Understanding When to Create an External Trust
Applies To: Windows Server 2008
When to create an external trust
You can create an external trust to form a one-way or two-way, nontransitive trust with domains that are outside your forest. External trusts are sometimes necessary when users need access to resources in a Windows NT 4.0 domain or in a domain that is located in a separate forest that is not joined by a forest trust, as shown in the following illustration.
.gif)
When you establish a trust between a domain in a particular forest and a domain outside that forest, security principals from the external domain can access resources in the internal domain. Active Directory Domain Services (AD DS) creates a foreign security principal object in the internal domain to represent each security principal from the trusted external domain. These foreign security principals can become members of domain local groups in the internal domain. Domain local groups can have members from domains outside the forest.
Directory objects for foreign security principals are created by AD DS, and they should not be modified manually. You can view foreign security principal objects in the Active Directory Users and Computers snap-in by enabling advanced features. (On the View menu, click Advanced Features.)
For more information about how to create an external trust, see Create an External Trust.