Shortcut trusts are transitive one-way or two-way trusts that can he used to optimize the authentication process between domains that are logically distant from each other. In Windows Server 2003, authentication requests must travel an established trust path between domain trees. A trust path is a series of trust relationships that must be traversed in order to pass authentication requests between any two domains. In a complex forest, following the trust path can take time and affect query response performance; each time clients are referred to another domain controller, the chances of a failure or of encountering a slow link are increased. Windows Server 2003 provides a means for improving query response performance through shortcut trusts. Shortcut trusts help to shorten the path traveled for authentication requests made between domains located in two separate trees.
Shortcut trusts can be created only between Windows Server 2003 domains in the same forest. Figure 4-16 illustrates a shortcut trust created to shorten the trust path and improve query response performance between Domain M and Domain P. If the shortcut trust were not created, the client in Domain M would have to "walk" the trust path through domains L, K, J, N, and O before being able to communicate with the domain controller in Domain P to verify the authentication request.
One-Way Shortcut Trusts A one-way shortcut trust established between two domains located in separate domain trees can reduce the time needed to fulfill authentication requests, but from only one direction. If a one-way shortcut trust is established between Domain M and Domain P, authentication requests made in Domain M to
Domain P can take full advantage of the new one-way trust path. However, when authentication requests from Domain P to Domain M are made, they cannot utilize the shortcut trust path that was created between Domain M and Domain P, and default to walking up the trust path hierarchy in order to find Domain M.
Two-Way Shortcut Trusts A two-way shortcut trust directly established between two domains located in separate domain trees can help optimize authentication requests made from users located in either domain. Therefore, authentication requests made from either Domain M to Domain P or from Domain P to Domain M can utilize the shortened shortcut trust path.
Accessing Resources Across Domains Joined by Shortcut Trust Using Active Directory Domains and Trusts, you can determine the scope of authentication between two domains that are joined by a shortcut trust. You can set selective authentication differently for outgoing and incoming shortcut trusts, which allows you to make flexible access control decisions between domains. You set selective authentication on the Outgoing Trust Authentication Level page when you set up a shortcut trust using the New Trust Wizard.
If you use domain-wide authentication on the incoming shortcut trust, users in the second domain have the same level of access to resources in the local domain as users who belong to the local domain. For example, if Domain A has an incoming shortcut trust from Domain B and domain-wide authentication is used, any user from Domain B can access any resource in Domain A (assuming the user has the required permissions).
If you set selective authentication on an incoming shortcut trust, you need to manually assign permissions on each resource to which you want users in the second domain to have access. To do this, set an access control right Allowed To Authenticate on an object for that particular user or group from the second domain.