By using Windows Server 2003 domain and forest
trusts, service administrators can create or extend
collaborative relationships between two or more
domains or forests. Windows Server 2003 domains and
forests can also trust Kerberos realms and other
Windows Server 2003 forests, as well as Microsoft
Windows® 2000 domains and Windows NT® 4.0 domains.
When a trust exists between two domains, the
authentication mechanisms for each domain trust the
authentications coming from the other domain. Trusts
help to provide controlled access to shared
resources in a resource domain (the trusting domain)
by verifying that incoming authentication requests
come from a trusted authority (the trusted domain).
In this way, trusts act as bridges that allow only
validated authentication requests to travel between
domains.

How a specific trust passes authentication
requests depends on how it is configured. Trust
relationships can be one-way, providing access from
the trusted domain to resources in the trusting
domain, or two-way, providing access from each
domain to resources in the other domain. Trusts are
also either nontransitive, in which case a trust
exists only between the two trust partner domains,
or transitive, in which case a trust automatically
extends to any other domains that either of the
partners trusts.

In some cases, trust relationships are
established automatically when domains are created;
in other cases, administrators must choose a type of
trust and explicitly establish the appropriate
relationships. The specific types of trusts that are
used and the structure of the resulting trust
relationships in a given trust implementation depend
on such factors as how Active Directory is organized
and whether different versions of Windows coexist on
the network.
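
The direction and transitivity rules described above can be checked against a trust inventory when reviewing which domains a resource domain accepts authentication from. The following is an added example, not Microsoft code: it uses a simplified model (a direct trust always applies, an indirect one only when every trust on the path is transitive), and the domain names and the `trusted_by` and `can_access` helpers are constructed for illustration.

```python
from collections import deque

# Constructed sample inventory: (trusting_domain, trusted_domain, transitive).
# A two-way trust is recorded as two one-way entries.
SAMPLE_TRUSTS = [
    ("res.example", "corp.example", True),       # one-way, transitive
    ("corp.example", "hq.example", True),        # two-way, transitive
    ("hq.example", "corp.example", True),
    ("hq.example", "legacy.example", False),     # one-way, nontransitive
    ("legacy.example", "partner.example", True), # one-way, transitive
]

def trusted_by(resource_domain, trusts):
    """Return the domains whose authentications resource_domain accepts.

    Assumed model: direct trust partners are always accepted; domains
    reached through another domain are accepted only if every trust on
    the path from resource_domain is transitive.
    """
    outgoing = {}
    for trusting, trusted, transitive in trusts:
        outgoing.setdefault(trusting, []).append((trusted, transitive))

    # Direct partners count whether or not the trust is transitive.
    accepted = {trusted for trusted, _ in outgoing.get(resource_domain, [])}

    # Breadth-first walk that follows transitive trusts only.
    seen = {resource_domain}
    queue = deque([resource_domain])
    while queue:
        current = queue.popleft()
        for trusted, transitive in outgoing.get(current, []):
            if transitive and trusted not in seen:
                seen.add(trusted)
                accepted.add(trusted)
                queue.append(trusted)

    accepted.discard(resource_domain)
    return accepted

def can_access(user_domain, resource_domain, trusts):
    """True if accounts in user_domain can authenticate to resource_domain."""
    return user_domain == resource_domain or user_domain in trusted_by(resource_domain, trusts)

if __name__ == "__main__":
    for domain in sorted({t[0] for t in SAMPLE_TRUSTS} | {t[1] for t in SAMPLE_TRUSTS}):
        print(domain, "accepts:", sorted(trusted_by(domain, SAMPLE_TRUSTS)))
```

In the sample, `res.example` accepts `hq.example` through the transitive chain, while `hq.example` does not accept `partner.example` because its trust with `legacy.example` is nontransitive.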