What are trust relationships?
Source: MS Article
AD DS trusts enable access to resources in a complex AD DS environment. When you deploy a single domain, you can easily grant access to resources within the domain to users and groups from the domain. When you implement multiple domains or forests, you should ensure that the appropriate trusts are in place to enable the same access to resources.
In a multiple-domain AD DS forest, two-way transitive trust relationships are generated automatically between AD DS domains so that a path of trust exists between all the AD DS domains.
You can deploy other types of trusts. The following table describes the main trust types.
Trust type | Transitivity | Direction | Description |
---|---|---|---|
Parent and child | Transitive | Two-way | When you add a new AD DS domain to an existing AD DS tree, you create new parent and child trusts. |
Tree-root | Transitive | Two-way | When you create a new AD DS tree in an existing AD DS forest, you automatically create a new tree-root trust. |
External | Nontransitive | One-way or two-way | External trusts enable resource access with a Windows NT 4.0 domain or an AD DS domain in another forest. You also can set these up to provide a framework for a migration. |
Realm | Transitive or nontransitive | One-way or two-way | Realm trusts establish an authentication path between a Windows Server AD DS domain and a Kerberos version 5 (v5) protocol realm that is implemented by using a directory service other than AD DS. |
Forest (complete or selective) | Transitive | One-way or two-way | Trusts between AD DS forests allow two forests to share resources. |
Shortcut | Nontransitive | One-way or two-way | Configure shortcut trusts to reduce the time taken to authenticate between AD DS domains that are in different parts of an AD DS forest. No shortcut trusts exist by default, and an administrator must create them if they are required. |
When you set up trusts between domains within the same forest, across forests, or with an external realm, Windows Server creates a trusted domain object to store the trusts’ information, such as transitivity and type, in AD DS. Windows Server stores this trusted domain object in the System container in AD DS.
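The table and the trusted domain object described above can be tied together in practice: each trustedDomain object in the System container carries trustDirection, trustType and trustAttributes values that encode exactly the type, transitivity and direction columns. The following PowerShell is an added example, not code from the Microsoft article; it assumes the ActiveDirectory module for the live query, uses the documented flag values from MS-ADTS, and runs offline against constructed sample objects. Beyond the table, it also surfaces the trust settings a defender reviews first (SID filtering and selective authentication on external and forest trusts).

```powershell
# Added example: classify trustedDomain objects the way the table above does
# (type, transitivity, direction) and flag settings worth reviewing.
# Not part of the Microsoft article. Bit values are the documented
# trustDirection / trustType / trustAttributes flags from MS-ADTS.

# trustAttributes flags
$TA_NON_TRANSITIVE    = 0x01
$TA_QUARANTINED       = 0x04   # SID filtering ("quarantine") on external trusts
$TA_FOREST_TRANSITIVE = 0x08
$TA_CROSS_ORG         = 0x10   # selective authentication
$TA_WITHIN_FOREST     = 0x20
$TA_TREAT_AS_EXTERNAL = 0x40   # forest trust with relaxed SID filtering

function Test-Flag {
    param([int]$Value, [int]$Flag)
    return (($Value -band $Flag) -ne 0)
}

function ConvertTo-TrustSummary {
    # $Trust must expose trustPartner, trustDirection, trustType and
    # trustAttributes, i.e. the attributes of a trustedDomain object in CN=System.
    param([Parameter(Mandatory)] $Trust)

    $attr = [int]$Trust.trustAttributes

    $direction = switch ([int]$Trust.trustDirection) {
        1       { 'One-way (inbound)' }
        2       { 'One-way (outbound)' }
        3       { 'Two-way' }
        default { 'Disabled' }
    }

    if     (Test-Flag $attr $TA_WITHIN_FOREST)     { $type = 'Intra-forest (parent-child, tree-root or shortcut)' }
    elseif (Test-Flag $attr $TA_FOREST_TRANSITIVE) { $type = 'Forest' }
    elseif ([int]$Trust.trustType -eq 3)           { $type = 'Realm' }
    elseif ([int]$Trust.trustType -eq 1)           { $type = 'External (downlevel / NT 4.0)' }
    else                                           { $type = 'External' }

    # External trusts are nontransitive by definition; the others follow the flag.
    if ($type -like 'External*') { $transitivity = 'Nontransitive' }
    elseif (Test-Flag $attr $TA_NON_TRANSITIVE) { $transitivity = 'Nontransitive' }
    else { $transitivity = 'Transitive' }

    # Settings a defender reviews on trusts that cross a forest boundary.
    $findings = @()
    if ($type -like 'External*' -and -not (Test-Flag $attr $TA_QUARANTINED)) {
        $findings += 'SID filtering disabled on external trust'
    }
    if ($type -eq 'Forest' -and (Test-Flag $attr $TA_TREAT_AS_EXTERNAL)) {
        $findings += 'Forest trust treated as external (relaxed SID filtering)'
    }
    if ($type -eq 'Forest' -and -not (Test-Flag $attr $TA_CROSS_ORG)) {
        $findings += 'Forest-wide authentication (selective authentication off)'
    }

    [pscustomobject]@{
        Partner      = $Trust.trustPartner
        Type         = $type
        Transitivity = $transitivity
        Direction    = $direction
        Findings     = ($findings -join '; ')
    }
}

function Get-TrustedDomainObjects {
    # Live query: read the trustedDomain objects from the System container of
    # the current domain (requires the ActiveDirectory module).
    Import-Module ActiveDirectory -ErrorAction Stop
    $base = "CN=System,$((Get-ADDomain).DistinguishedName)"
    Get-ADObject -LDAPFilter '(objectClass=trustedDomain)' -SearchBase $base `
        -Properties trustPartner, trustDirection, trustType, trustAttributes
}

# Constructed sample objects (placeholder names, no domain needed) so the
# decoder can be run offline.
$sample = @(
    [pscustomobject]@{ trustPartner = 'child.corp.example'; trustDirection = 3; trustType = 2; trustAttributes = 0x20 }
    [pscustomobject]@{ trustPartner = 'partner.example';    trustDirection = 3; trustType = 2; trustAttributes = 0x08 }
    [pscustomobject]@{ trustPartner = 'legacy.example';     trustDirection = 1; trustType = 2; trustAttributes = 0x00 }
    [pscustomobject]@{ trustPartner = 'MIT.REALM.EXAMPLE';  trustDirection = 2; trustType = 3; trustAttributes = 0x01 }
)

$sample | ForEach-Object { ConvertTo-TrustSummary $_ } | Format-Table -AutoSize

# Against a real domain, feed the live objects through the same decoder:
# Get-TrustedDomainObjects | ForEach-Object { ConvertTo-TrustSummary $_ } | Format-Table -AutoSize
```

The sample rows map onto the table: the 0x20 entry is an intra-forest trust (two-way, transitive), the 0x08 entry a forest trust with forest-wide authentication, the 0x00 entry an external trust without the quarantine bit, and the trustType 3 entry a nontransitive realm trust. Reading the raw attributes rather than relying on a single cmdlet is useful because the same decoding applies to an LDAP export or an offline copy of the directory.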