Two domains must be linked via a connection called a trust in order to allow resources in one domain to be made available to users in the other. Trusts may be one-way or two-way (see Figure 3.1), and nontransitive (see Figure 3.2) or transitive (see Figure 3.3).
Figure 3.1 One-way and two-way trusts.
Figure 3.2 Nontransitive trusts.
Figure 3.3 Transitive trusts.
Trusts in Windows NT domains were configured as separate one-way, nontransitive trusts. This means that if Domain A is established as trusting Domain B, then users within Domain B may be granted access to resources located in Domain A (see Figure 3.4).
Figure 3.4 One-way trust relationship.
In order to provide two-way access for users and resources, two one-way trusts had to be configured, one providing a trust for resources in Domain A to users in Domain B and the other providing trust for resources in Domain B to users in Domain A.
Windows NT trusts are one-way and nontransitive, while Windows 2000 trusts are transitive and two-way by default. Windows 2000 trusts may be restricted to one-way nontransitive trusts.
By default, Windows 2000 creates two-way transitive trusts, allowing for users within any domain within a forest to be granted access to resources located within any other domain within the forest. In modern large-scale deployment scenarios, this is obviously much easier to maintain.
Figure 3.5 contrasts the differences in trust requirements in order to allow five domains to share full trust between Windows NT and Windows 2000.
Figure 3.5 Comparison between Windows NT and Windows 2000 full trust within five domains.
Obviously, using Windows NT in larger enterprise deployments would magnify these issues significantly, adding management overhead and potential for access denial due to resource placement within the domain web. The use of two-way transitive trusts within the Windows 2000 Active Directory can turn a trust nightmare into a simple, easy, centralized administration issue.