When a trust exists between two Active Directory forests, the authentication mechanisms for each forest trust the authentications that come from the other forest. Trusts help to control access to shared resources in a resource domain (the trusting domain) by verifying that incoming authentication requests come from a trusted authority (the trusted domain). Trusts between forests can be external trusts or forest trusts. External trusts can exist with Windows 2000 Server or Windows Server 2003 domains, regardless of their functional level, and they use NTLM authentication. Forest trusts can exist with forests that operate at the Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2 forest functional level. These trusts use Kerberos authentication.
Creating a trust
The following table lists the steps that you can take to create a trust for sharing resources with other forests. The trust can be either one-way or two-way, and it can be either incoming or outgoing.
Step | Reference | |
---|---|---|
|
Review information, including any known issues, about creating domain and forest trusts. |
Creating Domain and Forest Trusts (http://go.microsoft.com/fwlink/?LinkId=93232) |
|
As necessary, complete the steps for creating an external trust. |
Creating External Trusts (http://go.microsoft.com/fwlink/?LinkId=93233) |
|
As necessary, complete the steps for creating a forest trust. |
Creating Forest Trusts (http://go.microsoft.com/fwlink/?LinkId=93235) |