20.1 What is a Trust?

A trust is used to allow users of one domain to access resources from another domain. By default, two-way, transitive trusts are automatically created when a new domain is created. For authentication and name lookups to work across domains, a trust relationship must be created between the domains. The trust relationship includes a shared secret that can be used for both Kerberos and NTLM authentication and information that is used to support name resolution.

DSfW supports the following cross-forest trusts:

  • External Trusts: These trusts are non-transitive trusts between two domains in different forests. They can be one-way or two-way. This type of trust is useful to allow resource sharing only between specific domains in different forests.

  • Forest Trusts: These trusts are transitive trusts between two forests. These trusts include complete trust relationships between all domains in the relevant forests, so resource sharing among all domains in the forests is allowed. The trust relationship can be either one-way or bidirectional.

    Both forests must be operating at the Windows Server 2003 forest functional level. By default, DSfW operates at this level. The use of forest trusts offers several benefits:

    • They simplify resource management between forests by reducing the number of external trusts needed for resource sharing.

    • They provide a wider scope of UPN authentications, which can be used across the trusting forests.

    • They provide increased administrative flexibility by enabling administrators to split collaborative delegation efforts with administrators in other forests.

    • They provide greater trustworthiness of authorization data. Administrators can use both the Kerberos and NTLM authentication protocols when authorization data is transferred between forests.

    NOTE: External Trusts and Forest Trusts are cross-forest trusts.

  • Realm Trusts: These are one-way or two-way, transitive or non-transitive trusts that you can set up between an Active Directory domain and a Kerberos V5 realm, such as the realms found in UNIX and MIT Kerberos implementations.
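The practical difference between the trust types above is how far an account's reach extends: a non-transitive external trust connects only the two named domains, while a transitive forest trust connects every domain in both forests, and no trust type chains through a second forest. The following Python model, added here as an illustration and not part of the DSfW documentation or product, computes that reach for a constructed set of forests and trusts so that an administrator can check which outside domains can authenticate to a given resource domain. The forest names, domain names, realm name and the helper functions are all assumptions made for the example.

```python
"""Added example (not from the DSfW documentation): which domains an account can
authenticate to, given the trust types described in this section.

Modelling assumptions (not stated on the page in these terms):
  * domains in one forest trust each other two-way and transitively;
  * a trust lets accounts from the TRUSTED side reach resources on the
    TRUSTING side; a two-way trust is simply two one-way trusts;
  * a transitive cross-forest trust (forest trust) covers every domain in both
    forests; a non-transitive one (external trust) covers only the two named
    domains; a Kerberos realm is modelled as a forest with a single member;
  * a path never uses more than one cross-forest trust (no chaining of
    forest trusts through a third forest).
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Trust:
    trusting: str     # domain that grants access to its resources
    trusted: str      # domain (or realm) whose accounts are accepted
    transitive: bool  # True for forest trusts, False for external trusts


def two_way(a: str, b: str, transitive: bool) -> list[Trust]:
    """A two-way trust is a pair of one-way trusts in opposite directions."""
    return [Trust(a, b, transitive), Trust(b, a, transitive)]


def forest_of(domain: str, forests: dict[str, set[str]]) -> set[str]:
    """Return the set of domains that share a forest with `domain`."""
    for members in forests.values():
        if domain in members:
            return members
    raise KeyError(f"unknown domain or realm: {domain}")


def reachable_domains(account_domain: str, forests: dict[str, set[str]],
                      trusts: list[Trust]) -> set[str]:
    """Domains whose resources an account from `account_domain` can reach."""
    reach = set(forest_of(account_domain, forests))  # intra-forest trusts
    for t in trusts:
        if t.transitive:
            # Forest trust: all domains of the trusted forest reach all
            # domains of the trusting forest.
            source = forest_of(t.trusted, forests)
            target = forest_of(t.trusting, forests)
        else:
            # External (non-transitive) trust: only the two named domains.
            source, target = {t.trusted}, {t.trusting}
        if account_domain in source:
            reach |= target
    return reach


def domains_with_access(resource_domain: str, forests: dict[str, set[str]],
                        trusts: list[Trust]) -> set[str]:
    """Defender's view: every domain or realm whose accounts can reach
    `resource_domain` through some trust."""
    all_domains = set().union(*forests.values())
    return {d for d in all_domains
            if resource_domain in reachable_domains(d, forests, trusts)}


# Constructed sample topology (hypothetical names).
FORESTS = {
    "example": {"example.com", "eu.example.com"},
    "partner": {"partner.net", "lab.partner.net"},
    "legacy": {"legacy.local"},
    "KRB.MIT": {"KRB.MIT"},  # a Kerberos V5 realm, one-member "forest"
}
TRUSTS = (
    # two-way forest trust between the two forest roots
    two_way("example.com", "partner.net", transitive=True)
    # one-way external trust: legacy.local accepts accounts from eu.example.com
    + [Trust(trusting="legacy.local", trusted="eu.example.com", transitive=False)]
    # one-way non-transitive realm trust: example.com accepts KRB.MIT principals
    + [Trust(trusting="example.com", trusted="KRB.MIT", transitive=False)]
)

if __name__ == "__main__":
    for d in sorted(set().union(*FORESTS.values())):
        print(f"{d:18} can reach: {sorted(reachable_domains(d, FORESTS, TRUSTS))}")
    print("accounts able to reach legacy.local:",
          sorted(domains_with_access("legacy.local", FORESTS, TRUSTS)))
```

Two results from the sample are worth noting when reviewing real trusts: the external trust from legacy.local admits eu.example.com accounts but not accounts from example.com, even though both are in the same forest, because the trust is non-transitive; and lab.partner.net accounts reach both example.com domains through the forest trust but cannot continue on to legacy.local, because a forest trust does not chain into a further trust.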

Refer to Understanding Trusts and New Trust Wizard Pages for more information on trusts.