The document discusses security aspects of establishing Active Directory trust relationships between the customer’s Active Directory forest and other domains/forests. The primary use case has users from an external AD domain accessing their Exchange mailboxes hosted on servers in the company domain (“dir.company.com”) with Kerberos as the preferred authentication protocol. In Active Directory terminology the direction of trust is opposite to the direction of access, thus the company’s forest (“dir.company.com”) needs to trust the partner’s AD domain. The document hence focuses on the scenario of a one-way trust where the dir.company.com (=”company”) AD-forest trusts the partner’s AD forest, but not the other way around.