Trust relationships between AD domains allow users from one domain to authenticate to another domain. Trust relationships are most often configured when merging or migrating multiple organizations.
You can only configure trust relationships between Active Directory forest root domains. In this example, we will enable a two-way trust relationship between the independent forests contoso.loc and test.loc.
Before you can establish a trust relationship, you need to make sure that the domain controllers on both sides can see each other and perform name resolution in the other forest. To do this, you need to configure DNS conditional forwarding in both AD domains.
- Open the DNS Manager snap-in (dnsmgmt.msc) in the contoso.loc domain;
- In the DNS console, select the Conditional Forwarders section and create a new conditional forwarder rule;
- Specify the name of the second domain (test.loc), the IP address of a domain controller in test.loc, enable the option “Store this conditional forwarder in Active Directory, and replicate it as follows”, and set “All DNS servers in this domain”;
- Then, on the DNS server for the test.loc domain, configure a similar conditional forwarder rule (which forwards queries for the domain name contoso.loc to the IP address of the DC in your domain).
After that, you will be able to enable trust relationships.
- Open the Active Directory Domains and Trusts MMC snap-in (domain.msc);
- Open your domain properties and go to the Trusts tab;
- Click New Trust;
- Specify the name of the forest you want to establish a trust relationship with (test.loc);
- Next, select the type of trust relationship. Two types of trust are available:
  External Trust – a direct, “non-transitive” trust between domains. It establishes trust only between the test.loc and contoso.loc root domains;
  Forest Trust – a transitive trust between the AD forests, including all of their child domains;
- Next, choose the direction of trust:
  Two-way – two-way trust between the domains;
  One-way: incoming – one-way trust, where users from domain A can authenticate to domain B;
  One-way: outgoing – one-way trust, in which users from domain B can log in to domain A;
- Then select the domain in which you want to create the trust:
  This domain only – create the trust only in the current domain;
  Both this domain and the specified domain – create the trust relationship in both domains A and B;
- The Create Trust Wizard prompts for the credentials of a user from the test.loc domain with Enterprise Admins permissions;
- Then select the authentication scope for test.loc domain users:
  Domain-wide authentication – allow those users to authenticate to any resource in your domain;
  Selective authentication – you choose the servers in contoso.loc that users from the test.loc domain are allowed to authenticate to;
- Then select the outgoing authentication scope (for users of your domain);
- Click Next -> Next several times and check that the trust relationships have been created between the domains.
Immediately after the trust is created, a warning appears stating that the SID filtering security feature is enabled. When a user accesses resources through the trust, SID filtering strips SIDs that do not belong to the trusted domain (for example, SID History entries from third-party domains) from the user's token. Disable SID filtering only when migrating users or resources between domains using SID History:
netdom trust contoso.loc /domain:test.loc /quarantine:No
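The same procedure scripted end to end, as an added example that is not part of the original article: it creates the conditional forwarder, checks that the remote forest's DC locator records resolve, creates the two-way forest trust through the .NET Forest API, and then reads the trust back to confirm its direction and SID filtering state. The IP address 10.0.2.10 is a constructed placeholder for the test.loc DC, the credential prompted for is a test.loc Enterprise Admin, and the DnsServer and ActiveDirectory RSAT modules are assumed to be installed on the contoso.loc DC where this runs.

```powershell
# Added example (not from the original article). Run on a DC in contoso.loc.
$localForest  = 'contoso.loc'
$remoteForest = 'test.loc'
$remoteDcIp   = '10.0.2.10'   # constructed placeholder, replace with the real test.loc DC

# 1. Conditional forwarder for test.loc, stored in AD and replicated to all
#    DNS servers in this domain (the same options chosen in the DNS Manager GUI).
if (-not (Get-DnsServerZone -Name $remoteForest -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $remoteForest `
        -MasterServers $remoteDcIp -ReplicationScope 'Domain'
}
# The matching forwarder for contoso.loc must be created on the test.loc DNS server.

# 2. Name resolution check: the DC locator SRV records of the remote forest must resolve
#    before the wizard (or the API below) can contact a test.loc domain controller.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$remoteForest" -Type SRV -ErrorAction Stop
if (-not $srv) { throw "No DC SRV records for $remoteForest; fix DNS forwarding first" }

# 3. Create the two-way forest trust (Forest Trust / Two-way / Both this domain
#    and the specified domain). Credentials are for an Enterprise Admin in test.loc.
$cred = Get-Credential -Message "Enterprise Admin account in $remoteForest"
$ctx  = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext(
            'Forest', $remoteForest, $cred.UserName,
            $cred.GetNetworkCredential().Password)
$local  = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$remote = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ctx)
$local.CreateTrustRelationship($remote,
    [System.DirectoryServices.ActiveDirectory.TrustDirection]::Bidirectional)

# 4. Read the trust back. Direction and ForestTransitive confirm what was created;
#    SIDFilteringQuarantined is the flag netdom toggles with /quarantine, and
#    SelectiveAuthentication shows whether domain-wide or selective scope applies.
$trust = Get-ADTrust -Identity $remoteForest
$trust | Select-Object Name, Direction, ForestTransitive,
    SIDFilteringQuarantined, SIDFilteringForestAware, SelectiveAuthentication

# 5. Verify the secure channel of the new trust from this side.
netdom trust $localForest /domain:$remoteForest /verify
```

Keep the output of step 4 with the change record: if SID filtering is later switched off for a SID History migration, this is the baseline to compare against when re-enabling it with /quarantine:Yes after the migration is finished.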