Domain Trusts (Guide)

Active Directory Trust Relationships 

  • Trusted  is now called “Outgoing” Trust (Microsoft Terminology)
  • Trusting is now called “Incoming” Trust

One-way trust

  •  One domain: allows access to resources on another domain.
  • One domain: does not allow access to resourses on the another domain
  • Domain1 “Outgoing” Trust to Domain 2 (Domain 2 is the “Trusted” Domain)
  • Domain 2 Users can access Domain1 (Domain1 does not have permissions in Domain 2)

Two-way trust (Creates 2 x One-way trusts)

  • Two domains: allows access to resources on each others domain.
  • Domain1 “Outgoing” & “Incoming” Trust Domain 2
  • Domain 1 Users can access Domain 2
  • Domain 2 Users can access Domain 1

Access to resources is subject to “Domain-wide Authentication” & “Selective Authentication”

Domain-wide Authentication

  • Windows will automatically authenticate users from the specifed domain for all resources in the local domain. This option is preferred when both domains belong to the same organisation.

Selective Authentication

  • Windows will not automatically authenticate users from the specified domain for any resources in the local domain. Grant individual access to each server that you want to make avilable to users in the specified domain. This option is preferred when both domains belong to the different organisation.
  • The domain that allows access to users from a trusted domain.

Trusted domain

  • The domain that is trusted; whose users have access to the trusting domain.

Transitive trust (Goes multiple hops in the domain)

  • A trust that can extend beyond two domains to other trusted domains in the forest.

 Nontransitive trust (Goes only one hop in the domain)

  • A one way trust that does not extend beyond two domains.

 Explicit trust

  • Trusts between domains outside the forest
  • A trust that an admin creates. It is not transitive and is one way only.

Cross-link trust

  • An explicit trust between domains in different trees or in the same tree when a descendant/ancestor (child/parent) relationship does not exist between the two domains.
External Trust
  • An external trust is a nontransitive trust between a domain and another domain outside the forest. A nontransitive trust is bounded by the domains in the relationship.
  • Connect to other forests or non-AD domains.
  •  Nontransitive
  • One-way or Two-way

Forest Trust

  • A forest trusts is a transitive trust between two forests that allows users in any of the domains in one frest to be authticated in any of the domains in the other forest.
  • Applies to the entire forest.
  • Transitive
  • One-way or Two-way

Shortcut Joins two domains in different trees

  • Transitive
  • One-way or Two-way


  • Nontransitive
  • One-way or Two-way
  • If connecting to an Kerberos V5 Realm

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.