In the earlier hands-on article on domain trust relationships, we described how to create a trust relationship between two domains. That exercise succeeded: we created a trust relationship between itet.com and homeway.com, as intended. However, when we open the Active Directory Domains and Trusts tool on the domain controller, we can see from the following figure that the trust relationship between itet.com and homeway.com is not transitive! This deserves our attention.
If the trust relationship between domains is transitive, we can infer that if A trusts B and B trusts C, then A must trust C. If a domain trust relationship is not transitive, however, there is no trust between A and C, and a trust relationship between A and C must be created manually. Clearly, in a multi-domain environment, the more domains there are, the more trouble non-transitive trusts cost us in efficiency. For example, with 20 domains, if every pair of domains needs a two-way trust relationship, we must create at least 20*19/2 = 190 trust relationships, which is obviously far too cumbersome!
Microsoft has offered a solution to this domain trust problem since Win2000, which introduced the concepts of the domain tree and the domain forest. All domains in the same domain tree automatically create two-way, transitive trust relationships. Domains in the same domain forest likewise automatically create two-way, transitive trust relationships. When Microsoft released Win2003, it introduced the concept of the forest trust, which makes it possible to create transitive trusts between two forests and extend transitive trust relationships from one forest to multiple forests.
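The reasoning above can be checked with a small model. This is an added example, not part of the original article: the function names and the `d0.example` style domain names are constructed, and the model assumes that a direct trust always holds while a chain of trusts holds only when every link in it is transitive.

```python
from itertools import combinations

def two_way(a, b, transitive):
    """One two-way trust, stored as two one-way (trusting, trusted, transitive) links."""
    return [(a, b, transitive), (b, a, transitive)]

def effective_trusts(links):
    """Simplified model (an assumption of this example): a direct link always
    holds; a chain of links holds only if every link in it is transitive."""
    closure = {(a, b) for a, b, t in links if t}
    changed = True
    while changed:  # naive transitive closure over the transitive links
        changed = False
        for a, b in list(closure):
            for c, d in list(closure):
                if b == c and a != d and (a, d) not in closure:
                    closure.add((a, d))
                    changed = True
    return closure | {(a, b) for a, b, _ in links}

def all_trust_each_other(domains, links):
    """True when every pair of domains trusts each other in both directions."""
    eff = effective_trusts(links)
    return all((a, b) in eff and (b, a) in eff for a, b in combinations(domains, 2))

def full_mesh(domains):
    """Non-transitive case: every pair needs its own two-way trust."""
    return [l for a, b in combinations(domains, 2) for l in two_way(a, b, False)]

def domain_tree(domains, transitive=True):
    """Tree case: each child has one two-way trust with the root, domains[0]."""
    return [l for child in domains[1:] for l in two_way(child, domains[0], transitive)]

if __name__ == "__main__":
    # Constructed names, not real domains.
    chain = [("A", "B", False), ("B", "C", False)]
    print(("A", "C") in effective_trusts(chain))  # A trusts B, B trusts C, non-transitive
    print(("A", "C") in effective_trusts([(a, b, True) for a, b, _ in chain]))
    domains = [f"d{i}.example" for i in range(20)]
    mesh, tree = full_mesh(domains), domain_tree(domains)
    print(len(mesh) // 2, all_trust_each_other(domains, mesh))
    print(len(tree) // 2, all_trust_each_other(domains, tree))
    print(all_trust_each_other(domains, domain_tree(domains, transitive=False)))
```

Under this model the 20-domain mesh needs 190 manually created two-way trusts, while a tree of transitive parent-child trusts reaches the same full mutual trust with 19; the same tree built from non-transitive trusts leaves sibling domains without trust in each other.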
At this point, we need to recall the topology diagram from the hands-on article on domain trust relationships, shown in the following illustration. We suddenly realize that itet.com and homeway.com are each in a separate domain forest, and that the trust in question is a relationship between these two domains, so why can't we create a transitive forest trust between the two domains? Looking back at the process of creating the trust relationship, we never came across an option to create a transitive forest trust. Why?