Directory Services: Design, Implementation, and Management

Windows NT 4.0 links domains together through trust relationships. The collection of Windows NT 4.0 domains that are linked together forms the enterprise Windows NT 4.0 infrastructure. Domains can also be linked together in Windows 2000, in this case to form the enterprise namespace. The link set by a trust relationship in Windows NT 4.0, however, establishes a very loose connection between the participating domains. Connecting Windows 2000 domains together within an enterprise namespace forms a far more coherent and well-connected infrastructure.
Trust relationships link Windows NT 4.0 domains together. Trusts allow users in trusted domains to access resources in the trusting domain. In Windows NT 4.0, trust relationships must be explicitly defined. There are a number of limitations that must be considered when setting up trust relationships in large enterprise deployments.
Trust relationships also exist in Windows 2000, but the trusts take on a very different nature because they are based on Kerberos and can be transitive. Trust relationships are transitive and use Kerberos only within the same forest. Administrators can also create explicit trusts within a forest; these are called shortcut trusts and are transitive. Trusts created between Windows 2000 forests are not transitive, since they are based on the NTLM protocol; however, trusts created with non-Windows 2000 Kerberos realms can be transitive.
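The following simplified model is an added example, not taken from the book. It shows how transitivity changes which domains end up trusted: transitive trusts chain, while a non-transitive trust applies only to the two domains it directly links. All domain names and the functions `direct_trusts`, `trusted_by` and `implicit_trusts` are constructed for the illustration.

```python
from collections import deque

# Each trust: (trusting_domain, trusted_domain, transitive).
# Users in the trusted domain can access resources in the trusting domain.
# All domain names below are constructed for this example.
WIN2000_TRUSTS = [
    # Two-way transitive Kerberos trusts inside one forest.
    ("corp.example", "us.corp.example", True),
    ("us.corp.example", "corp.example", True),
    ("us.corp.example", "sales.us.corp.example", True),
    ("sales.us.corp.example", "us.corp.example", True),
    # One-way, non-transitive trust to a domain in another forest.
    ("us.corp.example", "partner.example", False),
]
# Windows NT 4.0: every trust is explicit, one-way and non-transitive.
NT4_TRUSTS = [("RESOURCES", "ACCOUNTS", False), ("ACCOUNTS", "HQ", False)]


def direct_trusts(trusts, trusting_domain):
    """Domains that trusting_domain trusts through an explicitly defined link."""
    return {trusted for trusting, trusted, _ in trusts if trusting == trusting_domain}


def trusted_by(trusts, trusting_domain):
    """All domains whose users can reach resources in trusting_domain."""
    # A non-transitive trust counts only as a single direct hop.
    reachable = direct_trusts(trusts, trusting_domain)
    # Transitive trusts chain, so walk transitive links breadth-first.
    seen, queue = {trusting_domain}, deque([trusting_domain])
    while queue:
        current = queue.popleft()
        for trusting, trusted, transitive in trusts:
            if trusting == current and transitive and trusted not in seen:
                seen.add(trusted)
                queue.append(trusted)
    return reachable | (seen - {trusting_domain})


def implicit_trusts(trusts, trusting_domain):
    """Trusts that exist only because of transitivity (never explicitly defined)."""
    return trusted_by(trusts, trusting_domain) - direct_trusts(trusts, trusting_domain)


if __name__ == "__main__":
    for name, trusts in (("Windows 2000", WIN2000_TRUSTS), ("Windows NT 4.0", NT4_TRUSTS)):
        for domain in sorted({t[0] for t in trusts}):
            print(name, domain, "trusts", sorted(trusted_by(trusts, domain)),
                  "implicit:", sorted(implicit_trusts(trusts, domain)))
```

The `implicit_trusts` result is the part worth reviewing when auditing access: it lists domains that gained access without anyone defining a trust to them directly.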
Trees are hierarchies of domains linked by trust relationships. Each tree shares a contiguous namespace. Figure 1.5 illustrates a tree formed by the Compaq, U.S., and Sales