Trusts: Concepts

Trusts provide a mechanism for users in one domain to access resources in other domains. Active Directory supports several kinds of trusts, as described in the following sections.

Transitive Trust

Two-way transitive trusts are automatically created when new child domains are added to an existing tree or when a new root domain is added to an existing forest to form a new tree. Transitive means that downstream trusted domains can be trusted over the trust; for example, if A trusts B and B trusts C, then A trusts C if all trusts are transitive. Transitive trusts require no maintenance or configuration and allow users to be authenticated by domain controllers in any domain in the forest. Transitive trusts operate using the Kerberos v5 authentication protocol.

External Trust

Also called a one-way trust, this type of trust is unidirectional and nontransitive (similar to NT) and must be explicitly created using the Active Directory Domains and Trusts console. In an external trust, the trusting domain trusts the trusted domain, and users in the trusted domain can access resources in the trusting domain, provided they have suitable permissions assigned for the resources they are trying to access. You can explicitly establish an external trust between a WS2003 domain and another WS2003 domain, a W2K domain, or an NT domain. You can also create a nontransitive two-way trust by creating two one-way trusts in opposite directions between two domains.

External trusts are typically used:

  • To establish an explicit trust between a WS2003 or W2K domain and a legacy NT domain

  • To establish an explicit trust between two WS2003 or W2K domains in different forests

Cross-Link Trust

Also called shortcut trusts, these are simply external trusts created to shorten the trust path between two domains in a forest when the users in one or both of these domains frequently need to access the resources in the other domain. By creating a shortcut trust between two domains in a forest, the Kerberos authentication process by which users are granted access to resources in different domains is considerably shortened in terms of the number of domains it must traverse, reducing authentication traffic and speeding up the interdomain authentication process for users.

Forest Trust

New to WS2003 is the forest trust (also called cross-forest trust), which is available only for forests that are configured at the WS2003 forest functional level. Forest trusts allow users in one forest to access resources in another forest using either Kerberos or NTLM authentication. Forest trusts are transitive trusts that can be created manually between the forest root domains of two forests. They add flexibility to planning an Active Directory implementation by providing enterprises with more options for upgrading their NT or W2K domains to WS2003.

Forest trusts are external trusts created between the forest root domains of two forests. Note that forest trusts work only between the two forests they join; for example, if a forest trust between forests A and B is created and then one is created between forests B and C, there is no implicit forest trust between forests A and C. In other words, the transitivity of forest trusts is valid only within the two forests connected by the trust.
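The rules laid out in the sections above (transitive parent-child trusts, nontransitive one-way external trusts, shortcut trusts that cut the trust path, and forest trusts that do not chain across a third forest) can be exercised with a small trust-path resolver. The Python below is an added example written for this page, not code from the book or from Microsoft; the domain names are constructed, and the resolver is a simplified model of how a Kerberos referral chain may traverse trusts: a shortcut trust is treated as a transitive intra-forest hop, an external trust is usable only as a single, unextended hop, and a path may cross at most one forest trust.

```python
from collections import deque

# Trust kinds as described in the text. Only the transitivity rules matter
# for the path model; this is a constructed illustration, not AD's real code.
PARENT_CHILD = "parent_child"   # automatic, two-way, transitive
SHORTCUT = "shortcut"           # manual, intra-forest, shortens the path
EXTERNAL = "external"           # manual, one-way, nontransitive
FOREST = "forest"               # manual, root-to-root, transitive within 2 forests


class TrustGraph:
    """Directed graph: an edge trusted -> trusting means that accounts in
    the trusted domain can be authenticated to resources in the trusting one."""

    def __init__(self):
        self.edges = {}  # trusted domain -> list of (trusting domain, kind)

    def add_trust(self, trusting, trusted, kind, two_way=False):
        self.edges.setdefault(trusted, []).append((trusting, kind))
        if two_way:
            self.edges.setdefault(trusting, []).append((trusted, kind))

    def trust_path(self, account_domain, resource_domain):
        """Shortest list of domains a referral chain could follow from the
        account domain to the resource domain, or None if no trust path exists.
        BFS state is (domain, number of forest trusts already crossed)."""
        if account_domain == resource_domain:
            return [account_domain]
        start = (account_domain, 0)
        parent = {start: None}
        queue = deque([start])
        while queue:
            domain, forests = queue.popleft()
            for nxt, kind in self.edges.get(domain, []):
                if kind == EXTERNAL:
                    # Nontransitive: valid only as the whole path, one hop.
                    if domain == account_domain and nxt == resource_domain:
                        return [account_domain, resource_domain]
                    continue
                crossed = forests + (1 if kind == FOREST else 0)
                if crossed > 1:
                    # Forest trusts do not chain A -> B -> C.
                    continue
                state = (nxt, crossed)
                if state in parent:
                    continue
                parent[state] = (domain, forests)
                if nxt == resource_domain:
                    return self._unwind(parent, state)
                queue.append(state)
        return None

    @staticmethod
    def _unwind(parent, state):
        path = []
        while state is not None:
            path.append(state[0])
            state = parent[state]
        return path[::-1]


def build_sample():
    """Constructed topology: forest A (corp.example) with two child domains and
    two grandchildren, a legacy NT domain trusted one-way by the forest root,
    and forest trusts A<->B (partner.example) and B<->C (third.example)."""
    g = TrustGraph()
    tree = [("eu.corp.example", "corp.example"),
            ("us.corp.example", "corp.example"),
            ("dev.eu.corp.example", "eu.corp.example"),
            ("lab.us.corp.example", "us.corp.example")]
    for child, parent_dom in tree:
        g.add_trust(parent_dom, child, PARENT_CHILD, two_way=True)
    g.add_trust("corp.example", "LEGACY", EXTERNAL)          # corp trusts LEGACY
    g.add_trust("partner.example", "corp.example", FOREST, two_way=True)
    g.add_trust("third.example", "partner.example", FOREST, two_way=True)
    g.add_trust("partner.example", "hr.partner.example", PARENT_CHILD, two_way=True)
    return g


def hops(graph, src, dst):
    """Number of trusts traversed on the shortest path, or None."""
    path = graph.trust_path(src, dst)
    return None if path is None else len(path) - 1


if __name__ == "__main__":
    g = build_sample()
    print("dev.eu -> lab.us via tree:", g.trust_path("dev.eu.corp.example", "lab.us.corp.example"))
    g.add_trust("lab.us.corp.example", "dev.eu.corp.example", SHORTCUT, two_way=True)
    print("dev.eu -> lab.us via shortcut:", g.trust_path("dev.eu.corp.example", "lab.us.corp.example"))
    print("LEGACY -> corp:", g.trust_path("LEGACY", "corp.example"))
    print("LEGACY -> eu.corp (nontransitive):", g.trust_path("LEGACY", "eu.corp.example"))
    print("corp -> hr.partner (forest trust):", g.trust_path("corp.example", "hr.partner.example"))
    print("corp -> third (no chaining):", g.trust_path("corp.example", "third.example"))
```

Running the script shows the four-hop walk up to the forest root and down again, the one-hop path once the shortcut trust is added, the external trust reaching only the trusting domain and nothing beyond it, and the forest trust reaching child domains of the partner forest but not a third forest.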



Windows Server 2003 in a Nutshell
ISBN: 0596004044
Year: 2003
Pages: 415
Authors: Mitch Tulloch