March 20, 2011, 11:27 a.m.
posted by trystan
Creating a Transitive Trust Between Two AD Forests
Problem

You want to create a transitive trust between two AD forests. This causes all domains in both forests to trust each other without the need for additional trusts.

Solution

Using a graphical user interface
Using a command-line interface

```
> netdom trust <Forest1DNSName> /Domain:<Forest2DNSName> /Twoway /Transitive /ADD [/UserD:<Forest2AdminUser> /PasswordD:*] [/UserO:<Forest1AdminUser> /PasswordO:*]
```

For example, to create a two-way forest trust from the AD forest rallencorp.com to the AD forest othercorp.com, use the following command:

```
> netdom trust rallencorp.com /Domain:othercorp.com /Twoway /Transitive /ADD /UserD:[email protected] /PasswordD:* /UserO:[email protected]rallencorp.com /PasswordO:*
```

Discussion

A new type of trust called a forest trust was introduced in Windows Server 2003. Under Windows 2000, if you wanted to create a fully trusted environment between two forests, you would have to set up individual external two-way trusts between every domain in both forests. If you have two forests with three domains each and wanted to set up a fully trusted model, you would need nine individual trusts. Figure illustrates how this would look.

[Figure: Trusts necessary for two Windows 2000 forests to fully trust each other]

With a forest trust, you can define a single one-way or two-way transitive trust relationship that extends to all the domains in both forests. You may want to implement a forest trust if you merge or acquire a company and you want all of the new company's Active Directory resources to be accessible for users in your Active Directory environment and vice versa. Figure shows a forest trust scenario. To create a forest trust, you need to use accounts from the Enterprise Admins group in each forest.

[Figure: Trust necessary for two Windows Server 2003 forests to trust each other]
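As an added example (not part of the original post), the PowerShell script below wraps the netdom command shown above, checks its exit code, verifies the new trust with `netdom trust /Verify`, and then reads the trust object back with `Get-ADTrust` so the SID filtering and selective authentication settings can be reviewed. The forest names are the post's own; the account names, and the presence of the ActiveDirectory PowerShell module (RSAT) on the machine running the script, are assumptions.

```powershell
# Added example: create, verify and audit a two-way forest trust with netdom.
# Account names below are assumptions; replace them with Enterprise Admin
# accounts from each forest.
param(
    [string]$LocalForest  = 'rallencorp.com',
    [string]$RemoteForest = 'othercorp.com',
    [string]$LocalAdmin   = 'administrator@rallencorp.com',   # assumed Enterprise Admin, local forest
    [string]$RemoteAdmin  = 'administrator@othercorp.com'     # assumed Enterprise Admin, remote forest
)

# 1. Create the two-way transitive (forest) trust. /PasswordD:* and /PasswordO:*
#    make netdom prompt for each password instead of taking it on the command line.
netdom trust $LocalForest "/Domain:$RemoteForest" /Twoway /Transitive /ADD `
    "/UserD:$RemoteAdmin" /PasswordD:* "/UserO:$LocalAdmin" /PasswordO:*
if ($LASTEXITCODE -ne 0) {
    throw "netdom trust /ADD failed with exit code $LASTEXITCODE"
}

# 2. Verify the secure channel in both directions of the new trust.
netdom trust $LocalForest "/Domain:$RemoteForest" /Verify /Twoway
if ($LASTEXITCODE -ne 0) {
    throw "Trust verification failed with exit code $LASTEXITCODE"
}

# 3. Read the trust object back and show the settings worth reviewing after
#    creating a forest trust (requires the ActiveDirectory module).
Import-Module ActiveDirectory
$trust = Get-ADTrust -Filter "Name -eq '$RemoteForest'"
if (-not $trust) {
    throw "No trust object named $RemoteForest found in $LocalForest"
}

[PSCustomObject]@{
    Name                    = $trust.Name
    Direction               = $trust.Direction                 # expected: BiDirectional
    ForestTransitive        = $trust.ForestTransitive          # expected: True for a forest trust
    SIDFilteringForestAware = $trust.SIDFilteringForestAware   # True: SIDs from the other forest are filtered
    SelectiveAuthentication = $trust.SelectiveAuthentication   # True: only explicitly permitted users authenticate
} | Format-List
```

The last step is the part most worth keeping around after the trust exists: a forest trust extends authentication to every domain in the other forest, so the output shows at a glance whether SID filtering is in force for the trust and whether it uses forest-wide or selective authentication, both of which are settings a domain administrator should confirm match the intended scope of the trust rather than assume.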