A trust is a relationship established between domains within a forest, or between forests, that allows authentication and resource sharing across the boundary. For example, User-A is created in domain-A. When User-A wants to access a resource located in domain-B, domain-B must trust domain-A before User-A can be authenticated to that resource. Some trusts are created automatically and some must be created manually. When you add a domain to an existing forest, a two-way transitive trust is created automatically between the new domain and its parent (or between the new tree root and the forest root), so every domain in a forest already trusts every other. Trusts between separate forests, such as the one in this article, are never automatic and should be treated as a security boundary decision: the trusting forest is extending authentication to every account the other forest chooses to create. In this article, I will show the steps to create a two-way forest trust in Windows Server 2008 R2. There are different types of trusts.
- Parent-child trust (transitive, two-way; created automatically)
- Tree-root trust (transitive, two-way; created automatically)
- Forest trust (transitive, one-way or two-way; created manually)
- Shortcut trust (transitive, one-way or two-way; created manually to shorten an authentication path inside a forest)
- External trust (non-transitive, one-way or two-way; created manually to a single domain in another forest)
- Realm trust (transitive or non-transitive, one-way or two-way; created manually to a non-Windows Kerberos realm)
Create Two-Way Forest Trust in Windows Server 2008 R2
We have two forests, mustbegeek.com and mustbeweb.com, as shown in the diagram below. Before creating the trust make sure you have network-level reachability between the forests. In a production environment you will most likely create an IPsec VPN connection between the two sites. Make sure these ports are allowed between the domain controllers through the VPN tunnel:
- 53 TCP/UDP, DNS
- 88 TCP/UDP, Kerberos
- 135 TCP, RPC endpoint mapper (trust endpoint resolution); the RPC call that actually creates and verifies the trust is then redirected to a dynamic port, 49152-65535 on Windows Server 2008 R2, so that range must be allowed as well or the wizard fails after port 135 has been reached
- 389 TCP/UDP, LDAP
- 445 TCP, SMB
- 636 TCP, LDAP over SSL
Another important prerequisite is a conditional forwarder on the DNS servers of each forest pointing at the other forest, so that the domain controllers and SRV records of the remote forest can be resolved. The New Trust wizard locates a domain controller in the other forest through DNS; without name resolution it cannot create the trust no matter what the firewall allows.
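To check these two prerequisites from the command line before opening the wizard, here is an added PowerShell example (it is not part of the original article). It runs on MBG-DC01 in mustbegeek.com and is repeated on WEB-DC01 with the names swapped; the address 10.20.0.10 for WEB-DC01 is an assumption for the example. It uses a raw TCP connect rather than Test-NetConnection because Server 2008 R2 ships with PowerShell 2.0, and dnscmd rather than the DNS cmdlets for the same reason.

```powershell
# Added example, not from the original article. Run on MBG-DC01 (mustbegeek.com)
# before opening the New Trust wizard; repeat on WEB-DC01 with the names swapped.
$remoteForest = 'mustbeweb.com'
$remoteDc     = '10.20.0.10'   # assumed IP address of WEB-DC01 across the VPN

# TCP ports the article lists. 135 is only the RPC endpoint mapper: the trust
# RPC call itself is redirected to a dynamic port (49152-65535 on 2008 R2),
# so that range must also be allowed through the tunnel.
$tcpPorts = @{
    53 = 'DNS'; 88 = 'Kerberos'; 135 = 'RPC endpoint mapper'
    389 = 'LDAP'; 445 = 'SMB'; 636 = 'LDAP over SSL'
}

function Test-TcpPort {
    param([string]$Server, [int]$Port, [int]$TimeoutMs = 3000)
    # Plain TCP connect with a timeout, which works on PowerShell 2.0.
    # UDP (53/88/389) is not exercised here, but a closed tunnel still shows up.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Server, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$blocked = @()
foreach ($port in ($tcpPorts.Keys | Sort-Object)) {
    $open = Test-TcpPort -Server $remoteDc -Port $port
    '{0,5} {1,-20} {2}' -f $port, $tcpPorts[$port], $(if ($open) { 'open' } else { 'BLOCKED' })
    if (-not $open) { $blocked += $port }
}
if ($blocked) {
    Write-Warning "Fix the VPN/firewall for port(s) $($blocked -join ', ') before continuing."
}

# Conditional forwarder so this forest's DNS can resolve the other forest.
# dnscmd ships with the DNS Server role on Windows Server 2008 R2.
dnscmd localhost /ZoneAdd $remoteForest /Forwarder $remoteDc

# The wizard finds a DC in the other forest through this SRV record; if it does
# not resolve, the trust cannot be created regardless of what the firewall allows.
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$remoteForest"
```

The port check only proves that the tunnel and firewall pass the listed TCP ports; a blocked dynamic RPC range will still surface later as the wizard failing to contact the remote domain, which is why the comment calls it out separately.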
Now, to create the two-way forest trust, log in to the MBG-DC01 domain controller in the mustbegeek.com forest. Because the wizard below creates only this forest's side of the trust, the same steps must also be completed on the WEB-DC01 domain controller in the mustbeweb.com forest.
- Open Active Directory Domains and Trusts.
- Right-click the domain name and click Properties to open the properties of the mustbegeek.com domain.
- Select the Trusts tab and click New Trust. The New Trust wizard opens. Click Next on the welcome screen.
- In Trust Name, type the DNS name of the other forest, mustbeweb.com. Click Next.
- Choose Forest trust. Click Next.
- Choose Two-way. Click Next.
- Choose This domain only. The other side of the trust will be created separately on WEB-DC01. Click Next.
- Choose Forest-wide authentication. Click Next. Note that forest-wide authentication places every user of mustbeweb.com in the Authenticated Users group on every computer in mustbegeek.com; if only a few groups from the other forest need access, Selective authentication is the least-privilege choice, at the cost of granting Allowed to Authenticate on each computer object those groups must reach.
- Enter the trust password and click Next. The password is used only to pair the two sides of the trust; the identical password must be entered when the wizard is run on WEB-DC01, so use a strong one and discard it afterwards.
- Review the configuration and click Next.
- Trust creation is now complete. As you can see above, a two-way forest trust has been created with forest-wide authentication. Click Next.
- In Confirm Outgoing Trust, choose No, do not confirm the outgoing trust. Click Next.
- In Confirm Incoming Trust, choose No, do not confirm the incoming trust. Click Next. Confirmation is skipped here because the other forest's side of the trust does not exist yet and the check would fail; the trust is validated after both sides have been created.
- The trust relationship has been created successfully on this domain controller. Click Finish.
- You can now view the trust relationship on the Trusts tab, as shown above.
Now repeat the above steps on the WEB-DC01 domain controller in the mustbeweb.com forest, entering mustbegeek.com as the trust name and the same trust password. Once both sides exist, validate the trust from the Trusts tab (select the trust, click Properties, then Validate) in either forest; a validation failure at this point almost always means the trust passwords did not match or the RPC ports are blocked. You can then test by sharing a folder in the mustbegeek.com domain and assigning permissions to users located in mustbeweb.com.
Because the trust is two-way, users in the mustbeweb.com forest can likewise be granted access to resources shared in the mustbegeek.com domain, and vice versa.
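The validation and the authentication-scope decision above can also be done and audited from the command line. The following PowerShell is an added example and not part of the original article; it assumes the ActiveDirectory module from RSAT plus netdom and nltest are available on MBG-DC01, and it reads the trustedDomain object directly because Get-ADTrust only exists in the Windows Server 2012 and later module. The trustDirection values and trustAttributes bits it decodes are the ones documented in MS-ADTS.

```powershell
# Added example, not from the original article. Run on MBG-DC01 after the wizard
# has been completed on both MBG-DC01 and WEB-DC01.
Import-Module ActiveDirectory

$localForest  = 'mustbegeek.com'
$remoteForest = 'mustbeweb.com'

# 1. Validate the trust in both directions. Failure here usually means the far
#    side has not been created yet, the trust passwords differ, or RPC is blocked.
netdom trust $localForest /d:$remoteForest /verify
netdom trust $localForest /d:$remoteForest /verify /kerberos
nltest /domain_trusts /all_trusts

# 2. Audit how the trust is configured by reading the trustedDomain object.
$trust = Get-ADObject -Filter "objectClass -eq 'trustedDomain' -and name -eq '$remoteForest'" `
                      -Properties trustDirection, trustAttributes, securityIdentifier

$directionNames = @{ 1 = 'inbound'; 2 = 'outbound'; 3 = 'two-way' }
$direction = $directionNames[[int]$trust.trustDirection]

# trustAttributes bits from MS-ADTS that matter for a forest trust.
$attrNames = @{
    0x01 = 'NON_TRANSITIVE'
    0x04 = 'QUARANTINED_DOMAIN (SID filter quarantining)'
    0x08 = 'FOREST_TRANSITIVE'
    0x10 = 'CROSS_ORGANIZATION (selective authentication)'
    0x40 = 'TREAT_AS_EXTERNAL (forest SID filtering relaxed to external-trust rules)'
}
$attrs = [int]$trust.trustAttributes

'Trust to {0}: {1}, trustAttributes 0x{2:X}, SID {3}' -f `
    $remoteForest, $direction, $attrs, $trust.securityIdentifier
foreach ($bit in ($attrNames.Keys | Sort-Object)) {
    if ($attrs -band $bit) { '  set: ' + $attrNames[$bit] }
}

# 3. Checks a practitioner wants before putting the trust into use.
if (-not ($attrs -band 0x08)) {
    Write-Warning 'Not forest-transitive: the wizard was run with "External trust", not "Forest trust".'
}
if ($attrs -band 0x40) {
    Write-Warning "SID history from $remoteForest is honoured; an attacker controlling that forest could inject SIDs from this forest."
}
if (-not ($attrs -band 0x10)) {
    Write-Warning "Forest-wide authentication: every user in $remoteForest is in Authenticated Users on every computer here."
    # Least-privilege alternative: switch to selective authentication, then grant
    # "Allowed to Authenticate" on each computer object the remote groups must reach.
    # netdom trust $localForest /d:$remoteForest /SelectiveAUTH:yes
}
```

The netdom switch at the end is left commented out because it changes the trust rather than inspecting it; run it deliberately, and expect access from the other forest to stop working until the Allowed to Authenticate permission has been granted on the servers those users need.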