Creating trusts between domains in different forests

Whenever there is a need for accessing resources in a different forest, administrators have to configure trust relationships manually. Windows 2000 offers the capability to configure one-way, nontransitive trusts, between domains in different forests. You have to explicitly configure every trust relationship between each domain in the different forests. If you need a two-way trust relationship, you have to manually configure each half of the trust separately.

Windows Server 2003 makes it easier to configure interforest trust relationships. This article from

Requires Free Membership to View

informit studies these trust relationships. In a nutshell, for forests that are operating at the Windows Server 2003 forest functional level, you can configure trusts that enable two-way transitive trust relationships between all domains in the relevant forests. If the forest is operating at any other functional level, you still need to configure explicit trusts as in Windows 2000.

Windows Server 2003 introduces the following types of interforest trusts:

  • External trusts: These one-way trusts are individual trust relationships set up between two domains in different forests, as can be done in Windows 2000. The forests involved may be operating at any forest functional level. You can use this type of trust if you need to enable resource sharing only between specific domains in different forests. You can also use this type of trust relationship between an Active Directory domain and a Windows NT 4.0 domain.
  • Forest trusts: As already mentioned, these trusts include complete trust relationships between all domains in the relevant forests, thereby enabling resource sharing among all domains in the forests. The trust relationship can be either one-way or two-way. Both forests must be operating at the Windows Server 2003 forest functional level. The use of forest trusts offers several benefits:
    • They simplify resource management between forests by reducing the number of external trusts needed for resource sharing.
    • They provide a wider scope of UPN authentications, which can be used across the trusting forests.
    • They provide increased administrative flexibility by enabling administrators to split collaborative delegation efforts with administrators in other forests.
    • Directory replication is isolated within each forest. Forest-wide configuration modifications such as adding new domains or modifying the schema affect only the forest to which they apply, and not trusting forests.
    • They provide greater trustworthiness of authorization data. Administrators can use both the Kerberos and NTLM authentication protocols when authorization data is transferred between forests.
  • Realm trusts: These are one-way nontransitive trusts that you can set up between an Active Directory domain and a Kerberos V5 realm such as found in Unix and MIT implementations.

Read more about trust relationships, including a step-by-step process at informit.

This was first published in October 2004

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.