Information on the Transitivity of a Kerberos Realm Trust

This article discusses the transitivity of a trust formed between a Microsoft Windows 2000 domain and a Kerberos realm.

When you create a trust between a Windows 2000 domain and a Kerberos realm, that trust is non-transitive. This means that only clients and servers that are in the immediate domain of the trust object can use this trust. Child domains are not able to use the trust.

In order for child domains to use the trust object, you must change the trust object from non-transitive to transitive. You can do this with the Netdom.exe tool found in the Windows 2000 Resource Kit. You can change a specific trust to be transitive by using the "netdom trust" and "transitive:yes" options.