A trust is a relationship established between two different domains that enables users in one domain to be authenticated by a domain controller in the other domain. There are different types of trust in a Microsoft Active Directory domain, such as external, realm, forest and shortcut. An external trust is necessary when users of two different domains belonging to two different business units want to use resources such as printers and file servers of the trusted domain. This article applies to Windows Server 2003, Windows Server 2008/R2, Windows Server 2012/R2 and Windows Server 2016 domains, using the same principles described below.
Authentication Consideration
| Authentication Setting | Inter-forest Trust Type | Description |
|---|---|---|
| Domain-wide Authentication | External | Permits unrestricted access by any users. Default authentication setting for external trusts. |
| Forest-wide Authentication | Forest | Permits unrestricted access by any users. Default authentication setting for forest trusts. |
| Selective Authentication | External and Forest | Restricts access over an external or forest trust. Must be manually enabled. |
Administrative Privilege
To create a trust you have to be a member of Domain Admins & Enterprise Admins in both domains.
Transitive trusts
- Shortcut trust. A transitive trust between domains in the same domain tree or forest that is used to shorten the trust path in a large and complex domain tree or forest.
- Forest trust. A transitive trust between one forest root domain and another forest root domain.
- Realm trust. A transitive trust between an Active Directory domain and a Kerberos V5 realm.
Non-transitive trusts
- External trust. A non-transitive trust created between a Windows Server 2003 domain and a Windows 2000 or Windows Server 2003 domain in another forest.
- Realm trust. A non-transitive trust between an Active Directory domain and a Kerberos V5 realm.
You have to fulfil a few requirements before you can activate an external trust. For example: both domain controllers must be able to ping each other by IP address. If the domain controllers are placed in different subnets then proper routing is required. If there is a firewall between the domain controllers then firewall rules should be in place allowing the LDAP, DNS and resource ports to be reached from both sites. The forest and domain functional level must be Windows Server 2003 or later.
Example:
DC1.DomainA.com IP address: 192.168.100.2
DC1.DomainB.com IP address: 192.168.200.2
Step1: Port requirement
If you are using MPLS/IP VPN/VPN, make sure inbound and outbound routing are in correct order. If you have a firewall between the organisations, make sure the Active Directory ports are open on both sides. For further info on port requirements, visit Active Directory and Active Directory Domain Services Port Requirements.
Step2: Add DNS Record in TCP/IP Properties of Domain Controllers
Open the TCP/IP properties of DC1.DomainA.com and add the IP address of DC1.DomainB.com as the secondary (alternate) DNS server.
Open the TCP/IP properties of DC1.DomainB.com and add the IP address of DC1.DomainA.com as the secondary (alternate) DNS server.
Step3: Ping DomainA from DomainB and vice versa
Log on to each domain and ping the other by IP address. Each ping should be answered without delay or time-outs.
Step4: Test AD DS Ports
Telnet to ports 389, 636 and 53 from both sides of the domain to test whether you can reach Active Directory and DNS.
Step5: Health Check
Run a quick AD health check on both sides using this link.
Step6: Create PTR records in both organisations
Add a reverse lookup zone for 192.168.200.2 on DC1.DomainA.com. To do this, right-click Reverse Lookup Zones > New Zone > Next > Primary Zone > Next > IPv4 Reverse Lookup Zone > type 192.168.200 > Next > Finish.
Repeat the step to add the 192.168.100.2 PTR on DC1.DomainB.com: right-click Reverse Lookup Zones > New Zone > Next > Primary Zone > Next > IPv4 Reverse Lookup Zone > type 192.168.100 > Next > Finish.
Step7: Create Forward Lookup Zones in both organisations
In some DNS environments where DNS has constrained access (situation specific only), you may have to create a Forward Lookup Zone for DomainA.com in DomainB.com and a Forward Lookup Zone for DomainB.com in DomainA.com. There is no harm in creating a forward lookup zone on both sides, as both forests are going to trust each other once the trust is activated.
To do this, log on to DomainA.com > open DNS Manager > expand Forward Lookup Zones > right-click Forward Lookup Zones > New Zone > Primary Zone > type the FQDN of the forest, e.g. DomainB.com > select the default or select “To all domain controllers in this forest” > type the zone name DomainB.com > Allow Secure Dynamic Update > follow the wizard.
Then log on to DomainB.com > open DNS Manager > expand Forward Lookup Zones > right-click Forward Lookup Zones > New Zone > Primary Zone > type the FQDN of the forest, e.g. DomainA.com > select the default or select “To all domain controllers in this forest” > type the zone name DomainA.com > Allow Secure Dynamic Update > follow the wizard.
Step8: Create Host (A) records in both organisations
Create a Host (A) record for the domain controller of DomainA.com on the domain controller of DomainB.com, and a Host (A) record for the domain controller of DomainB.com on the domain controller of DomainA.com.
To do this, log on to DC1.DomainA.com > right-click the Forward Lookup Zone you created in Step 7, which is DomainB.com > click New Host (A) > leave the Name blank > type the IP address of DC1.DomainB.com and select Create associated PTR record > click Add Host.
Repeat the steps in DomainB.com: log on to DC1.DomainB.com > right-click the Forward Lookup Zone you created in Step 7, which is DomainA.com > click New Host (A) > leave the Name blank > type the IP address of DC1.DomainA.com and select Create associated PTR record > click Add Host.
Step9: Add Name Server (NS) records in both organisations
You must add DC1.DomainB.com to the Name Servers property of the DomainB.com zone on DC1.DomainA.com, and DC1.DomainA.com to the Name Servers property of the DomainA.com zone on DC1.DomainB.com.
To do this, log on to DC1.DomainA.com > open DNS Manager > right-click the Forward Lookup Zone DomainB.com > click Properties > click the Name Servers tab > click Add > type the IP address of DC1.DomainB.com.
Repeat the steps in DomainB.com: log on to DC1.DomainB.com > open DNS Manager > right-click the Forward Lookup Zone DomainA.com > click Properties > click the Name Servers tab > click Add > type the IP address of DC1.DomainA.com.
Step10: Test DNS Record
Ping FQDN of DomainA.com from DomainB.com
Ping FQDN of DomainB.com from DomainA.com
Ping DC1.DomainA.com from DC1.DomainB.com
Ping DC1.DomainB.com from DC1.DomainA.com
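The DNS work of Steps 2 to 9 and the checks of Steps 3, 4 and 10, as an added PowerShell example that is not the article's own code: it is written for DC1.DomainA.com with the article's sample addresses and runs unchanged on DC1.DomainB.com once the Local*/Remote* values are swapped; the interface alias and the extra DC1 host record are my assumptions. Because the forward zone created in Step 7 holds only the records you add to it, the DC-locator SRV check queries the remote DC directly; if the trust wizard still reports that the domain cannot be contacted, a stub or secondary zone for the other domain (as commenters below mention) lets the local resolver reach the remote records.

```powershell
# Added example, not the article's own code: the DNS part of Steps 2 to 10 on
# one DC, followed by the checks of Steps 3, 4 and 10. Written for
# DC1.DomainA.com with the article's sample names and addresses; run it on
# DC1.DomainB.com with the Local*/Remote* values swapped. Needs an elevated
# prompt and the DnsServer module (installed with the DNS Server role).
$LocalDcIp    = '192.168.100.2'
$RemoteDomain = 'DomainB.com'
$RemoteDcHost = 'DC1'                      # assumed host label in the remote zone
$RemoteDcFqdn = "$RemoteDcHost.$RemoteDomain"
$RemoteDcIp   = '192.168.200.2'
$RemoteSubnet = '192.168.200.0/24'         # zone name: 200.168.192.in-addr.arpa
$Nic          = 'Ethernet'                 # assumed interface alias; see Get-NetAdapter

# Step 2: the local DC stays preferred DNS server, the remote DC becomes alternate.
Set-DnsClientServerAddress -InterfaceAlias $Nic -ServerAddresses @($LocalDcIp, $RemoteDcIp)

# Step 6: AD-integrated reverse lookup zone for the remote subnet.
if (-not (Get-DnsServerZone -Name '200.168.192.in-addr.arpa' -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -NetworkId $RemoteSubnet -ReplicationScope Forest
}

# Step 7: AD-integrated forward lookup zone for the remote domain, secure updates only.
if (-not (Get-DnsServerZone -Name $RemoteDomain -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $RemoteDomain -ReplicationScope Forest -DynamicUpdate Secure
}

# Step 8: '@' is the zone apex, i.e. the article's "leave the Name blank", with
# its PTR. A DC1 host record is added as well so that "ping DC1.DomainB.com"
# in Step 10 resolves from the local zone.
Add-DnsServerResourceRecordA -ZoneName $RemoteDomain -Name '@' -IPv4Address $RemoteDcIp -CreatePtr
Add-DnsServerResourceRecordA -ZoneName $RemoteDomain -Name $RemoteDcHost -IPv4Address $RemoteDcIp

# Step 9: NS record at the apex naming the remote DC as a name server.
Add-DnsServerResourceRecord -ZoneName $RemoteDomain -NS -Name '@' -NameServer $RemoteDcFqdn

# Steps 3, 4 and 10: every value must be True before the trust wizard is run.
function Test-TrustPrerequisites {
    $tcp = { param($Port)
        (Test-NetConnection $RemoteDcIp -Port $Port -WarningAction SilentlyContinue).TcpTestSucceeded }
    $dns = { param($Query, $Type, $Server)
        [bool](Resolve-DnsName $Query -Type $Type -Server $Server -ErrorAction SilentlyContinue) }
    [ordered]@{
        'ICMP to remote DC'       = Test-Connection $RemoteDcIp -Count 2 -Quiet
        'TCP 53 DNS'              = & $tcp 53
        'TCP 88 Kerberos'         = & $tcp 88
        'TCP 389 LDAP'            = & $tcp 389
        'TCP 636 LDAPS'           = & $tcp 636
        'A record, local DNS'     = & $dns $RemoteDcFqdn A $LocalDcIp
        'PTR record, local DNS'   = & $dns $RemoteDcIp PTR $LocalDcIp
        # The trust wizard locates a DC through this SRV record. The zone made in
        # Step 7 holds only the records added above, so ask the remote DC directly.
        'DC locator SRV, remote'  = & $dns "_ldap._tcp.dc._msdcs.$RemoteDomain" SRV $RemoteDcIp
    }
}
(Test-TrustPrerequisites).GetEnumerator() | ForEach-Object { '{0,-24} {1}' -f $_.Key, $_.Value }
```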
Step11: Create External Trust
Example: A one-way trust allows users from DC1.DomainB.com (outgoing) to get access to DC1.DomainA.com (incoming), but DC1.DomainA.com doesn’t get access to DC1.DomainB.com.
Note: if you want both sides to get access to each other, change the configuration to a two-way trust and set incoming and outgoing on both sides.
Creating incoming trust in DC1.DomainA.com
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain for which you want to establish a trust, and then click Properties.
3. On the Trusts tab, click New Trust, and then click Next.
4. On the Trust Name page, type the Domain Name System (DNS) name (or NetBIOS name) of the external domain, and then click Next.
5. On the Trust Type page, click External trust, and then click Next.
6. On the Direction of Trust page, click One-way: incoming, and then click Next.
7. On the Sides of Trust page, click This domain only, and then click Next.
8. On the Trust Password page, type the trust password twice, and then click Next.
With the administrator of the other domain, agree on a secure channel password to be used in establishing the trust.
9. On the Trust Selections Complete page, review the results, and then click Next.
10. On the Trust Creation Complete page, review the results, and then click Next.
11. On the Confirm Incoming Trust page, do one of the following:
- If you do not want to confirm this trust, click No, do not confirm the incoming trust.
- If you want to confirm this trust, click Yes, confirm the incoming trust, and then supply the appropriate administrative credentials from the specified domain.
12. On the Completing the New Trust Wizard page, click Finish.
Creating outgoing trust in DC1.DomainB.com
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain for which you want to establish a trust, and then click Properties.
3. On the Trusts tab, click New Trust, and then click Next.
4. On the Trust Name page, type the Domain Name System (DNS) name (or NetBIOS name) of the external domain, and then click Next.
5. On the Trust Type page, click External trust, and then click Next.
6. On the Direction of Trust page, click One-way: outgoing, and then click Next.
7. On the Sides of Trust page, click This domain only, and then click Next.
8. On the Outgoing Trust Authentication Level page, do one of the following, and then click Next:
- Click Domain-wide authentication.
- Click Selective authentication.
9. On the Trust Password page, type the trust password twice, and then click Next.
10. On the Trust Selections Complete page, review the results, and then click Next.
11. On the Trust Creation Complete page, review the results, and then click Next.
12. On the Confirm Outgoing Trust page, do one of the following:
- If you do not want to confirm this trust, click No, do not confirm the outgoing trust. Note that if you do not confirm the trust at this stage, the secure channel will not be established until the first time that the trust is used by users.
- If you want to confirm this trust, click Yes, confirm the outgoing trust, and then supply the appropriate administrative credentials from the specified domain.
13. On the Completing the New Trust Wizard page, click Finish.
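Step 11 from the command line, as an added example that is not part of the article: netdom creates the "One-way: outgoing" half on DC1.DomainB.com with the same meaning as the wizard's "This domain only" plus a trust password, applies the Selective Authentication setting from the table above, and verifies the trust once DomainA has created its incoming half. In netdom terms the outgoing side (DomainB) is the trusting domain and the incoming side (DomainA) the trusted domain; the parameter meanings are taken from the netdom documentation, so confirm them with netdom trust /? on your build.

```powershell
# Added example, not the article's own code: Step 11 on DC1.DomainB.com from an
# elevated prompt as a Domain Admin. Equivalent to the wizard choices
# "External trust", "One-way: outgoing", "This domain only" and a trust password.
$TrustingDomain = 'DomainB.com'   # this domain (outgoing side)
$TrustedDomain  = 'DomainA.com'   # specified domain (incoming side)

# Trust password agreed with the DomainA administrator. It is prompted for at
# run time so it never sits in the script; netdom still receives it on its
# command line, so run this interactively rather than from a scheduled job.
$trustPassword = Read-Host 'Trust password agreed with the DomainA administrator'

# /OneSide:trusting creates only this domain's half and /PasswordT supplies the
# shared trust password. /SelectiveAUTH:yes is the "Selective authentication"
# choice on the Outgoing Trust Authentication Level page; use :no for
# domain-wide authentication, the default listed in the table above.
netdom trust $TrustingDomain /d:$TrustedDomain /add /OneSide:trusting `
    /PasswordT:$trustPassword /SelectiveAUTH:yes
$trustPassword = $null

# After DomainA has created its "One-way: incoming" half with the same
# password, confirm the secure channel (the wizard's confirm step) ...
netdom trust $TrustingDomain /d:$TrustedDomain /verify

# ... and inspect the trust object. Expected on DomainB: Direction Outbound,
# ForestTransitive False (an external, not a forest, trust) and
# SIDFilteringQuarantined True. SID filtering is on by default for external
# trusts; leave it on so only SIDs from DomainA itself are honoured here.
Import-Module ActiveDirectory
Get-ADTrust -Filter "Name -eq '$TrustedDomain'" |
    Select-Object Name, Direction, TrustType, SelectiveAuthentication,
                  SIDFilteringQuarantined, ForestTransitive
```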
Step12: Test a Trust Relation
- Virtualize two Windows clients
- Join them to DomainA and DomainB
- Create two test folders in DomainA and DomainB
- Share and assign permission to users of DomainA and DomainB for both folders.
- Log on to a Windows client in DomainA using credential of DomainB>Access folder of DomainA
- Log on to a Windows client in DomainB using credential of DomainA>Access folder of DomainB
Great info.
Great article but the roles are switched!
You have to create the incoming trust on DC1 to get access to DNS1 and not the other way like in this article.
Please change this because I was confused.
Trust can be configured in so many ways. This is just a test platform.
I refer: “One way Trust between two DC. Example: One way trust allows users from dc1 (outgoing) get access to dns1 (incoming) but dns1 doesn’t get access to dc1).”
In your example scenario you create the incoming on DNS1; this allows DNS1 access to DC1 and not as you describe above.
Can a one-way trust be created between 2 RODCs?
An RODC does not have any knowledge of the trust relationship service account. An RODC does not know or understand the password of the upper-level domain and forest, so it won’t work. An RODC only knows the password and username of its nearest writable domain.
Ever great article. I really appreciate it.
Good article, it helped me to configure exactly what I needed.
Thanks to you, very very good article – Hamid
Hi,
Is it possible to have different domain trees in the same forest with different subnets?
Example: I have created a new forest abc.com with IP 192.168.1.0
&
Now I want to create a new domain tree under the same forest using a different IP subnet like 192.168.2.0.
Is it possible? If it is possible, how? And do I need to create a trust between both domains, or are they automatically trusted because they are in the same forest?
Thanks & regards,
Pradip
Yes, possible. In Active Directory Sites and Services, create a site and assign subnet 192.168.2.0. Now promote a DC using the 192.168.2.0 IP range. That’s all you have to do.
Could you please explain to me what is meant by forest? Does forest mean the local LAN network or the domain? For example, if company A has domain abc.com and domain bcd.com in the same network, doesn’t it mean this company has two forests?
And also, is it possible to have 2 domains but one AD? For example, abc.com domain and bcd.com domain, and I store all the login details in abc.com (AD), and those PCs that join domain bcd.com can use the login details in domain abc to log on to their PC.
Yes, abc.com and bcd.com are two different forests. To sort out logon between two forests you can create a trust relationship between them. Alternatively, you can create domains like sales.abc.com, corp.abc.com, IT.abc.com, marketing.abc.com; in this way a user in a single domain can log on to the machine and access resources as necessary.
I have problems when I go from Step 4 to Step 5. At Step 5, I do not get the option to select External/Forest trust. Rather, I am getting Realm or Windows Domain. And the step after that says “Cannot Continue” because the specified domain cannot be contacted.
I guess there is some issue with my DNS. But I have tried to copy the first 4 screenshots on this page. And I can ping Domain2.local from DomainC on Domain1.local.
Please help!
Are you able to ping domains using FQDN? Did you add DNS records in both domains? Do you have any firewall in between? If so, open ports so that the domains can communicate with each other.
I am sure you can’t ping each other using FQDN.
The same “Cannot continue” “cannot contact external domain” result when I try to set the incoming trust on domain DC1. But the DNS steps from 1 to 10 done as explained and the results are OK. Any other advice?
Thank you very much for your articles
Are you able to ping both DCs by domain name? Do you have any firewall?
For DNS lookup between the domains, it would be simpler if you create Stub Zones in each of the domains to lookup each other.
Hi, I created a two-way forest trust between two different forests/domains (abc.com and xyz.com), but the user of ABC is not able to log in on an xyz machine (and vice versa), even though both are pinging each other with FQDN.
On the Windows workstation, do you see two domains on the logon prompt? Log on as domain\username. Make sure you have created correct DNS records in both domains. Create a both-way trust. Re-create the trust again. Do not use realm trust.
No, only a single domain name is there. But the user can log in when its DC restarts.
Before that, Windows is stuck on the welcome screen...
I solved it by creating a secondary zone of each other on the respective machines, because with the method you described I was getting a trust password authentication error and it was not discovering the other domain.
No article/blog addresses individual situations. This is not a situation-specific solution but a learning process on how to create a trust relation.
DC1.DomainA.com has IP address 192.168.100.2.
DC1.DomainB.com has IP address 192.168.200.2.
Both DCs function as DNS servers for their domains.
For step 8, if I’m logged onto DC1.DomainA.com:
1) Which Forward Lookup Zone do I right click? DomainA.com or DomainB.com? (My guess is DomainB.com.)
2) When I’m adding the record, which IP address do I use? The IP of DC1.DomainA.com or the IP of DC1.DomainB.com? (My guess is the IP of DC1.DomainB.com.)
3) When I’m adding the record, what name do I specify? The first field in the New Host dialog says “Name (uses parent domain name if blank):”. (My guess is to leave it blank.)
For step 9, if I’m logged onto DC1.DomainA.com:
4) Which Forward Lookup Zone do I right click? DomainA.com or DomainB.com? (My guess is DomainB.com.)
5) When I’m adding the record, which IP address do I use? The IP of DC1.DomainA.com or the IP of DC1.DomainB.com? (My guess is the IP of DC1.DomainB.com.)
Thanks
Yes, you are correct. If I wrote this article like you mentioned above then that would be spoon-feeding, which I did not want to do. But I appreciate your assumption.
Nice article!
Static routing on both machines is easier for your testing purposes.
On host DC1.DomainA.com IP address: 192.168.100.2
Start command prompt and type:
route add 192.168.200.0 MASK 255.255.255.0 192.168.100.2 -P (enter)
DC1.DomainB.com IP address: 192.168.200.2
Start command prompt and type:
route add 192.168.100.0 MASK 255.255.255.0 192.168.200.2 -P (enter)
Have fun!
If there is a firewall between the domains, use the firewall device to do the job instead of static routes on the DCs. What happens when an administrator updates NIC drivers, changes the NIC in Hyper-V or deletes the route? You will lose the route. For a production environment the firewall device should do the job.
That’s true!
My comment comes from a testing (study) perspective 😉
Thanks for your nice article.
I completed all steps from 1 to 10 correctly and can ping domain controller B from A and vice versa using the FQDN, but when I try to set up the trust I always get “Cannot continue…cannot contact external domain”.
Doing the DC test DCDIAG /test:dns I get a FAIL error in the Record Registration test:
Summary of DNS test results:
Auth Basc Forw Del Dyn RReg Ext
_________________________________________________________________
Domain: domainB.local
DControllerB PASS WARN PASS PASS PASS FAIL n/a
In the details, checking domain A:
Error:
Missing SRV record at DNS server 192.168.1.10:
_ldap._tcp.domainB.local
Error:
Missing SRV record at DNS server 192.168.1.10:
_ldap._tcp.1f8a5f41-33bc-43c2-b6b4-31d99e9322ee.domains._mscal
Error:
Missing SRV record at DNS server 192.168.1.10:
_kerberos._tcp.dc._msdcs.domainB.local
Error:
Missing SRV record at DNS server 192.168.1.10:
_ldap._tcp.dc._msdcs.domainB.local
Error:
Missing SRV record at DNS server 192.168.1.10:
_kerberos._tcp.domainB.local
Error:
Missing SRV record at DNS server 192.168.1.10:
_kerberos._udp.domainB.local
Error:
Missing SRV record at DNS server 192.168.1.10:
_kpasswd._tcp.domainB.local
Error:
Missing SRV record at DNS server 192.168.1.10:
_ldap._tcp.Default-First-Site-Name._sites.domainB.loc
Error:
Missing SRV record at DNS server 192.168.1.10:
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.aut
And the same checking domain B.
What should I do?
Thank you again
You have multiple SRV records missing in the DNS server. Either add those SRV records manually or fix the DCs. Connect to the DNS server, expand Forward Lookup Zones, and check the SRV records in _tcp and in DomainDnsZones then _tcp.
Fix the domain before creating the trust relation.
Thank you for your great support. Actually, I must admit I have no idea how to manually add SRV records. Should I modify the netlogon.dns file with a simple editor? Or do you know useful tools to do it better?
Thank you again and be patient…
Never modify netlogon. Use DNS Manager to add the SRV record.
Follow the directions to access the DNS Manager.
At the bottom of the Records list, select SRV (Service) from the drop-down list.
Complete the following fields:
- Service — Enter the service name of this SRV record. The name should begin with an underscore, such as _ldap, _ftp, or _smtp.
- Protocol — Enter the protocol the service uses. The name should begin with an underscore, such as _tcp or _udp.
- Name — Enter the host name or domain name the SRV links to, such as server1. If you want to link the record to your domain name, type @.
- Priority — Select the priority for the SRV record. For multiple records that have the same Name and Service, clients use the priority number to determine which Target to contact first.
- Weight — Select the weight of the SRV record. For multiple records that have the same Name, Service, and Priority, clients use the weight number to determine which Target to contact first.
- Port — Enter the port number for the service, such as 389, 636, 445.
- TTL — Select how long the server should cache the information.
Click Add Record.
Great article – exactly what I was looking for!
CompanyA bought CompanyB. CompanyB users moving to CompanyA systems (on CompanyA domain) and need to access CompanyB resources (file/print).
Great article. Our trust is complete, and has been running for a while. We are now starting the integration, and need to deploy DCs from both companies to each others physical locations. We currently have each company’s AD sites/site links created in both AD S&S empty, with no subnets assigned to the other companies sites. When we deploy our DC to their Physical site: Do we create a new site on our side, and add the subnet that will host our DC, or add the subnet to their empty site in our AD S&S? There may be cases where they have a DC on that subnet as well. I am guessing if the latter is the case, I need to add all of the other company’s subnets associated with that site as well.
FYI: there are no IP conflicts remaining.
You have to create sites and subnets on either side of the fence, which means you have to add sites and subnets on both domainA and domainB. Just because you have a trust does not mean you should not add the sites and subnets of domain B to domain A. It does not work that way. You can add subnets before promoting a DC or do it later. A trust grants permission to access resources from domain A to domain B or vice versa.
I have configured a trust between Domain1 and Domain2 (Domain1 is the customer end and Domain2 is in our datacenter). When we click on Validate Trust on Domain2 it is successful. We have an issue with member servers wherein I cannot add any service or other account from Domain1. I tried to add security to one of the folders created but no luck. It doesn’t even query Domain1, but when you use nslookup it shows the Domain1 IP.
Maybe your domain controller isn’t functioning correctly. Did you do any health check before doing the trust relation? Did you follow the entire guide?
We have a somewhat different situation: we are merging four different companies’ IT into a single shared service for all. Until we migrate to the new unified domain, I want to know whether forest trust can work between 4-5 different forests. If yes, some guidelines; if no, I also just need guidelines for consolidation until we migrate all servers to the new domain. Appreciated, and thanks for your help.
You are seeking consultancy, which incurs cost. Are you willing to pay for it?
If I am using VMware Workstation and want to create a domain trust between 2 forests as a test, are the configuration settings the same, or is there anything different that needs to be done for the 2 forests to see one another?
Nope, as long as both subnets or IP addresses can talk to each other you will be fine.