Within Active Directory, you use trust relationships[1] to allow users from one domain to access resources in another domain. You can set up trust relationships between domains, between forests, and even with non-Windows Kerberos realms. In Windows NT 4.0, all trust relationships were one-way and nontransitive.
A one-way trust relationship means that if you have two domains that need to trust each other, you need to set up one trust relationship going from Domain A to Domain B (Domain A trusts Domain B, so users in B can access resources in A), and then a second trust relationship going from Domain B back to Domain A.
A nontransitive trust relationship means that if you set up a trust going from Domain A to Domain B, and then another trust going from Domain B to Domain C, you do not automatically have a trust relationship between Domain A and Domain C; you need to set up a separate trust relationship directly between Domain A and Domain C. In addition, each of these individual trust relationships has to be managed separately, so you can see how this gets complicated quickly if you have a lot of domains.
If you are working in a complete trust model, where all of your domains need to trust each other, you need to create n * (n - 1) separate one-way trust relationships, where n is the number of domains you are working with (each of the n domains needs its own one-way trust to each of the other n - 1 domains).
For example, if you have ten NT 4.0 domains that all need to be able to trust each other, you need to set up 10 * 9, or 90, separate trust relationships.
Active Directory in Windows 2000 and Windows Server 2003 makes this process easier by creating two-way transitive trust relationships by default between domains that are located in the same forest. If you have three domains within the same forest, a two-way transitive trust relationship will be created automatically so that users in any domain will be able to access resources in any other domain (as long as they have the appropriate NTFS and share permissions).
This two-way transitive trust relationship is created automatically between a parent domain and a child domain, and between the root domains of two domain trees in the same forest; you will usually see these default trust relationships referred to as parent-child and tree-root trusts. You can also create a number of manual trust relationships within Active Directory:
- External trusts are created between an Active Directory domain and an NT 4.0 domain, or between Active Directory domains in two separate forests. External trusts are nontransitive, and you can configure them to be either one-way or two-way. Because they are nontransitive, an external trust extends only to the two domains named in it, not to the other domains in either forest.
- Realm trusts are used to set up a trust relationship between Active Directory and a non-Windows Kerberos realm, typically a UNIX MIT Kerberos realm. Realm trusts can be transitive or nontransitive, and can be one-way or two-way.
- Forest trusts allow you to create one-way or two-way transitive trust relationships between Active Directory forests, so that every domain in one forest trusts every domain in the other. This type of trust relationship requires both forests to be at the Windows Server 2003 forest functional level.
In Windows 2000, forest trusts are not available, so trust relationships between forests are limited to nontransitive external trusts, which you must set up separately for each pair of domains that need to trust each other.
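To make the direction and transitivity rules above concrete, here is an added Python example (not from the original text) that models a small trust topology and answers the question "can users from domain X authenticate to resources in domain Y?" It also computes the NT 4.0 complete-trust count. The domain names and the topology are constructed for illustration; the model assumes that a nontransitive trust is honoured only as a direct, single-hop link and that transitive trusts can be chained, which is how the page describes parent-child, tree-root and external trusts.

```python
from collections import deque

# Each trust is a tuple (trusting_domain, trusted_domain, transitive).
# "trusting_domain trusts trusted_domain": users from trusted_domain can be
# authenticated to resources in trusting_domain. A two-way trust is simply
# recorded as two one-way entries, one in each direction.


def one_way(trusting, trusted, transitive):
    return [(trusting, trusted, transitive)]


def two_way(a, b, transitive):
    return [(a, b, transitive), (b, a, transitive)]


# Constructed sample topology (hypothetical domain names):
#   corp.example forest with two child domains, joined by the default
#   two-way transitive parent-child trusts; one one-way external trust to an
#   NT 4.0 domain; one two-way external (nontransitive) trust to another forest.
SAMPLE_TRUSTS = (
    two_way("corp.example", "sales.corp.example", True)
    + two_way("corp.example", "eng.corp.example", True)
    + one_way("sales.corp.example", "LEGACYNT", False)
    + two_way("eng.corp.example", "partner.example", False)
)


def build_graph(trusts):
    """Adjacency list: trusting domain -> [(trusted domain, transitive), ...]."""
    graph = {}
    for trusting, trusted, transitive in trusts:
        graph.setdefault(trusting, []).append((trusted, transitive))
        graph.setdefault(trusted, [])
    return graph


def trusted_domains(trusts, resource_domain):
    """Set of domains whose users can authenticate to resource_domain.

    Direct trusts count whether or not they are transitive. Beyond one hop,
    only transitive trusts are followed: a nontransitive trust never extends
    to the domains its trusted partner happens to trust.
    """
    graph = build_graph(trusts)
    direct = graph.get(resource_domain, [])
    reachable = {trusted for trusted, _ in direct}
    queue = deque(trusted for trusted, transitive in direct if transitive)
    seen = set(queue)
    while queue:
        domain = queue.popleft()
        for nxt, transitive in graph.get(domain, []):
            if not transitive:
                continue  # nontransitive link: stops here
            if nxt == resource_domain or nxt in seen:
                continue
            seen.add(nxt)
            reachable.add(nxt)
            queue.append(nxt)
    reachable.discard(resource_domain)
    return reachable


def can_access(trusts, user_domain, resource_domain):
    """True if a user from user_domain can authenticate to resource_domain."""
    return user_domain == resource_domain or user_domain in trusted_domains(
        trusts, resource_domain
    )


def nt4_complete_trust_count(n):
    """One-way nontransitive trusts needed for n NT 4.0 domains to all trust each other."""
    return n * (n - 1)


if __name__ == "__main__":
    for resource in sorted(build_graph(SAMPLE_TRUSTS)):
        print(f"{resource} trusts: {sorted(trusted_domains(SAMPLE_TRUSTS, resource))}")
    print("NT 4.0 trusts for 10 domains:", nt4_complete_trust_count(10))
```

Running this shows the two behaviours the text describes: users from eng.corp.example reach sales.corp.example through the chained transitive parent-child trusts, whereas users from partner.example reach only eng.corp.example, because the external trust is nontransitive and does not carry into the rest of the forest. The model deliberately treats every transitive trust as chainable; a real forest trust is transitive only between the two forests it joins and does not chain onward to a third forest, so extend the model with a forest boundary check before using it to audit real cross-forest paths.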