Understanding Trust Relationships

The trust relationship is a logical relationship between two domains or forests. In a Trust relationship, one of the two domains is the trusting domain and the other is the trusted domain. The trusting domain trusts the trusted domain and allows access to its resources to the trusted domain after authenticating the logon requests of the trusted domain.

All the child domains that you add to a forest automatically trust each other and inherit the DNS domain name of their parent domain. However the new domain trees will have a distinguished namespace.

The trust relationships can be created automatically or created manually. Windows Server 2008 supports bidirectional and transitive trust relationships. The transitive trust relationship means that if there are three domains called A, B and C. The domain A trusts domain B and domain B trusts domain C then if there is a transitive trust relationship then domain A will trust domain C else, if there is intransitive relationship then domain A will not trust domain C. The bidirectional trust relationship means that if domain A trusts domain B then domain B will also trust domain A.

Windows Server 2003 uses Kerberos protocol by default for trust domains to authenticate applications and users. It also supports the use of NTLM protocol. Windows Server 2008 however supports Kerberos v5 protocol by default.

Four explicit trust (manual) relationships are supported by Windows Server 2008. These trust relationship types are: