Active Directory Trusts

A trust relationship is a logical relationship established between two domains that allows users in one domain to authenticate in the other. There are two domains in a trust relationship – the trusting domain and the trusted domain.



In the diagram the trusting domain (es-net.co.uk) honours the logon authentication of the trusted domain (other.com). Therefore users in the other.com domain can access resources in the es-net.co.uk domain. A trust has a direction (one-way or two-way) and is either transitive or non-transitive. In a two-way trust both domains honour each other's logon authentication. Trusts can be created either manually or automatically, depending on the type of trust and on the systems at each end of the relationship.

All domains within an Active Directory forest trust each other by default; trusts between domains in different forests have to be set up manually. All trusts within a Windows 2000/2003/2008 Active Directory forest are transitive by default. In Windows 2000, trusts between separate forests cannot be transitive. In the diagram, the “Es-net” network has a two-way trust with the “OtherCompany” network. This trust enables users in both domains to authenticate with each other even though the two domains are in separate forests.

Legacy Windows NT 4.0 domains cannot use transitive trusts, so a trust has to be set up manually between every pair of domains in the organization. In large Windows NT 4.0 networks these trusts become extremely difficult to manage. Because Windows 2000 trusts are transitive, they are much easier to manage: in the diagram only three trusts are needed, because each of them is transitive.

Because Domain A trusts Domain C, and Domain D trusts Domain B, which in turn trusts Domain A, Domain D also trusts Domain C. The downside to Windows 2000 trusts is that trusts between domains in separate forests are not transitive, so in the configuration above every domain would need to be configured individually. Windows Server 2003/2008 supports cross-forest transitive trusts: creating a single forest trust allows every domain in one forest to trust every domain in the other. The trust is transitive only between those two forests, however. This limit exists because, if forest trusts were fully transitive, a trust between Company A's network and Company B's network combined with a trust between Company B's network and Company C's network (a company that has no business with Company A) would let users in Company C's network access resources in Company A's.
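The transitivity rules in the paragraph above can be checked mechanically. The following is an added example (not part of the original lesson) that models trusts as directed edges from the trusting domain to the trusted domain and searches for a chain through which one domain ends up honouring another's logons. The domain names and the trust layout are constructed for illustration and mirror the lesson's scenario: four domains in one forest, a forest trust to a second forest, a further forest trust from that forest to a third, and a one-way external trust to a legacy domain.

```python
from collections import deque
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Trust:
    trusting: str   # domain that honours the other side's logon authentication
    trusted: str    # domain whose users gain access to the trusting domain
    kind: str       # "parent-child", "tree-root", "shortcut", "forest" or "external"
    two_way: bool = True


# Trusts created inside one forest are transitive and may be chained freely.
INTRA_FOREST = {"parent-child", "tree-root", "shortcut"}


def trust_path(trusts: List[Trust], resource_domain: str,
               user_domain: str) -> Optional[List[str]]:
    """Return the chain of domains through which resource_domain ends up
    trusting user_domain, or None if no such chain exists.

    The search walks from the trusting side toward the trusted side and
    applies the rules described in the lesson:
      * intra-forest trusts chain without limit,
      * a forest trust may appear at most once in a chain (transitive
        between two forests, never across a third),
      * an external trust is never chained: it must be the whole path.
    """
    start = (resource_domain, False, False)  # (domain, forest_hop_used, external_hop_used)
    queue = deque([(start, [resource_domain])])
    seen = {start}
    while queue:
        (domain, forest_used, external_used), path = queue.popleft()
        if domain == user_domain:
            return path
        if external_used:
            continue  # an external trust cannot be extended any further
        for t in trusts:
            if t.trusting == domain:
                nxt = t.trusted
            elif t.two_way and t.trusted == domain:
                nxt = t.trusting
            else:
                continue
            if t.kind == "external":
                if len(path) > 1:
                    continue  # non-transitive: nothing may precede it either
                state = (nxt, forest_used, True)
            elif t.kind == "forest":
                if forest_used:
                    continue  # a second forest hop would reach a third forest
                state = (nxt, True, False)
            elif t.kind in INTRA_FOREST:
                state = (nxt, forest_used, False)
            else:
                raise ValueError(f"unknown trust kind {t.kind!r}")
            if state not in seen:
                seen.add(state)
                queue.append((state, path + [nxt]))
    return None


# Constructed scenario (hypothetical names, not from the lesson's diagram):
# a, b, c and d share one forest; a's forest has a forest trust with corp-b's
# forest, which in turn has a forest trust with corp-c's forest; a also
# trusts a legacy NT 4.0-style domain through a one-way external trust.
TRUSTS = [
    Trust("a.example", "c.example", "tree-root"),
    Trust("b.example", "a.example", "parent-child"),
    Trust("d.example", "b.example", "parent-child"),
    Trust("a.example", "corp-b.example", "forest"),
    Trust("corp-b.example", "corp-c.example", "forest"),
    Trust("a.example", "nt4.example", "external", two_way=False),
]

if __name__ == "__main__":
    for resource, user in [("d.example", "c.example"),
                           ("d.example", "corp-b.example"),
                           ("a.example", "corp-c.example"),
                           ("b.example", "nt4.example")]:
        print(f"{resource} trusts {user}: {trust_path(TRUSTS, resource, user)}")
```

Running the script shows that d.example trusts c.example through b and a (the lesson's D → B → A → C chain), that a forest trust composes with intra-forest trusts on both sides, that corp-c.example never reaches a.example because that would need a second forest hop, and that the external trust grants access to a.example only, not to its forest neighbours.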

There are several different types of trusts in Windows Server 2003/2008. These are listed below:

Shortcut trust: A shortcut trust is used to improve user logon times between two domains which are logically distant from each other in the Active Directory hierarchy. This trust is created manually and is transitive. It can be either one-way or two-way.

External trust: An external trust is a trust created manually between domains in two separate forests, or between a Windows Server 2008 domain and a domain running Windows NT 4.0 or earlier. External trusts are not transitive and can be either one-way or two-way.

Realm trust: A realm trust is a trust created manually between a Windows Server 2008 domain and a domain running a non-Microsoft implementation of Kerberos, e.g. a UNIX Kerberos realm. This trust can be either transitive or non-transitive, and either one-way or two-way.

Tree-root trust: A tree-root trust is created automatically between a new tree and its root domain. This trust is transitive and two-way by default.

Parent-child trust: A parent-child trust is created automatically between a child and its parent domain. This trust is transitive and two-way by default.

Forest trust: A forest trust is created manually between two Windows Server 2008 forests. The trust allows all domains in one forest to trust all domains in another forest; however, a forest trust is not transitive across three or more forests. This trust can be either one-way or two-way. Both forests must also be configured at the Windows Server 2003 functional level.

As well as creating trusts manually, you can also configure the scope of authentication between two domains. You can either allow domain-wide authentication, where every computer in the trusting domain accepts logons from the trusted domain, or you can use selective authentication, where only selected computers do. If you apply selective authentication to a trust, then you will need to manually configure which users in the trusted domain can authenticate with specific computers in the trusting domain. Each user or group is added to the relevant computers' Access Control Lists and granted the “Allowed to Authenticate” permission there.
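The two authentication scopes behave differently once a user from the trusted domain tries to reach a particular computer. The following is an added example (not part of the original lesson) that models a trust's scope, the computer objects in the trusting domain and the permissions on their ACLs, and decides whether a logon is honoured. The domain and host names are constructed, the `OTHER\` principal names are hypothetical, and a real deployment stores these entries on the computer objects in Active Directory rather than in Python dictionaries.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set

# The permission granted on a computer object in the trusting domain when the
# trust uses selective authentication.
ALLOWED_TO_AUTHENTICATE = "Allowed to Authenticate"


@dataclass(frozen=True)
class TrustScope:
    trusting: str      # domain whose computers accept the logons, e.g. es-net.co.uk
    trusted: str       # domain the users come from, e.g. other.com
    selective: bool    # False = domain-wide, True = selective authentication


@dataclass
class Computer:
    name: str
    domain: str
    # principal -> permissions granted to it on this computer object (constructed ACL)
    acl: Dict[str, Set[str]] = field(default_factory=dict)


@dataclass(frozen=True)
class User:
    name: str
    domain: str
    groups: FrozenSet[str] = frozenset()


def can_authenticate(trust: TrustScope, user: User, computer: Computer) -> bool:
    """Decide whether the trust lets this user authenticate to this computer."""
    # The trust only covers users of the trusted domain and computers of the
    # trusting domain; anything else is outside this relationship entirely.
    if user.domain != trust.trusted or computer.domain != trust.trusting:
        return False
    if not trust.selective:
        return True  # domain-wide: every computer in the trusting domain honours the logon
    # Selective: the user, or a group the user belongs to, must hold
    # "Allowed to Authenticate" on this specific computer object.
    principals = {user.name} | set(user.groups)
    return any(ALLOWED_TO_AUTHENTICATE in computer.acl.get(p, set())
               for p in principals)


def reachable_computers(trust: TrustScope, user: User,
                        computers: List[Computer]) -> List[str]:
    """Names of the computers this user may authenticate to, sorted."""
    return sorted(c.name for c in computers if can_authenticate(trust, user, c))


def domain_wide_trusts(trusts: List[TrustScope]) -> List[str]:
    """Trusts still using domain-wide scope, for an administrator to review."""
    return [f"{t.trusting} <- {t.trusted}" for t in trusts if not t.selective]


# Constructed data for the lesson's example domains.
SELECTIVE_TRUST = TrustScope("es-net.co.uk", "other.com", selective=True)
DOMAIN_WIDE_TRUST = TrustScope("es-net.co.uk", "other.com", selective=False)

COMPUTERS = [
    Computer("fs01.es-net.co.uk", "es-net.co.uk",
             {"OTHER\\Finance": {ALLOWED_TO_AUTHENTICATE}}),
    Computer("app01.es-net.co.uk", "es-net.co.uk",
             {"OTHER\\alice": {ALLOWED_TO_AUTHENTICATE}}),
    # A permission other than "Allowed to Authenticate" does not admit a logon.
    Computer("print01.es-net.co.uk", "es-net.co.uk", {"OTHER\\alice": {"Read"}}),
    Computer("dc01.es-net.co.uk", "es-net.co.uk"),
]

ALICE = User("OTHER\\alice", "other.com", frozenset({"OTHER\\Finance"}))
BOB = User("OTHER\\bob", "other.com")

if __name__ == "__main__":
    print("selective, alice:", reachable_computers(SELECTIVE_TRUST, ALICE, COMPUTERS))
    print("selective, bob:  ", reachable_computers(SELECTIVE_TRUST, BOB, COMPUTERS))
    print("domain-wide, bob:", reachable_computers(DOMAIN_WIDE_TRUST, BOB, COMPUTERS))
    print("review:", domain_wide_trusts([SELECTIVE_TRUST, DOMAIN_WIDE_TRUST]))
```

Under the selective trust, alice reaches fs01 through her group membership and app01 through a direct entry, while bob, who holds no "Allowed to Authenticate" grant anywhere, reaches nothing; under the domain-wide trust every computer in es-net.co.uk, including the domain controller, honours bob's logon. Note that "Allowed to Authenticate" only governs whether the logon is accepted: access to a share or file on that computer is still decided by the resource's own permissions.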