Create Two-Way Forest Trust in Windows Server 2008 R2

Spread the love




Trust is relationship that is established between domains within a forest or across the forest which allows for sharing of resources and authentication. For example, User-A is created in domain-A. When User-A wants to access resource that’s located in domain-B then, domain-B should trust domain-A before user-A can access resource of domain-B. Some trusts are created automatically whereas some trusts needs to be created manually. When you add additional domain in a single forest transitive trust is automatically created between the domains. So two-way transitive trusts are automatically created between parent and child domain within a forest. In this article, I will show steps to create two-way forest trust in Windows Server 2008 R2. There are different types of trusts: –

  • Parent Child Trust (Transitive, two-way)
  • Tree Root Trust (Transitive, two-way)
  • Forest Trust (Transitive, two-way)
  • Shortcut Trust (Non-Transitive, one-way)
  • External Trust (Transitive, two-way)
  • Realm Trust (Non-Transitive, one-way)

Create Two-Way Forest Trust in Windows Server 2008 R2

We have two forests mustbegeek.com and mustbeweb.com as shown in the diagram below. Before creating the trust make sure you have network level reachability between the forests. In production environment, you will most likely create IPSec VPN connection between two sites. Make sure these ports are allowed within the VPN tunnel,

53   TCP/UDP  DNS
88   TCP/UDP  Kerberos
389  TCP/UDP  LDAP
445  TCP      SMB
636  TCP      LDAP (SSL)
135 TCP Trust endpoint resolution

Another important thing is to create conditional forwarding in DNS servers on each forest for DNS resolution to work properly.

trusts



Now, to create the two-way forest trust, login to MBG-DC01 domain controller in mustbegeek.com forest. The following steps needs to be completed in WEB-DC01 domain controller in mustbeweb.com forest as well.

  1. Open Active Directory Domains and Trusts.
    Create Two-Way Forest Trust in Windows Server 2008 R2
  2. Right-click the domain name and click properties to open the properties of mustbegeek.com domain.
    trust
  3. Select Trusts tab. Click New Trust. New Trust wizard will open. Click Next on the welcome screen.
    trust-domain
  4. In the trust name, type the name of the domain. Type mustbeweb.com domain name. Click Next.
    forest-trust
  5. Choose forest trust. Click Next.
    two-way
  6. Choose two-way trust. Click Next.
    this-domain
  7. Choose this domain only. Click Next.
    forest-wide
  8. Choose forest-wide authentication. Click Next.
    trust-password
  9. Enter the trust password and click Next.
    complete
  10. Review the configuration and click Next.
    trust-complete
  11. Trust creation has now been complete. As you can see above, two-way forest trust has been created with forest-wide authentication. Click Next.
    confirm-outgoing-trust
  12. In the confirm outgoing trust, choose no, do not confirm the outgoing trust option. Click Next.
    incoming-trust
  13. In the confirm incoming trust, choose no, do not confirm the incoming trust option. Click Next.
    finish
  14. The trust relationship has been created successfully in this domain controller. Click Finish.
    trusts-mustbegeek
  15. You can now view the trust relationship from the trusts tab as shown above.

Now repeat the above steps in WEB-DC01 domain controller in the mustbeweb.com forest. After configuring the trust relationship. You can test by sharing the folder in mustbegeek.com domain and assigning permission to users located at mustbeweb.com.

folder-sharing

Users in mustbeweb.com forest can also access resources shared in mustbegeek.com domain.

 




The following two tabs change content below.
Bipin is a freelance Network and System Engineer with expertise on Cisco, Juniper, Microsoft, VMware, and other technologies. You can hire him on UpWork. Bipin enjoys writing articles and tutorials related to Network technologies. Some of his certifications are, MCSE:Messaging, JNCIP-SEC, JNCIS-ENT, and others.

Latest posts by Bipin (see all)

scroll to top