What types of trust relationships does Windows Server 2003 support?
December 28, 2003
A. Windows 2003 supports six types of trusts (although the OS doesn't support all types for all forest modes):
Tree-root trust--Windows 2003 automatically creates a transitive, two-way trust when you add a new tree-root domain to an existing forest. Tree-root trusts let every domain in different trees in the same forest implicitly trust one another.
Parent-child trust--Windows 2003 automatically creates a transitive, two-way trust when you add a child domain to an existing domain. This trust lets every domain in a particular tree implicitly trust one another.
Shortcut trust--When domains that authenticate users are logically distant from one another, the process of logging on to the network can take a long time. You can manually add a shortcut trust between two domains in the same forest to speed authentication. Shortcut trusts are transitive and can either be one way or two way.
External trust--Administrators can manually create an external trust between domains in different forests or from a Windows 2003 domain to a Windows NT 4.0 or earlier domain controller (DC). External trusts are nontransitive and can be one way or two way.
Forest trust--When two forests have a functional level of Windows 2003, you can use a forest trust to join the forests at the root. An administrator can manually create a two-way forest trust that lets all domains in both forests transitively trust each other. Forest trusts can also be one way, in which case the domains in only one of the forests would trust the domains in the other forest. Forest trusts aren't transitive across multiple forests. Therefore, if forest A has a forest trust to forest B and forest B has a forest trust to forest C, forest A does not implicitly trust forest C.
Realm trust--An administrator can manually create a realm trust between a Windows 2003 domain and a non-Windows Kerberos 5 realm. Realm trusts can be transitive or nontransitive and one way or two way.
This figure shows two forests connected by a forest trust. In the first forest, a tree-root trust connects two separate trees and a parent-child trust connects each domain in each tree. Additionally, the figure shows a shortcut trust connecting two logically distant domains and an external trust connecting a Windows 2003 domain to an NT 4.0 domain.
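The transitivity rules above can be checked mechanically when reviewing how far a trust actually reaches. The following is an added example, not part of the original FAQ: the domain names and topology are constructed, external trusts are treated as nontransitive as the text states, and realm trusts are not modelled.

```python
from collections import deque

# Constructed sample topology (all names are hypothetical). Each tuple reads
# "trusting domain trusts trusted domain"; a two-way trust is two tuples.
def two_way(a, b, kind):
    return [(a, b, kind), (b, a, kind)]

TRUSTS = (
    two_way("sales.a.example", "a.example", "parent-child")
    + two_way("a.example", "b.example", "forest")
    + two_way("hr.b.example", "b.example", "parent-child")
    + two_way("b.example", "c.example", "forest")
    + [("a.example", "nt4dom", "external")]  # one way: a.example trusts nt4dom
)

# Trust types that chain transitively inside a single forest.
INTRA_FOREST = {"tree-root", "parent-child", "shortcut"}

def trusts(trusting, trusted, edges=TRUSTS):
    """Return True if `trusting` trusts `trusted` under the rules in the text."""
    # A direct trust of any type always applies to the two domains it names.
    if any(s == trusting and d == trusted for s, d, _ in edges):
        return True
    # Otherwise walk transitive trusts, allowing at most one forest trust
    # on the path (forest A -> B -> C must not imply A trusts C).
    seen = {(trusting, 0)}
    queue = deque(seen)
    while queue:
        dom, crossed = queue.popleft()
        if dom == trusted:
            return True
        for s, d, kind in edges:
            if s != dom:
                continue
            if kind in INTRA_FOREST:
                nxt = (d, crossed)
            elif kind == "forest" and crossed == 0:
                nxt = (d, 1)
            else:
                continue  # external hop mid-path, or a second forest trust
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False
```

Running the same check over an inventory of real trusts shows which domains gain implicit access when a new forest or external trust is proposed.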