A. When you manually create a trust in Windows 2000, you choose one of two authentication protocols for it.

  • Kerberos—The Kerberos V5 authentication protocol is the default authentication service in Windows 2000. A client proves its identity to a service (and the service proves its identity to the client) with tickets issued by a Key Distribution Center (KDC), so the user's password never crosses the network. Active Directory uses Kerberos for the transitive trusts it creates automatically inside a forest: between parent and child domains in a tree and between the root domains of the trees in a forest.
  • NT LAN Manager (NTLM)—The NTLM authentication protocol is the default for network authentication in Windows NT 4.0 and earlier; Win2K still supports it for backward compatibility, but not as the default. NTLM is a challenge/response protocol: the server sends a random challenge, and the client returns a response computed from that challenge and a hash of the user's password, so the password itself is not transmitted. Two caveats for practitioners: NTLM authenticates only the client, not the server, and anyone who captures a challenge/response pair can test password guesses against it offline, which is why Kerberos is preferred wherever it is available.

Transitive, Kerberos-based trusts exist only between domains WITHIN a forest. A trust you create between two Windows 2000 domains in different forests is an external trust: it is non-transitive, and Win2K lets you select only NTLM for it because the Microsoft implementation doesn't offer Kerberos for this kind of cross-forest trust. The limitation is Microsoft's, not Kerberos's. Windows 2000 can establish a trust with a non-Windows Kerberos V5 realm (e.g., an MIT Kerberos realm), and that trust authenticates with Kerberos.