Understanding Trust Types

Applies To: Windows Server 2008

Trust Types

You can use the New Trust Wizard or the Netdom command-line tool to create four types of trusts: external trusts, realm trusts, forest trusts, and shortcut trusts. The following table describes these trust types.

| Trust type | Transitivity | Direction | Description |
| --- | --- | --- | --- |
| External | Nontransitive | One-way or two-way | Use external trusts to provide access to resources that are located on a Windows NT 4.0 domain or a domain that is located in a separate forest that is not joined by a forest trust. For more information, see Understanding When to Create an External Trust. |
| Realm | Transitive or nontransitive | One-way or two-way | Use realm trusts to form a trust relationship between a non-Windows Kerberos realm and a Windows Server 2008 domain. For more information, see Understanding When to Create a Realm Trust. |
| Forest | Transitive | One-way or two-way | Use forest trusts to share resources between forests. If a forest trust is a two-way trust, authentication requests that are made in either forest can reach the other forest. For more information, see Understanding When to Create a Forest Trust. |
| Shortcut | Transitive | One-way or two-way | Use shortcut trusts to improve user logon times between two domains within a Windows Server 2008 forest. This is useful when two domains are separated by two domain trees. For more information, see Understanding When to Create a Shortcut Trust. |
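
When you review existing trusts, each one can be matched to a row of the table above from the attributes stored on its trustedDomain object. The following Python code is an added example, not part of the original documentation: it assumes records exported with the trustPartner, trustType, trustDirection and trustAttributes attributes, uses the bit values defined for those attributes in the Active Directory schema, and the record layout, function names and sample domains are constructed for illustration. It also labels automatic parent-child trusts, which the table does not list.

```python
# Added example: classify exported trustedDomain records into the trust types
# in the table. Record layout and sample data are constructed assumptions.
TRUST_TYPE_MIT = 3             # trustType value for a non-Windows Kerberos realm
ATTR_NON_TRANSITIVE = 0x01     # trustAttributes bits
ATTR_FOREST_TRANSITIVE = 0x08
ATTR_WITHIN_FOREST = 0x20
DIRECTIONS = {0: "Disabled", 1: "One-way (incoming)",
              2: "One-way (outgoing)", 3: "Two-way"}


def is_parent_child(a, b):
    """True when one DNS name is the immediate child of the other."""
    a, b = a.lower(), b.lower()
    return a.partition(".")[2] == b or b.partition(".")[2] == a


def classify(local_domain, rec):
    """Return (trust type, transitivity, direction) for one exported record."""
    attrs = rec["trustAttributes"]
    direction = DIRECTIONS.get(rec["trustDirection"], "Unknown")
    if rec["trustType"] == TRUST_TYPE_MIT:
        trans = "Nontransitive" if attrs & ATTR_NON_TRANSITIVE else "Transitive"
        return ("Realm", trans, direction)
    if attrs & ATTR_FOREST_TRANSITIVE:
        return ("Forest", "Transitive", direction)
    if attrs & ATTR_WITHIN_FOREST:
        if is_parent_child(local_domain, rec["trustPartner"]):
            return ("Parent-child (automatic)", "Transitive", direction)
        # Telling shortcut from tree-root needs the forest layout, not just bits.
        return ("Shortcut or tree-root", "Transitive", direction)
    return ("External", "Nontransitive", direction)


def audit(local_domain, records):
    """Return (partner, type, transitivity, direction) for every record."""
    return [(r["trustPartner"],) + classify(local_domain, r) for r in records]


SAMPLE = [  # constructed records, as seen from corp.example.com
    {"trustPartner": "partner.test", "trustType": 2, "trustDirection": 2, "trustAttributes": 0x04},
    {"trustPartner": "UNIX.EXAMPLE.ORG", "trustType": 3, "trustDirection": 3, "trustAttributes": 0x01},
    {"trustPartner": "example.net", "trustType": 2, "trustDirection": 3, "trustAttributes": 0x08},
    {"trustPartner": "eu.sales.example.com", "trustType": 2, "trustDirection": 3, "trustAttributes": 0x20},
    {"trustPartner": "example.com", "trustType": 2, "trustDirection": 3, "trustAttributes": 0x20},
]

if __name__ == "__main__":
    for row in audit("corp.example.com", SAMPLE):
        print("%-22s %-26s %-14s %s" % row)
```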

When you create external trusts, shortcut trusts, realm trusts, or forest trusts, you have the option to create each side of the trust separately or both sides of a trust simultaneously.

If you choose to create each side of the trust separately, you must run the New Trust Wizard twice, once for each domain. When you create trusts using this method, you must supply the same trust password for each domain. As a security best practice, all trust passwords should be strong passwords. For more information, see Strong passwords (https://go.microsoft.com/fwlink/?LinkId=92697).

If you choose to create both sides of the trust simultaneously, you run the New Trust Wizard once. When you choose this option, a strong trust password is automatically generated for you. You must have the appropriate administrative credentials for the domains between which you are creating the trust.

For more information about trusts, see Understanding Trust Transitivity and Understanding Trust Direction.

Additional references