Hi All, I have a two different forest: a.com is 2008 level and b.com is 2003 level, and there is another b.com.sg is sub-domain of b.com I add a external dual trust between a.com and b.com. In my opinion, the a.com should not trust b.com.cn because external is not transmitted ? but I found the truth is on the contrary ? user in b.com.cn can reach a.com as long as proper credential. also, I tried to establish external trust between a.com and b.com.cn, and then the sys pops up the trust has been already exist. anyone could adv ? is my understanding wrong ?

Hi, First of all Forest trust can be created between two forest root domains. They can give you complete two-way trust relationships with every domain in each forest. So if you create forest trust each and every domains in the forest can trust each other. What are you trying to achieve? If you explain us better we can help you with proper solutions and suggestions. Forest trusts: Active Directory technet.microsoft.com/en-us/library/cc755700(v=ws.10).aspx Regards, Rafic If you found this post helpful, please give it a "Helpful" vote. If it answered your question, remember to mark it as an "Answer". This posting is provided "AS IS" with no warranties and confers no rights! Always test ANY suggestion in a test environment before implementing!

Hi, First of all Forest trust can be created between two forest root domains. They can give you complete two-way trust relationships with every domain in each forest. So if you create forest trust each and every domains in the forest can trust each other. What are you trying to achieve? If you explain us better we can help you with proper solutions and suggestions. Forest trusts: Active Directory technet.microsoft.com/en-us/library/cc755700(v=ws.10).aspx Regards, Rafic If you found this post helpful, please give it a "Helpful" vote. If it answered your question, remember to mark it as an "Answer". This posting is provided "AS IS" with no warranties and confers no rights! Always test ANY suggestion in a test environment before implementing!

In my opinion, the a.com should not trust b.com.cn because external is not transmitted ? If it is a two way trust relationship then both domains trust the other. However, if this is a one way trust relationship then if the trust relationship is from A to B then the resource access is from B to A. but I found the truth is on the contrary ? user in b.com.cn can reach a.com as long as proper credential. That depends of the user permissions and the trust relationship (one way or two ways). also, I tried to establish external trust between a.com and b.com.cn, and then the sys pops up the trust has been already exist. anyone could adv ? is my understanding wrong ? If the trust was already created then you can validate it or delete it. If you want that both forests trust each other then delete the current trust and replace it by a forest way. This posting is provided "AS IS" with no warranties or guarantees , and confers no rights. Microsoft Student Partner 2010 / 2011 Microsoft Certified Professional Microsoft Certified Systems Administrator: Security Microsoft Certified Systems Engineer: Security Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration Microsoft Certified Technology Specialist: Windows 7, Configuring Microsoft Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations Microsoft Certified IT Professional: Enterprise Administrator Microsoft Certified IT Professional: Server Administrator Microsoft Certified Trainer

Hi iamrafic & X tks for your post actually, my question is about the trust transitivity. a.com trust b.com, b.com trust c.com, if transmit is no, then a.com did not trust c.com, Is that correct ? but why a.com trust b.com.cn ? Does this rule not apply in parent trust ? so the truth is : the transmit is implict 'yes' as long as trust relationship are dual way, though the GUI show ' no ' I guess I may review the trust lesson then T_T

a.com trust b.com, b.com trust c.com, if transmit is no, then a.com did not trust c.com, Is that correct ?Yes, there is no transitivity here and A doe snot trust C. but why a.com trust b.com.cn ? Does this rule not apply in parent trust ? If A and B are in the same forest and B is the child of B then this is a trust relationship which is created by default. so the truth is : the transmit is implict 'yes' as long as trust relationship are dual way, though the GUI show ' no ' I guess I may review the trust lesson then T_T I recommend reading that: http://technet.microsoft.com/en-us/library/cc736874%28v=ws.10%29 This posting is provided "AS IS" with no warranties or guarantees , and confers no rights. Microsoft Student Partner 2010 / 2011 Microsoft Certified Professional Microsoft Certified Systems Administrator: Security Microsoft Certified Systems Engineer: Security Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration Microsoft Certified Technology Specialist: Windows 7, Configuring Microsoft Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations Microsoft Certified IT Professional: Enterprise Administrator Microsoft Certified IT Professional: Server Administrator Microsoft Certified Trainer

a.com trust b.com, b.com trust c.com, if transmit is no, then a.com did not trust c.com, Is that correct ?Yes, there is no transitivity here and A doe snot trust C. but why a.com trust b.com.cn ? Does this rule not apply in parent trust ? If A and B are in the same forest and B is the child of B then this is a trust relationship which is created by default. so the truth is : the transmit is implict 'yes' as long as trust relationship are dual way, though the GUI show ' no ' I guess I may review the trust lesson then T_T I recommend reading that: http://technet.microsoft.com/en-us/library/cc736874%28v=ws.10%29 This posting is provided "AS IS" with no warranties or guarantees , and confers no rights. Microsoft Student Partner 2010 / 2011 Microsoft Certified Professional Microsoft Certified Systems Administrator: Security Microsoft Certified Systems Engineer: Security Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration Microsoft Certified Technology Specialist: Windows 7, Configuring Microsoft Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations Microsoft Certified IT Professional: Enterprise Administrator Microsoft Certified IT Professional: Server Administrator Microsoft Certified Trainer

Hi, strengthen my trust knowledge then tks u guys ... ^_^