Windows 2003 Trusts

Posted on 2011-05-09
Medium Priority
Last Modified: 2012-05-11
Hi Experts,

Having difficulty finding a definitive answer to this question on MS tech sites.

Let's say I have three separate Windows 2003 forests and we'll call them ForestA, ForestB and ForestC. ForestA has a one-way external trust with ForestB. ForestB has a fully transitive two-way forest trust with ForestC.

I know ForestB is aware of both ForestA and ForestC, but what I need to know is whether ForestC is aware of ForestA in this scenario.

Any advice on this would be greatly appreciated.
Question by:MACNoel

Accepted Solution

nipponsoul earned 1600 total points
ID: 35718744

Forest trusts can only be created between two forests and cannot be implicitly extended to a third forest. This means that if a forest trust is created between forest 1 and forest 2, and a forest trust is also created between forest 2 and forest 3, forest 1 will not have an implicit trust with forest 3.

And keep in mind that one-way relationships are non-transitive :)

I hope this clarifies your question.
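The rule in the accepted answer is easy to state and easy to get wrong once child domains and one-way trusts are mixed in, so here is an added worked example (not part of the original thread) that applies it at domain granularity. It models the asker's topology and reports, for accounts in a given domain, which domains they can authenticate to. The trust records are constructed to mirror the properties `Get-ADTrust` returns; the domain names, and the choice that the one-way external trust points from ForestA to ForestB, are assumptions.

```powershell
# Added example, not from the original thread. Models the three-forest scenario
# at domain granularity under the rules from the accepted answer: parent/child
# (intra-forest) trusts chain freely, a forest trust is transitive between the
# two forests it joins but never chains on to a third forest, and an external
# trust is a single, non-transitive hop between two specific domains.
#
# The $trusts records are CONSTRUCTED to mirror the properties Get-ADTrust
# returns (Source, Target, Direction, ForestTransitive, IntraForest). On a live
# forest, collect them from a DC in each forest instead, e.g.
#   Get-ADTrust -Filter * -Server dc1.b.example |
#       Select-Object Source,Target,Direction,ForestTransitive,IntraForest
# (Get-ADTrust needs the ActiveDirectory module and ADWS on the DC; a Windows
# 2003 DC needs the Active Directory Management Gateway Service for that, or
# run `nltest /domain_trusts /all_trusts` and transcribe its output.)
# All domain names below are hypothetical.

$trusts = @(
    # ForestA -> ForestB: one-way external trust. Direction is read from the
    # Source side: 'Outbound' means Source trusts Target, so accounts from
    # b.example can be granted access in a.example, never the reverse.
    [pscustomobject]@{ Source='a.example'; Target='b.example';     Direction='Outbound';      ForestTransitive=$false; IntraForest=$false }
    # a child domain inside ForestB (parent/child: two-way and transitive)
    [pscustomobject]@{ Source='b.example'; Target='sub.b.example'; Direction='Bidirectional'; ForestTransitive=$false; IntraForest=$true  }
    # ForestB <-> ForestC: two-way forest trust
    [pscustomobject]@{ Source='b.example'; Target='c.example';     Direction='Bidirectional'; ForestTransitive=$true;  IntraForest=$false }
    # a child domain inside ForestC
    [pscustomobject]@{ Source='c.example'; Target='sub.c.example'; Direction='Bidirectional'; ForestTransitive=$false; IntraForest=$true  }
)

function Get-TrustEdges {
    # Turns trust records into directed edges Trusting -> Trusted, i.e.
    # "accounts from Trusted may authenticate to Trusting".
    param([Parameter(Mandatory)][object[]]$Trusts)
    foreach ($t in $Trusts) {
        $kind = if ($t.IntraForest) { 'Intra' } elseif ($t.ForestTransitive) { 'Forest' } else { 'External' }
        if ($t.Direction -in 'Outbound','Bidirectional') {
            [pscustomobject]@{ Trusting=$t.Source; Trusted=$t.Target; Kind=$kind }
        }
        if ($t.Direction -in 'Inbound','Bidirectional') {
            [pscustomobject]@{ Trusting=$t.Target; Trusted=$t.Source; Kind=$kind }
        }
    }
}

function Get-ReachableDomains {
    # Breadth-first walk from the account's own domain. State = (domain, number
    # of forest-trust hops already used). Rules enforced per hop:
    #   Intra    - unlimited, keeps chaining
    #   Forest   - at most one per chain (no trust through a third forest)
    #   External - only directly from the account's own domain, and terminal
    param([Parameter(Mandatory)][string]$UserDomain,
          [Parameter(Mandatory)][object[]]$Trusts)
    $edges   = @(Get-TrustEdges -Trusts $Trusts)
    $reached = @{}
    $seen    = @{ "$UserDomain|0" = $true }
    $queue   = New-Object System.Collections.Queue
    $queue.Enqueue(@{ Domain = $UserDomain; ForestHops = 0 })
    while ($queue.Count -gt 0) {
        $cur = $queue.Dequeue()
        foreach ($e in ($edges | Where-Object { $_.Trusted -eq $cur.Domain })) {
            $hops = $cur.ForestHops
            if ($e.Kind -eq 'External') {
                # non-transitive: covers exactly the two domains named in the trust
                if ($cur.Domain -eq $UserDomain) { $reached[$e.Trusting] = $true }
                continue
            }
            if ($e.Kind -eq 'Forest') {
                if ($hops -ge 1) { continue }   # would extend into a third forest
                $hops++
            }
            $reached[$e.Trusting] = $true
            $key = "$($e.Trusting)|$hops"
            if (-not $seen.ContainsKey($key)) {
                $seen[$key] = $true
                $queue.Enqueue(@{ Domain = $e.Trusting; ForestHops = $hops })
            }
        }
    }
    return ($reached.Keys | Where-Object { $_ -ne $UserDomain } | Sort-Object)
}

foreach ($d in 'a.example','b.example','sub.b.example','c.example') {
    $r = @(Get-ReachableDomains -UserDomain $d -Trusts $trusts)
    $list = if ($r.Count) { $r -join ', ' } else { '(nothing)' }
    "Accounts from $d can authenticate to: $list"
}
```

Run as written, the walk reaches every domain in ForestB and ForestC from c.example but never a.example, which is the asker's question answered in the negative. It also shows a second point the thread only touches on: because the external trust is between a.example and b.example specifically, accounts from sub.b.example cannot use it either, so even inside ForestB only the one domain named in the external trust gets to ForestA.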

Author Comment

ID: 35718800
Hi Nipponsoul.

Many thanks for the advice. What you have said makes perfect sense. So am I right in saying then that if a domain in Forest 1 has an external trust with a domain in Forest 2, then Forest 1 will not have an implicit trust of any kind with Forest 3 or a domain in Forest 3?

Our goal in all this is to keep Forest 1 and Forest 3 apart, and so a two-way forest trust between Forest 1 and Forest 2 and then another two-way forest trust between Forest 2 and Forest 3 would achieve this. This is my preferred option, but a security risk has arisen and we have been asked to consider an external trust between domains in Forest 1 and Forest 2, hence my question.

Assisted Solution

by:Leon Fester
Leon Fester earned 400 total points
ID: 35718804
Trusts are explicit and non-transitive, except in a parent/child relationship.
As mentioned above, in your scenario, Forest C may be aware of Forest A due to DNS name resolution, but Forest C will never be aware of Forest A in a security context. Any attempts to access Forest A from Forest C will result in the users being prompted with an authentication request.

Expert Comment

ID: 35718838
Exactly as dvt described, MACNoel: the only awareness is at the DNS level, but as far as authentication and permissions are concerned, users will be prompted.

You will need to create a 3rd trust between A and C if you want users to have access to resources.

