How to create an external trust between two separate domains/forests


A trust is a relationship established between two domains that lets users in one domain be authenticated by a domain controller in the other domain. Active Directory supports several trust types: external, realm, forest and shortcut. An external trust is the usual choice when users of two domains belonging to two different business units (typically two different forests) need to use resources such as printers and file servers in the other domain. This article applies to Windows Server 2003, Windows Server 2008/R2, Windows Server 2012/R2 and Windows Server 2016 domains; the principle written below is the same on all of them.

Authentication Consideration

The scope of authentication granted over a trust is chosen on the trusting (resource) side when the outgoing half of the trust is created:

  • Domain-wide authentication (external trusts; the default). Permits any user in the trusted domain to be authenticated in the trusting domain, and therefore to reach any resource there that grants access to Authenticated Users or Everyone.
  • Forest-wide authentication (forest trusts; the default). Permits any user in the trusted forest to be authenticated in the trusting forest, with the same consequence for resources that grant access to Authenticated Users or Everyone.
  • Selective authentication (external and forest trusts; must be enabled manually). Restricts access over the trust to those users in the trusted domain or forest who have explicitly been granted the "Allowed to Authenticate" permission on the computer objects (resource computers) in the trusting domain or forest. This is the least-privilege option and the one to prefer when the other domain is run by a different organisation.

Administrative Privilege

To create a trust you must be a member of Domain Admins or Enterprise Admins (or an equivalent delegated group) in the domain where you create each half of the trust. When the two halves are created separately, as in this article, that means an administrator in each of the two domains; an administrator who creates both sides in one go needs such credentials in both domains.

Transitive trusts

  • Shortcut trust. A transitive trust between domains in the same domain tree or forest, used to shorten the authentication path in a large or complex forest.
  • Forest trust. A transitive trust between one forest root domain and another forest root domain.
  • Realm trust. A trust between an Active Directory domain and a non-Windows Kerberos V5 realm; a realm trust can be created as either transitive or non-transitive.

Non-transitive trusts

  • External trust. A non-transitive trust between an Active Directory domain and a domain in another forest (or a Windows NT 4.0 domain). It applies only to the two domains named in the trust, not to their child domains or to the rest of either forest, and SID filtering (quarantine) is enabled on it by default.
  • Realm trust. A realm trust created as non-transitive.

You have to fulfil a few requirements before you can activate an external trust. The domain controllers of the two domains must be able to reach each other by IP address; if they are on different subnets, routing must be in place in both directions. If there is a firewall between them, rules must allow the Active Directory traffic (DNS, Kerberos, LDAP, the RPC endpoint mapper and the dynamic RPC range, SMB and Kerberos password change) from both sides. DNS in each domain must be able to resolve the other domain's domain controller locator (SRV) records, not just its host names, because the New Trust Wizard locates a domain controller of the other domain through DNS. A forest trust additionally requires a forest functional level of Windows Server 2003 or later; an external trust does not.

Example:

DC1.DomainA.com  IP address: 192.168.100.2

DC1.DomainB.com  IP address: 192.168.200.2

Step 1: Port requirement

If the sites are connected over MPLS, an IP VPN or another VPN, make sure routing works in both directions. If there is a firewall between the organisations, make sure the Active Directory ports are open on both sides. For the full list see Active Directory and Active Directory Domain Services Port Requirements.

Step 2: Add the other domain's DNS server in the TCP/IP properties of the domain controllers

Open the TCP/IP properties of DC1.DomainA.com and add the IP address of DC1.DomainB.com as the alternate (secondary) DNS server.

Open the TCP/IP properties of DC1.DomainB.com and add the IP address of DC1.DomainA.com as the alternate DNS server.

This is the quickest option in a lab. Note that a DNS client only falls back to the alternate server when the preferred one does not answer, so this setting does not by itself make the other domain resolvable, and in production a domain controller should not depend on a DNS server in a forest you do not control; a conditional forwarder or a stub zone for the other domain is the usual way to resolve it.

Step 3: Ping DomainA from DomainB and vice versa

Log on to a domain controller in each domain and ping the other domain controller by IP address. Replies should come back without delay or timeouts; if they do not, fix routing and firewall rules before going further.

Step 4: Test AD DS ports

From each domain controller, test that you can open TCP connections to the other domain controller on ports 389 and 636 (LDAP), 53 (DNS), 88 (Kerberos), 135 (RPC endpoint mapper) and 445 (SMB), for example with telnet <ip> <port> or, on Windows Server 2012 and later, Test-NetConnection -ComputerName <ip> -Port <port>. These tools check TCP only; the UDP ports (53, 88 and 389) cannot be tested this way.
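The same check scripted for the whole port list, as an added example that is not part of the original article. It is run on one DC against the other; the addresses are the article's lab values, and the list of ports is the one from Microsoft's Active Directory port requirements. It uses System.Net.Sockets.TcpClient rather than Test-NetConnection so that it also works on Windows Server 2008 R2.

```powershell
# Added example, not part of the original article: a TCP connect test for the
# ports an external trust needs, to run on one DC against the other. The
# addresses are the article's lab values; the port list is from Microsoft's
# Active Directory port requirements. Uses System.Net.Sockets.TcpClient so it
# also works on Windows Server 2008 R2 (Test-NetConnection needs 2012 or later).
$RemoteDc = '192.168.200.2'   # on DC1.DomainA.com; use 192.168.100.2 on DC1.DomainB.com

$Ports = @(
    @{ Port = 53;   Service = 'DNS' },
    @{ Port = 88;   Service = 'Kerberos' },
    @{ Port = 135;  Service = 'RPC endpoint mapper' },
    @{ Port = 389;  Service = 'LDAP' },
    @{ Port = 445;  Service = 'SMB (Netlogon, trust setup)' },
    @{ Port = 464;  Service = 'Kerberos password change' },
    @{ Port = 636;  Service = 'LDAP over SSL' },
    @{ Port = 3268; Service = 'Global Catalog' },
    @{ Port = 3269; Service = 'Global Catalog over SSL' }
)

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Asynchronous connect so a silently dropped packet (typical firewall
        # behaviour) fails after $TimeoutMs instead of the OS default of ~20 s.
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws if the port was actively refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$blocked = @()
foreach ($p in $Ports) {
    $open = Test-TcpPort -ComputerName $RemoteDc -Port $p.Port
    '{0,-5} {1,-30} {2}' -f $p.Port, $p.Service, $(if ($open) { 'open' } else { 'BLOCKED' })
    if (-not $open) { $blocked += $p.Port }
}

# What a connect test cannot show: UDP 53, 88 and 389 (DNS, Kerberos and the
# LDAP ping used by the DC locator) and the dynamic RPC range (TCP 49152-65535
# on Windows Server 2008 and later), which the firewall rule must also allow.
if ($blocked) {
    Write-Warning ('Blocked TCP ports to {0}: {1}' -f $RemoteDc, ($blocked -join ', '))
} else {
    "All listed TCP ports on $RemoteDc are reachable."
}
```

Run it on each domain controller with the other DC's address. A port shown as BLOCKED after the 3-second timeout is almost always a firewall dropping the packet; a port that fails immediately is being refused, which usually means the service is not listening on that DC.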

Step 5: Health check

Run a quick AD health check on both sides before creating the trust: dcdiag /v and repadmin /replsummary on each domain controller, and fix any errors they report. Failures in the DNS test (dcdiag /test:dns), in particular missing SRV records, will later surface in the New Trust Wizard as "the specified domain cannot be contacted".

Step 6: Create reverse lookup zones in both organisations

On DC1.DomainA.com, add a reverse lookup zone for the 192.168.200.0/24 subnet so that the PTR record of DC1.DomainB.com can be created: right-click Reverse Lookup Zones > New Zone > Next > Primary Zone > Next > IPv4 Reverse Lookup Zone > type 192.168.200 > Next > Finish.

Repeat on DC1.DomainB.com for 192.168.100.0/24: right-click Reverse Lookup Zones > New Zone > Next > Primary Zone > Next > IPv4 Reverse Lookup Zone > type 192.168.100 > Next > Finish.

Reverse lookup is a convenience for troubleshooting; the trust itself does not depend on PTR records.

Step 7: Create forward lookup zones in both organisations

Each DNS server must be able to resolve the other domain. This article does it by creating a primary forward lookup zone for DomainB.com on DomainA's DNS server and vice versa, and then filling the zones by hand (Steps 8 and 9). Be aware of the limitation: a hand-built primary zone makes your server authoritative for the other domain but contains only the records you type in, so the domain controller locator records (_ldap._tcp.dc._msdcs.DomainB.com and the other SRV records under _msdcs) that the New Trust Wizard looks up will be missing unless you add them as well. A conditional forwarder, a stub zone, or a secondary zone transferred from the other domain's DNS server avoids that problem and stays current when the other side changes; prefer one of those where the other organisation's DNS server is reachable.

To create the zone by hand, log on to DomainA.com > open DNS Manager > right-click Forward Lookup Zones > New Zone > Primary Zone > choose the replication scope (the default, or "To all domain controllers in this forest") > type the zone name DomainB.com > allow secure dynamic updates > finish the wizard.

Repeat in DomainB.com with the zone name DomainA.com.

Step 8: Create host (A) records in both organisations

Create a host (A) record for the domain controller of DomainB.com in the DomainB.com zone on DomainA's DNS server, and a host (A) record for the domain controller of DomainA.com in the DomainA.com zone on DomainB's DNS server.

On DC1.DomainA.com: right-click the DomainB.com forward lookup zone created in Step 7 > New Host (A) > leave the Name field blank (the record then carries the zone name itself, DomainB.com, which is how a real domain's DNS resolves the domain name to its domain controllers) > type the IP address of DC1.DomainB.com > tick Create associated pointer (PTR) record > Add Host. Then add a second host record named DC1 with the same address, so that DC1.DomainB.com resolves as well.

On DC1.DomainB.com: right-click the DomainA.com zone created in Step 7 > New Host (A) > leave the Name field blank > type the IP address of DC1.DomainA.com > tick Create associated pointer (PTR) record > Add Host, and add a second record named DC1 with the same address.

Step 9: Add name servers (NS) in both organisations

In the DomainB.com zone on DC1.DomainA.com, add DC1.DomainB.com as a name server, and in the DomainA.com zone on DC1.DomainB.com, add DC1.DomainA.com as a name server.

On DC1.DomainA.com: open DNS Manager > right-click the DomainB.com forward lookup zone > Properties > Name Servers tab > Add > type the FQDN DC1.DomainB.com and its IP address 192.168.200.2 > OK.

On DC1.DomainB.com: open DNS Manager > right-click the DomainA.com forward lookup zone > Properties > Name Servers tab > Add > type the FQDN DC1.DomainA.com and its IP address 192.168.100.2 > OK.

Step 10: Test DNS records

Ping DomainA.com from DC1.DomainB.com

Ping DomainB.com from DC1.DomainA.com

Ping DC1.DomainA.com from DC1.DomainB.com

Ping DC1.DomainB.com from DC1.DomainA.com

All four names must resolve to the addresses entered in Step 8. Also confirm that the domain controller locator records resolve, for example with nslookup -type=SRV _ldap._tcp.dc._msdcs.DomainB.com on DC1.DomainA.com and the mirror query on DC1.DomainB.com. This is the lookup the New Trust Wizard performs, and it is the one that fails with "the specified domain cannot be contacted" when a zone was populated by hand without SRV records.
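An added example, not part of the original article, that replaces the hand-built zones of Steps 7 to 9 with a conditional forwarder and then verifies the DC locator records that the wizard needs, covering the DNS checks of Step 10 in one go. It uses the DnsServer PowerShell module (Windows Server 2012 or later); the names and addresses are the article's lab values and the function name is my own.

```powershell
# Added example, not part of the original article: instead of the hand-built
# primary zones of Steps 7 to 9, point DomainA's DNS at DomainB's DC with a
# conditional forwarder, then check that the DC locator records the New Trust
# Wizard queries actually resolve. Run on DC1.DomainA.com; swap the names and
# addresses to run it on DC1.DomainB.com. Requires the DnsServer module
# (Windows Server 2012 or later); on older DNS servers the forwarder equivalent
# is:  dnscmd /ZoneAdd DomainB.com /Forwarder 192.168.200.2
$RemoteDomain = 'DomainB.com'
$RemoteDcIp   = '192.168.200.2'
$LocalDnsIp   = '192.168.100.2'   # this DC's own DNS service

# Forward all queries for DomainB.com to DomainB's DC and store the forwarder in
# AD so every DNS server in this forest learns it. (A hand-built primary zone
# would instead make this server authoritative for DomainB.com with only the
# records typed in by hand.)
if (-not (Get-DnsServerZone -Name $RemoteDomain -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $RemoteDomain `
        -MasterServers $RemoteDcIp -ReplicationScope 'Forest'
}

# DsGetDcName, used by the trust wizard and by Netlogon to find a DC of the
# other domain, looks up these SRV records. If they are missing, the wizard
# stops with "the specified domain cannot be contacted".
$SrvNames = @(
    "_ldap._tcp.dc._msdcs.$RemoteDomain",
    "_kerberos._tcp.dc._msdcs.$RemoteDomain",
    "_ldap._tcp.$RemoteDomain",
    "_kerberos._tcp.$RemoteDomain",
    "_kpasswd._tcp.$RemoteDomain"
)

function Test-DcLocatorRecords {
    param([string[]]$Names, [string]$DnsServer)
    foreach ($name in $Names) {
        # Resolve-DnsName also returns the A records of the targets from the
        # additional section, so keep only the SRV answers.
        $srv = @(Resolve-DnsName -Name $name -Type SRV -Server $DnsServer `
                    -ErrorAction SilentlyContinue | Where-Object { $_.Type -eq 'SRV' })
        New-Object PSObject -Property @{
            Record   = $name
            Resolved = ($srv.Count -gt 0)
            Targets  = (($srv | ForEach-Object { '{0}:{1}' -f $_.NameTarget, $_.Port }) -join ', ')
        }
    }
}

$results = Test-DcLocatorRecords -Names $SrvNames -DnsServer $LocalDnsIp
$results | Format-Table Record, Resolved, Targets -AutoSize
$missing = @($results | Where-Object { -not $_.Resolved })
if ($missing.Count -gt 0) {
    Write-Warning ('Not resolvable via {0}: {1}' -f $LocalDnsIp,
        (($missing | ForEach-Object { $_.Record }) -join ', '))
} else {
    "All DC locator records for $RemoteDomain resolve; the trust wizard will be able to find a DC."
}
```

If a record is reported as not resolvable even though the forwarder is in place, the problem is on the other side: its DC has not registered the records (check Netlogon and dcdiag /test:dns there) or UDP/TCP 53 to it is blocked.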

Step 11: Create external trust

Terminology first, because the wizard's wording trips people up. In a one-way trust the trusting (resource) domain holds the outgoing half and the trusted (account) domain holds the incoming half; users of the trusted domain can be authenticated in, and access resources of, the trusting domain, but not the other way round. In the example below the incoming trust is created on DC1.DomainA.com and the outgoing trust on DC1.DomainB.com, so DomainB trusts DomainA: users from DomainA can access resources in DomainB, while users from DomainB get no access in DomainA.

Note: if both sides need access to each other, choose Two-way instead, which creates an incoming and an outgoing trust on each side. Leave SID filtering (quarantine), which the wizard enables by default on an external trust, switched on, and consider Selective authentication on the outgoing side: with Domain-wide authentication every user of the trusted domain becomes a member of Authenticated Users on every computer in the trusting domain.

Creating the incoming trust on DC1.DomainA.com (DomainA is the trusted domain)

1. Open Active Directory Domains and Trusts.

2. In the console tree, right-click the domain for which you want to establish a trust, and then click Properties.

3. On the Trusts tab, click New Trust, and then click Next.

4. On the Trust Name page, type the Domain Name System (DNS) name (or NetBIOS name) of the external domain, and then click Next.

5. On the Trust Type page, click External trust, and then click Next.

6. On the Direction of Trust page, click One-way: incoming, and then click Next.

7. On the Sides of Trust page, click This domain only, and then click Next.

8. On the Trust Password page, type the trust password twice, and then click Next.

Agree this password with the administrator of the other domain beforehand; it must be typed identically when the other half of the trust is created. It is used only to establish the secure channel between the two domains, after which the trust account's password is changed automatically, so use a strong single-purpose password and never an administrator's password.

9. On the Trust Selections Complete page, review the results, and then click Next.

10. On the Trust Creation Complete page, review the results, and then click Next.

11. On the Confirm Incoming Trust page, do one of the following

  • If you do not want to confirm this trust, click No, do not confirm the incoming trust
  • If you want to confirm this trust, click Yes, confirm the incoming trust, and then supply the appropriate administrative credentials from the specified domain.

12. On the Completing the New Trust Wizard page, click Finish.

Creating the outgoing trust on DC1.DomainB.com (DomainB is the trusting domain)

1. Open Active Directory Domains and Trusts.

2. In the console tree, right-click the domain for which you want to establish a trust, and then click Properties.

3. On the Trusts tab, click New Trust, and then click Next.

4. On the Trust Name page, type the Domain Name System (DNS) name (or NetBIOS name) of the external domain, and then click Next.

5. On the Trust Type page, click External trust, and then click Next.

6. On the Direction of Trust page, click One-way: outgoing, and then click Next.

7. On the Sides of Trust page, click This domain only, and then click Next.

8. On the Outgoing Trust Authentication Level page, choose the scope of authentication granted to DomainA users in DomainB (see Authentication Consideration above), and then click Next:

  • Click Domain-wide authentication (the default; every DomainA user is treated as an authenticated user in DomainB).
  • Click Selective authentication (DomainA users can only authenticate to DomainB computers on which they have been granted "Allowed to Authenticate").

9. On the Trust Password page, type the trust password twice, and then click Next.

10. On the Trust Selections Complete page, review the results, and then click Next.

11. On the Trust Creation Complete page, review the results, and then click Next.

12. On the Confirm Outgoing Trust page, do one of the following:

  • If you do not want to confirm this trust, click No, do not confirm the outgoing trust. Note that if you do not confirm the trust at this stage, the secure channel will not be established until the first time that the trust is used by users.
  • If you want to confirm this trust, click Yes, confirm the outgoing trust, and then supply the appropriate administrative credentials from the specified domain.

13. On the Completing the New Trust Wizard page, click Finish.

Step 12: Test the trust relationship

  1. Set up two Windows clients (virtual machines are fine).
  2. Join one to DomainA and the other to DomainB.
  3. Create a test folder in each domain.
  4. Share each folder and grant permissions on it to a user from the other domain. With the one-way trust above only DomainA users can be granted access in DomainB; with selective authentication they also need "Allowed to Authenticate" on the file server's computer object.
  5. Log on to the Windows client in DomainB with DomainA credentials and open the folder in DomainB.
  6. Log on to the Windows client in DomainA with DomainB credentials and open the folder in DomainA. This direction only works with a two-way trust.
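The trust of Step 11 built from the command line with netdom and then verified as in Step 12, as an added example that is not part of the original article. The roles are the ones the article's steps actually produce (DomainB trusts DomainA). The script, its name and the Administrator account are my own placeholders; netdom, nltest and Get-ADTrust are the standard Windows tools.

```powershell
# Added example, not part of the original article: the one-way external trust of
# Step 11 built with netdom instead of the wizard, then verified as in Step 12
# and checked for the two settings that decide how much the trust exposes.
# Save as New-LabTrust.ps1 and run it once on each DC, as a member of that
# domain's Domain Admins:
#   on DC1.DomainA.com:  .\New-LabTrust.ps1 -Side trusted    (the "incoming" half)
#   on DC1.DomainB.com:  .\New-LabTrust.ps1 -Side trusting   (the "outgoing" half)
# Roles follow Step 11: DomainB trusts DomainA, so DomainA accounts can use
# DomainB resources. Domain names and the account name are lab placeholders.
param(
    [Parameter(Mandatory = $true)][ValidateSet('trusted', 'trusting')]
    [string]$Side
)
$Trusting = 'DomainB.com'   # resource domain: holds the outgoing half
$Trusted  = 'DomainA.com'   # account domain: holds the incoming half
$Remote   = if ($Side -eq 'trusted') { $Trusting } else { $Trusted }

# The trust password is a one-time shared secret agreed out of band. It only has
# to match when the second half is created; afterwards the trust account changes
# its password automatically, so use a strong throw-away value, never an
# administrator's password.
$TrustPw = Read-Host "Trust password (must match what is typed on $Remote)"

# /oneside creates just this domain's half, like "This domain only" in the
# wizard; /passwordt supplies the shared password instead of prompting.
& netdom trust $Trusting "/d:$Trusted" /add "/oneside:$Side" "/passwordt:$TrustPw"
if ($LASTEXITCODE -ne 0) { throw "netdom trust /add failed with exit code $LASTEXITCODE" }

if ($Side -eq 'trusting') {
    # These settings are enforced by the trusting (resource) domain, so set them
    # here. SID filtering (quarantine) is on by default for external trusts;
    # stating it explicitly guards against someone having switched it off. It
    # stops SIDs from outside the trusted domain, such as SIDHistory entries an
    # attacker controls, from being honoured in DomainB.
    & netdom trust $Trusting "/d:$Trusted" /quarantine:yes
    # Selective authentication: DomainA users can only authenticate to DomainB
    # computers whose object grants them "Allowed to Authenticate". Remove this
    # line to keep the wizard's default, domain-wide authentication.
    & netdom trust $Trusting "/d:$Trusted" /SelectiveAUTH:yes

    # Verify the secure channel from the trusting side. /ud names an account in
    # the trusted domain and /pd:* prompts for its password.
    & netdom trust $Trusting "/d:$Trusted" /verify "/ud:$Trusted\Administrator" /pd:*
    & nltest "/sc_verify:$Trusted"
}

# Read the trust object back and show what was actually recorded
# (ActiveDirectory module: Windows Server 2008 R2 or later, or RSAT).
Import-Module ActiveDirectory
Get-ADTrust -Filter "Name -eq '$Remote'" |
    Select-Object Name, Direction, TrustType, ForestTransitive,
                  SIDFilteringQuarantined, SelectiveAuthentication |
    Format-List
```

On DC1.DomainB.com the output should show Direction Outbound, SIDFilteringQuarantined True and SelectiveAuthentication True; on DC1.DomainA.com the same object appears as Inbound. If you keep selective authentication, the Step 12 file-share test only succeeds after the DomainA test user (or a group) has been granted "Allowed to Authenticate" on the computer object of the DomainB file server, which is exactly the control that domain-wide authentication gives away.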

About Raihan Al-Beruni

My Name is Raihan Al-Beruni. I am working as an Infrastructure Architect in Data Center Technologies in Perth, Western Australia. I have been working on Microsoft technologies for more than 15 years. Other than Microsoft technologies I also work on Citrix validated solution and VMware data center virtualization technologies. I have a Masters degree in E-Commerce. I am certified in Microsoft, VMware, ITIL and EMC. My core focus is on cloud technologies. In my blog I share my knowledge and experience to enrich information technology community as a whole. I hope my contribution through this blog will help someone who wants more information on data center technologies.

43 Responses to How to create an external trust between two separate domains/forests

  1. Sukesh says:

    Great info

  2. Hans Mulders says:

    Great article but the roles are switched!
    You have to create the incoming trust on DC1 to get access to DNS1 and not the other way round like in this article.

    Please change this because I was confused..

    • Trust can be configured in so many ways. This is just a test platform.

      • Hans Mulders says:

        I refer: “One way Trust between two DC. Example: One way trust allows users from dc1 (outgoing) get access to dns1 (incoming) but dns1 doesn’t get access to dc1).”

        In your example scenario you create the incoming on DNS1; this allows DNS1 access to DC1 and not what you describe above.

      • James Lewis says:

        Can the one-way trust be created between 2 RODCs?

      • An RODC does not have any knowledge of the trust relationship service account. An RODC does not know or understand the password of the upper-level domain and forest, so it won’t work. An RODC only knows the username and password of its nearest writable domain.

  3. Majid Khan says:

    Ever great Article. I really appreciate it.

  4. Hamid Tabatabaei says:

    Thank you, a very very good article – Hamid

  5. Pradip says:

    Hi,
    Is it possible to have a different domain tree in the same forest with a different subnet?
    Example: I have created a new forest abc.com with IP 192.168.1.0
    &
    now I want to create a new domain tree under the same forest using a different IP subnet like 192.168.2.0

    Is it possible? If it is possible, how? And do I need to create a trust between both domains, or are they automatically trusted because they are in the same forest?

    Thanks & regards,
    Pradip
    09324512620

  6. EricC says:

    Could you please explain to me what is meant by a forest? Does forest mean the local LAN network or the domain? For example, if company A has the domain abc.com and the domain bcd.com in the same network, doesn’t that mean this company has two forests?

    • EricC says:

      And also, is it possible to have 2 domains but one AD? For example, the abc.com domain and the bcd.com domain, where I store all the login details in abc.com (AD) and the PCs joined to the domain bcd.com can use the login details from domain abc to log on to their PCs.

        • Yes, abc.com and bcd.com are two different forests. To sort out logon between the two forests you can create a trust relationship between them. Alternatively, you can create domains like sales.abc.com, corp.abc.com, IT.abc.com, marketing.abc.com; in this way a user in a single domain can log on to the machine and access resources as necessary.

  7. STEEL says:

    I have problems when I go from Step 4 to Step 5. At Step 5, I do not get the option to select External/Forest trust. Rather I am getting Realm or Windows Domain. And the step after that says “Cannot Continue” because the specified domain cannot be contacted.

    I guess there is some issue with my DNS. But I have tried to copy the first 4 screenshots on this page. And I can ping Domain2.local from DomainC on Domain1.local.

    Please help!

    • Are you able to ping the domains using FQDN? Did you add DNS records in both domains? Do you have any firewall in between? If so, open the ports so that the domains can communicate with each other.
      I am sure you can’t ping each other using FQDN.

      • Bruno says:

        The same “Cannot continue” “cannot contact external domain” result when I try to set the incoming trust on domain DC1. But the DNS steps from 1 to 10 were done as explained and the results are OK. Any other advice?
        Thank you very much for your articles

      • Are you able to ping both DCs by domain name? Do you have any firewall?

  8. abbas, qamar says:

    For DNS lookup between the domains, it would be simpler if you created stub zones in each of the domains to look up each other.

  9. Hakikat says:

    Hi, I created a two-way forest trust between two different forests/domains (abc.com and xyz.com), but the user of ABC is not able to log in on an xyz machine (and vice versa), even though both are pinging each other with FQDN.

    • On the Windows workstation, do you see two domains on the logon prompt? Log on as domain\username. Make sure you have created the correct DNS records in both domains. Create a two-way trust. Re-create the trust again. Do not use a realm trust.

  10. Hakikat says:

    No, only a single domain name is there, but the user can log in when its DC restarts.

  11. Hakikat says:

    Before that, Windows gets stuck on the welcome screen…

  12. Hakikat says:

    I solved it by creating a secondary zone of each other on the respective machines, because with the method you described I was getting a trust password authentication error and it was not discovering the other domain.

  13. Brian says:

    DC1.DomainA.com has IP address 192.168.100.2 .
    DC1.DomainB.com has IP address 192.168.200.2 .
    Both DCs function as DNS servers for their domains.

    For step 8, if I’m logged onto DC1.DomainA.com:

    1) Which Forward Lookup Zone do I right click? DomainA.com or DomainB.com ? (My guess is DomainB.com .)

    2) When I’m adding the record, which IP address do I use? The IP of DC1.DomainA.com or the IP of DC1.DomainB.com ? (My guess is the IP of DC1.DomainB.com .)

    3) When I’m adding the record, what name do I specify? The first field in the New Host dialog says “Name (uses parent domain name if blank):”. (My guess is to leave it blank.)

    For step 9, if I’m logged onto DC1.DomainA.com:

    4) Which Forward Lookup Zone do I right click? DomainA.com or DomainB.com ? (My guess is DomainB.com .)

    5) When I’m adding the record, which IP address do I use? The IP of DC1.DomainA.com or the IP of DC1.DomainB.com ? (My guess is the IP of DC1.DomainB.com .)

    Thanks

  14. Sander says:

    Nice article!

    Static routing on both machines is easier for your testing purposes.

    On host DC1.DomainA.com IP address: 192.168.100.2

    Start command prompt and type:
    route add 192.168.200.0 MASK 255.255.255.0 192.168.100.2 -P (enter)

    DC1.DomainB.com IP address: 192.168.200.2

    Start command prompt and type:
    route add 192.168.100.0 MASK 255.255.255.0 192.168.200.2 -P (enter)

    Have fun!

    • If there is a firewall between the domains, use the firewall device to do the job instead of static routes on the DCs. What happens when an administrator updates NIC drivers, changes the NIC in Hyper-V or deletes the route? You will lose the route. In a production environment the firewall device should do the job.

      • Sander says:

        That’s true!
        My comment comes from a testing (study) perspective 😉

        Thanks for your nice article.

      • Bruno Finotti says:

        I did all steps from 1 to 10 correctly and can ping domain controller B from A and vice versa using the FQDN, but when I try to set up the trust I always get “Cannot continue…cannot contact external domain”.
        Doing the DC test DCDIAG /test:dns I get a FAIL error in the Record Registration test:
        Summary of DNS test results:
        Auth Basc Forw Del Dyn RReg Ext
        _________________________________________________________________
        Domain: domainB.local
        DControllerB PASS WARN PASS PASS PASS FAIL n/a
        in details checking domain A:
        Error:
        Missing SRV record at DNS server 192.168.1.10:
        _ldap._tcp.domainB.local
        Error:
        Missing SRV record at DNS server 192.168.1.10:
        _ldap._tcp.1f8a5f41-33bc-43c2-b6b4-31d99e9322ee.domains._mscal
        Error:
        Missing SRV record at DNS server 192.168.1.10:
        _kerberos._tcp.dc._msdcs.domainB.local
        Error:
        Missing SRV record at DNS server 192.168.1.10:
        _ldap._tcp.dc._msdcs.domainB.local
        Error:
        Missing SRV record at DNS server 192.168.1.10:
        _kerberos._tcp.domainB.local
        Error:
        Missing SRV record at DNS server 192.168.1.10:
        _kerberos._udp.domainB.local
        Error:
        Missing SRV record at DNS server 192.168.1.10:
        _kpasswd._tcp.domainB.local
        Error:
        Missing SRV record at DNS server 192.168.1.10:
        _ldap._tcp.Default-First-Site-Name._sites.domainB.loc
        Error:
        Missing SRV record at DNS server 192.168.1.10:
        _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.aut
        and the same checking domain B.
        What should I do?
        Thank you again

      • You have multiple SRV records missing in the DNS server. Either add those SRV records manually or fix the DCs. Connect to the DNS server, expand Forward Lookup Zones, and look for the SRV records in _tcp and in DomainDNSZones, then _tcp.
        Fix the domain before creating the trust relationship.

      • Bruno Finotti says:

        Thank you for your great support. Actually I must admit I have no idea how to manually add SRV records. Should I modify the netlogon.dns file with a simple editor, or do you know useful tools to do it better?
        Thank you again and be patient…

      • Never modify netlogon.dns. Use DNS Manager to add the SRV records:
        Follow the directions to access the DNS Manager.
        At the bottom of the Records list, select SRV (Service) from the drop-down list.
        Complete the following fields:
        Service — Enter the service name of this SRV record. The name should begin with an underscore, such as _ldap, _ftp, or _smtp.
        Protocol — Enter the protocol the service uses. The name should begin with an underscore, such as _tcp or _udp.
        Name — Enter the host name or domain name the SRV links to, such as server1. If you want to link the record to your domain name, type @.
        Priority — Select the priority for the SRV record. For multiple records that have the same Name and Service, clients use the priority number to determine which Target to contact first.
        Weight — Select the weight of the SRV record. For multiple records that have the same Name, Service, and Priority, clients use the weight number to determine which Target to contact first.
        Port — Enter the port number for the service, such as 389, 636, 445.
        TTL — Select how long the server should cache the information.
        Click Add Record

  15. DJ says:

    Great article – exactly what I was looking for!
    CompanyA bought CompanyB. CompanyB users moving to CompanyA systems (on CompanyA domain) and need to access CompanyB resources (file/print).

  16. Thomas Ketner says:

    Great article. Our trust is complete, and has been running for a while. We are now starting the integration, and need to deploy DCs from both companies to each others physical locations. We currently have each company’s AD sites/site links created in both AD S&S empty, with no subnets assigned to the other companies sites. When we deploy our DC to their Physical site: Do we create a new site on our side, and add the subnet that will host our DC, or add the subnet to their empty site in our AD S&S? There may be cases where they have a DC on that subnet as well. I am guessing if the latter is the case, I need to add all of the other company’s subnets associated with that site as well.

    FYI
    There are no IP conflicts remaining.

    • You have to create sites and subnets on either side of the fence, which means you have to add sites and subnets in both DomainA and DomainB. Just because you have a trust does not mean you should not add the sites and subnets of DomainB to DomainA. It does not work that way. You can add the subnets before promoting a DC or do it later. A trust grants permission to access resources from DomainA to DomainB or vice versa.

  17. Subhash says:

    I have configured a trust between Domain1 and Domain2 (Domain1 is the customer end and Domain2 is in our datacenter). When we click Validate Trust on Domain2 it is successful. We have an issue with member servers, where I cannot add any service or other account from Domain1. I tried to add security for one of the folders created but no luck. It doesn’t even query Domain1, but when you use nslookup it shows the Domain1 IP.

  18. Babulal Shaikh says:

    We have a somewhat different situation: we are merging four different companies’ IT into a single shared service for all. Until we migrate to a new unified domain, I want to know whether a forest trust can work between 4 – 5 different forests. If yes, some guidelines please; if no, I also just need guidelines for consolidation until we migrate all servers to the new domain. Appreciated, and thanks for your help.

  19. Zahid says:

    If I am using VMware workstation and want to create a domain trust between 2 forests as a test, are the configuration settings the same or is there anything different that needs to be done, for the 2 forests to see one another.
