
Learn Windows XP Professional in 15 Minutes a Week: Windows XP Pro in AD Environments, Part 1 Page 2


Trust Relationships

All of the domains in a domain tree and all of the trees in a single forest have the connectivity benefits of a two-way, transitive trust relationship, which is the default trust relationship between Windows 2000 domains. By definition, a two-way, transitive trust is the combination of a transitive trust and a two-way trust. This complete trust between all domains in an Active Directory domain hierarchy helps form the forest as a single unit via its common schema, configuration, and global catalog.

A transitive trust is a relationship that extends from one domain to the next, and the next, and so on. In the above example, indirectly trusts because the trust relationship travels from to to. Because to is a direct trust and to is a direct trust, and all trusts in a Windows 2000 Active Directory are transitive by default, indirectly trusts.

This is also the relationship of to. Since they are all in the same forest and connected by a common schema, configuration, and global catalog (as well as the fact that all Windows 2000 Active Directory trusts are transitive by default), the following is true: directly trusts, and directly trusts, and directly trusts. Therefore indirectly trusts.

A two-way trust can be looked at simply as two one-way trusts between two domains. When trusts, it is a one-way trust. When trusts, it is another one-way trust. The trust is considered two way when each trusts the other in the same reverse manner it is trusted.

This would also be where trusts and trusts Since these two domain trees are in the same forest, they each trust the other and all of their child domains (two way and transitively).

Again, all of the domains in a domain tree and all of the trees in a single forest have the connectivity benefit of the two-way, transitive trust relationships, which are the default trust relationships between Windows 2000 domains.

This is not true of domains and domain trees outside of the forest. (Such trusts are referred to as external trusts.)

For example, if were collaborating on a project with where users in the Windows 2000 domain needed access to resources within the Windows 2000 domain, the domain administrator for would have to manually set up a trust relationship with in which trusted, so that users in could gain access to the resources they needed. This would not give users in access to any resources in, as the manual setup of a one-way trust does not automatically create the "reverse" one-way trust that would make trust the users of.

Figure 2: One-Way Trust

Such a trust is also in no way transitive. If there were a situation where a trust was established from to, and there was a child domain of called, users of could not gain access to any of the resources in, even though those resources might be included in the common schema, configuration, and global catalog of the Active Directory. The trust that exists is between only and, and in the example of Figure 2 it has been set up so that only users in can access resources in the domain. If access to is required by users of the Windows 2000 domain, then another one-way, external, non-transitive trust would need to be established.

Figure 3: One-Way, External, Non-transitive Trust

External trusts can be created between different Windows 2000 forests or to a Windows NT domain (sometimes called a down-level domain) or a Kerberos version 5 realm.

You can also combine two one-way trusts to create a two-way trust relationship. In this case, would trust and would trust. However, even these are not transitive, since the domains are in different Windows 2000 Active Directory forests.

[NOTES FROM THE FIELD] – In Figure 3, users of the 2000trainers domain would be able to access resources if they are given permission to in the domain. However, this does not necessarily allow them access to the other domains in the forest, such as,, or any of the domain tree.
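To make the difference between forest trusts and external trusts concrete, here is an added model (example code, not from the article) that answers the question "can users of domain X be authenticated to resources in domain Y?" for a constructed topology. The domain names hq.example, sales.hq.example, lab.example and partner.example are assumptions chosen for the example.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Trust:
    trusting: str     # domain that holds the resources
    trusted: str      # domain whose users the trusting domain accepts
    transitive: bool  # True inside a forest, False for an external trust


def forest_trusts(parent_child):
    """Every parent/child (or forest-root/tree-root) link in one forest is a
    two-way, transitive trust, the Active Directory default."""
    edges = []
    for parent, child in parent_child:
        edges.append(Trust(parent, child, True))
        edges.append(Trust(child, parent, True))
    return edges


def external_trust(trusting, trusted, two_way=False):
    """An external trust is one-way and non-transitive. A 'two-way' external
    trust is simply two one-way trusts and is still non-transitive."""
    edges = [Trust(trusting, trusted, False)]
    if two_way:
        edges.append(Trust(trusted, trusting, False))
    return edges


def can_access(trusts, user_domain, resource_domain):
    """A direct trust of either kind is enough. A longer path may use only
    transitive trusts, because a non-transitive trust is never chained."""
    if user_domain == resource_domain:
        return True
    if any(t.trusting == resource_domain and t.trusted == user_domain for t in trusts):
        return True
    seen, queue = {resource_domain}, deque([resource_domain])
    while queue:
        here = queue.popleft()
        for t in trusts:
            if t.trusting == here and t.transitive and t.trusted not in seen:
                if t.trusted == user_domain:
                    return True
                seen.add(t.trusted)
                queue.append(t.trusted)
    return False


# Constructed topology: one forest (lab.example is a second tree root joined
# to the forest root hq.example) plus an external one-way trust in which
# hq.example trusts partner.example, as in Figure 2.
FOREST = forest_trusts([("hq.example", "sales.hq.example"),
                        ("hq.example", "lab.example")])
TOPOLOGY = FOREST + external_trust("hq.example", "partner.example")
```

Running `can_access(TOPOLOGY, "partner.example", "sales.hq.example")` returns False even though `can_access(TOPOLOGY, "partner.example", "hq.example")` is True, which is the Figure 3 point: the external trust stops at the domain that created it.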

Well, that wraps up this section of “Learn Windows XP Professional in 15 Minutes a Week.” I hope you found it informative and will return for the next installment.

If you have any questions, comments or even constructive criticism, please feel free to drop me a note. I want to write solid technical articles that appeal to a large range of readers and skill levels, and I can only be sure of that through your feedback.

Until next time, best of luck in your studies and remember:

Of all the oxymorons there are, found missing and clearly misunderstood are two of my favorites.
