Home > Articles

  • Print
  • + Share This
This chapter is from the book

Domain Trusts

The trust structure that was developed in Windows 2000 and is subsequently used in Windows .NET Server 2003 has been streamlined in comparison to the Windows NT trust structure. Windows NT trusts utilized individual explicitly defined trusts for each organizational domain. This created an exponential trust relationship, which was difficult, to say the least, to manage. Windows 2000 took the trust relationship to a new level of functionality, with transitive trusts supplying automatic paths "up and down the tree." These trusts are implicitly easier to understand and troubleshoot, and have greatly improved the manageability of Windows networks. In addition, Windows .NET Server 2003 provides for additional functionality, such as cross-forest transitive trusts, which expands the capabilities of the NOS even further.

Transitive Trusts

Two-way transitive trusts are automatically established upon the creation of a subdomain or with the addition of a domain tree into an Active Directory forest. Transitive trusts are normally two way, with each domain trusting the other domain. In other words, users in each domain can access resources such as printers or servers in the other domain if they are explicitly given rights in those domains. Bear in mind that just because two domains have a trust relationship does not mean that users from one domain can automatically access all the resources in the other domain; it is simply the first step in accessing those resources. The proper permissions still need to be applied.

Explicit Trusts

Explicit trusts are those that are set up manually, similar to the way that Windows NT trusts were constructed. A trust may be set up to join two unrelated domain trees into the same forest, for example. Explicit trusts are one way, but two explicit trusts can be established to create a two-way trust. In Figure 4.6, an explicit trust has been established between the companyabc domain and the companyxyz domain to join them into the same forest structure.

Figure 4.6Figure 4.6 Sample explicit trust between two domain trees.

When an explicit trust is set up to expedite the flow of trusts from one subdomain to another, it is known as a shortcut trust. Shortcut trusts simply allow authentication verifications to be processed faster, as opposed to having to move up and down a domain tree. In Figure 4.7, while a transitive trust exists between the asia.companyabc.com and the europe.companyabc.com domains, a shortcut trust has been created to minimize authentication time for access between the two subdomains of this organization.

Figure 4.7Figure 4.7 Sample shortcut trust between two subdomains in a forest.

Another possible use for explicit trusts is to allow connectivity between an Active Directory forest and an external domain. These types of explicitly defined trusts are known as external trusts, and they allow different forests to share information without actually merging schema information or global catalogs.


The capability to establish cross-forest trusts in Windows 2000 was limited to explicit trusts that were defined between each domain that needed access to a forest. Windows .NET Server 2003 adds the capability to establish cross-forest transitive trusts, where the trust relationships flow through separate forests. This concept is explained in more detail in Chapter 5, "Designing a Windows .NET Server 2003 Active Directory."

  • + Share This
  • 🔖 Save To Your Account