How to Create a Trust Between Forests

By: JR
This guide will serve as a walkthrough on how to configure a trust between two Active Directory forests in order to allow an end user on one forest to access a share on another forest. The environment will consist of two domain controllers and one workstation. This guide will begin from a point at which Active Directory has been configured on both domain controllers, forward and reverse lookup zones are configured for DNS, and the workstation has been added to the domain of one of the forests.
1. Create a conditional forwarder on both domain controllers.
Conditional forwarders will allow DNS servers in one forest to forward queries to another forest's DNS server.
From the DNS Manager console (or the DNS snap-in in an MMC console), right-click "Conditional Forwarders" and select "New Conditional Forwarder."

Enter the root domain name of the other forest under "DNS Domain" and add the IP address of its domain controller where it says "<Click here to add an IP Address or DNS Name>." Wait for the address to validate (the DNS server should resolve and the entry should show no error), then click "Ok." If the forest has more than one domain controller, also tick "Store this conditional forwarder in Active Directory" so the forwarder replicates to every DNS server in the forest rather than existing on this one server only.

Repeat this process on the other domain controller.
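The same two forwarders, created and verified from PowerShell rather than the DNS Manager GUI. This is an added example and not part of the original guide; the forest names and IP addresses are assumptions for a lab and must be replaced with your own.

```powershell
# Added example (not from the original guide): configure and verify the
# conditional forwarders from PowerShell instead of the DNS Manager GUI.
# Assumed names and addresses (replace with your own):
#   this forest  : corp.alpha.local   DC at 10.10.0.10
#   other forest : corp.beta.local    DC at 10.20.0.10
$localForest  = 'corp.alpha.local'
$remoteForest = 'corp.beta.local'
$localDcIp    = '10.10.0.10'
$remoteDcIp   = '10.20.0.10'

# On the local DC: forward queries for the other forest to its DC.
# Storing the zone in AD replicates it to every DNS server in this forest,
# so name resolution for the trust does not depend on this single DC.
Add-DnsServerConditionalForwarderZone -Name $remoteForest `
    -MasterServers $remoteDcIp -ReplicationScope 'Forest'

# On the remote DC: the mirror-image forwarder. Because no trust exists yet,
# Kerberos cannot be used for this remoting session; either run these lines
# directly on the remote DC or add its address to this host's TrustedHosts.
$remoteCred = Get-Credential -Message "Admin account in $remoteForest"
Invoke-Command -ComputerName $remoteDcIp -Credential $remoteCred -ScriptBlock {
    param($zone, $ip)
    Add-DnsServerConditionalForwarderZone -Name $zone -MasterServers $ip -ReplicationScope 'Forest'
} -ArgumentList $localForest, $localDcIp

# Verify before building the trust: the New Trust Wizard locates the other
# forest through its DC locator SRV records, so these lookups must succeed
# from each DC. A failure here shows up later as "the specified domain
# cannot be contacted" in the wizard.
Get-DnsServerZone -Name $remoteForest | Select-Object ZoneName, ZoneType, MasterServers
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$remoteForest" -Type SRV
Resolve-DnsName -Name $remoteForest -Type A
```

Run the verification lines on both domain controllers, each pointing at the other forest's name, before moving on to the trust itself.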
2. Establish the trust between the forests
For this guide, a two-way forest trust will be established. With a two-way trust, users in either forest can authenticate to, and be granted access to resources in, the other forest. A one-way trust would also satisfy the goal of this guide: it lets users of the trusted forest access resources in the trusting forest, but not the reverse. Because it grants access only in the direction that is actually needed, a one-way trust is the less privileged choice; the two-way trust is used here for simplicity.
Starting in the Active Directory Domains and Trusts console (or the same snap-in in an MMC console) on either domain controller, right-click on the domain and select "Properties."

Select the "Trusts" tab and select "New Trust".

Click "Next."

Enter the root domain name of the forest that the trust is being established with. This will be the domain name of the other domain controller. Then click "Next."

Now select "Forest trust" and click "Next".
A forest trust is transitive: it applies to every domain in both forests, including any domain added later. Selecting "External trust" instead creates a non-transitive trust between a single domain and a single domain in the other forest. That would work for this demonstration, but it would not cover a new domain added to either forest.

For the Direction of Trust, select "Two-way" then click "Next."

For ease of configuration, "Sides of Trust" will be set to "Both this domain and the specified domain" then click "Next."
Creating both sides at once requires the credentials of an account with permission to create trusts in the other forest. In exchange, the New Trust Wizard configures the matching side of the trust on the other forest's domain controller, so the wizard does not have to be run again there.

Enter the credentials of an account that has permission to create a trust in the other forest. In this guide, that account is the built-in Administrator account of the other forest's root domain. After that, click "Next."

This page asks for the scope of authentication that users from the other forest are given in the local forest. Select "Forest-wide authentication" and click "Next."
With forest-wide authentication, any user from the other forest who authenticates to a computer in this forest is treated as a member of Authenticated Users here, which is what lets the share permission in step 3 work without any per-server configuration. "Selective authentication" needs more configuration but is the least-privilege option: users from the other forest can authenticate only to computers whose Active Directory objects grant them the "Allowed to Authenticate" permission, so a compromised account in the other forest cannot reach every server in this one.

The next page is the same as the previous one, except that the scope applies to users of the local forest authenticating in the other forest.
Repeat the selection from the previous step and click "Next."

Review selections then click "Next."

Click "Next."

Select "Yes, confirm the outgoing trust" and click "Next."

Select "Yes, confirm the incoming trust" and click "Next."

Click "Finish" and the trust should be complete.
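The same two-way forest trust built and checked from PowerShell. This is an added example and not part of the original guide; it uses the .NET System.DirectoryServices.ActiveDirectory classes rather than the New Trust Wizard, and the forest name is an assumption to be replaced with your own. The final Get-ADTrust call is worth running even if the trust was created with the wizard, because it shows the settings that matter most for the security of the trust.

```powershell
# Added example (not from the original guide): build the same two-way forest
# trust from PowerShell using the .NET System.DirectoryServices.ActiveDirectory
# classes, then verify it and review its security-relevant settings.
# Assumed name (replace with your own): the other forest is corp.beta.local.
Add-Type -AssemblyName System.DirectoryServices
$remoteForestName = 'corp.beta.local'

# Credentials for an account allowed to create trusts in the other forest
# (as in the wizard, an administrator of that forest's root domain).
$remoteCred = Get-Credential -Message "Admin account in $remoteForestName"
$ctx = New-Object -TypeName System.DirectoryServices.ActiveDirectory.DirectoryContext -ArgumentList @(
    [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Forest,
    $remoteForestName,
    $remoteCred.UserName,
    $remoteCred.GetNetworkCredential().Password)

$localForest  = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$remoteForest = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ctx)

# Equivalent of "Forest trust" + "Two-way" + "Both this domain and the
# specified domain" in the New Trust Wizard: both sides are created at once.
$localForest.CreateTrustRelationship($remoteForest,
    [System.DirectoryServices.ActiveDirectory.TrustDirection]::Bidirectional)

# Same check the wizard performs on its confirmation pages; throws on failure.
$localForest.VerifyTrustRelationship($remoteForest,
    [System.DirectoryServices.ActiveDirectory.TrustDirection]::Bidirectional)

# Review the trust as stored in AD. For a freshly created forest trust you
# expect Direction=BiDirectional, ForestTransitive=True and
# SIDFilteringForestAware=True, i.e. SID filtering is on, so a SID-history
# entry planted on an account in the other forest is not honoured here.
# SelectiveAuthentication=False reflects the forest-wide choice made above.
Get-ADTrust -Filter "Name -eq '$remoteForestName'" |
    Select-Object Name, Direction, TrustType, ForestTransitive,
        SIDFilteringForestAware, SIDFilteringQuarantined, SelectiveAuthentication

# Optional hardening: switch the local side to selective authentication.
# Users from the other forest then need "Allowed to Authenticate" on each
# computer object they use instead of becoming Authenticated Users everywhere.
# $localForest.SetSelectiveAuthenticationStatus($remoteForestName, $true)
# $localForest.GetSelectiveAuthenticationStatus($remoteForestName)
```

Never disable SID filtering on a forest trust unless you fully trust every administrator of the other forest: with filtering off, a SID-history entry on an account there can grant that account membership of any group in this forest.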


3. Create a share
The share should be created on the domain controller in the forest that the workstation is NOT a member of.
Share permissions will be set so that only Authenticated Users can access it. Because the trust uses forest-wide authentication, a user from the other forest receives the Authenticated Users group in their access token when they connect, so opening the share demonstrates that the user is being authenticated across the trust.
Create a folder in the root of C: on the domain controller.

Right-click on the folder and select "Properties."

Click the "Sharing" tab and select "Advanced Sharing."

Check the box that says "Share this folder." Then select "Permissions."

Click on "Everyone" then click "Remove."

Now click "Add."

Enter "Authenticated Users" in the box, click "Check Names", then click "Ok."

Click "Authenticated Users" then click the check box to allow "Change" permissions. Click "Ok."

Click "Ok."

Remember the path to the share and click "Close."
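The same share created from PowerShell, with the check that the GUI steps leave out. This is an added example and not part of the original guide; the folder path and share name are assumptions. It is run on the domain controller in the forest the workstation is not joined to.

```powershell
# Added example (not from the original guide): create the same share from
# PowerShell and check both permission layers. Run on the DC in the forest
# the workstation is NOT joined to. Assumed path and share name.
$path      = 'C:\TrustShare'
$shareName = 'TrustShare'

New-Item -Path $path -ItemType Directory -Force | Out-Null

# Share-level permissions. Specifying an access parameter replaces the
# default "Everyone: Read" entry, so this grants Change to Authenticated
# Users only, matching the GUI steps above. With forest-wide authentication
# users from the other forest carry the Authenticated Users SID, so this
# single entry covers them; with selective authentication they would also
# need "Allowed to Authenticate" on this computer's AD object.
New-SmbShare -Name $shareName -Path $path -ChangeAccess 'Authenticated Users'

# Share permissions are only half the story: effective access is the
# intersection of the share ACL and the NTFS ACL on the folder. Show both.
Get-SmbShareAccess -Name $shareName
(Get-Acl -Path $path).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited

# If the NTFS ACL inherited from C:\ does not give Authenticated Users write
# access, grant Modify explicitly (S-1-5-11 is the well-known SID for
# Authenticated Users) so the "Change" share permission is actually usable.
icacls $path /grant '*S-1-5-11:(OI)(CI)M'

# Confirm that no Everyone entry remains on the share.
Get-SmbShareAccess -Name $shareName | Where-Object AccountName -eq 'Everyone'
```

The last line should return nothing; if it lists an entry, remove it with Revoke-SmbShareAccess before testing from the workstation.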

4. Log onto the workstation and access the share.
Open File Explorer (or the Start menu search box) and enter the UNC path to the share, for example \\<server>\<share>, using the server's fully qualified name so that the workstation resolves it through the conditional forwarder and authenticates with Kerberos.

Open the share; the user should be able to access it.
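The same access test from the workstation, with the checks that tell you why it failed if it did not work. This is an added example and not part of the original guide; the server name, share name and forest names are assumptions.

```powershell
# Added example (not from the original guide): verify cross-forest access
# from the workstation, logged on as a user of the forest it is joined to.
# Assumed: the share is \\dc1.corp.beta.local\TrustShare and the workstation
# is joined to corp.alpha.local.
$unc = '\\dc1.corp.beta.local\TrustShare'

# 1. The workstation must be able to locate the other forest's DCs; this
#    query is answered via the conditional forwarder on its own DNS server.
#    If it fails, nothing below will work.
Resolve-DnsName -Name '_ldap._tcp.dc._msdcs.corp.beta.local' -Type SRV

# 2. Access the share. Writing a file proves that both the "Change" share
#    permission and the NTFS ACL allow it, not just that the share is visible.
Test-Path $unc
$probe = Join-Path $unc "probe-$env:USERNAME-$env:COMPUTERNAME.txt"
Set-Content -Path $probe -Value "cross-forest write test $(Get-Date -Format o)"
Get-ChildItem $unc
Remove-Item $probe

# 3. Confirm the access used Kerberos across the trust rather than NTLM:
#    the ticket cache should hold a referral TGT for the other forest
#    (krbtgt/CORP.BETA.LOCAL) and a service ticket for cifs/dc1.corp.beta.local.
klist | Select-String -Pattern 'krbtgt/|cifs/'
```

If the write in step 2 is denied while Test-Path succeeds, the share is reachable but one of the two ACLs on the server is too restrictive; if no krbtgt entry for the other forest appears in step 3, the share was most likely reached over NTLM, which usually means the UNC path used a short name or IP address instead of the server's fully qualified name.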
