Whenever there is a need for accessing resources in a different forest, administrators have to configure trust relationships manually. Windows 2000 offers the capability to configure one-way, nontransitive trusts, between domains in different forests. You have to explicitly configure every trust relationship between each domain in the different forests. If you need a two-way trust relationship, you have to manually configure each half of the trust separately.
Windows Server 2003 makes it easier to configure interforest trust relationships. This article from informit studies these trust relationships. In a nutshell, for forests that are operating at the Windows Server 2003 forest functional level, you can configure trusts that enable two-way transitive trust relationships between all domains in the relevant forests. If the forest is operating at any other functional level, you still need to configure explicit trusts as in Windows 2000.
Windows Server 2003 introduces the following types of interforest trusts:
- External trusts: These one-way trusts are individual trust relationships set up between two domains in different forests, as can be done in Windows 2000. The forests involved may be operating at any forest functional level. You can use this type of trust if you need to enable resource sharing only between specific domains in different forests. You can also use this type of trust relationship between an Active Directory domain and a Windows NT 4.0 domain.
- Forest trusts: As already mentioned, these trusts include complete trust relationships between all domains in the relevant forests, thereby enabling resource sharing among all domains in the forests. The trust relationship can be either one-way or two-way. Both forests must be operating at the Windows Server 2003 forest functional level. The use of forest trusts offers several benefits:
- They simplify resource management between forests by reducing the number of external trusts needed for resource sharing.
- They provide a wider scope of UPN authentications, which can be used across the trusting forests.
- They provide increased administrative flexibility by enabling administrators to split collaborative delegation efforts with administrators in other forests.
- Directory replication is isolated within each forest. Forest-wide configuration modifications such as adding new domains or modifying the schema affect only the forest to which they apply, and not trusting forests.
- They provide greater trustworthiness of authorization data. Administrators can use both the Kerberos and NTLM authentication protocols when authorization data is transferred between forests.
- Realm trusts: These are one-way nontransitive trusts that you can set up between an Active Directory domain and a Kerberos V5 realm such as found in Unix and MIT implementations.
Read more about trust relationships, including a step-by-step process at informit.
This was first published in October 2004