Understanding Trust Transitivity

Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012

Trust transitivity

Transitivity determines whether a trust can be extended outside the two domains between which the trust was formed. You can use a transitive trust to extend trust relationships with other domains. You can use a nontransitive trust to deny trust relationships with other domains.

Transitive trust

Each time that you create a new domain in a forest, a two-way, transitive trust relationship is automatically created between the new domain and its parent domain. If child domains are added to the new domain, the trust path flows upward through the domain hierarchy, extending the initial trust path that is created between the new domain and its parent domain.

Transitive trust relationships flow upward through a domain tree as it is formed, creating transitive trusts between all domains in the domain tree.

Authentication requests follow these trust paths. Therefore, accounts from any domain in the forest can be authenticated at any other domain in the forest. With a single logon process, accounts with the proper permissions can access resources in any domain in the forest. Because every domain in a forest is reachable in this way, the forest, not the domain, is the security boundary: a domain whose administrators you do not trust should not be a member of the forest.

In addition to the default transitive trusts that are established in an Active Directory forest, by using the New Trust Wizard you can manually create the following transitive trusts:

  • Shortcut trust : A transitive trust between two domains in the same domain tree or forest that shortens the trust path in a large and complex domain tree or forest.

  • Forest trust : A transitive trust between a forest root domain and a second forest root domain. It extends to every domain in both forests, but not beyond them: if forest A trusts forest B and forest B trusts forest C, forest A does not trust forest C.

  • Realm trust : A transitive trust between an Active Directory domain and a Kerberos V5 realm. A realm trust can be created as either transitive or nontransitive; you choose when you create it. For more information about Kerberos V5 realms, see Kerberos V5 authentication (https://go.microsoft.com/fwlink/?LinkId=92699).

The following illustration shows a two-way, transitive trust relationship between the Domain A tree and the Domain 1 tree. All domains in the Domain A tree and all domains in the Domain 1 tree have transitive trust relationships by default. As a result, users in the Domain A tree can access resources in domains in the Domain 1 tree, and users in the Domain 1 tree can access resources in the Domain A tree when the proper permissions are assigned at the resource.
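As an added example that is not part of the original page, the following Python model walks the trust paths described above over a constructed topology with hypothetical domain names (a.example and its children, a second tree under one.example, and an external trust to partner.example). It shows that a chain of transitive trusts connects domains in different trees of one forest, that a nontransitive trust allows only direct access and cannot be extended to a third domain, and that adding a shortcut trust collapses a long path to a single hop.

```python
from collections import deque

# Constructed sample topology, not from the original page; names are
# hypothetical. Each trust is (trusted, trusting, two_way, transitive):
# accounts from `trusted` can authenticate to resources in `trusting`.
SAMPLE_TRUSTS = [
    ("b.a.example", "a.example", True, True),           # parent-child (forest)
    ("c.b.a.example", "b.a.example", True, True),       # parent-child (forest)
    ("one.example", "a.example", True, True),           # tree-root (forest)
    ("two.one.example", "one.example", True, True),     # parent-child (forest)
    ("partner.example", "c.b.a.example", True, False),  # external, nontransitive
]


def build_graph(trusts):
    """Return {domain: [(trusting_neighbour, transitive), ...]}, following
    the direction in which authentication requests flow."""
    graph = {}
    for trusted, trusting, two_way, transitive in trusts:
        graph.setdefault(trusted, []).append((trusting, transitive))
        graph.setdefault(trusting, [])
        if two_way:
            graph[trusting].append((trusted, transitive))
    return graph


def trust_path(graph, source, target):
    """Shortest trust path from an account's domain to a resource domain.

    A single direct trust always works, transitive or not. A path of two or
    more hops is valid only when every hop is transitive, because a
    nontransitive trust cannot be extended beyond its two domains.
    Returns the list of domains on the path, or None if there is no path."""
    if source == target:
        return [source]
    for neighbour, _ in graph.get(source, []):
        if neighbour == target:
            return [source, target]
    # Breadth-first search over transitive edges only (fewest referrals).
    parent = {source: None}
    queue = deque([source])
    while queue:
        current = queue.popleft()
        for neighbour, transitive in graph.get(current, []):
            if not transitive or neighbour in parent:
                continue
            parent[neighbour] = current
            if neighbour == target:
                path = [target]
                while parent[path[-1]] is not None:
                    path.append(parent[path[-1]])
                return path[::-1]
            queue.append(neighbour)
    return None


def path_summary(trusts, source, target):
    """(hop count, path) for source -> target, or None when unreachable."""
    path = trust_path(build_graph(trusts), source, target)
    return None if path is None else (len(path) - 1, path)


if __name__ == "__main__":
    # Forest-internal: down one tree, through the tree-root trust, up the other.
    print(path_summary(SAMPLE_TRUSTS, "c.b.a.example", "two.one.example"))
    # Nontransitive external trust: direct access works, extension does not.
    print(path_summary(SAMPLE_TRUSTS, "partner.example", "c.b.a.example"))
    print(path_summary(SAMPLE_TRUSTS, "partner.example", "b.a.example"))
    # A shortcut trust between the two leaf domains turns four hops into one.
    with_shortcut = SAMPLE_TRUSTS + [("c.b.a.example", "two.one.example", True, True)]
    print(path_summary(with_shortcut, "c.b.a.example", "two.one.example"))
```

The model deliberately treats the first hop of a multi-hop path the same as any other: a nontransitive trust cannot start a chain either, which is why partner.example reaches c.b.a.example but nothing behind it.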

For more information about trust types, see Understanding Trust Types.

Nontransitive trust

A nontransitive trust is restricted to the two domains in the trust relationship. Trust does not flow from either partner to any other domain, including the other domains in the partner's forest. A nontransitive trust can be a two-way trust or a one-way trust. Nontransitive trusts are one-way by default, although you can also create a two-way relationship by creating two one-way trusts.

Nontransitive domain trusts are the only form of trust relationship that is possible between the following:

  • An Active Directory domain and a Windows NT domain

  • An Active Directory domain in one forest and a domain in another forest (when the forests are not joined by a forest trust)

You can use the New Trust Wizard to manually create the following nontransitive trusts:

  • External trust : A nontransitive trust between an Active Directory domain and a Windows NT domain, or between an Active Directory domain and an Active Directory domain in another forest that is not joined by a forest trust.

  • Realm trust : A nontransitive trust between an Active Directory domain and a Kerberos version 5 (V5) realm. A realm trust can be created as either nontransitive or transitive; you choose when you create it. For more information about Kerberos V5 realms, see Kerberos V5 authentication (https://go.microsoft.com/fwlink/?LinkId=92699).
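The transitivity of an existing trust is recorded on the trustedDomain object in the directory, in the trustAttributes, trustType and trustDirection attributes (the same values that Get-ADTrust or an LDAP search for objectClass=trustedDomain returns). The following Python decoder is an added example, not from the original page; it classifies constructed records with hypothetical names into the trust kinds described in this topic and reports which trusts can carry authentication beyond their two partner domains. The bit values are those documented for trustAttributes in MS-ADTS; the classification rules follow this page (external trusts are always nontransitive, realm trusts are nontransitive only when the NON_TRANSITIVE bit is set).

```python
# Flag bits of the trustAttributes attribute (MS-ADTS), ascending by bit.
TRUST_ATTRIBUTE_FLAGS = {
    0x00000001: "NON_TRANSITIVE",
    0x00000002: "UPLEVEL_ONLY",
    0x00000004: "QUARANTINED_DOMAIN",   # SID filtering enforced on the trust
    0x00000008: "FOREST_TRANSITIVE",
    0x00000010: "CROSS_ORGANIZATION",   # selective authentication
    0x00000020: "WITHIN_FOREST",
    0x00000040: "TREAT_AS_EXTERNAL",
    0x00000080: "USES_RC4_ENCRYPTION",
}
TRUST_TYPES = {1: "downlevel", 2: "uplevel", 3: "mit"}        # trustType
TRUST_DIRECTIONS = {0: "disabled", 1: "inbound", 2: "outbound", 3: "two-way"}

# Constructed records in the shape of trustedDomain objects; the names are
# hypothetical and not from the original page.
SAMPLE_TRUSTED_DOMAINS = [
    {"name": "b.a.example",     "trustType": 2, "trustDirection": 3, "trustAttributes": 0x20},
    {"name": "partner.example", "trustType": 2, "trustDirection": 3, "trustAttributes": 0x08},
    {"name": "vendor.example",  "trustType": 2, "trustDirection": 2, "trustAttributes": 0x04},
    {"name": "NTDOM",           "trustType": 1, "trustDirection": 1, "trustAttributes": 0x00},
    {"name": "KRB.EXAMPLE",     "trustType": 3, "trustDirection": 3, "trustAttributes": 0x01},
]


def decode_flags(attrs):
    """Names of the flag bits set in a trustAttributes value, ascending by bit."""
    return [name for bit, name in sorted(TRUST_ATTRIBUTE_FLAGS.items()) if attrs & bit]


def classify_trust(record):
    """Map one trustedDomain record to the trust kinds described on this page
    and decide whether authentication can flow through it transitively."""
    attrs = record["trustAttributes"]
    trust_type = TRUST_TYPES.get(record["trustType"], "unknown")
    non_transitive = bool(attrs & 0x00000001)
    if trust_type == "mit":
        kind = "realm"            # transitive unless created nontransitive
        transitive = not non_transitive
    elif attrs & 0x00000020:
        kind = "intra-forest"     # parent-child, tree-root or shortcut trust
        transitive = True
    elif attrs & 0x00000008:
        kind = "forest"           # forest trust between two forest roots
        transitive = True
    else:
        kind = "external"         # Windows NT domain or a domain in another forest
        transitive = False        # external trusts are never transitive
    return {
        "name": record["name"],
        "kind": kind,
        "transitive": transitive,
        "direction": TRUST_DIRECTIONS.get(record["trustDirection"], "unknown"),
        "sid_filtering": bool(attrs & 0x00000004),
        "flags": decode_flags(attrs),
    }


def transitive_trusts(records):
    """Names of the trusts that extend authentication beyond their two partners."""
    return [c["name"] for c in map(classify_trust, records) if c["transitive"]]


if __name__ == "__main__":
    for record in SAMPLE_TRUSTED_DOMAINS:
        print(classify_trust(record))
    print("transitive:", transitive_trusts(SAMPLE_TRUSTED_DOMAINS))
```

Running the decoder against real trustedDomain objects and comparing the result with what the New Trust Wizard was expected to create is a quick way to catch a trust that was meant to be nontransitive but is not.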

For more information about trust types, see Understanding Trust Types.

Additional references