Active Directory Forests and Trust Relationships

As I outlined in previous articles, all domains within an Active Directory forest are capable of accessing one another due to the nature of the trust relationships that are automatically created. A transitive two-way trust relationship exists between every child domain and its parent domain, and transitive two-way trust relationships exist between the roots of all trees and the forest root. It should be noted that in some cases you will need to create additional trust relationships, both within and external to your forest.

For example, you might have a domain that is still running Windows NT 4, whose users you wish to be able to access a domain in your Active Directory structure. This would require an external trust, which is very similar to the trust relationships that you should be familiar with from NT 4. These trusts are one-way and intransitive, meaning that they can only be used to provide access to a single domain. In the scenario I described above, the trust relationship might look something like the diagram below:

Figure: Trust relationship with an external domain

In this particular example, users from the domain NT4DOMAIN would have access to resources in the domain only. Of course, a two-way trust could be created between the two, allowing users from access to resources in NT4DOMAIN. If users in NT4DOMAIN needed access to resources in all 3 of the domains, 3 trust relationships would need to be created at a minimum.

The tool used to create external trust relationships is Active Directory Domains and Trusts. This tool is used to create, manage, and verify trust relationships between domains. Note that the tools will show both internal and external trust relationships that exist. By accessing the properties of a domain, you can view the trust relationships that exist on the Trusts tab.

Note that the domain name, relationship (internal/external), and whether the relationship is transitive will appear on this screen. Note that like NT 4, for security purposes external trust relationship information must still be entered in both domains participating. Note that external trust relationships can connect a Windows 2000 domain with NT 4 domains, Windows 2000 domains (from different forests), as well Kerberos v.5 realms.

The second type of trust relationship that can be created is referred to as a shortcut trust relationship. This type of trust is created to shorten the path that needs to be followed for the purpose of authentication. For example, if I had a forest as shown below, getting to from would require crossing 3 trust relationships.

If users in did need to regularly access resources in, it might make sense to create a shortcut trust (as shown below) to lessen the number of trust relationships that would need to be traversed. Note that shortcut trusts are two-way transitive trusts, and that they are also created in Active Directory Domains and Trusts.

In order to verify trust relationships, you can use the edit button in Active Directory domain and trusts when a domain in the list is selected. This will attempt a secure channel query to the other domain, and will return results as to whether it was successfully able to verify the relationship or not. Further to this, another tool that you should be aware of for verifying trust relationships is Netdom.exe, a command-line utility that can be found in the Windows 2000 resource kit.

Author: Dan DiNicolo

Dan DiNicolo is a freelance author, consultant, trainer, and the managing editor of He is the author of the CCNA Study Guide found on this site, as well as many books including the PC Magazine titles Windows XP Security Solutions and Windows Vista Security Solutions. Click here to contact Dan.