
Trust transitivity: Active Directory

Trust transitivity
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Trust transitivity
Transitivity determines whether a trust can be extended outside of the two domains with which it was
formed. A transitive trust can be used to extend trust relationships with other domains and a
nontransitive trust can be used to deny trust relationships with other domains.

Transitive trusts
Each time you create a new domain in a forest, a two-way, transitive trust relationship is automatically created between the new domain and its parent domain. If child domains are added to the new domain, the trust path flows upward through the domain hierarchy, extending the initial trust path created between the new domain and its parent domain.
Transitive trust relationships flow upward through a domain tree as it is formed, creating transitive trusts between all domains in the domain tree.
Authentication requests follow these trust paths, so accounts from any domain in the forest can be
authenticated at any other domain in the forest. With a single logon process, accounts with the proper
permissions can access resources in any domain in the forest. For more information, see Authentication
protocols overview.

The diagram displays that all domains in the Domain A tree and all domains in the Domain 1 tree have
transitive trust relationships by default. As a result, users in the Domain A tree can access resources in
domains in the Domain 1 tree and users in the Domain 1 tree can access resources in the Domain A tree,
when the proper permissions are assigned at the resource.
In addition to the default transitive trusts established in a Windows Server 2003 forest, you can use the New Trust Wizard to manually create the following transitive trusts:
Shortcut trust. A transitive trust between two domains in the same domain tree or forest, used to shorten the trust path in a large and complex domain tree or forest.
Forest trust. A transitive trust between a forest root domain and a second forest root domain.

http://technet.microsoft.com/en-us/library/cc739693(d=printer,v=ws.10).aspx

9/13/2013

Realm trust. A transitive trust between an Active Directory domain and a Kerberos V5 realm. For more information about Kerberos V5 realms, see Kerberos V5 authentication.
For more information about trust types, see Trust types.

Nontransitive trust
A nontransitive trust is restricted by the two domains in the trust relationship and does not flow to any
other domains in the forest. A nontransitive trust can be a two-way trust or a one-way trust.
Nontransitive trusts are one-way by default, although you can also create a two-way relationship by
creating two one-way trusts. In summary, nontransitive domain trusts are the only form of trust
relationship possible between:
A Windows Server 2003 domain and a Windows NT domain
A Windows Server 2003 domain in one forest and a domain in another forest (when not joined by a forest trust)
Using the New Trust Wizard, you manually create the following nontransitive trusts:
External trust. A nontransitive trust created between a Windows Server 2003 domain and a Windows NT domain, or a Windows 2000 domain or Windows Server 2003 domain in another forest.
When you upgrade a Windows NT domain to a Windows Server 2003 domain, all existing Windows NT trusts are preserved intact. All trust relationships between Windows Server 2003 domains and Windows NT domains are nontransitive.
Realm trust. A nontransitive trust between an Active Directory domain and a Kerberos V5 realm. For more information about Kerberos V5 realms, see Kerberos V5 authentication.
For more information about trust types, see Trust types.
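The transitive and nontransitive behaviour described in the two sections above, as an added model that is not part of the original article or of any Microsoft tool. It builds a hypothetical forest (two domain trees, one one-way external trust to a Windows NT domain, an optional shortcut trust; all names are made up) and computes the trust path an authentication referral would follow, if any. Forest trusts to a second forest are deliberately not modelled.

```python
"""Trust-path model for Active Directory trust transitivity (constructed example,
not Microsoft code; domain names are made up). Edges run from the trusting
(resource) domain to the trusted (account) domain, the direction of a referral."""
from collections import deque

def add_trust(trusts, trusting, trusted, transitive, two_way=True):
    """Record a trust; a two-way trust is simply two one-way trusts."""
    trusts.setdefault(trusting, []).append((trusted, transitive))
    if two_way:
        trusts.setdefault(trusted, []).append((trusting, transitive))

def trust_path(trusts, resource_domain, account_domain):
    """Domains a referral passes from resource_domain to the account's domain, or
    None. A single hop may use any trust; a longer path may use only transitive
    trusts, since a nontransitive trust is restricted to the two domains that formed it."""
    if resource_domain == account_domain:
        return [resource_domain]
    for trusted, _ in trusts.get(resource_domain, []):
        if trusted == account_domain:
            return [resource_domain, account_domain]
    queue, seen = deque([[resource_domain]]), {resource_domain}
    while queue:
        path = queue.popleft()
        for trusted, transitive in trusts.get(path[-1], []):
            if not transitive or trusted in seen:
                continue  # a nontransitive trust never extends a multi-hop path
            seen.add(trusted)
            if trusted == account_domain:
                return path + [trusted]
            queue.append(path + [trusted])
    return None

def build_forest(shortcut=False):
    """Hypothetical forest with two domain trees; forest trusts are not modelled."""
    t = {}
    add_trust(t, "root.example", "hr.root.example", True)       # parent-child trusts
    add_trust(t, "hr.root.example", "eu.hr.root.example", True)
    add_trust(t, "root.example", "sales.example", True)         # second tree root
    add_trust(t, "sales.example", "mkt.sales.example", True)
    # One-way nontransitive external trust: hr resources trust a Windows NT domain.
    add_trust(t, "hr.root.example", "LEGACYNT", False, two_way=False)
    if shortcut:  # shortcut trust between two deep domains of different trees
        add_trust(t, "eu.hr.root.example", "mkt.sales.example", True)
    return t

if __name__ == "__main__":
    for shortcut in (False, True):
        print(shortcut, trust_path(build_forest(shortcut), "eu.hr.root.example", "mkt.sales.example"))
    print(trust_path(build_forest(), "root.example", "LEGACYNT"))  # None: no flow to parent
```

Without the shortcut, the referral from eu.hr.root.example to mkt.sales.example walks up one tree and down the other; with it, the path is two domains long. The external trust lets LEGACYNT accounts reach hr.root.example resources only, and never the reverse direction or any other domain in the forest.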

2013 Microsoft. All rights reserved.
