I believe that the documentation that you are looking for that describes these 
transitive trusts and the inability to alter them is contained here:
 
From: 
http://technet2.microsoft.com/WindowsServer/en/library/f5c70774-25cd-4481-8b7a-3d65c86e69b11033.mspx

Automatic Trusts

By default, two-way transitive trusts are automatically created when a new 
domain is added to a domain tree or forest root domain by using the Active 
Directory Installation Wizard. The two default trust types are parent-child 
trusts and tree-root trusts.

Parent-child trust

A parent-child trust relationship is established whenever a new domain is 
created in a tree. The Active Directory installation process automatically 
creates a trust relationship between the new domain and the domain that 
immediately precedes it in the namespace hierarchy (for example, 
corp.tailspintoys.com is created as the child of tailspintoys.com). The 
parent-child trust relationship has the following characteristics:

* It can exist only between two domains in the same tree and namespace.
* The parent domain is always trusted by the child domain.
* It must be transitive and two-way. The bidirectional nature of 
  transitive trust relationships allows the global directory information in 
  Active Directory to replicate throughout the hierarchy.

Tree-root trust

A tree-root trust is established when you add a new domain tree to a forest. 
The Active Directory installation process automatically creates a trust 
relationship between the domain you are creating (the new tree root) and the 
forest root domain. A tree-root trust relationship has the following 
restrictions:

* It can be established only between the roots of two trees in the same 
  forest.
* It must be transitive and two-way.
 
Thanks,
 
-Steve
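An added example, not from the thread or from Microsoft's documentation: it decodes the trustAttributes and trustDirection values that a domain stores on its trustedDomain objects (under CN=System), using the flag values from MS-ADTS, and over constructed sample records shows which trusts are the fixed intra-forest ones described above and which cross a forest boundary and are therefore the only ones an administrator can actually shape.

```python
# Added example (not from the thread): decode trustAttributes/trustDirection
# from trustedDomain objects so an audit can separate automatic intra-forest
# trusts from configurable ones. Flags per MS-ADTS; records are constructed.
TA_NON_TRANSITIVE = 0x01
TA_FOREST_TRANSITIVE = 0x08
TA_WITHIN_FOREST = 0x20
DIRECTION = {0: "disabled", 1: "inbound", 2: "outbound", 3: "bidirectional"}


def classify_trust(record):
    attrs = record["trustAttributes"]
    within_forest = bool(attrs & TA_WITHIN_FOREST)
    if within_forest:
        kind = "intra-forest"  # parent-child or tree-root, created by dcpromo
    elif attrs & TA_FOREST_TRANSITIVE:
        kind = "forest"
    else:
        kind = "external"
    return {
        "partner": record["trustPartner"],
        "kind": kind,
        "direction": DIRECTION.get(record["trustDirection"], "unknown"),
        "transitive": not (attrs & TA_NON_TRANSITIVE),
        # Nothing re-shapes an intra-forest trust; only trusts that cross
        # the forest boundary have direction/transitivity an admin can set.
        "configurable": not within_forest,
    }


def boundary_findings(records):
    """One line per trust saying whether it gives administrative isolation.
    Intra-forest trusts are always two-way and transitive; a record that
    claims otherwise is reported as inconsistent rather than accepted."""
    out = []
    for t in map(classify_trust, records):
        if t["kind"] != "intra-forest":
            out.append(f"{t['partner']}: {t['kind']} trust, {t['direction']}, "
                       f"configurable, transitive={t['transitive']}")
        elif t["direction"] != "bidirectional" or not t["transitive"]:
            out.append(f"{t['partner']}: inconsistent intra-forest record")
        else:
            out.append(f"{t['partner']}: intra-forest, fixed two-way transitive, "
                       "reachable by enterprise admins, no isolation")
    return out


# Constructed sample records, not taken from any real directory
SAMPLE_TRUSTS = [
    {"trustPartner": "corp.tailspintoys.com", "trustDirection": 3, "trustAttributes": 0x20},
    {"trustPartner": "legacy.example", "trustDirection": 2, "trustAttributes": 0x05},
    {"trustPartner": "other-forest.example", "trustDirection": 3, "trustAttributes": 0x0C},
]
```

Run `boundary_findings(SAMPLE_TRUSTS)` to get the three summary lines; in a real audit the records would come from an LDAP search for objectClass=trustedDomain.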

________________________________

From: [EMAIL PROTECTED] on behalf of Matt Hargraves
Sent: Sun 7/23/2006 10:09 AM
To: [email protected]
Subject: Re: [ActiveDir] Domain Trusts.


Basically we're looking at creating a resource domain because the objects that 
need to go in that domain really do need to get out of our current user 
environment.

But if you can't move items into a forest without having an automatic 2-way 
transitive trust, then we might need to just go with a separate forest.  We're 
looking at other options internally and it's possible that we may not need 
security isolation for these other domains.  Time will tell. 

You've all been very helpful, thank you.  Hopefully MS will state in their 
documentation at some point in time that these trusts can't be altered so that 
other people don't have to go "I know it's automatically created when I create 
the object, but what can I do with the trust" any more :) 



On 7/22/06, Grillenmeier, Guido <[EMAIL PROTECTED]> wrote: 

        you might want to describe to us what your actual goal is for creating 
a non-fully trusted domain in your AD forest.  Maybe you can reach a similar 
goal by using the fairly powerful capabilities in AD to delegate administration 
of objects within a domain. You can also use these features to hide specific 
parts of AD from the rest of the organization and thus create "semi-isolated" 
units within a single AD domain. 
         
        Note that there is no way to fully isolate any objects within a domain 
or forest from domain or enterprise admins - if you do need full administrative 
isolation, you have to create multiple forests.
         
        /Guido

________________________________

        From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida 
Pinto, Jorge de
        Sent: Saturday, July 22, 2006 12:45 AM
        To: [email protected]
        Subject: RE: [ActiveDir] Domain Trusts.

        1-yep
        2-yep

        Met vriendelijke groeten / Kind regards,
        Ing. Jorge de Almeida Pinto
        Senior Infrastructure Consultant
        MVP Windows Server - Directory Services

        LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
        Tel    : +31-(0)40-29.57.777
        Mobile : +31-(0)6-26.26.62.80
        E-mail : <see sender address>

________________________________

        From: [EMAIL PROTECTED] on behalf of Matt Hargraves
        Sent: Sat 2006-07-22 00:35
        To: [email protected]
        Subject: Re: [ActiveDir] Domain Trusts.
        
        So basically there's no way to have a domain in a forest that doesn't 
fully trust every other domain in the forest?
        
        The only way to have a non-2-way trust is to make a separate forest?


List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx