A trust relationship is a secure communication channel between two domains in Microsoft Windows NT or Windows 2000.
Trust relationships allow users in one domain to access resources in another domain. Trusts work by having one domain trust the authority of the other domain to authenticate its user accounts.
In Windows NT, trusts are one-way: the trusting domain (or resource domain) trusts the trusted domain (or accounts domain). This means that global users in the trusted domain can be authenticated for accessing resources in the trusting domain. Global users from the trusted domain can log on to any computer in either domain and can access resources in either domain if they have the appropriate permissions.
If you want to establish a two-way trust between two domains, you must create two trusts, one in each direction. Administrators can set up trust relationships between domains by using the Policies menu in User Manager for Domains. The administrator on the accounts domain should permit the trust first, and then the administrator on the resource domain should complete the trust. Only global accounts (global users and global groups) can cross trusts.
Windows NT trusts are nontransitive. In other words, if domain A trusts domain B and domain B trusts domain C, it does not follow that domain A trusts domain C.
By using trusts, you can join Windows NT domains into a variety of domain models, including the complete trust model, the master domain model, and the multiple master domain model. You can join domains to support 100,000 or more users for enterprise-level networks.
Graphic T-10. Trust relationship.
In Windows 2000, trusts are always two-way. If domain A trusts domain B, users in either domain can access resources in the other domain if they have the appropriate permissions. Windows 2000 trusts are also transitive. In other words, if domain A trusts domain B and domain B trusts domain C, domain A also trusts domain C.
Windows 2000 trusts are much easier to manage than Windows NT trusts, primarily because there are far fewer trusts to manage. Windows 2000 domains are combined into hierarchical structures called domain trees. All users in a domain tree can access resources in any domain of the tree if they have suitable permissions. In Windows 2000, you can also use another type of trust called an explicit trust, which is a one-way trust similar to that implemented in Windows NT, to form a trust relationship between two domain forests.
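The practical difference between the two models shows up when you compute, for a given resource domain, which domains' accounts can be authenticated there, and how many trusts must be maintained. The following Python is an added example, not part of the original entry; the function names and the sample domains A, B and C are assumptions, explicit one-way trusts are not modeled, and the trust counts assume a complete trust model for Windows NT and a single domain tree for Windows 2000.

```python
from collections import deque

def nt_reach(trusts, resource_domain):
    """Windows NT semantics: one-way, nontransitive.
    trusts is a set of (trusting, trusted) pairs. Returns the domains whose
    global accounts can be authenticated in resource_domain."""
    return {trusted for trusting, trusted in trusts if trusting == resource_domain}

def w2k_reach(trusts, resource_domain):
    """Windows 2000 semantics: each trust is two-way and transitive, so every
    domain connected to resource_domain by any chain of trusts is included."""
    neighbours = {}
    for a, b in trusts:
        neighbours.setdefault(a, set()).add(b)
        neighbours.setdefault(b, set()).add(a)
    seen, queue = {resource_domain}, deque([resource_domain])
    while queue:
        for nxt in neighbours.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen - {resource_domain}

def trusts_needed_nt_complete(n):
    """Complete trust model: every pair of domains needs a trust in each direction."""
    return n * (n - 1)

def trusts_needed_w2k_tree(n):
    """Domain tree: one two-way transitive trust per parent-child link."""
    return n - 1

# Constructed sample: A trusts B, and B trusts C (the case described in the text).
SAMPLE = {("A", "B"), ("B", "C")}

if __name__ == "__main__":
    for dom in "ABC":
        print(dom, "NT:", sorted(nt_reach(SAMPLE, dom)),
              "W2K:", sorted(w2k_reach(SAMPLE, dom)))
    print("10 domains:", trusts_needed_nt_complete(10), "NT trusts vs",
          trusts_needed_w2k_tree(10), "Windows 2000 tree trusts")
```

Running the same trust list through both functions is a quick way to review how far authentication reaches once nontransitive Windows NT trusts are replaced by transitive Windows 2000 trusts.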
Windows 2000 trusts are managed by Active Directory and are based on the Kerberos v5 security protocol.
If you are unable to establish a trust relationship between two domains, make sure that no sessions are open between the two primary domain controllers (PDCs) and that they are using common transport protocols.