
JSI Tip 4315. How do I set up a one-way non-transitive trust in Windows 2000?

NOTE: The text in the following Microsoft Knowledge Base article is provided so that the site search can find this page. Please click the Knowledge Base link to ensure that you are reading the most current information.

Microsoft Knowledge Base article Q309682 contains:



Windows 2000 domains in the same forest share transitive trust relationships with one another. There is an implicit transitive trust between the root domains in each tree in the Windows 2000 forest. A two-way implicit transitive trust also exists between all contiguous domains in a single tree.

There may be times when you need to create explicit trust relationships between domains. One example is a trust between a Microsoft Windows NT 4.0 domain and a Windows 2000 domain: Windows NT 4.0 cannot participate in transitive trust relationships with Windows 2000 domains. Another example is when you need domains in disparate forests to trust one another.

Windows 2000 allows you to configure one-way non-transitive trusts between domains. A one-way non-transitive trust is especially helpful when you want to run Microsoft Proxy Server 2.0 or Microsoft Internet Security and Acceleration (ISA) Server 2000 in a forest outside of the production forest. A one-way trust from the firewall domain to the production domain allows accounts in the internal (production) domain to be trusted by the external (firewall) domain, but does not allow external domain accounts to be trusted by the production domain: the production domain is the trusted domain, the firewall domain is the trusting domain, and nothing flows in the other direction. Because the trust is non-transitive, the firewall domain accepts only accounts from the production domain named in the trust, not accounts from other domains in the production forest. This article describes how you can set up the one-way non-transitive trust between domains.
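The direction and transitivity rules described above are easy to get backwards, so here is an added example (not part of the Knowledge Base article) that models them as a small trust graph. The domain names corp.example, eu.corp.example and dmz.example are hypothetical; the forest contains the implicit two-way transitive parent-child trust, and the firewall domain holds a one-way non-transitive trust to the production root, as in the ISA/Proxy scenario. The model also shows what would change if the explicit trust were transitive, which is a generalization beyond the text.

```python
"""Model of Windows trust direction and transitivity.

Constructed example: a production forest (corp.example with child domain
eu.corp.example) and a separate firewall forest (dmz.example) that trusts
corp.example through a one-way, non-transitive explicit trust. All domain
names are hypothetical.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Trust:
    """One trust edge: the 'trusting' domain accepts accounts from 'trusted'."""
    trusting: str
    trusted: str
    transitive: bool


def two_way(a, b, transitive=True):
    """A two-way trust is simply two one-way trusts, one in each direction."""
    return [Trust(a, b, transitive), Trust(b, a, transitive)]


def can_authenticate(account_domain, resource_domain, trusts):
    """True if an account from account_domain is accepted by resource_domain.

    A trust path from the resource (trusting) domain to the account (trusted)
    domain is usable only if it is a single direct hop or every hop on it is
    transitive; a non-transitive trust never passes a third domain's accounts
    through, in either position on the path.
    """
    if account_domain == resource_domain:
        return True
    outgoing = {}
    for t in trusts:
        outgoing.setdefault(t.trusting, []).append(t)

    # A direct (one-hop) trust is valid whether or not it is transitive.
    for t in outgoing.get(resource_domain, []):
        if t.trusted == account_domain:
            return True

    # Multi-hop paths: breadth-first search following transitive edges only.
    seen = {resource_domain}
    queue = deque([resource_domain])
    while queue:
        current = queue.popleft()
        for t in outgoing.get(current, []):
            if not t.transitive:
                continue
            if t.trusted == account_domain:
                return True
            if t.trusted not in seen:
                seen.add(t.trusted)
                queue.append(t.trusted)
    return False


def trusted_account_domains(resource_domain, domains, trusts):
    """All domains whose accounts resource_domain will authenticate."""
    return sorted(d for d in domains
                  if can_authenticate(d, resource_domain, trusts))


DOMAINS = ["corp.example", "eu.corp.example", "dmz.example"]

# Implicit two-way transitive parent-child trust inside the production forest.
PRODUCTION_FOREST = two_way("corp.example", "eu.corp.example")

# Explicit one-way non-transitive trust: the firewall domain (trusting)
# trusts the production root domain (trusted). Nothing points back.
FIREWALL_TRUST = [Trust(trusting="dmz.example", trusted="corp.example",
                        transitive=False)]

TRUSTS = PRODUCTION_FOREST + FIREWALL_TRUST


if __name__ == "__main__":
    checks = [
        ("corp.example", "dmz.example"),     # production account on firewall box
        ("dmz.example", "corp.example"),     # firewall account on production box
        ("eu.corp.example", "dmz.example"),  # child-domain account on firewall box
        ("eu.corp.example", "corp.example"), # child-domain account inside forest
    ]
    for acct, res in checks:
        ok = can_authenticate(acct, res, TRUSTS)
        print(f"{acct:>18} account -> {res:<18} resource: {'accepted' if ok else 'refused'}")
    print("dmz.example accepts accounts from:",
          trusted_account_domains("dmz.example", DOMAINS, TRUSTS))
```

The third check is the one worth remembering: a user in the child domain eu.corp.example is refused by dmz.example even though eu.corp.example is fully trusted inside the production forest, because the explicit trust is non-transitive. Changing that edge to transitive=True flips the result, which is exactly the exposure the non-transitive trust is chosen to avoid.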


Configure a One-way Trust

Perform the following steps to configure the one-way trust:
  1. On a domain controller in the trusted domain, start the Active Directory Domains and Trusts console, right-click the trusted domain, click Properties, and then click the Trusts tab.

  2. In the Domains that trust this domain pane, click Add.

  3. In the Add Trusting Domain dialog box, type the name of the trusting domain, type a password, and then type the password again in the Confirm password box.

  4. Click OK.

  5. In the Active Directory dialog box, click OK to verify the trust.

  6. Enter the user name and password of a user who has permission to modify trust relationships in the trusting domain.

    You receive a message that states that the trusting domain has been added and the trust verified.

  7. Quit the Active Directory Domains and Trusts console.

  8. On a domain controller in the trusting domain, start the Active Directory Domains and Trusts console.

  9. Right-click the trusting domain and click Properties.

  10. In the Domains trusted by this domain box, click Add.

  11. In the Add Trusted Domain dialog box, type the name of the trusted domain and the same trust password you entered in step 3, and then type the password again in the Confirm Password box. The password must match on both sides or the trust cannot be established.

  12. Click OK.

NOTE: The DNS infrastructure must be in place so that domain controllers from each domain can find one another. A Windows NT 4.0 domain also requires NetBIOS name resolution (WINS or LMHOSTS) between the domain controllers. You can configure Windows NT 4.0 domain trusts by using Windows NT 4.0 User Manager for Domains.


Create a One-Way Trust from a Windows NT 4.0 Domain to a Windows 2000 Domain

  1. Add the Windows NT 4.0 domain as a trusting domain in the Windows 2000 Active Directory Domains and Trusts console as described in steps 1 to 7 in the preceding section (steps 8 to 12 apply only when the trusting domain is a Windows 2000 domain).

  2. Start User Manager for Domains on a Windows NT 4.0 domain controller.

  3. On the Policies menu, click Trust Relationships.

  4. In the Trusted Domains pane, click Add.

  5. In the Add Trusted Domain dialog box, type the trusted domain in the Domain box, type a password for the trust in the Password text box, and then click OK.
