Create Two-Way Forest Trust in Windows Server 2008 R2


A trust is a relationship established between two domains, inside one forest or across forests, that allows users of one domain to authenticate to and access resources in the other. For example, User-A is created in domain-A. When User-A wants to access a resource located in domain-B, domain-B must trust domain-A before User-A can be granted access to that resource. Some trusts are created automatically, others must be created manually. When you add a domain to an existing forest, a two-way transitive trust is created automatically between the parent and child domains (or between the tree roots), so every domain in a forest already trusts every other domain in it. Trusts to another forest, to a single external domain or to a non-Windows Kerberos realm have to be created by hand. In this article, I will show the steps to create a two-way forest trust in Windows Server 2008 R2. The trust types are:

  • Parent-Child Trust (transitive, two-way; created automatically when a child domain is added)
  • Tree-Root Trust (transitive, two-way; created automatically when a new domain tree is added to the forest)
  • Forest Trust (transitive, one-way or two-way; between the root domains of two forests)
  • Shortcut Trust (transitive, one-way or two-way; shortens the Kerberos referral path between two domains in the same forest)
  • External Trust (non-transitive, one-way or two-way; to a single domain in another forest or to a Windows NT 4.0 domain)
  • Realm Trust (transitive or non-transitive, one-way or two-way; to a non-Windows Kerberos realm)

Create Two-Way Forest Trust in Windows Server 2008 R2

We have two forests, as shown in the diagram below. Before creating the trust, make sure you have network-level reachability between the forests. In a production environment, you will most likely build an IPsec VPN between the two sites. Allow at least the following traffic between the domain controllers of the two forests through the tunnel, restricted to the domain controllers' addresses rather than the whole subnet:

53    TCP/UDP  DNS (conditional forwarding between the forests)
88    TCP/UDP  Kerberos
135   TCP      RPC endpoint mapper (trust endpoint resolution), plus the RPC dynamic port range (49152-65535 on Windows Server 2008 and later) that the LSA and Netlogon calls are handed off to
389   TCP/UDP  LDAP
445   TCP      SMB
464   TCP/UDP  Kerberos password change
636   TCP      LDAP over SSL

Another important thing is DNS: create a conditional forwarder on the DNS servers of each forest that sends queries for the other forest's namespace to that forest's DNS servers (stub or secondary zones also work). The New Trust wizard locates the other forest through its _msdcs SRV records, so if the remote forest name does not resolve, the wizard fails before it ever tries to authenticate.
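The following script, added here as an example and not part of the original article, performs the two prerequisite checks above from a 2008 R2 domain controller before the wizard is run: it probes the listed TCP ports on the other forest's domain controller, then creates the conditional forwarder with dnscmd (the Add-DnsServerConditionalForwarderZone cmdlet only exists from Windows Server 2012) and confirms that the remote forest's DC locator record resolves. The forest name forestb.example and the address 10.20.0.10 are placeholders; replace them with your own values.

```powershell
# Added example, not from the original article. Assumptions: the other forest's
# root domain is "forestb.example" and one of its domain controllers (which also
# runs DNS) is 10.20.0.10. Adjust both before running.
$RemoteForest = "forestb.example"
$RemoteDc     = "10.20.0.10"

# TCP ports that trust creation and cross-forest authentication depend on.
# (UDP 53/88/389/464 and the RPC dynamic range are not probed here.)
$Ports = @{
    53  = "DNS"
    88  = "Kerberos"
    135 = "RPC endpoint mapper"
    389 = "LDAP"
    445 = "SMB"
    464 = "Kerberos password change"
    636 = "LDAP over SSL"
}

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    # PowerShell 2.0 on 2008 R2 has no Test-NetConnection, so use a raw TcpClient
    # with an explicit timeout instead of waiting for the default connect timeout.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

"Port reachability from $env:COMPUTERNAME to ${RemoteDc}:"
foreach ($port in ($Ports.Keys | Sort-Object)) {
    $state = if (Test-TcpPort -ComputerName $RemoteDc -Port $port) { "open" } else { "BLOCKED" }
    "{0,5}  {1,-26} {2}" -f $port, $Ports[$port], $state
}

# Conditional forwarder on this DNS server so that names in the other forest resolve.
# dnscmd ships with the DNS Server role on 2008 R2.
dnscmd /ZoneAdd $RemoteForest /Forwarder $RemoteDc
dnscmd /ZoneInfo $RemoteForest

# The New Trust wizard needs the remote forest's DC locator record; check it resolves.
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$RemoteForest"
```

Run it on a DNS server in each forest, pointing at a domain controller of the other forest, so both directions are confirmed before the wizard is started.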


Now, to create the two-way forest trust, log in to the MBG-DC01 domain controller in the first forest. Because the wizard is run with the "this domain only" option below, the same steps then have to be repeated on the WEB-DC01 domain controller in the other forest.

  1. Open Active Directory Domains and Trusts.
  2. Right-click the forest root domain name and click Properties to open the properties of the domain.
  3. Select the Trusts tab and click New Trust. The New Trust Wizard opens; click Next on the welcome screen.
  4. On the Trust Name page, type the DNS name of the root domain of the other forest, the one you want to trust. Click Next.
  5. Choose Forest trust. Click Next. (This option is only offered when both forests are at the Windows Server 2003 forest functional level or higher and the name you typed resolves to a forest root.)
  6. Choose Two-way. Click Next.
  7. Choose This domain only. Click Next. (Both this domain and the specified domain would create both sides in one pass, but requires Enterprise Admins credentials in the other forest.)
  8. Choose Forest-wide authentication. Click Next. Be aware of what this grants: every user in the other forest becomes a member of Authenticated Users in this forest and can log on to any computer and read anything that Authenticated Users can read. If the other forest is not under your administrative control, choose Selective authentication instead and grant the Allowed to Authenticate permission only on the servers that should be reachable.
  9. Enter the trust password and click Next. This password is only a one-time shared secret for setting up the two sides; it has to be typed identically when the wizard is run in the other forest, after which Active Directory rotates the trust secret on its own.
  10. Review the configuration and click Next.
  11. The outgoing side of the two-way forest trust has now been created with forest-wide authentication. Click Next.
  12. On Confirm Outgoing Trust, choose No, do not confirm the outgoing trust. Click Next. (The other side does not exist yet, so confirmation would fail at this point.)
  13. On Confirm Incoming Trust, choose No, do not confirm the incoming trust. Click Next.
  14. The trust relationship has been created successfully on this domain controller. Click Finish.
  15. The new trust is now listed on the Trusts tab.

Now repeat the above steps on the WEB-DC01 domain controller in the other forest, using the same trust password. Once both sides exist, go back to the Trusts tab on either side, select the trust, click Properties and use Validate to confirm it in both directions. You can then test the trust by sharing a folder in one domain and assigning permissions to users located at


Because the trust is two-way, users in the other forest can likewise access resources shared in this domain.
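The script below, added here as an example and not part of the original article, checks the finished trust from either forest with the .NET Active Directory classes available on 2008 R2 and with nltest and netdom. It lists the trusts the forest knows about, reports whether SID filtering and selective authentication are on, and verifies the outbound secure channel to the other forest. It can also create the local half of the trust the same way the wizard does with "this domain only", which is kept behind a switch so the script is safe to run on a forest where the trust already exists. The forest name forestb.example is a placeholder.

```powershell
# Added example, not from the original article. Assumption: the other forest's
# root domain is "forestb.example"; replace it with the real name.
Add-Type -AssemblyName System.DirectoryServices
$RemoteForest    = "forestb.example"
$CreateLocalSide = $false   # $true runs the equivalent of wizard steps 4-9

$Forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

if ($CreateLocalSide) {
    # Same effect as the wizard's "this domain only": only this forest's half of a
    # two-way forest trust is written. The other forest must run the same call with
    # an identical one-time password. Throws if the trust already exists.
    $pw = Read-Host "One-time trust password (must match in the other forest)"
    $Forest.CreateLocalSideOfTrustRelationship($RemoteForest,
        [System.DirectoryServices.ActiveDirectory.TrustDirection]::Bidirectional, $pw)
}

# 1. Every trust this forest has, with type and direction
foreach ($t in $Forest.GetAllTrustRelationships()) {
    "{0} -> {1}  type={2}  direction={3}" -f $t.SourceName, $t.TargetName,
                                             $t.TrustType, $t.TrustDirection
}

# 2. Security settings of the forest trust.
#    SID filtering (quarantine) is enabled by default on a forest trust and should
#    stay enabled: it discards SIDs in a user's token that do not belong to the other
#    forest, so a SIDHistory entry over there cannot claim membership of this forest's
#    Domain Admins. Selective authentication shows which wizard option was picked.
$sidFiltering  = $Forest.GetSidFilteringStatus($RemoteForest)
$selectiveAuth = $Forest.GetSelectiveAuthenticationStatus($RemoteForest)
"SID filtering enabled    : $sidFiltering"
"Selective authentication : $selectiveAuth"
if (-not $sidFiltering) {
    Write-Warning "SID filtering is disabled on the trust to $RemoteForest; re-enable it unless a migration actively needs SIDHistory."
}

# 3. Verify the outbound secure channel. This throws if the other side has not been
#    created yet, the trust passwords did not match, or the required ports are blocked.
try {
    $Forest.VerifyOutboundTrust($RemoteForest)
    "Outbound trust to $RemoteForest verified OK"
} catch {
    Write-Warning ("Outbound trust verification failed: " + $_.Exception.Message)
}

# 4. The same checks with the command-line tools shipped with 2008 R2
$RootName = $Forest.RootDomain.Name
nltest /domain_trusts /all_trusts
netdom trust $RootName "/d:$RemoteForest" /verify
```

Run it once in each forest: VerifyOutboundTrust only exercises the direction from the forest it runs in, so a two-way trust is confirmed only when both forests report success.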


Bipin is a freelance Network and System Engineer with expertise on Cisco, Juniper, Microsoft, VMware, and other technologies. You can hire him on UpWork. Bipin enjoys writing articles and tutorials related to Network technologies. Some of his certifications are, MCSE:Messaging, JNCIP-SEC, JNCIS-ENT, and others.
