A trust is a relationship, which you establish between domains, that makes it possible for users in one domain to be authenticated by a domain controller in the other domain.

Trusts in Windows NT

In the Windows NT 4.0 operating system, trusts are limited to two domains, and the trust relationship is nontransitive and one-way. In the following illustration, the nontransitive, one-way trust is shown by the straight arrow pointing to the trusted domain.

Direction of trust path

Trusts in Windows 2000 Server, Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 operating systems

All trusts in Windows 2000 Server, Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 forests are transitive, two-way trusts. Therefore, both domains in a trust relationship are trusted. As shown in the following illustration, this means that if Domain A trusts Domain B and Domain B trusts Domain C, users from Domain C can access resources in Domain A (when they are assigned the proper permissions). Only members of the Domain Admins group can manage trust relationships.

Transitive trusts in a domain tree

Trust protocols

A domain controller running Windows Server 2008 or Windows Server 2008 R2 authenticates users and applications using one of two protocols: the Kerberos version 5 (V5) protocol or NTLM. The Kerberos V5 protocol is the default protocol for computers running Windows 2000, Windows XP Professional, Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2. If any computer in a transaction does not support the Kerberos V5 protocol, the NTLM protocol is used.

With the Kerberos V5 protocol, the client requests a ticket from a domain controller in its account domain to the server in the trusting domain. This ticket is issued by an intermediary that is trusted by the client and the server. The client presents this trusted ticket to the server in the trusting domain for authentication. For more information, see Kerberos V5 authentication (

When a client tries to access resources on a server in another domain using NTLM authentication, the server that contains the resource must contact a domain controller in the client account domain to verify the account credentials.

Trusted domain objects

Trusted domain objects (TDOs) are objects that represent each trust relationship within a particular domain. Each time that a trust is established, a unique TDO is created and stored in its domain (in the System container). Attributes such as trust transitivity, type, and the reciprocal domain names are represented in the TDO.

Forest trust TDOs store additional attributes to identify all the trusted namespaces from its partner forest. These attributes include domain tree names, user principal name (UPN) suffixes, service principal name (SPN) suffixes, and security identifier (SID) namespaces.

For more information about domain trusts, see Trust Technologies ( For more information about trust relationships, see Designing a Resource Authorization Strategy (

Additional references