In Active Directory, a trust relationship between two domains allows the users and computers in one domain to access resources residing in the other domain. The trust relationships supported in Windows Server 2003 are summarized below:
The characteristics of Windows Server 2003 trusts are outlined below:
Trusts can be nontransitive or transitive:
Transitive trusts: With transitive trusts, the trust extends to the domains that a trusted domain itself trusts. What this means is where Domain1 trusts Domain2, and Domain2 trusts Domain3, Domain1 would also trust Domain3.
Nontransitive trust: The trust relationship is limited to the two domains between which the particular trust is created; it does not extend to any further domain.
Trusts can be one-way or two-way trusts:
One-way trusts: Based on the direction of the trust, a one-way trust can further be classified as either an incoming trust or an outgoing trust. A one-way trust can be transitive or nontransitive:
Incoming Trust: With an incoming trust, the trust is created in the trusted domain, and users in the trusted domain are able to access network resources in the trusting (other) domain. Users in the other domain, however, cannot access network resources in the trusted domain.
Outgoing Trust: In this case, users in the other domain are able to access network resources in the initiating domain. Users in the initiating domain are not able to access any resources in the other domain.
Two-way trusts: A two-way trust relationship means that where Domain1 trusts Domain2, then Domain2 also trusts Domain1. The trust works in both directions, and users in each domain are able to access network resources in either one of the domains. A two-way, transitive trust relationship is the trust that exists between parent domains and child domains in a domain tree. In a two-way transitive trust, where Domain1 trusts Domain2 and Domain2 trusts Domain3, then Domain1 would trust Domain3 and Domain3 would trust Domain1. Two-way, transitive trust is the default trust relationship between domains in a tree. It is automatically created and exists between top-level domains in a forest.
Trusts can be implicit or explicit trusts:
Implicit: Automatically created trust relationships are called implicit trusts. An example of an implicit trust is the two-way, transitive trust relationship that Active Directory creates between a parent domain and a child domain.
Explicit: Manually created trust relationships are referred to as explicit trust.
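The direction and transitivity rules above decide which users can reach which resources, and that is what a defender needs to reason about when reviewing a trust configuration: a one-way trust only ever opens resources in the trusting domain, and a nontransitive trust stops any access from propagating further. The following Python model is an added example and not part of the original text or of any Microsoft tooling; it computes the set of domains whose resources a user of a given domain can reach by walking the trusts. The domain names and the sample forest are constructed for illustration. It also covers the Domain1/Domain2/Domain3 chain from the transitive trust description, switching transitivity on and off.

```python
"""Toy model of Active Directory trust direction and transitivity (added example)."""
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Trust:
    """One direction of trust: `trusting` accepts users from `trusted`."""
    trusting: str          # domain whose resources become accessible
    trusted: str           # domain whose users gain access
    transitive: bool = False


def one_way(trusting: str, trusted: str, transitive: bool = False) -> List[Trust]:
    """An outgoing trust from `trusting` (equivalently, an incoming trust in `trusted`)."""
    return [Trust(trusting, trusted, transitive)]


def two_way(a: str, b: str, transitive: bool = True) -> List[Trust]:
    """A two-way trust is simply one trust in each direction."""
    return [Trust(a, b, transitive), Trust(b, a, transitive)]


def parent_child(parent: str, child: str) -> List[Trust]:
    """The default two-way, transitive trust between a parent and child domain in a tree."""
    return two_way(parent, child, transitive=True)


def accessible_from(user_domain: str, trusts: Iterable[Trust]) -> Set[str]:
    """Domains whose resources users of `user_domain` can reach via the given trusts.

    The first hop may use any trust that names the user's domain as the trusted side.
    Further hops only exist when every trust on the path, including the next one,
    is transitive; a nontransitive trust ends the chain at the two domains it joins.
    """
    trusts = list(trusts)
    reachable = {user_domain}
    # State: (domain we are currently in, whether every trust so far was transitive)
    frontier: List[Tuple[str, bool]] = [(user_domain, True)]
    seen = set(frontier)
    while frontier:
        domain, path_transitive = frontier.pop()
        for t in trusts:
            if t.trusted != domain:
                continue                      # direction matters: only `trusted` users move
            if domain != user_domain and not (path_transitive and t.transitive):
                continue                      # nontransitive link somewhere: no further hop
            reachable.add(t.trusting)
            state = (t.trusting, path_transitive and t.transitive)
            if state not in seen:
                seen.add(state)
                frontier.append(state)
    return reachable


def can_access(user_domain: str, resource_domain: str, trusts: Iterable[Trust]) -> bool:
    return resource_domain in accessible_from(user_domain, trusts)


# Constructed sample forest (not from the page): a root domain, a child domain joined by
# the default parent/child trust, and a one-way nontransitive trust to a partner domain
# outside the forest. corp.example trusts partner.example, so partner users may use
# corp resources, not the reverse, and that trust does not extend to sales.corp.example.
SAMPLE_TRUSTS = (
    parent_child("corp.example", "sales.corp.example")
    + one_way("corp.example", "partner.example", transitive=False)
)


def chain_example(transitive: bool) -> bool:
    """The page's chain: Domain1 trusts Domain2, Domain2 trusts Domain3.
    Returns whether a Domain3 user can reach Domain1 resources."""
    trusts = (one_way("Domain1", "Domain2", transitive)
              + one_way("Domain2", "Domain3", transitive))
    return can_access("Domain3", "Domain1", trusts)


if __name__ == "__main__":
    for d in ("corp.example", "sales.corp.example", "partner.example"):
        print(f"users of {d} can reach: {sorted(accessible_from(d, SAMPLE_TRUSTS))}")
    print("transitive chain, Domain3 -> Domain1:", chain_example(True))
    print("nontransitive chain, Domain3 -> Domain1:", chain_example(False))
```

Running it shows that partner.example users reach corp.example but not sales.corp.example, while corp.example users never reach partner.example at all, because the trust was created in only one direction. When auditing a real environment, the same walk should be done over the actual trust list so that every domain whose users can reach a sensitive resource domain is known.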
Types of Active Directory Trust Relationships
Parent/Child trust: A parent/child trust relationship exists between two domains in Active Directory that share a common contiguous DNS namespace and belong to the same forest. This trust relationship is established when a child domain is created in a domain tree.
Tree Root trust: A tree root trust relationship can be configured between root domains in the same forest. The root domains do not have a common DNS namespace. This trust relationship is established when a new tree root domain is added to a forest.
Shortcut trust: This trust relationship can be configured between two domains in different domain trees but within the same forest. Shortcut trust is typically utilized to improve user logon times.
External trust: External trust relationships are created between an Active Directory domain and a Windows NT4 domain.
Realm trust: A realm trust relationship exists between an Active Directory domain and a non-Windows Kerberos realm.
Forest trust: Forest trust can be created between two Active Directory forests.