5.3. Group Policy with Cross-Forest Trusts

Windows 2003 domains brought a new trust type to the table: the forest trust (also known as a cross-forest trust). The idea is that if you have multiple, unrelated forests, you can join their root domains with a single trust; then, anytime new domains pop up in either forest, a trust relationship is automatically implied.

Doing this requires a large commitment from all parties involved. All domains must be in at least Windows 2003 Functional mode, and all forests must be in Windows 2003 Functional mode. Only then is it possible to create cross-forest trusts via the Active Directory Domains and Trusts utility. For an example of an organization that might use this, see Figure 5.7.

In this example, ...
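The functional-level prerequisite described above can be checked before anyone opens Active Directory Domains and Trusts. The following is an added example, not code from the book: the function name `Test-ForestTrustReadiness` and the `corp.example` sample data are constructed for illustration, and the level names are assumed to match what the ActiveDirectory module's `Get-ADForest` and `Get-ADDomain` report.

```powershell
# Functional levels in ascending order, named as the ActiveDirectory module
# prints ForestMode / DomainMode, minus the trailing "Forest" / "Domain".
$LevelOrder = 'Windows2000', 'Windows2003Interim', 'Windows2003', 'Windows2008',
              'Windows2008R2', 'Windows2012', 'Windows2012R2', 'Windows2016'
$Required   = [array]::IndexOf($LevelOrder, 'Windows2003')

function Test-ForestTrustReadiness {
    param(
        [Parameter(Mandatory)] [string]   $ForestName,
        [Parameter(Mandatory)] [string]   $ForestMode,
        [Parameter(Mandatory)] [object[]] $Domains   # objects exposing Name and DomainMode
    )
    # Put the forest and each of its domains into one list so they are judged the same way.
    $items  = @([pscustomobject]@{ Scope = 'Forest'; Name = $ForestName; Mode = $ForestMode })
    $items += $Domains | ForEach-Object {
        [pscustomobject]@{ Scope = 'Domain'; Name = $_.Name; Mode = "$($_.DomainMode)" }
    }
    foreach ($i in $items) {
        $rank = [array]::IndexOf($LevelOrder, ($i.Mode -replace '(Domain|Forest)$', ''))
        # A level name missing from $LevelOrder is reported as Unknown for manual review.
        $status = if ($rank -lt 0) { 'Unknown' }
                  elseif ($rank -lt $Required) { 'TooLow' }
                  else { 'OK' }
        [pscustomobject]@{ Scope = $i.Scope; Name = $i.Name; Mode = $i.Mode; Status = $status }
    }
}

# Constructed sample data (hypothetical forest with one domain still at Windows 2000 level).
$sampleDomains = @(
    [pscustomobject]@{ Name = 'corp.example';       DomainMode = 'Windows2003Domain' }
    [pscustomobject]@{ Name = 'sales.corp.example'; DomainMode = 'Windows2000Domain' }
)
$report = Test-ForestTrustReadiness -ForestName 'corp.example' `
            -ForestMode 'Windows2003Forest' -Domains $sampleDomains
$report | Format-Table -AutoSize

# Anything that is not OK blocks creation of the forest trust.
if ($report | Where-Object Status -ne 'OK') {
    Write-Warning 'Raise the listed functional levels before creating the forest trust.'
}

# Against a live forest (requires the ActiveDirectory module):
#   $f = Get-ADForest
#   $d = $f.Domains | ForEach-Object { Get-ADDomain -Server $_ }
#   Test-ForestTrustReadiness -ForestName $f.Name -ForestMode $f.ForestMode -Domains $d
```

Run the check in both forests, since the requirement applies to each side of the trust.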
