Understanding When to Create a Forest Trust

When to create a forest trust

You can create a forest trust only between a forest root domain in one Windows Server 2008 or Windows Server 2008 R2 forest and a forest root domain in another Windows Server 2008 or Windows Server 2008 R2 forest. Creating a forest trust between two Windows Server 2008 or Windows Server 2008 R2 forests provides a one-way or two-way, transitive trust relationship between every domain that resides within each forest. Forest trusts are useful for application service providers, organizations undergoing mergers or acquisitions, collaborative business extranets, and organizations seeking a solution for administrative autonomy.

For more information about creating forest trusts, see Create a Forest Trust.

Using one-way, forest trusts

A one-way, forest trust between two forests allows members of the trusted forest to use resources that are located in the trusting forest. However, the trust operates in only one direction. For example, when a one-way, forest trust is created between forest A (the trusted forest) and forest B (the trusting forest), members of forest A can access resources that are located in forest B, but members of forest B cannot access resources that are located in forest A, using the same trust.

Using two-way, forest trusts

A two-way, forest trust between two forests allows members from either forest to use resources that are located in the other forest, and domains in each respective forest trust domains in the other forest implicitly. For example, when a two-way, forest trust is established between forest A and forest B, members of forest A can access resources that are located in forest B, and members of forest B can access resources in forest A, using the same trust.

Additional references