Domain and Forest Trusts

Windows Active Directory Domain Services (AD DS) is a leading identity management solution for organizations of all sizes. An AD DS deployment can be as simple as a single domain controller or as complex as a multi-domain forest spread across the globe. Managing sites, domains, and forests in an AD DS environment is critical to a healthy and reliable Active Directory infrastructure. This course is intended to provide the information needed to successfully manage Windows AD sites, domains, forests, trust relationships, and replication.

In this course, we start by reviewing AD DS forest and domain trusts. Then we examine forest design considerations to create a scalable environment that can meet future demands. Next, we investigate Active Directory sites, site links, and how they relate to the organization's network configuration. Finally, we evaluate AD DS replication and how site links can optimize replication in an AD DS environment.

Learning Objectives

  • Windows AD domains, forests, and trust relationships
  • Windows AD forests and domain design considerations
  • Creating a two-way forest trust
  • Active Directory sites and site topology
  • Creating an Active Directory site
  • Windows AD sites and replication
  • Creating Active Directory site links

Intended Audience

  • System administrators with responsibilities for managing hybrid identities
  • Subject matter experts in configuring and managing Active Directory workload on-premises and in Azure
  • Anyone preparing for the Azure AZ-800: Administering Windows Server Hybrid Core Infrastructure exam

Welcome to the first lecture, where we review Active Directory Domain and Forest Trusts. Active Directory can be as simple as a single domain with a handful of users or as complex as a multi-domain forest distributed around the world and managing thousands of identities. The scalability of Active Directory is what made it the default identity solution for most organizations. An Active Directory domain holds a partition of a directory. The first domain deployed is referred to as the forest root domain. This domain contains the Enterprise Admins and Schema Admins groups, groups that have rights to manage forest-wide services. A forest is a collection of domains that share a common logical structure.

Each domain in the forest holds a partition of the directory. Because they're in the same forest, all domains in a forest share a namespace and schema. Domains in a forest also share a namespace with the forest root domain and all other domains in the forest. That namespace corresponds to the directory partition. For example, if is the forest root domain, other domains in the forest may be and . Under that, the domains could be represented by business units such as , , , and . Each domain is an administrative boundary and contains users, computer accounts, groups, and other security principals. When each domain is added to the forest, a new two-way transitive trust is formed between the new domain and the parent domain.

A trust connects two domains or forests to allow authentication between them. A trust defines the relationship between domains. There are a few different types of trusts available in Windows Active Directory. An implicit trust is a trust created between a parent and child domain in the forest. The implicit trust is formed automatically when a domain is added to the forest. There are transitive trusts, meaning if domain A trusts domain B and domain B trusts domain C, then domain A also trusts domain C. There are also non-transitive trusts. In this example, domain A trusts domain B and domain B trusts domain C, but because the trust is non-transitive, domain A does not trust domain C.

Trusts can be in one direction with a one-way trust or in two directions with a two-way trust. In the example of the forest we used earlier, each domain in the forest has a two-way trust, meaning the trust is in both directions. The trusts are also transitive trusts, meaning all domains in the forest trust each other. This trust relationship is implicit. It's created when a domain controller is added to the forest. In this example, a user from the domain can log into the domain. Although the user is a member of a different domain, the transitive trust means that the marketing domain trusts the research domain and will allow the login.

The authentication request follows a trust path between the domains in the forest. In a complex forest, the trust path can be long and delay authentication requests. If research frequently works with marketing in the previous example, we could use a shortcut trust to bridge the two domains, shortening the trust path between them when processing logins. Trusts are not limited to domains in a forest. Multiple forests can trust each other with a two-way forest trust. With this option, users from both forests can access resources in the other. This could be used in instances of mergers and acquisitions where two distinct forests must share resources. A forest trust is created between two forest root domains and is transitive.

The forest trust relationship follows the trust path. There's also an option for a one-way forest trust. With a one-way trust, there is a trusted forest and a trusting forest. For example, if forest 1 is the trusted forest and forest 2 is the trusting forest, users from forest 1 can access resources in forest 2, but users from forest 2 cannot access resources in forest 1. In this scenario, forest 2 trusts forest 1. This type of trust may be helpful with service providers that need to access resources in a customer's forest, while the customer does not need to access resources in the provider's forest. Another option for trusts external to the forest is an external trust. An external trust is a one-way or two-way non-transitive trust with another domain.

Being non-transitive, the scope of the trust is limited to a single domain. External trusts were used frequently between Windows Active Directory and Windows NT4 domains. Windows NT4 is the predecessor to Windows Active Directory. Most of those are gone and not really a factor anymore. Another use case could be when part of a company is separated from the parent company. Take, for example, a forest with an aerospace domain and a mining domain. If one of the business units is sold or spun off, mining in this example, an external trust could be used to facilitate a migration. Because the trust is non-transitive, the trust relationship would not extend to the other domains in the forest.
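To make the rules above concrete, here is an added example (not part of the course material) that models a forest as a directed trust graph and resolves the trust path an authentication request crosses: transitive parent-child trusts, a shortcut trust that shortens the path, a one-way forest trust, and a non-transitive external trust that does not reach the rest of the forest. The domain names (corp, research, marketing, aerospace, mining, partner, newco) are constructed placeholders, and treating a non-transitive trust as usable only for a single direct hop is a modelling assumption.

```python
from collections import deque

class TrustGraph:
    """Directed trust edges: trusting domain -> (trusted domain, transitive?).
    A user from the trusted domain may authenticate to the trusting domain."""

    def __init__(self):
        self.edges = {}

    def add_trust(self, trusting, trusted, transitive=True, two_way=False):
        self.edges.setdefault(trusting, []).append((trusted, transitive))
        if two_way:
            self.edges.setdefault(trusted, []).append((trusting, transitive))

    def trust_path(self, resource_domain, user_domain):
        """Shortest chain of domains an authentication request crosses from the
        resource domain back to the user's domain, or None if no trust exists.
        Assumption: a non-transitive trust is usable only as a single direct hop."""
        if resource_domain == user_domain:
            return [resource_domain]
        for trusted, _ in self.edges.get(resource_domain, []):
            if trusted == user_domain:          # direct trust of any kind
                return [resource_domain, user_domain]
        parent = {resource_domain: None}       # BFS over transitive edges only
        queue = deque([resource_domain])
        while queue:
            node = queue.popleft()
            for nxt, transitive in self.edges.get(node, []):
                if not transitive or nxt in parent:
                    continue
                parent[nxt] = node
                if nxt == user_domain:
                    path = [nxt]
                    while parent[path[-1]] is not None:
                        path.append(parent[path[-1]])
                    return path[::-1]
                queue.append(nxt)
        return None

    def can_logon(self, user_domain, resource_domain):
        return self.trust_path(resource_domain, user_domain) is not None

def build_example():
    """Constructed sample topology; every domain name is a placeholder."""
    g = TrustGraph()
    for child in ("research", "marketing", "aerospace", "mining"):
        g.add_trust("corp", child, two_way=True)   # implicit parent-child trusts
    g.add_trust("corp", "partner")                 # one-way forest trust: corp trusts partner
    g.add_trust("mining", "newco", transitive=False, two_way=True)  # external trust
    return g
```

Calling `build_example().trust_path("marketing", "research")` walks marketing, corp, research; adding a two-way shortcut between research and marketing collapses that to a single hop, while a newco user reaches mining but not aerospace because the external trust is non-transitive.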


About the Author

Travis Roberts is a Cloud Infrastructure Architect at a Minneapolis consulting firm, a Microsoft MVP, MCT, and author. Travis has 20 years of IT experience in the legal, pharmaceutical, and marketing industries and has worked with IT hardware manufacturers and managed service providers. In addition, Travis has held numerous technical certifications throughout his career from Microsoft, VMware, Citrix, and Cisco.