Trust transitivity

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Transitivity determines whether a trust can be extended outside of the two domains with which it was formed. A transitive trust can be used to extend trust relationships with other domains and a nontransitive trust can be used to deny trust relationships with other domains.

Transitive trusts

Each time you create a new ___domain in a forest, a two-way, transitive trust relationship is automatically created between the new ___domain and its parent ___domain. If child domains are added to the new ___domain, the trust path flows upward through the ___domain hierarchy, extending the initial trust path created between the new ___domain and its parent ___domain.

Transitive trust relationships flow upward through a ___domain tree as it is formed, creating transitive trusts between all domains in the ___domain tree.

Authentication requests follow these trust paths, so accounts from any ___domain in the forest can be authenticated at any other ___domain in the forest. With a single logon process, accounts with the proper permissions can access resources in any ___domain in the forest. For more information, see Authentication protocols overview.

Figure: A two-way, transitive trust path connects domains

The diagram displays that all domains in the Domain A tree and all domains in the Domain 1 tree have transitive trust relationships by default. As a result, users in the Domain A tree can access resources in domains in the Domain 1 tree and users in the Domain 1 tree can access resources in the Domain A tree, when the proper permissions are assigned at the resource.

In addition to the default transitive trusts established in a Windows Server 2003 forest, using the New Trust Wizard, you can manually create the following transitive trusts.

  • Shortcut trust. A transitive trust between two domains in the same ___domain tree or forest, used to shorten the trust path in a large and complex ___domain tree or forest.

  • Forest trust. A transitive trust between a forest root ___domain and a second forest root ___domain.

  • Realm trust. A transitive trust between an Active Directory ___domain and a Kerberos V5 realm. For more information about Kerberos V5 realms, see Kerberos V5 authentication.

For more information about trust types, see Trust types.

Nontransitive trust

A nontransitive trust is restricted by the two domains in the trust relationship and does not flow to any other domains in the forest. A nontransitive trust can be a two-way trust or a one-way trust.

Nontransitive trusts are one-way by default, although you can also create a two-way relationship by creating two one-way trusts. In summary, nontransitive ___domain trusts are the only form of trust relationship possible between:

  • A Windows Server 2003 ___domain and a Windows NT ___domain

  • A Windows Server 2003 ___domain in one forest and a ___domain in another forest (when not joined by a forest trust)
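The two rules stated above, that transitive trusts chain through the forest while a nontransitive trust reaches no further than the two domains that formed it and only in the direction it was created, can be checked mechanically. The following Python example is added here and is not part of the original documentation or of any Microsoft tool. It models each trust as a directed edge from the trusting ___domain (the one holding the resource) to the trusted ___domain (the one holding the account), builds the forest from the diagram above (the Domain A tree with child domains B and C, the Domain 1 tree with child ___domain 2, plus a Windows NT ___domain NT joined by a one-way external trust), and finds the chain of domains an authentication request would be referred through. The child ___domain names and the NT ___domain are constructed for the example, and the rule that a nontransitive trust may only ever be the single hop of a path is the example's reading of the text, not an API of the product.

```python
from collections import deque
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Trust:
    """One direction of a trust relationship.

    trusting: the ___domain that holds the resources and accepts accounts from `trusted`
    trusted:  the ___domain whose accounts are accepted
    transitive: whether the trust extends to domains that `trusted` itself trusts
    """
    trusting: str
    trusted: str
    transitive: bool


def two_way(domain_a: str, domain_b: str, transitive: bool = True) -> List[Trust]:
    """A two-way trust is simply two one-way trusts, one in each direction."""
    return [Trust(domain_a, domain_b, transitive), Trust(domain_b, domain_a, transitive)]


def build_forest() -> List[Trust]:
    """Constructed sample forest: two ___domain trees plus an external Windows NT ___domain."""
    trusts: List[Trust] = []
    # Parent-child trusts are created automatically: two-way and transitive.
    trusts += two_way("A", "B")      # B is a child ___domain of A
    trusts += two_way("B", "C")      # C is a child ___domain of B
    trusts += two_way("1", "2")      # 2 is a child ___domain of 1
    # Tree-root trust between the two forest trees: two-way and transitive.
    trusts += two_way("A", "1")
    # External trust to a Windows NT ___domain: one-way and nontransitive.
    # Only C trusts NT; NT does not trust C, and nothing else trusts NT.
    trusts.append(Trust("C", "NT", transitive=False))
    return trusts


def find_trust_path(trusts: List[Trust], resource_domain: str,
                    account_domain: str) -> Optional[List[str]]:
    """Return the domains an authentication referral walks, starting at the ___domain
    holding the resource and ending at the ___domain holding the account, or None if
    no usable trust path exists."""
    if resource_domain == account_domain:
        return [resource_domain]

    # A direct trust may be used whether or not it is transitive.
    for t in trusts:
        if t.trusting == resource_domain and t.trusted == account_domain:
            return [resource_domain, account_domain]

    # Any longer path must consist entirely of transitive trusts: a nontransitive
    # trust is restricted to the two domains that formed it and never flows onward.
    # Breadth-first search returns the shortest chain, so a shortcut trust shows up
    # as a shorter path when one is present.
    queue = deque([[resource_domain]])
    seen = {resource_domain}
    while queue:
        path = queue.popleft()
        here = path[-1]
        for t in trusts:
            if t.trusting != here or not t.transitive or t.trusted in seen:
                continue
            next_path = path + [t.trusted]
            if t.trusted == account_domain:
                return next_path
            seen.add(t.trusted)
            queue.append(next_path)
    return None


if __name__ == "__main__":
    forest = build_forest()
    # Default path across the two trees walks up to the tree roots and down again.
    print(find_trust_path(forest, "C", "2"))
    # A shortcut trust between C and 2 collapses that walk to a single hop.
    print(find_trust_path(forest + two_way("C", "2"), "C", "2"))
    # The external trust works only from C, and only in the direction it was created.
    print(find_trust_path(forest, "C", "NT"))
    print(find_trust_path(forest, "B", "NT"))
    print(find_trust_path(forest, "NT", "C"))
```

Running the script shows the five-___domain referral chain C, B, A, 1, 2 for the default forest, the two-___domain chain once the shortcut trust is added, a direct path from C to the NT ___domain, and no path at all from B to NT (the external trust does not flow up the tree) or from NT to C (the trust is one-way).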

Using the New Trust Wizard, you can manually create the following nontransitive trusts:

  • External trust. A nontransitive trust created between a Windows Server 2003 ___domain and either a Windows NT ___domain or a Windows 2000 or Windows Server 2003 ___domain in another forest.

    When you upgrade a Windows NT ___domain to a Windows Server 2003 ___domain, all existing Windows NT trusts are preserved intact. All trust relationships between Windows Server 2003 domains and Windows NT domains are nontransitive.

  • Realm trust. A nontransitive trust between an Active Directory ___domain and a Kerberos V5 realm. For more information about Kerberos V5 realms, see Kerberos V5 authentication.

For more information about trust types, see Trust types.