Transitive Trust

Each time that you create a new domain in a forest, a two-way, transitive trust relationship is automatically created between the new domain and its parent domain. If child domains are added to the new domain, the trust path flows upward through the domain hierarchy, extending the initial trust path that is created between the new domain and its parent domain.

Transitive trust relationships flow upward through a domain tree as it is formed, creating transitive trusts between all domains in the domain tree.

Authentication requests follow these trust paths. Therefore, accounts from any domain in the forest can be authenticated at any other domain in the forest. With a single logon process, accounts with the proper permissions can access resources in any domain in the forest.

In addition to the default transitive trusts that are established in an Active Directory forest, by using the New Trust Wizard you can manually create the following transitive trusts:

• Shortcut trust : A transitive trust between a domain in the same domain tree or forest that shortens the trust path in a large and complex domain tree or forest.
  
• Forest trust : A transitive trust between a forest root domain and a second forest root domain.
  
• Realm trust : A transitive trust between an Active Directory domain and a Kerberos V5 realm. For more information about Kerberos V5 realms, see Kerberos V5 authentication (http://go.microsoft.com/fwlink/?LinkId=92699).
  

The following illustration shows a two-way, transitive trust relationship between the Domain A tree and the Domain 1 tree. All domains in the Domain A tree and all domains in the Domain 1 tree have transitive trust relationships by default. As a result, users in the Domain A tree can access resources in domains in the Domain 1 tree, and users in the Domain 1 tree can access resources in the Domain A tree when the proper permissions are assigned at the resource.

For more information about trust types, see Understanding Trust Types.