Domain trusts define how authentication and access flow between domains and forests in Active Directory. This lesson explains what trusts are, why they exist, how they change the scope of both legitimate access and potential compromise, and how to explain trust relationships clearly in interviews.
A trust in Active Directory is a relationship between two domains that allows users in one domain to authenticate to resources in the other. Trusts exist because organizations often have more than one domain — separate divisions, acquired companies, or partner organizations — and need a way for users to access resources across domain boundaries without maintaining separate accounts in every domain. The trust relationship tells the domain controllers in each domain to accept authentication requests that originate from the trusted domain.
Without a trust, a user in Domain A has no way to authenticate to anything in Domain B. With a trust, the authentication infrastructure bridges the gap. Trusts have three key properties: direction, transitivity, and type — which way authentication flows, whether the trust extends through intermediate domains, and what kind of relationship the trust represents.
Think of trusts as bridges between separate territories. Each domain is its own territory with its own gates and guards (domain controllers). By default, there is no way for someone from one territory to enter another. A trust builds a bridge and tells the guards on the receiving side to accept credentials issued by the other territory's authorities.
The direction of the trust determines which way people can cross: a one-way trust lets users from the trusted domain access resources in the trusting domain, but not the reverse. A two-way trust lets users cross in both directions. Transitivity determines whether the bridge extends through intermediate stops: if Domain A trusts Domain B and Domain B trusts Domain C, a transitive trust means Domain A also trusts Domain C; a non-transitive trust means it does not.
Microsoft · Official Microsoft reference for Active Directory trust types, directions, and transitivity
MITRE · MITRE ATT&CK tactic covering lateral movement — trust abuse is a primary vector for crossing domain and forest boundaries
Trusts determine the boundaries of an Active Directory environment. A single-domain AD has a simple boundary, but most enterprise environments have multiple domains, often in multiple forests, connected by trust relationships that allow users in one domain to access resources in another.
If you cannot explain how trusts work, you cannot reason about whether a compromise in one domain can reach another, which is one of the most critical questions in any multi-domain assessment. Understanding trust direction, transitivity, and the distinction between intra-forest and inter-forest trusts is foundational knowledge that directly shapes how you scope attacks and explain cross-domain risk.
In real assessments, trust relationships determine how far a compromise can reach. When you compromise a child domain, the intra-forest trust (two-way, transitive, no SID filtering) typically means you have a path to the forest root domain — and from there, to every domain in the forest. This is why 'domain compromise' in a multi-domain forest often translates to 'forest compromise.'
When you encounter inter-forest trusts, the situation is more nuanced: SID filtering prevents direct SID injection attacks, but users from the trusted forest may still have explicit permissions in the trusting forest that an attacker can exploit. Explaining trust relationships to clients is critical: they need to understand that their 'separate' domains within the same forest are not security-isolated, and that a trust to a partner organization's forest creates a potential lateral path that both organizations need to manage. The most common misconception you will address is the belief that having separate domains provides security separation. Within a forest, it does not.
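The bridge model above (direction decides who may cross, transitivity decides whether the bridge chains through intermediate domains) and the intra-forest versus inter-forest distinction can be turned into a small scoping tool. The following is an added example, not code from the lesson: it records each trust the way a trustedDomain object exposes it in LDAP, using the trustDirection values (inbound 1, outbound 2) and trustAttributes flags (NON_TRANSITIVE 0x1, FOREST_TRANSITIVE 0x8, WITHIN_FOREST 0x20) documented in MS-ADTS, decodes them into authentication-flow edges, and answers "from a compromised domain, which other domains can a principal reach, and is the path SID-filtered?". The domain names are constructed, and the model makes two simplifying assumptions beyond the lesson's summary: cross-forest trusts are treated as SID-filtered (the default), and a forest trust is treated as transitive between its two forests but not into a third forest, while external trusts are non-transitive.

```python
"""Trust reachability model for scoping a multi-domain compromise (added example)."""
from __future__ import annotations
from collections import deque
from dataclasses import dataclass

# trustDirection values of a trustedDomain object, read from the domain that
# holds the object ("source") about its partner ("target").
TRUST_DIRECTION_INBOUND = 0x1   # target trusts source: source's principals authenticate to target
TRUST_DIRECTION_OUTBOUND = 0x2  # source trusts target: target's principals authenticate to source

# trustAttributes flags relevant to direction, transitivity and forest scope.
TRUST_ATTRIBUTE_NON_TRANSITIVE = 0x1
TRUST_ATTRIBUTE_FOREST_TRANSITIVE = 0x8   # forest trust between two forest roots
TRUST_ATTRIBUTE_WITHIN_FOREST = 0x20      # automatic parent/child or tree-root trust


@dataclass(frozen=True)
class TrustObject:
    source: str      # domain whose trustedDomain object this is
    target: str      # partner domain named by the object
    direction: int   # trustDirection value
    attributes: int  # trustAttributes bit mask


@dataclass(frozen=True)
class Edge:
    """Authentication flow: principals of user_domain can authenticate to resource_domain."""
    user_domain: str
    resource_domain: str
    transitive: bool
    within_forest: bool
    forest_trust: bool
    sid_filtered: bool


def decode(trust: TrustObject) -> list[Edge]:
    """Turn one trustedDomain object into the authentication-flow edges it grants."""
    attrs = trust.attributes
    within_forest = bool(attrs & TRUST_ATTRIBUTE_WITHIN_FOREST)
    forest_trust = bool(attrs & TRUST_ATTRIBUTE_FOREST_TRANSITIVE)
    # Intra-forest and forest trusts are transitive unless explicitly disabled;
    # anything else is an external trust, which is non-transitive.
    transitive = (within_forest or forest_trust) and not (attrs & TRUST_ATTRIBUTE_NON_TRANSITIVE)
    # Assumption of this model: every cross-forest trust is SID-filtered (the
    # default); intra-forest trusts never are.
    sid_filtered = not within_forest
    edges = []
    if trust.direction & TRUST_DIRECTION_INBOUND:
        edges.append(Edge(trust.source, trust.target, transitive, within_forest, forest_trust, sid_filtered))
    if trust.direction & TRUST_DIRECTION_OUTBOUND:
        edges.append(Edge(trust.target, trust.source, transitive, within_forest, forest_trust, sid_filtered))
    return edges


def reachable(edges: set[Edge], start: str) -> dict[str, tuple[Edge, ...]]:
    """Breadth-first search over trust edges from the compromised domain `start`.

    Rules modelled: a single hop may use any trust with the right direction; a
    chain of two or more hops may only use transitive trusts; a path may cross
    at most one forest trust (a forest trust does not extend to a third forest).
    Simplification: the first path found to a domain is the one kept.
    """
    by_user: dict[str, list[Edge]] = {}
    for e in edges:
        by_user.setdefault(e.user_domain, []).append(e)
    found: dict[str, tuple[Edge, ...]] = {}
    queue = deque([(start, (), 0, True)])  # domain, path so far, forest hops, chain still transitive
    while queue:
        dom, path, forest_hops, chainable = queue.popleft()
        for e in by_user.get(dom, []):
            if path and not (chainable and e.transitive):
                continue  # a non-transitive trust ends the chain
            hops = forest_hops + (1 if e.forest_trust else 0)
            if hops > 1 or e.resource_domain == start or e.resource_domain in found:
                continue
            new_path = path + (e,)
            found[e.resource_domain] = new_path
            queue.append((e.resource_domain, new_path, hops, chainable and e.transitive))
    return found


def scope_report(trusts: list[TrustObject], compromised: str) -> dict[str, dict]:
    """For each domain reachable from `compromised`: the trust path and whether it is SID-filtered."""
    edges = {e for t in trusts for e in decode(t)}
    report = {}
    for dom, path in reachable(edges, compromised).items():
        report[dom] = {
            "path": " -> ".join([compromised] + [e.resource_domain for e in path]),
            "sid_filtered": any(e.sid_filtered for e in path),
        }
    return report


# Constructed topology (not from the lesson): forest corp.example with child
# dev.corp.example; a two-way forest trust to partner.example (child
# lab.partner.example); partner.example also has a forest trust to vendor.example;
# corp.example has a one-way external trust in which it trusts legacy.example.
TRUSTS = [
    TrustObject("dev.corp.example", "corp.example", 0x3, TRUST_ATTRIBUTE_WITHIN_FOREST),
    TrustObject("corp.example", "partner.example", 0x3, TRUST_ATTRIBUTE_FOREST_TRANSITIVE),
    TrustObject("partner.example", "lab.partner.example", 0x3, TRUST_ATTRIBUTE_WITHIN_FOREST),
    TrustObject("partner.example", "vendor.example", 0x3, TRUST_ATTRIBUTE_FOREST_TRANSITIVE),
    TrustObject("corp.example", "legacy.example", TRUST_DIRECTION_OUTBOUND, TRUST_ATTRIBUTE_NON_TRANSITIVE),
]

if __name__ == "__main__":
    for start in ("dev.corp.example", "legacy.example", "vendor.example"):
        print(f"compromise of {start} reaches:")
        for dom, info in scope_report(TRUSTS, start).items():
            print(f"  {dom}: {info['path']} (SID-filtered: {info['sid_filtered']})")
```

Running it shows the lesson's three points in one table: the child-domain compromise walks the unfiltered intra-forest trust to the root and on across the forest trust (filtered) into the partner forest but not into the vendor forest behind it; the external trust lets legacy.example's principals into corp.example and nowhere further, because a non-transitive trust cannot be chained; and the one-way direction means nobody in corp.example can cross into legacy.example at all.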
Domain trusts are relationships that allow users in one domain to authenticate to resources in another, bridging what would otherwise be completely separate authentication boundaries. Trusts have direction (one-way or two-way), transitivity (whether the trust extends through chains), and type (intra-forest, inter-forest, external).
The most important thing to understand is the difference between intra-forest and inter-forest trusts. Intra-forest trusts are automatic, two-way, transitive, and do not have SID filtering — which means compromising one domain in a forest almost always provides a path to every other domain. The forest is the real security boundary, not the domain. Inter-forest trusts are more restrictive: non-transitive by default and SID-filtered, which limits cross-forest privilege escalation.
But users from one forest may still have explicit permissions in the other, so the trust still expands the attack surface. When I enumerate trusts during an assessment, I am mapping the boundaries: where this compromise can reach, and what stands in the way.