How to create a Forest Trust in Windows Server 2008 R2


Prerequisites

Before a trust can be established, name resolution must work in both directions: the DNS servers in each forest must be able to resolve the other forest's domain name and the SRV records of its domain controllers (for example _ldap._tcp.dc._msdcs.globodivision.com).  This is normally done with conditional forwarders, stub zones, or secondary zones for the other forest's DNS zone.  A forest trust also requires that both forests are at the Windows Server 2003 forest functional level or higher.  You can check the forest functional level by going to Administrative Tools -> Active Directory Domains and Trusts, right-clicking the forest root and selecting Raise Forest Functional Level; the dialog shows the current level.  Close it with Cancel unless you really intend to raise the level, because raising it cannot be undone.

Tutorial

1. Go into Active Directory Domains and Trusts inside of Administrative Tools.  Once inside you should see something similar to the next screen.  Right-click the domain you would like to create a trust for and select Properties.  In this tutorial, the domain we will create a trust for is called misdivision.net.

2.  Inside of properties, select the Trusts tab.  You should see something like the next screen.  Select New Trust.

3.  This is the New Trust Wizard.  Select Next.

4.  In this tutorial we are going to create a forest trust.  For a forest trust, the trust name must be the fully qualified DNS name of the other forest's root domain, not its NetBIOS name.  We are going to create a trust with a forest whose root domain is called globodivision.com.  Select Next after specifying the trust name.

5.  Here you select the trust type.  A forest trust, the one we are creating, is created between the two forest root domains and is transitive, so every domain in one forest trusts every domain in the other.  The other option is an external trust, which is created between two individual domains only and is non-transitive.  Select Forest trust and then select Next.

6.  Here you specify the direction of the trust.  A two-way trust means users in either forest can be authenticated in the other.  A one-way trust works in one direction only, and the wizard names it from the point of view of the domain you are working on: One-way: incoming means users in this domain can be authenticated in the specified forest, and One-way: outgoing means users in the specified forest can be authenticated in this domain.  Select Two-way and select Next.

7.  Here you can set up the trust on this domain or both domains involved in the trust.  Select Both this domain and the specified domain.  You can only do this if you have credentials for the other domain.  If you do not have credentials for the other domain, you would have to get an administrator for the other domain to create the other side of the trust.  Select Next.

8.  Input administrative credentials for the other domain to automatically establish the other side of the trust on that domain.  Select Next when finished.

9.  Here you choose how users from the specified forest are authenticated in the local forest.  With Forest-wide authentication, every user in the other forest is automatically authenticated on every computer in this forest, which makes them members of Authenticated Users here; anything granted to Authenticated Users or Everyone in this forest becomes reachable from the other forest.  With Selective authentication, users from the other forest can only use a computer or service in this forest on which they have explicitly been granted the Allowed to Authenticate permission; this is the least-privilege choice and the one to use for a trust with another organization.  Forest-wide authentication is generally used between forests that belong to the same organization.  Select Forest-wide authentication and select Next.  The next screen asks the same question for the specified forest, that is, how users from the local forest are authenticated there.  Again, select Forest-wide authentication and select Next.

10.  You can review the selections you have made here.  Select Next when you have verified they are the selections you wanted.

11.  If your trust was created successfully, you will see this next screen.  There are a few reasons that you may not be able to set up a trust.  DNS between the forests may not be set up properly; make sure that the DNS servers in each forest can resolve the domain name and domain controller SRV records of the other forest.  Make sure you have the correct administrator credentials for the other domain.  In a lab environment, you may not be able to set up a trust if the two domain controllers were deployed from the same virtual machine template without running Sysprep: the clones share a machine SID, the domains built on them end up with identical domain SIDs, and the trust is rejected.

12.  The next two screens of the wizard ask whether you want to confirm the outgoing trust and the incoming trust.  Confirming contacts the other forest and checks that its side of the trust is in place.  Select Yes, confirm the outgoing trust, then Yes, confirm the incoming trust, and select Next on each screen.

13.  This is the last screen of the wizard.  Select Finish after verifying the changes.

The new trust now appears under Trusts in the properties of misdivision.net.

On the domain controller of the other domain, you can verify that the trust was created by going to Administrative Tools -> Active Directory Domains and Trusts, right-click the domain, and select the Trusts tab under Properties.  The other side of the trust was created automatically because we selected the Both this domain and the specified domain option in Step 7.

Once the trust has been established, you will be able to grant permissions to users from the other, trusted forest on resources in this forest, or add them to domain local groups that already hold permissions here (global groups cannot contain users from another forest).  Leave SID filtering enabled on the trust; it is on by default for a new forest trust and discards SIDs in the other forest's tokens that claim membership in this forest's groups.
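The same procedure in script form, added here as an example and not part of the original tutorial: it checks the two prerequisites, creates the two-way forest trust from both sides at once (the wizard's Both this domain and the specified domain option), and then verifies it, using the .NET System.DirectoryServices.ActiveDirectory classes that ship with Windows Server 2008 R2 and the netdom tool.  The forest names are the ones used in the tutorial; the GLOBODIVISION\Administrator account and the choice of selective authentication are assumptions for the example.  Run it in an elevated PowerShell prompt on a misdivision.net domain controller as a member of Enterprise Admins.

```powershell
# Added example (not the tutorial's own code): build and verify the two-way
# forest trust from Steps 1-13 with PowerShell 2.0 on Windows Server 2008 R2.
# Assumptions: the forest names from the tutorial and an Administrator account
# in the other forest; replace them for your environment.
$ErrorActionPreference = 'Stop'
Add-Type -AssemblyName System.DirectoryServices

$localForestName  = 'misdivision.net'                              # this forest (assumed)
$remoteForestName = 'globodivision.com'                            # the other forest (assumed)
$remoteCred       = Get-Credential 'GLOBODIVISION\Administrator'   # assumed account, prompts for password

# --- Prerequisite 1: DNS. A forest's DNS name resolves to its domain controllers,
# so this lookup fails until the conditional forwarder or stub zone is in place.
try   { $null = [System.Net.Dns]::GetHostAddresses($remoteForestName) }
catch { throw "Cannot resolve $remoteForestName from this DC; fix DNS (conditional forwarder or stub zone) first." }

# --- Prerequisite 2: both forests at Windows Server 2003 forest functional level or higher.
$local   = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$ctxArgs = @([System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Forest,
             $remoteForestName, $remoteCred.UserName, $remoteCred.GetNetworkCredential().Password)
$ctx     = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext -ArgumentList $ctxArgs
$remote  = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ctx)
$minimum = [System.DirectoryServices.ActiveDirectory.ForestMode]::Windows2003Forest
foreach ($f in @($local, $remote)) {
    if ([int]$f.ForestMode -lt [int]$minimum) {
        throw "Forest $($f.Name) is at $($f.ForestMode); a forest trust needs Windows2003Forest or higher."
    }
}

# --- Steps 4-8: two-way forest trust, both sides created in one call using the
# remote credential (the wizard's "Both this domain and the specified domain").
$dir = [System.DirectoryServices.ActiveDirectory.TrustDirection]::Bidirectional
$local.CreateTrustRelationship($remote, $dir)

# --- Step 9, least-privilege variant: selective authentication on both sides, so a
# user from the other forest can only reach computers where he was granted
# "Allowed to Authenticate". Remove these two lines to keep forest-wide
# authentication as the tutorial does.
$local.SetSelectiveAuthenticationStatus($remoteForestName, $true)
$remote.SetSelectiveAuthenticationStatus($localForestName, $true)

# --- Step 12 and the check at the end of the tutorial: confirm both directions,
# make sure SID filtering is still on, and list the trust as ADDT shows it.
$local.VerifyTrustRelationship($remote, $dir)
if (-not $local.GetSidFilteringStatus($remoteForestName)) {
    Write-Warning "SID filtering is disabled towards $remoteForestName; SIDs from that forest can claim membership in local groups."
}
$local.GetAllTrustRelationships() |
    Where-Object { $_.TargetName -eq $remoteForestName } |
    Format-Table SourceName, TargetName, TrustType, TrustDirection -AutoSize

# netdom checks the trust from the trusting side named first; run it again on a
# globodivision.com DC with the names swapped to check the other side.
& netdom trust $localForestName /domain:$remoteForestName /verify
```

The script stops on the first failure because of $ErrorActionPreference, so a DNS or functional-level problem is reported before any trust object is written.  If you keep the selective authentication lines, nobody from the other forest can use a resource here until you grant Allowed to Authenticate on the relevant computer objects, which is the intended starting point for a trust with another organization.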
