Trust types

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Communication between domains occurs through trusts. Trusts are authentication pipelines that must be present in order for users in one domain to access resources in another domain. Two default trusts are created when using the Active Directory Installation Wizard. There are four other types of trusts that can be created using the New Trust Wizard or the Netdom command-line tool.

Default trusts

By default, two-way, transitive trusts are automatically created when a new domain is added to a domain tree or forest root domain using the Active Directory Installation Wizard. The two default trust types are defined in the following table.

Trust type: Parent and child
Transitivity: Transitive
Direction: Two-way
Description: By default, when a new child domain is added to an existing domain tree, a new parent and child trust is established. Authentication requests made from subordinate domains flow upward through their parent to the trusting domain. For information about creating a new child domain, see Create a new child domain.

Trust type: Tree-root
Transitivity: Transitive
Direction: Two-way
Description: By default, when a new domain tree is created in an existing forest, a new tree-root trust is established. For information about creating a new domain tree, see Create a new domain tree.

Other trusts

Four other types of trusts can be created using the New Trust Wizard or the Netdom command-line tool: external, realm, forest, and shortcut trusts. These trusts are defined in the following table.

Trust type: External
Transitivity: Nontransitive
Direction: One-way or two-way
Description: Use external trusts to provide access to resources located on a Windows NT 4.0 domain or a domain located in a separate forest that is not joined by a forest trust. For more information, see When to create an external trust.

Trust type: Realm
Transitivity: Transitive or nontransitive
Direction: One-way or two-way
Description: Use realm trusts to form a trust relationship between a non-Windows Kerberos realm and a Windows Server 2003 domain. For more information, see When to create a realm trust.

Trust type: Forest
Transitivity: Transitive
Direction: One-way or two-way
Description: Use forest trusts to share resources between forests. If a forest trust is a two-way trust, authentication requests made in either forest can reach the other forest. For more information, see When to create a forest trust.

Trust type: Shortcut
Transitivity: Transitive
Direction: One-way or two-way
Description: Use shortcut trusts to improve user logon times between two domains within a Windows Server 2003 forest. This is useful when the two domains are in different domain trees and the default trust path between them is long. For more information, see When to create a shortcut trust.

When creating external, shortcut, realm, or forest trusts, you have the option to create each side of the trust separately or both sides of a trust simultaneously.

If you choose to create each side of the trust separately, you will need to run the New Trust Wizard twice, once in each domain. When creating trusts using this method, you must supply the same trust password in both domains. As a security best practice, every trust password should be a strong password. For more information, see Strong passwords.

If you choose to create both sides of the trust simultaneously, you will need to run the New Trust Wizard once. When you choose this option, a strong trust password is automatically generated for you.

You will need the appropriate administrative credentials for each domain between which you will be creating a trust.

Netdom.exe can also be used to create trusts. For more information about Netdom, see Active Directory support tools.
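The two ways of creating a trust described above (both sides at once, or one side at a time with a shared trust password), followed by the checks an administrator runs afterwards, driven through Netdom.exe from PowerShell. This is an added example, not code from the original page or from the Netdom tool's own documentation. The domain names and administrator accounts are placeholders; the Netdom switches used (/d, /add, /twoway, /oneside, /passwordt, /ud, /pd, /uo, /po, /verify, /transitive, and netdom query trust) are assumed from Netdom's documented syntax, so confirm them with netdom trust /? on the build you are running.

```powershell
# Added example (not the original page's code): creating and checking a trust
# with Netdom.exe. Run in an elevated prompt on a domain controller of the
# trusting domain. All domain and account names below are placeholders.

$TrustingDomain = 'corp.example.com'       # placeholder: domain that holds the resources
$TrustedDomain  = 'partner.example.net'    # placeholder: domain whose users need access
$TrustingAdmin  = 'CORP\Administrator'     # placeholder: admin account in the trusting domain
$TrustedAdmin   = 'PARTNER\Administrator'  # placeholder: admin account in the trusted domain

# Method 1: both sides at once (the "run the wizard once" case). Credentials
# for both domains are supplied, Netdom creates both halves of the trust and
# generates the trust password itself. '*' makes Netdom prompt for each
# password instead of leaving it on the command line.
function New-TrustBothSides {
    param([switch]$TwoWay)
    $netdomArgs = @('trust', $TrustingDomain, "/d:$TrustedDomain", '/add',
                    "/uo:$TrustingAdmin", '/po:*',
                    "/ud:$TrustedAdmin",  '/pd:*')
    if ($TwoWay) { $netdomArgs += '/twoway' }
    & netdom.exe @netdomArgs
}

# Method 2: one side at a time (the "run the wizard twice" case). Run once in
# the trusting domain with -Side trusting and once in the trusted domain with
# -Side trusted, entering the same strong trust password both times. The
# password is read without echo; note that /passwordt still places it on the
# netdom command line for the lifetime of that process.
function New-TrustOneSide {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('trusting', 'trusted')]
        [string]$Side,
        [switch]$TwoWay
    )
    $secure = Read-Host -Prompt 'Trust password (must match on the other side)' -AsSecureString
    $bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try {
        $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        $netdomArgs = @('trust', $TrustingDomain, "/d:$TrustedDomain", '/add',
                        "/oneside:$Side", "/passwordt:$plain")
        if ($TwoWay) { $netdomArgs += '/twoway' }
        & netdom.exe @netdomArgs
    }
    finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    }
}

# Checks to run after either method.
function Test-Trust {
    # Confirms the secure channel for the trust can be established.
    & netdom.exe trust $TrustingDomain "/d:$TrustedDomain" /verify

    # With no YES/NO value, /transitive reports the trust's current
    # transitivity. Only realm trusts let you change it (/transitive:yes or
    # /transitive:no); external trusts stay nontransitive.
    & netdom.exe trust $TrustingDomain "/d:$TrustedDomain" /transitive

    # Lists every trust of the trusting domain with its direction and type.
    # Reviewing this output regularly is how an administrator notices a trust
    # that nobody remembers creating.
    & netdom.exe query "/d:$TrustingDomain" trust
}
```

Because Netdom reports success or failure as console output rather than as a return value, run Test-Trust after creating the trust and read its output; for the one-side method, the /verify check only succeeds once both domains have completed their half with matching passwords.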

For more information about trusts, see Trust transitivity and Trust direction.