Windows Server 2003 introduces cross-forest trusts, the capability of one Active Directory forest to trust another and for users to access resources in a trusting forest. You create and manage these trusts using Active Directory Domains and Trusts. After a trust is established, you can include user and group accounts from a foreign, trusted forest in the access control lists (ACLs) of Active Directory and NTFS permissions.


Internet Authentication Service (IAS), Windows Server 2003's bundled RADIUS-compatible server, is now compatible with cross-forest authentication. An IAS server running in one forest can authenticate dial-in users who have accounts in another, trusted forest.

Cross-forest trusts enable organizations to more easily use forests, rather than domains, as their basic units of security when designing their Active Directory deployments. In the past, Microsoft suggested that domains would be the basic security boundary between parts of an organization with different security requirements. However, the presence of the all-powerful, forest-wide Enterprise Admins groups made many organizations uncomfortable; they felt they needed a way to completely separate the security used by different parts of their organizations. With cross-forest trusts, you can now deploy many more forests within a single organization and use trusts to provide resource access between forests as necessary.

One disadvantage of cross-forest trusts is that they have the potential to create the large, complex webs of trust relationships that made NT domains difficult to manage. If organizations begin to use large numbers of forests, administrators will have to manage the large number of subsequent intraforest trusts.


Keep in mind that cross-forest trusts are available only when the forests involved in the trust are running Windows Server 2003 and are in the Windows Server 2003 forest functional level.