Share via

Understanding Trust Direction

Applies To: Windows Server 2008

Trust Direction

The trust type and its assigned direction affect the trust path that is used for authentication. A trust path is a series of trust relationships that authentication requests must follow between domains. Before a user can access a resource in another domain, the security system on domain controllers running Windows Server 2008 must determine whether the trusting domain (the domain that contains the resource that the user is trying to access) has a trust relationship with the trusted domain (the user's logon domain). To determine this, the security system computes the trust path between a domain controller in the trusting domain and a domain controller in the trusted domain. In the following illustration, the trust path is indicated by an arrow that shows the direction of the trust.

All domain trust relationships have only two domains in the relationship: the trusting domain and the trusted domain.

One-way trust

A one-way trust is a unidirectional authentication path that is created between two domains. This means that in a one-way trust between Domain A and Domain B, users in Domain A can access resources in Domain B. However, users in Domain B cannot access resources in Domain A. Some one-way trusts can be either a nontransitive trust or a transitive trust, depending on the type of trust that is created. For more information about trust types, see Understanding Trust Types.

Two-way trust

All domain trusts in a Windows Server 2008 forest are two-way, transitive trusts. When a new child domain is created, a two-way, transitive trust is automatically created between the new child domain and the parent domain. In a two-way trust, Domain A trusts Domain B and Domain B trusts Domain A. This means that authentication requests can be passed between the two domains in both directions. Some two-way relationships can be either nontransitive or transitive, depending on the type of trust that is created. For more information, see Understanding Trust Types.

A Windows Server 2008 domain can establish one-way or two-way trusts with the following domains and realms:

  • Windows Server 2008 domains in the same forest

  • Windows Server 2008 domains in a different forest

  • Windows Server 2003 domains in the same forest

  • Windows Server 2003 domains in a different forest

  • Windows Server 2000 domains in the same forest


Support for Windows 2000 ends July 13, 2010. For more information see, Windows 2000 End-of-Support Solution Center (

  • Windows Server 2000 domains in a different forest

  • Kerberos version 5 (V5) realms

For more information about the Kerberos V5 protocol, see Kerberos V5 authentication (

Additional references