Understanding trust relationships

A trust relationship connects two domains and allows users in the trusted domain to access resources in the trusting domain. Groups can contain members from trusted domains. To migrate groups with member accounts from trusted domains, you must first establish the same trust relationships in the target domain as exist in the source domain. These trusts will allow authentication to continue to operate as it did before the migration.

For example, a resource domain usually trusts an account domain. This is usually a one-way trust: the resource domain is the trusting domain and the account domain is the trusted domain. When you migrate users from an account domain into a target Windows 2000 domain, the resource domain temporarily remains outside of the forest. To allow the migrated users access to the resources in the resource domain, you must establish a new one-way trust in which the resource domain trusts the target domain in the Windows 2000 forest. Because trusts with Windows NT 4.0 domains are non-transitive, each resource domain needs its own trust to the target domain. This trust will remain active until the resource domain is migrated into the forest and finally decommissioned.

The Trust Migration Wizard establishes these trusts by comparing the trust relationships in the source domain to the trust relationships in the target domain. The Trust Migration Wizard mirrors in the target domain any trust relationships that exist in the source domain but not in the target domain. This wizard does not affect any trusts that exist in the target domain but not in the source domain.

Migrating an account domain

In a typical account domain and resource domain relationship, as shown in the illustration, the Windows NT resource domains trust the source account domain. Resource domains must also trust the new target account domain. This allows users in the account domain to access resources in the resource domains.

Resource domains trust the source account domain. They must also trust the new target account domain.

Before migrating user accounts from the Windows NT account domain to the Windows 2000 target domain, you must create trusts from each of the resource domains that trust the account domain to the Windows 2000 target domain. This will allow user accounts migrated to the target domain to access resources in the resource domains. Once the new trusts are established, you can clone the global groups and the users from the source account domain to the target domain.

Remove trusts to source domain and decommission the source domain.

As shown in the illustration, once you have migrated the users and global groups to the target domain, you can decommission the Windows NT 4.0 account domains. Because of the trusts created between the resource domains and the Windows 2000 target domain, the newly cloned users in the target domain can continue to access resources in the resource domains.

Migrating a resource domain

For increased manageability, resources can be migrated into organizational units in the target domain.

Resource domains trust the account domain. The target domain must also trust the account domain.

As shown in the illustration, when migrating a Windows NT 4.0 resource domain, you must create a trust in which the target Windows 2000 domain trusts the account domain trusted by that resource domain. Once the trusts are in place, you can clone the local groups that control access to the various resources, demote the backup domain controllers in the resource domain and, if desired, move them to the target domain.

Remove trusts to source domain and decommission the source domain.

As shown in the illustration, when all resources have been transferred, you can decommission the original resource domain.
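The following is an added example, not code from the original page or from the Active Directory Migration Tool. It models the comparison rule the Trust Migration Wizard applies (mirror into the target every trust the source domain has) and then checks both scenarios above: cloning users out of an account domain, and migrating a resource domain. A trust is a directed pair (trusting domain, trusted domain), and because trusts with Windows NT 4.0 domains are one-way and non-transitive, the access check is a single-edge lookup rather than a graph search. The domain names SALES, RES1, RES2 and CORP, and the assumed two-way trust between source and target set up for the migration tooling, are constructed for illustration.

```python
"""Trust mirroring and access checks for an NT 4.0 to Windows 2000 migration.

Added example, not ADMT code. Trusts are (trusting, trusted) pairs: principals
in the trusted domain can be granted access to resources in the trusting domain.
"""


def trusts_to_mirror(source, target, trusts):
    """Trusts that must be created so the target has every trust the source has.

    Mirrors the Trust Migration Wizard's comparison: trusts present in the
    target but absent from the source are left alone, and trusts between the
    source and target themselves are never mirrored (they would be self-trusts).
    """
    needed = set()
    for trusting, trusted in trusts:
        if trusting == source and trusted != target:
            needed.add((target, trusted))      # source trusts X  ->  target must trust X
        elif trusted == source and trusting != target:
            needed.add((trusting, target))     # X trusts source  ->  X must trust target
    return needed - trusts


def can_access(user_domain, resource_domain, trusts):
    """One hop only: NT 4.0 trusts are non-transitive."""
    return user_domain == resource_domain or (resource_domain, user_domain) in trusts


def access_after_migration(user_domain, resource_domains, trusts):
    """Per resource domain, can a user cloned into user_domain still reach it?"""
    return {r: can_access(user_domain, r, trusts) for r in resource_domains}


def safe_to_decommission(source, target, trusts):
    """True when every trust the source takes part in already has its mirror."""
    return not trusts_to_mirror(source, target, trusts)


def decommission(domain, trusts):
    """The 'remove trusts to source domain and decommission' step."""
    return {t for t in trusts if domain not in t}


# Constructed scenario (assumed names): NT 4.0 account domain SALES,
# NT 4.0 resource domains RES1 and RES2, Windows 2000 target domain CORP.
# The two-way SALES<->CORP trust is assumed to exist for the migration tooling.
SCENARIO_TRUSTS = {
    ("RES1", "SALES"),   # resource domain trusts account domain
    ("RES2", "SALES"),
    ("CORP", "SALES"),   # assumed: target trusts source
    ("SALES", "CORP"),   # assumed: source trusts target
}
RESOURCE_DOMAINS = ["RES1", "RES2"]


def account_domain_migration(source="SALES", target="CORP", trusts=SCENARIO_TRUSTS):
    """Walk the account-domain scenario; returns (before, mirrored, after, remaining)."""
    before = access_after_migration(target, RESOURCE_DOMAINS, trusts)
    mirrored = trusts_to_mirror(source, target, trusts)     # created before cloning users
    with_mirror = trusts | mirrored
    after = access_after_migration(target, RESOURCE_DOMAINS, with_mirror)
    assert safe_to_decommission(source, target, with_mirror)
    remaining = decommission(source, with_mirror)           # source domain retired
    return before, mirrored, after, remaining


def resource_domain_migration(source="RES1", target="CORP", account="SALES"):
    """Resource-domain scenario: RES1 trusts SALES, so CORP must trust SALES."""
    trusts = {(source, account)}
    return trusts_to_mirror(source, target, trusts)


if __name__ == "__main__":
    before, mirrored, after, remaining = account_domain_migration()
    print("access before mirroring:", before)
    print("trusts to create:", sorted(mirrored))
    print("access after mirroring:", after)
    print("trusts left after decommission:", sorted(remaining))
    print("resource-domain migration needs:", resource_domain_migration())
```

The same comparison function serves both directions: for an account domain it yields the incoming trusts that each resource domain must extend to the target, and for a resource domain it yields the outgoing trust the target must extend to the account domain. Running it against the real trust lists (for example the output of `netdom` queries) before cloning is a cheap way to confirm nothing will be lost when the source domain is retired.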