Trust direction

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

The trust type and its assigned direction will impact the trust path used for authentication. A trust path is a series of trust relationships that authentication requests must follow between domains. Before a user can access a resource in another domain, the security system on domain controllers running Windows Server 2003 must determine whether the trusting domain (the domain containing the resource the user is trying to access) has a trust relationship with the trusted domain (the user's logon domain). To determine this, the security system computes the trust path between a domain controller in the trusting domain and a domain controller in the trusted domain. In the following figure, trust paths are indicated by arrows showing the direction of the trust (this is a one-way trust):

[Figure: Direction of trust path]

All domain trust relationships have only two domains in the relationship: the trusting domain and the trusted domain.

One-way trust

A one-way trust is a unidirectional authentication path created between two domains. This means that in a one-way trust between Domain A and Domain B, users in Domain A (trusted domain) can access resources in Domain B (trusting domain). However, users in Domain B cannot access resources in Domain A. Some one-way trusts can be either nontransitive or transitive, depending on the type of trust being created. For more information about trust types, see Trust types.

Two-way trust

All domain trusts in a Windows Server 2003 forest are two-way, transitive trusts. When a new child domain is created, a two-way, transitive trust is automatically created between the new child domain and the parent domain. In a two-way trust, both domains that are involved in a trust relationship trust each other. This means that authentication requests can be passed between the two domains in both directions. Some two-way relationships can be nontransitive or transitive depending on the type of trust being created. For more information, see Trust types.
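
The following is an added example, not part of the original documentation, that models how direction and transitivity decide whether a trust path exists when auditing which domains' users can reach which resources. The domain names and the trust_path and two_way helpers are constructed for illustration, and the model is simplified: a nontransitive trust is treated as usable only between its own two domains.

```python
from collections import deque

def two_way(a, b, transitive):
    """A two-way trust is two one-way trusts, one in each direction."""
    return [(a, b, transitive), (b, a, transitive)]

def trust_path(user_domain, resource_domain, trusts):
    """Return the trust path from the trusting (resource) domain to the
    trusted (user logon) domain, or None if no path exists.
    Each trust is a tuple (trusting_domain, trusted_domain, transitive)."""
    if user_domain == resource_domain:
        return [resource_domain]
    # A direct trust is usable whether or not it is transitive.
    if (resource_domain, user_domain) in {(a, b) for a, b, _ in trusts}:
        return [resource_domain, user_domain]
    # Paths through intermediate domains may only chain transitive trusts.
    edges = {}
    for trusting, trusted, transitive in trusts:
        if transitive:
            edges.setdefault(trusting, []).append(trusted)
    queue, seen = deque([[resource_domain]]), {resource_domain}
    while queue:
        path = queue.popleft()
        for nxt in edges.get(path[-1], []):
            if nxt in seen:
                continue
            if nxt == user_domain:
                return path + [nxt]
            seen.add(nxt)
            queue.append(path + [nxt])
    return None

# Constructed sample: one forest with two child domains, plus a one-way,
# nontransitive trust in which corp.example trusts partner.example.
TRUSTS = (
    two_way("corp.example", "emea.corp.example", True)
    + two_way("corp.example", "apac.corp.example", True)
    + [("corp.example", "partner.example", False)]
)

if __name__ == "__main__":
    for user, resource in [("emea.corp.example", "apac.corp.example"),
                           ("partner.example", "corp.example"),
                           ("corp.example", "partner.example"),
                           ("partner.example", "emea.corp.example")]:
        print(f"{user} -> {resource}: {trust_path(user, resource, TRUSTS)}")
```
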

A Windows Server 2003 domain can establish a one-way or two-way trust with:

  • Windows Server 2003 domains in the same forest

  • Windows Server 2003 domains in a different forest

  • Windows NT 4.0 domains

  • Kerberos V5 realms

For more information about Kerberos V5, see Kerberos V5 authentication.