I'm working on troubleshooting an application under development that uses information from Active Directory in a multi-forest environment, and I have the current problem down to figuring out if forest trusts are transitive, and if so under what conditions.
The setup: Using Active Directory 2003, ForestA has a two-way forest trust with ForestB. ForestB has a two-way forest trust with ForestC.
In this situation, is there any sort of trust relationship between ForestA and ForestC? I've found some conflicting information; this first link clearly indicates the forest trust is not transitive to other forests:
Forest trusts can only be created between two forests and cannot be implicitly extended to a third forest. This means that if a forest trust is created between forest 1 and forest 2, and a forest trust is also created between forest 2 and forest 3, forest 1 will not have an implicit trust with forest 3.
However, I can also find in the list of trust types an indication that forest trusts are transitive:
Trust type: Forest; Transitivity: Transitive
On top of this, forest trusts show as "transitive" in the list of Active Directory trusts when viewed through "Manage domains and trusts".
Does this mean that the forest trust is transitive WITHIN the trusting forest but not to other forests? So in the previously mentioned scenario:
ForestA <-> ForestB <-> ForestC
Subdomains would pick up the forest trust through transitivity (so subdom1.ForestA would trust office7.ForestB) but there would be access shared between ForestA and ForestB. Is this correct, or have I become confused by the rather confusing information Microsoft publishes? Does anyone have personal experience of this that they can share?
Specifically, I believe the "transitive" in Microsoft's Transitive Forest Trusts is for the domains within each forest rather than forest-to-forest-to-forest.
E.g.
Forest 1 with root domain A, and two child domains B and C
Forest 2 with root domain X, and two child domains Y and Z
With a transitive forest trust domain Z would trust domain C automatically, without needing to create a direct trust link (shortcut trust).
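The following is an added example, not part of the original question or answer: a toy Python model of the rule in the quoted Microsoft passage and the answer above (transitive to the domains inside the two forests, never chained to a third forest). It lists the domain pairs an application would wrongly treat as trusted if it assumed forest trusts chain. The function names and the topology table are constructed for illustration, reusing the forest and domain names from the question.

```python
from collections import deque

# Constructed sample topology: domain -> forest it belongs to.
DOMAIN_FOREST = {
    "ForestA": "ForestA", "subdom1.ForestA": "ForestA",
    "ForestB": "ForestB", "office7.ForestB": "ForestB",
    "ForestC": "ForestC",
}
# Directed edges (trusting forest, trusted forest); a two-way trust is two edges.
FOREST_TRUSTS = {
    ("ForestA", "ForestB"), ("ForestB", "ForestA"),
    ("ForestB", "ForestC"), ("ForestC", "ForestB"),
}

def trusts(trusting, trusted, domain_forest=DOMAIN_FOREST, forest_trusts=FOREST_TRUSTS):
    """True if domain `trusting` trusts domain `trusted` under the quoted rule."""
    f1, f2 = domain_forest[trusting], domain_forest[trusted]
    if f1 == f2:
        return True  # domains inside one forest trust each other
    # Across forests only a direct forest trust counts, never a chain of them.
    return (f1, f2) in forest_trusts

def reachable_if_chained(trusting, trusted, domain_forest=DOMAIN_FOREST,
                         forest_trusts=FOREST_TRUSTS):
    """The mistaken reading: forest trusts chain, so any path of trusts counts."""
    start, goal = domain_forest[trusting], domain_forest[trusted]
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        if cur == goal:
            return True
        for src, dst in forest_trusts:
            if src == cur and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return False

def implied_only_by_chaining(domain_forest=DOMAIN_FOREST, forest_trusts=FOREST_TRUSTS):
    """Domain pairs the chained reading accepts but the quoted rule rejects."""
    return [(a, b) for a in sorted(domain_forest) for b in sorted(domain_forest)
            if a != b
            and reachable_if_chained(a, b, domain_forest, forest_trusts)
            and not trusts(a, b, domain_forest, forest_trusts)]

if __name__ == "__main__":
    for pair in implied_only_by_chaining():
        print("no trust despite A<->B<->C chain:", pair)
```
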