以链接两个不同的林,形成单向或双向可传递信任关系。Using forest trusts, you can link two different forests to form a one-way or two-way transitive trust relationship. 使用林信任,管理员可以将通过单个信任关系连接两个 AD DS 林,以便提供跨林的无缝身份验证和授权体验。A forest trust allows administrators to connect two AD DS forests with a single trust relationship to provide a seamless authentication and authorization experience across the forests.

只能在一个林中的林根域和另一个林中的林根域之间创建林信任。A forest trust can only be created between a forest root domain in one forest and a forest root domain in another forest. 只能在两个林之间创建林信任,不能将其隐式扩展到第三个林。Forest trusts can only be created between two forests and can't be implicitly extended to a third forest. 此行为意味着,如果在林 1 和林 2 之间创建了林信任,又在林 2 和林 3 之间创建了另一个林信任,林 1 与林 3 之间不存在隐式信任。 This behavior means that if a forest trust is created between Forest 1 and Forest 2, and another forest trust is created between Forest 2 and Forest 3, Forest 1 doesn't have an implicit trust with Forest 3.

下图显示了一个组织中三个 AD DS 林之间两个单独的林信任关系。The following diagram shows two separate forest trust relationships between three AD DS forests in a single organization.


此示例配置提供以下访问权限:This example configuration provides the following access:

  • 林 2 中的用户可以访问林 1 或林 3 所含任何域中的资源 Users in Forest 2 can access resources in any domain in either Forest 1 or Forest 3
  • 林 3 中的用户可以访问林 2 所含任何域中的资源 Users in Forest 3 can access resources in any domain in Forest 2
  • 林 1 中的用户可以访问林 2 所含任何域中的资源 Users in Forest 1 can access resources in any domain in Forest 2

此配置不允许林 1 中的用户访问林 3 中的资源,反之亦然。 This configuration doesn't allow users in Forest 1 to access resources in Forest 3 or vice versa. 若要允许林 1 和林 3 中的用户共享资源,则必须在这两个林之间创建双向可传递信任。 To allow users in both Forest 1 and Forest 3 to share resources, a two-way transitive trust must be created between the two forests.

如果在两个林之间创建单向林信任,则受信任林的成员可以利用信任林中的资源。If a one-way forest trust is created between two forests, members of the trusted forest can utilize resources located in the trusting forest. 但是,信任只单向有效。However, the trust operates in only one direction.

例如,在林 1(受信任林)与林 2(信任林)之间创建单向林信任时: For example, when a one-way, forest trust is created between Forest 1 (the trusted forest) and Forest 2 (the trusting forest):

  • 林 1 的成员可以访问林 2 中的资源。 Members of Forest 1 can access resources located in Forest 2.
  • 林 2 的成员不能使用同一信任访问林 1 中的资源。 Members of Forest 2 can't access resources located in Forest 1 using the same trust.


Azure AD 域服务资源林仅支持对本地 Active Directory 的单向林信任。Azure AD Domain Services resource forest only supports a one-way forest trust to on-premises Active Directory.

林信任要求Forest trust requirements

需要确认你拥有正确的域名系统 (DNS) 基础结构,然后才能创建林信任。Before you can create a forest trust, you need to verify you have the correct Domain Name System (DNS) infrastructure in place. 仅当以下 DNS 配置之一可用时,才能创建林信任:Forest trusts can only be created when one of the following DNS configurations is available:

  • 有一个根 DNS 服务器是两个林 DNS 命名空间的根 DNS 服务器 - 根区域包含每个 DNS 命名空间的委派,所有 DNS 服务器的根提示都包括根 DNS 服务器。A single root DNS server is the root DNS server for both forest DNS namespaces - the root zone contains delegations for each of the DNS namespaces and the root hints of all DNS servers include the root DNS server.

  • 如果没有共享的根 DNS 服务器,并且每个林 DNS 命名空间中的根 DNS 服务器使用 DNS 条件转发器,让每个 DNS 命名空间路由对其他命名空间中名称的查询。When there is no shared root DNS server and the root DNS servers in each forest DNS namespace use DNS conditional forwarders for each DNS namespace to route queries for names in the other namespace.


    Azure AD 域服务资源林必须使用此 DNS 配置。Azure AD Domain Services resource forest must use this DNS configuration. 承载除资源林 DNS 命名空间之外的 DNS 命名空间不是 Azure AD 域服务的功能。Hosting a DNS namespace other than the resource forest DNS namespace is not a feature of Azure AD Domain Services. 条件转发器是正确的配置。Conditional forwarders is the proper configuration.

  • 如果没有共享的根 DNS 服务器,并且每个林 DNS 命名空间中的根 DNS 服务器使用 DNS 辅助区域,让每个 DNS 命名空间路由对其他命名空间中名称的查询。When there is no shared root DNS server and the root DNS servers in each forest DNS namespace are use DNS secondary zones are configured in each DNS namespace to route queries for names in the other namespace.

若要创建林信任,你必须是(林根域中的)“域管理员”组或 Active Directory 中的“企业管理员”组的成员。To create a forest trust, you must be a member of the Domain Admins group (in the forest root domain) or the Enterprise Admins group in Active Directory. 为每个信任分配一个密码,这两个林中的管理员都必须知道该密码。Each trust is assigned a password that the administrators in both forests must know. 两个林中的“企业管理员”成员可以同时在这两个林中创建信任,在这种情况下,会自动为这两个林生成并写入随机加密的密码。Members of Enterprise Admins in both forests can create the trusts in both forests at once and, in this scenario, a password that is cryptographically random is automatically generated and written for both forests.

在 Azure 门户中创建 Azure AD 域服务的出站林信任。The outbound forest trust for Azure AD Domain Services is created in the Azure portal. 不用手动创建与托管域本身的信任。You don't manually create the trust with the managed domain itself. 传入林信任必须由具有以前在本地 Active Directory 中记录的特权的用户配置。The incoming forest trust must be configured by a user with the privileges previously noted in the on-premises Active Directory.

信任进程和交互Trust processes and interactions

许多域间和林间事务依赖于域信任或林信任来完成各种任务。Many inter-domain and inter-forest transactions depend on domain or forest trusts in order to complete various tasks. 本部分介绍跨信任访问资源并评估身份验证引用时发生的过程和交互。This section describes the processes and interactions that occur as resources are accessed across trusts and authentication referrals are evaluated.

身份验证引用处理概述Overview of authentication referral processing

当身份验证请求被引用到域时,该域中的域控制器必须确定与请求来自的域之间是否存在信任关系。When a request for authentication is referred to a domain, the domain controller in that domain must determine whether a trust relationship exists with the domain from which the request comes. 在对用户进行身份验证以允许其访问域中的资源之前,还必须确定信任的方向以及信任是否可传递。The direction of the trust and whether the trust is transitive or nontransitive must also be determined before it authenticates the user to access resources in the domain. 根据所使用的身份验证协议,在受信任域之间发生的身份验证过程会有所不同。The authentication process that occurs between trusted domains varies according to the authentication protocol in use. Kerberos V5 和 NTLM 协议会以不同方式处理向域进行身份验证的引用The Kerberos V5 and NTLM protocols process referrals for authentication to a domain differently

Kerberos V5 引用处理Kerberos V5 referral processing

Kerberos V5 身份验证协议依赖于域控制器上的 Net Logon 服务来获取客户端身份验证和授权信息。The Kerberos V5 authentication protocol is dependent on the Net Logon service on domain controllers for client authentication and authorization information. Kerberos 协议连接到在线密钥发行中心 (KDC) 和 Active Directory 帐户存储以获取会话票证。The Kerberos protocol connects to an online Key Distribution Center (KDC) and the Active Directory account store for session tickets.

Kerberos 协议还使用信任,以实现跨领域票证授予服务 (TGS),并在受保护的通道中验证特权属性证书 (PAC)。The Kerberos protocol also uses trusts for cross-realm ticket-granting services (TGS) and to validate Privilege Attribute Certificates (PACs) across a secured channel. Kerberos 协议仅对非 Windows 品牌的操作系统 Kerberos 领域(如 MIT Kerberos 领域)执行跨领域身份验证,无需与 Net Logon 服务交互。The Kerberos protocol performs cross-realm authentication only with non-Windows-brand operating system Kerberos realms such as an MIT Kerberos realm and does not need to interact with the Net Logon service.

如果客户端使用 Kerberos V5 进行身份验证,它会请求从帐户域中域控制器到目标域中服务器的票证。If the client uses Kerberos V5 for authentication, it requests a ticket to the server in the target domain from a domain controller in its account domain. Kerberos KDC 充当客户端和服务器之间的受信任中介,并提供一个会话密钥,使双方彼此进行身份验证。The Kerberos KDC acts as a trusted intermediary between the client and server and provides a session key that enables the two parties to authenticate each other. 如果目标域不同于当前域,KDC 将遵循逻辑进程来确定是否可以引用身份验证请求:If the target domain is different from the current domain, the KDC follows a logical process to determine whether an authentication request can be referred:

  1. 被请求的服务器所在的域是否直接信任当前域?Is the current domain trusted directly by the domain of the server that is being requested?

    • 如果是,则向客户端发送对被请求域的引用。If yes, send the client a referral to the requested domain.
    • 如果不是,则转到下一步骤。If no, go to the next step.
  2. 当前域与信任路径上的下一个域之间是否存在可传递信任关系?Does a transitive trust relationship exist between the current domain and the next domain on the trust path?

    • 如果是,则向客户端发送对信任路径上的下一个域的引用。If yes, send the client a referral to the next domain on the trust path.
    • 如果不是,则向客户端发送拒绝登录消息。If no, send the client a sign-in denied message.

NTLM 引用处理NTLM referral processing

NTLM 身份验证协议依赖于域控制器上的 Net Logon 服务来获取客户端身份验证和授权信息。The NTLM authentication protocol is dependent on the Net Logon service on domain controllers for client authentication and authorization information. 此协议对不使用 Kerberos 身份验证的客户端进行身份验证。This protocol authenticates clients that do not use Kerberos authentication. NTLM 使用信任在域之间传递身份验证请求。NTLM uses trusts to pass authentication requests between domains.

如果客户端使用 NTLM 进行身份验证,则会直接从客户端向目标域中的资源服务器发送初始身份验证请求。If the client uses NTLM for authentication, the initial request for authentication goes directly from the client to the resource server in the target domain. 此服务器会创建质询待客户端响应。This server creates a challenge to which the client responds. 然后,服务器将用户的响应发送到其计算机帐户域中的域控制器。The server then sends the user's response to a domain controller in its computer account domain. 此域控制器会检查用户帐户是否在其安全帐户数据库中。This domain controller checks the user account against its security accounts database.

如果数据库中不存在该帐户,则域控制器将使用以下逻辑决定是执行直通身份验证、转发请求还是拒绝请求:If the account does not exist in the database, the domain controller determines whether to perform pass-through authentication, forward the request, or deny the request by using the following logic:

  1. 当前域与用户的域是否具有直接信任关系?Does the current domain have a direct trust relationship with the user's domain?

    • 如果是,则域控制器会将客户端的凭据发送到用户域中的域控制器,以进行直通身份验证。If yes, the domain controller sends the credentials of the client to a domain controller in the user's domain for pass-through authentication.
    • 如果不是,则转到下一步骤。If no, go to the next step.
  2. 当前域与用户的域是否具有可传递信任关系?Does the current domain have a transitive trust relationship with the user's domain?

    • 如果是,则将身份验证请求继续传递到信任路径中的下一个域。If yes, pass the authentication request on to the next domain in the trust path. 此域控制器将重复“检查用户的凭据是否在其安全帐户数据库中”这一过程。This domain controller repeats the process by checking the user's credentials against its own security accounts database.
    • 如果不是,则向客户端发送拒绝登录消息。If no, send the client a logon-denied message.

对于通过林信任实现身份验证的请求的基于 Kerberos 的处理Kerberos-based processing of authentication requests over forest trusts

当两个林通过林信任连接时,可以在林间路由使用 Kerberos V5 或 NTLM 协议发出的身份验证请求,以提供对这两个林中资源的访问权限。When two forests are connected by a forest trust, authentication requests made using the Kerberos V5 or NTLM protocols can be routed between forests to provide access to resources in both forests.

第一次建立林信任时,每个林都会收集其伙伴林中的所有受信任命名空间,并将信息存储在受信任的域对象中。When a forest trust is first established, each forest collects all of the trusted namespaces in its partner forest and stores the information in a trusted domain object. 受信任的命名空间包括在另一个林中使用的域树名称、用户主体名称 (UPN) 后缀、服务主体名称 (SPN) 后缀和安全 ID (SID) 命名空间。Trusted namespaces include domain tree names, user principal name (UPN) suffixes, service principal name (SPN) suffixes, and security ID (SID) namespaces used in the other forest. 会将 TDO 对象复制到全局目录。TDO objects are replicated to the global catalog.

必须先将资源计算机的服务主体名称 (SPN) 解析为另一个林中的位置,身份验证协议才能遵循林信任路径。Before authentication protocols can follow the forest trust path, the service principal name (SPN) of the resource computer must be resolved to a location in the other forest. SPN 可以是下列名称之一:An SPN can be one of the following names:

  • 主机的 DNS 名称。The DNS name of a host.
  • 域的 DNS 名称。The DNS name of a domain.
  • 服务连接点对象的可分辨名称。The distinguished name of a service connection point object.

当一个林中的工作站尝试访问另一个林中资源计算机上的数据时,Kerberos 身份验证过程会联系域控制器,以获取资源计算机 SPN 的服务票证。When a workstation in one forest attempts to access data on a resource computer in another forest, the Kerberos authentication process contacts the domain controller for a service ticket to the SPN of the resource computer. 一旦域控制器查询全局目录并确定该 SPN 与域控制器不在同一个林中,域控制器会将对其父域的引用发送回工作站。Once the domain controller queries the global catalog and determines that the SPN is not in the same forest as the domain controller, the domain controller sends a referral for its parent domain back to the workstation. 此时,工作站会查询该父域以获取服务票证,并沿引用链继续前进,直到到达资源所在的域。At that point, the workstation queries the parent domain for the service ticket and continues to follow the referral chain until it reaches the domain where the resource is located.

以下关系图和步骤详细描述了运行 Windows 的计算机尝试访问另一个林中的计算机时使用的 Kerberos 身份验证过程。The following diagram and steps provide a detailed description of the Kerberos authentication process that's used when computers running Windows attempt to access resources from a computer located in another forest.

林信任中 Kerberos 过程的示意图

  1. User1 使用来自 europe.tailspintoys.com 域的凭据登录到 Workstation1 。User1 signs in to Workstation1 using credentials from the europe.tailspintoys.com domain. 然后,该用户尝试访问 usa.wingtiptoys.com 林中 FileServer1 上的共享资源。 The user then attempts to access a shared resource on FileServer1 located in the usa.wingtiptoys.com forest.

  2. Workstation1 联系其域 ChildDC1 中域控制器上的 Kerberos KDC,并为 FileServer1 SPN 请求服务票证。 Workstation1 contacts the Kerberos KDC on a domain controller in its domain, ChildDC1, and requests a service ticket for the FileServer1 SPN.

  3. ChildDC1 在其域数据库中找不到该 SPN,并查询全局目录以了解 tailspintoys.com 林中是否有任何域包含此 SPN。 ChildDC1 does not find the SPN in its domain database and queries the global catalog to see if any domains in the tailspintoys.com forest contain this SPN. 由于全局目录仅限于其自己的林,因此未找到该 SPN。Because a global catalog is limited to its own forest, the SPN is not found.

    然后,全局目录将检查其数据库,查找与其林建立的任何林信任的相关信息。The global catalog then checks its database for information about any forest trusts that are established with its forest. 如果找到,它会将林信任受信任的域对象 (TDO) 中列出的名称后缀与目标 SPN 的后缀进行比较,以查找匹配项。If found, it compares the name suffixes listed in the forest trust trusted domain object (TDO) to the suffix of the target SPN to find a match. 找到匹配项后,全局目录会反过来向 ChildDC1 提供路由提示。Once a match is found, the global catalog provides a routing hint back to ChildDC1.

    路由提示有助于向目标林进行直接身份验证请求。Routing hints help direct authentication requests toward the destination forest. 仅当所有传统身份验证通道(例如本地域控制器和全局目录)都找不到 SPN 时才使用提示。Hints are only used when all traditional authentication channels, such as local domain controller and then global catalog, fail to locate an SPN.

  4. ChildDC1 反过来向 Workstation1 发送对其父域的引用。 ChildDC1 sends a referral for its parent domain back to Workstation1.

  5. Workstation1 联系 ForestRootDC1(其父域)中的域控制器,以获取对 wingtiptoys.com 林的林根域中域控制器 (ForestRootDC2) 的引用。 Workstation1 contacts a domain controller in ForestRootDC1 (its parent domain) for a referral to a domain controller (ForestRootDC2) in the forest root domain of the wingtiptoys.com forest.

  6. Workstation1 联系 wingtiptoys.com 林中的 ForestRootDC2,以获取用于所请求服务的服务票证。 Workstation1 contacts ForestRootDC2 in the wingtiptoys.com forest for a service ticket to the requested service.

  7. ForestRootDC2 联系其全局目录以查找 SPN,全局目录找到该 SPN 的匹配项并将其发送回 ForestRootDC2。 ForestRootDC2 contacts its global catalog to find the SPN, and the global catalog finds a match for the SPN and sends it back to ForestRootDC2.

  8. 然后,ForestRootDC2 将对 usa.wingtiptoys.com 的引用发送回 Workstation1。 ForestRootDC2 then sends the referral to usa.wingtiptoys.com back to Workstation1.

  9. Workstation1 联系 ChildDC2 上的 KDC,并协商 User1 的票证,以获得对 FileServer1 的访问权限。 Workstation1 contacts the KDC on ChildDC2 and negotiates the ticket for User1 to gain access to FileServer1.

  10. Workstation1 拥有服务票证后,它会将该服务票证发送到 FileServer1,后者会读取 User1 的安全凭据,并相应地构造一个访问令牌。 Once Workstation1 has a service ticket, it sends the service ticket to FileServer1, which reads User1's security credentials and constructs an access token accordingly.

受信任的域对象Trusted domain object

组织内的每个域或林信任均由存储在其域中的“系统”容器中的受信任域对象 (TDO) 表示。Each domain or forest trust within an organization is represented by a Trusted Domain Object (TDO) stored in the System container within its domain.

TDO 内容TDO contents

TDO 中包含的信息取决于 TDO 是由域信任还是林信任创建的。The information contained in a TDO varies depending on whether a TDO was created by a domain trust or by a forest trust.

创建域信任时,DNS 域名、域 SID、信任类型、信任传递性和互惠域名等属性将表示在 TDO 中。When a domain trust is created, attributes such as the DNS domain name, domain SID, trust type, trust transitivity, and the reciprocal domain name are represented in the TDO. 林信任 TDO 还存储其他属性,用于标识来自伙伴林的所有受信任的命名空间。Forest trust TDOs store additional attributes to identify all of the trusted namespaces from the partner forest. 这些属性包括域树名称、用户主体名称 (UPN) 后缀、服务主体名称 (SPN) 后缀和安全 ID (SID) 命名空间。These attributes include domain tree names, user principal name (UPN) suffixes, service principal name (SPN) suffixes, and security ID (SID) namespaces.

因为信任以 TDO 的形式存储在 Active Directory 中,所以林中的所有域都将了解整个林中存在的信任关系。Because trusts are stored in Active Directory as TDOs, all domains in a forest have knowledge of the trust relationships that are in place throughout the forest. 类似地,当两个或更多林通过林信任联接在一起时,每个林中的林根域都将了解受信任的林中所有域之间的信任关系。Similarly, when two or more forests are joined together through forest trusts, the forest root domains in each forest have knowledge of the trust relationships that are in place throughout all of the domains in trusted forests.

TDO 密码更改TDO password changes

信任关系中的两个域共享一个密码,该密码存储在 Active Directory 中的 TDO 对象内。Both domains in a trust relationship share a password, which is stored in the TDO object in Active Directory. 作为帐户维护过程的一部分,信任域控制器每 30 天会更改一次存储在 TDO 中的密码。As part of the account maintenance process, every 30 days the trusting domain controller changes the password stored in the TDO. 由于所有双向信任实际上都是两个相反方向的单向信任,因此该过程对于双向信任会发生两次。Because all two-way trusts are actually two one-way trusts going in opposite directions, the process occurs twice for two-way trusts.

信任具有信任和受信任端。A trust has a trusting and a trusted side. 在受信任端,任何可写域控制器都可用于此过程。On the trusted side, any writable domain controller can be used for the process. 在信任端,由 PDC 模拟器执行密码更改。On the trusting side, the PDC emulator performs the password change.

为更改密码,域控制器将完成以下过程:To change a password, the domain controllers complete the following process:

  1. 信任域中的主域控制器 (PDC) 仿真器创建新密码。The primary domain controller (PDC) emulator in the trusting domain creates a new password. 受信任域中的域控制器永远不会启动密码更改。A domain controller in the trusted domain never initiates the password change. 始终由信任域 PDC 仿真器启动。It's always initiated by the trusting domain PDC emulator.

  2. 信任域中的 PDC 仿真器将 TDO 对象的 OldPassword 字段设置为当前 NewPassword 字段。 The PDC emulator in the trusting domain sets the OldPassword field of the TDO object to the current NewPassword field.

  3. 信任域中的 PDC 仿真器将 TDO 对象的 NewPassword 字段设置为新密码。The PDC emulator in the trusting domain sets the NewPassword field of the TDO object to the new password. 保留以前密码的副本,以便在受信任的域中的域控制器无法接收更改时,或者在使用新信任密码发出请求之前未复制更改时,可以还原到旧密码。Keeping a copy of the previous password makes it possible to revert to the old password if the domain controller in the trusted domain fails to receive the change, or if the change is not replicated before a request is made that uses the new trust password.

  4. 信任域中的 PDC 仿真器对受信任的域中的域控制器进行远程调用,要求它将信任帐户的密码设置为新密码。The PDC emulator in the trusting domain makes a remote call to a domain controller in the trusted domain asking it to set the password on the trust account to the new password.

  5. 受信任的域中的域控制器将信任密码更改为新密码。The domain controller in the trusted domain changes the trust password to the new password.

  6. 在信任的双方,将更新复制到域中的其他域控制器。On each side of the trust, the updates are replicated to the other domain controllers in the domain. 在信任域中,更改将触发紧急复制受信任的域对象。In the trusting domain, the change triggers an urgent replication of the trusted domain object.

现在,这两个域控制器上都已更改密码。The password is now changed on both domain controllers. 正常复制将 TDO 对象分发到域中的其他域控制器。Normal replication distributes the TDO objects to the other domain controllers in the domain. 但是,信任域中的域控制器可能会更改密码而未成功更新受信任的域中的域控制器。However, it's possible for the domain controller in the trusting domain to change the password without successfully updating a domain controller in the trusted domain. 出现这种情况的原因可能是,无法建立处理密码更改所需的安全通道。This scenario might occur because a secured channel, which is required to process the password change, couldn't be established. 还可能是受信任的域中的域控制器在过程中的某个时间点不可用,因而无法接收更新的密码。It's also possible that the domain controller in the trusted domain might be unavailable at some point during the process and might not receive the updated password.

为处理密码更改未成功传递的情况,在使用新密码成功完成身份验证(设置安全通道)之前,信任域中的域控制器不会更改新密码。To deal with situations in which the password change isn't successfully communicated, the domain controller in the trusting domain never changes the new password unless it has successfully authenticated (set up a secured channel) using the new password. 此行为是将旧密码和新密码同时保存在信任域的 TDO 对象中的原因。This behavior is why both the old and new passwords are kept in the TDO object of the trusting domain.

直到使用密码的身份验证成功,密码更改才算完成。A password change isn't finalized until authentication using the password succeeds. 可通过受保护的通道使用已存储的旧密码,直到受信任的域中的域控制器收到新密码,从而实现不间断服务。The old, stored password can be used over the secured channel until the domain controller in the trusted domain receives the new password, thus enabling uninterrupted service.

如果使用新密码进行的身份验证由于密码无效而失败,则信任域控制器会尝试使用旧密码进行身份验证。If authentication using the new password fails because the password is invalid, the trusting domain controller tries to authenticate using the old password. 如果它通过旧密码成功完成身份验证,它将在 15 分钟内继续密码更改过程。If it authenticates successfully with the old password, it resumes the password change process within 15 minutes.

信任密码更新需要在 30 天内复制到信任双方的域控制器。Trust password updates need to replicate to the domain controllers of both sides of the trust within 30 days. 如果在 30 天后更改了信任密码,并且域控制器只拥有 N-2 密码,则它不能在信任端使用信任,也不能在受信任端创建安全通道。If the trust password is changed after 30 days and a domain controller only has the N-2 password, it cannot use the trust from the trusting side and cannot create a secure channel on the trusted side.

信任使用的网络端口Network ports used by trusts

因为必须跨各种网络边界部署信任,所以信任可能必须跨越一个或多个防火墙。Because trusts must be deployed across various network boundaries, they might have to span one or more firewalls. 如果是这种情况,可以将信任流量隧道传输过防火墙,或在防火墙中打开特定端口以允许流量通过。When this is the case, you can either tunnel trust traffic across a firewall or open specific ports in the firewall to allow the traffic to pass through.


Active Directory 域服务不支持将 Active Directory RPC 流量限制于特定端口。Active Directory Domain Services does not support restricting Active Directory RPC traffic to specific ports.

请参阅 Microsoft 支持文章如何为 Active Directory 域和信任配置防火墙的“Windows Server 2008 及更高版本”部分,了解林信任所需的端口。Read the Windows Server 2008 and later versions section of the Microsoft Support Article How to configure a firewall for Active Directory domains and trusts to learn about the ports needed for a forest trust.

支持服务和工具Supporting services and tools

为支持信任和身份验证,使用了一些额外的功能和管理工具。To support trusts and authentication, some additional features and management tools are used.

Net LogonNet Logon

Net Logon 服务维护从基于 Windows 的计算机到 DC 的安全通道。The Net Logon service maintains a secured channel from a Windows-based computer to a DC. 以下信任相关过程中使用也会用到该服务:It's also used in the following trust-related processes:

  • 信任设置和管理 - Net Logon 有助于维护信任密码、收集信任信息,以及通过与 LSA 进程和 TDO 交互来验证信任。Trust setup and management - Net Logon helps maintain trust passwords, gathers trust information, and verifies trusts by interacting with the LSA process and the TDO.

    对于林信任,信任信息包括林信任信息 (FTInfo) 记录,其中包含受信任的林声明要管理的命名空间集,使用指示每个声明是否受信任林信任的字段进行批注。For Forest trusts, the trust information includes the Forest Trust Information (FTInfo) record, which includes the set of namespaces that a trusted forest claims to manage, annotated with a field that indicates whether each claim is trusted by the trusting forest.

  • 身份验证 - 通过受保护的通道向域控制器提供用户凭据,并返回用户的域 SID 和用户权限。Authentication - Supplies user credentials over a secured channel to a domain controller and returns the domain SIDs and user rights for the user.

  • 域控制器位置 - 帮助在域中或域间查找或定位域控制器。Domain controller location - Helps with finding or locating domain controllers in a domain or across domains.

  • 直通验证 - 由 Net Logon 处理其他域中用户的凭据。Pass-through validation - Credentials of users in other domains are processed by Net Logon. 当信任域需要验证用户的身份时,它会将用户的凭据通过 Net Logon 传递到受信任的域进行验证。When a trusting domain needs to verify the identity of a user, it passes the user's credentials through Net Logon to the trusted domain for verification.

  • 特权属性证书 (PAC) 验证 - 当使用 Kerberos 协议进行身份验证的服务器需要验证服务票证中的 PAC 时,它会通过安全通道将该 PAC 发送到其域控制器以进行验证。Privilege Attribute Certificate (PAC) verification - When a server using the Kerberos protocol for authentication needs to verify the PAC in a service ticket, it sends the PAC across the secure channel to its domain controller for verification.

本地安全机构Local Security Authority

本地安全机构 (LSA) 是一个受保护的子系统,用于维护有关系统上本地安全的各方面的信息。The Local Security Authority (LSA) is a protected subsystem that maintains information about all aspects of local security on a system. LSA 提供用于在名称和标识符之间进行转换的各种服务,统称本地安全策略。Collectively known as local security policy, the LSA provides various services for translation between names and identifiers.

LSA 安全子系统在内核模式和用户模式下提供服务,用于验证对对象的访问权限、检查用户权限以及生成审核消息。The LSA security subsystem provides services in both kernel mode and user mode for validating access to objects, checking user privileges, and generating audit messages. LSA 负责检查受信任或不受信任的域中的服务提供的所有会话票证的有效性。LSA is responsible for checking the validity of all session tickets presented by services in trusted or untrusted domains.

管理工具Management tools

管理员可以使用 Active Directory 域和信任、Netdom 和 Nltest 来公开、创建、删除或修改信任。 Administrators can use Active Directory Domains and Trusts, Netdom and Nltest to expose, create, remove, or modify trusts.

  • Active Directory 域和信任是一个 Microsoft 管理控制台 (MMC),用于管理域信任、域和林功能级别以及用户主体名称后缀。Active Directory Domains and Trusts is the Microsoft Management Console (MMC) that is used to administer domain trusts, domain and forest functional levels, and user principal name suffixes.
  • Netdom 和 Nltest 命令行工具可用于查找、显示、创建和管理信任。 The Netdom and Nltest command-line tools can be used to find, display, create, and manage trusts. 这些工具直接与域控制器上的 LSA 机构通信。These tools communicate directly with the LSA authority on a domain controller.

后续步骤Next steps

若要了解有关资源林的详细信息,请参阅林信任如何在 Azure AD DS 中发挥作用?To learn more about resource forests, see How do forest trusts work in Azure AD DS?

若要开始使用资源林创建托管域,请参阅创建和配置 Azure AD DS 托管域To get started with creating a managed domain with a resource forest, see Create and configure an Azure AD DS managed domain. 随后可以创建到本地域的出站林信任You can then Create an outbound forest trust to an on-premises domain.