
Monday, August 8, 2011

Forest trusts allow cross-forest authentication (Windows 2003)

In Windows 2000, the only way to let users access resources in a different forest was to create external trusts. Because such trusts aren't transitive, you had to create trusts between all domains in each forest, and performance was slow.

Windows Server 2003 supports forest trusts, a different type of trust relationship between the root domains of two forests. Both NTLM and Kerberos authentication are supported, and if you use Kerberos, the trust is transitive.

What's the catch? Both forests have to be operating at a functional level of Windows Server 2003, and both forests must be able to resolve the fully qualified domain names of each other using DNS.
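The difference between a non-transitive external trust and a transitive forest trust can be modelled in a few lines. This is an added example, not code from the original post: the forest and domain names are constructed, all trusts are treated as two-way, and the forest trust is assumed to be used with Kerberos.

```python
from itertools import product

# Constructed sample topology: forest root domain first, then child domains.
FORESTS = {
    "corp.example": ["corp.example", "eu.corp.example", "us.corp.example"],
    "partner.example": ["partner.example", "dev.partner.example"],
}

def forest_of(domain):
    """Return the forest root that owns `domain`."""
    for root, domains in FORESTS.items():
        if domain in domains:
            return root
    raise KeyError(domain)

def can_authenticate(user_domain, resource_domain, trusts):
    """True if a user in user_domain can reach a resource in resource_domain.

    `trusts` is a set of (kind, a, b) tuples, modelled as two-way (assumption):
      ("external", domA, domB)  non-transitive: covers only those two domains
      ("forest", rootA, rootB)  transitive: covers every domain in both forests
    """
    user_forest = forest_of(user_domain)
    resource_forest = forest_of(resource_domain)
    if user_forest == resource_forest:
        return True  # domains inside one forest already trust each other
    for kind, a, b in trusts:
        if kind == "external" and {a, b} == {user_domain, resource_domain}:
            return True
        if kind == "forest" and {a, b} == {user_forest, resource_forest}:
            return True
    return False

def coverage(trusts):
    """Cross-forest (user, resource) domain pairs that can authenticate."""
    a, b = FORESTS.values()
    return [(u, r) for u, r in product(a, b) if can_authenticate(u, r, trusts)]

def full_external_mesh():
    """External trusts needed to cover every cross-forest domain pair."""
    a, b = FORESTS.values()
    return {("external", u, r) for u, r in product(a, b)}

if __name__ == "__main__":
    one_external = {("external", "corp.example", "partner.example")}
    one_forest = {("forest", "corp.example", "partner.example")}
    print("1 external trust covers", len(coverage(one_external)), "pair(s)")
    print("external trusts for full coverage:", len(full_external_mesh()))
    print("1 forest trust covers", len(coverage(one_forest)), "pair(s)")
```

When reviewing an existing environment, the same model helps spot leftover external trusts that a forest trust has made redundant; each one is an extra authentication path to audit.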
