Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Trust transitivity
Transitivity determines whether a trust can be extended outside of the two domains with which it was formed. A transitive trust can be used to extend trust relationships with other domains and a nontransitive trust can be used to deny trust relationships with other domains.
Transitive trusts
Each time you create a new ___domain in a forest, a two-way, transitive trust relationship is automatically created between the new ___domain and its parent ___domain. If child domains are added to the new ___domain, the trust path flows upward through the ___domain hierarchy extending the initial trust path created between the new ___domain and its parent ___domain.
Transitive trust relationships flow upward through a ___domain tree as it is formed, creating transitive trusts between all domains in the ___domain tree.
Authentication requests follow these trust paths, so accounts from any ___domain in the forest can be authenticated at any other ___domain in the forest. With a single logon process, accounts with the proper permissions can access resources in any ___domain in the forest. For more information, see Authentication protocols overview.
.gif "A two-way, transitive trust path connects domains")
The diagram displays that all domains in the Domain A tree and all domains in the Domain 1 tree have transitive trust relationships by default. As a result, users in the Domain A tree can access resources in domains in the Domain 1 tree and users in the Domain 1 tree can access resources in the Domain A tree, when the proper permissions are assigned at the resource.
In addition to the default transitive trusts established in a Windows Server 2003 forest, using the New Trust Wizard, you can manually create the following transitive trusts.
Shortcut trust. A transitive trust between a ___domain in the same ___domain tree or forest used to shorten the trust path in a large and complex ___domain tree or forest.
Forest trust. A transitive trust between a forest root ___domain and a second forest root ___domain.
Realm trust. A transitive trust between an Active Directory ___domain and an Kerberos V5 realm. For more information about Kerberos V5 realms, see Kerberos V5 authentication.
For more information about trust types, see Trust types.
Nontransitive trust
A nontransitive trust is restricted by the two domains in the trust relationship and does not flow to any other domains in the forest. A nontransitive trust can be a two-way trust or a one-way trust.
Nontransitive trusts are one-way by default, although you can also create a two-way relationship by creating two one-way trusts. In summary, nontransitive ___domain trusts are the only form of trust relationship possible between:
A Windows Server 2003 ___domain and a Windows NT ___domain
A Windows Server 2003 ___domain in one forest and a ___domain in another forest (when not joined by a forest trust)
Using the New Trust Wizard, you manually create the following nontransitive trusts:
External trust. A nontransitive trust created between a Windows Server 2003 ___domain and a Windows NT ___domain or a Windows 2000 ___domain or Windows Server 2003 ___domain in another forest.
When you upgrade a Windows NT ___domain to a Windows Server 2003 ___domain, all existing Windows NT trusts are preserved intact. All trust relationships between Windows Server 2003 domains and Windows NT domains are nontransitive.
Realm trust. A nontransitive trust between an Active Directory ___domain and an Kerberos V5 realm. For more information about Kerberos V5 realms, see Kerberos V5 authentication.
For more information about trust types, see Trust types.