Creating a Transitive Trust Between Two AD Forests

This recipe requires the Windows Server 2003 forest functional level in both forests.


Problem

You want to create a transitive trust between two AD forests. This causes all domains in both forests to trust each other without the need for additional trusts.

Solution

Using a graphical user interface
  1. Open the Active Directory Domains and Trusts snap-in (domain.msc).

  2. In the left pane, right-click the forest root domain and select Properties.

  3. Click on the Trusts tab.

  4. Click the New Trust button.

  5. After the New Trust Wizard opens, click Next.

  6. Type the DNS name of the AD forest and click Next.

  7. Select Forest trust and click Next.

  8. Complete the wizard by stepping through the rest of the configuration screens.

Using a command-line interface
	> netdom trust <Forest1DNSName> /Domain:<Forest2DNSName> /Twoway /Transitive /ADD
	         [/UserD:<Forest2AdminUser> /PasswordD:*]
	         [/UserO:<Forest1AdminUser> /PasswordO:*]

For example, to create a two-way forest trust from the AD forest rallencorp.com to the AD forest othercorp.com, use the following command:

	> netdom trust rallencorp.com /Domain:othercorp.com /Twoway /Transitive /ADD
	         /UserD:[email protected] /PasswordD:*
	         /UserO:[email protected]rallencorp.com /PasswordO:*
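After the netdom command completes, an administrator usually wants to confirm what was actually created and how tightly the other forest is filtered. The following PowerShell script is an added example, not part of the recipe: it enumerates the trustedDomain objects in the forest root's System container through ADSI (so it needs no RSAT module) and decodes the trustAttributes bits defined in MS-ADTS. The function name Get-TrustReport and the flag labels are my own; it assumes you run it as a domain user on a machine joined to the forest root domain.

```powershell
# Added example: list AD trusts and decode the trustAttributes bits that decide
# how far the other side of the trust is trusted. Bit values are from MS-ADTS;
# the labels are constructed for readability.
$flags = [ordered]@{
    NON_TRANSITIVE     = 0x1
    UPLEVEL_ONLY       = 0x2
    QUARANTINED_DOMAIN = 0x4   # SID filtering on an external trust
    FOREST_TRANSITIVE  = 0x8   # forest trust, the kind this recipe creates
    CROSS_ORGANIZATION = 0x10  # selective authentication in effect
    WITHIN_FOREST      = 0x20
    TREAT_AS_EXTERNAL  = 0x40  # SID filtering relaxed on a forest trust (SID history)
    USES_RC4           = 0x80
}
$directions = @{ 1 = 'Inbound'; 2 = 'Outbound'; 3 = 'Bidirectional' }

function Get-TrustReport {
    param(
        # Defaults to the naming context of the domain this machine is joined to.
        [string]$SearchBase = ([adsi]'LDAP://RootDSE').defaultNamingContext
    )
    # trustedDomain objects live under CN=System in each domain partition.
    $searcher = [adsisearcher]'(objectClass=trustedDomain)'
    $searcher.SearchRoot = [adsi]"LDAP://CN=System,$SearchBase"

    foreach ($r in $searcher.FindAll()) {
        $attr     = [int]$r.Properties['trustattributes'][0]
        $setFlags = $flags.Keys | Where-Object { $attr -band $flags[$_] }
        $isForest = ($attr -band 0x8) -ne 0

        [pscustomobject]@{
            Partner          = $r.Properties['trustpartner'][0]
            Direction        = $directions[[int]$r.Properties['trustdirection'][0]]
            Attributes       = ($setFlags -join ',')
            # A forest trust carrying TREAT_AS_EXTERNAL has its SID filtering
            # relaxed; one without CROSS_ORGANIZATION lets every user in the
            # other forest authenticate to every resource in this one.
            SidFilterRelaxed = $isForest -and (($attr -band 0x40) -ne 0)
            SelectiveAuth    = ($attr -band 0x10) -ne 0
        }
    }
}

Get-TrustReport | Format-Table -AutoSize
```

For the trust created above, expect a row for the partner forest with FOREST_TRANSITIVE set and Direction of Bidirectional; a True in SidFilterRelaxed or a False in SelectiveAuth is a setting to review deliberately rather than leave at whatever the wizard produced.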

Discussion

A new type of trust called a forest trust was introduced in Windows Server 2003. Under Windows 2000, if you wanted to create a fully trusted environment between two forests, you had to set up individual external two-way trusts between every domain in both forests. If you have two forests with three domains each and want to set up a fully trusted model, you need nine individual trusts. Figure illustrates how this would look.

Trusts necessary for two Windows 2000 forests to fully trust each other


With a forest trust, you can define a single one-way or two-way transitive trust relationship that extends to all the domains in both forests. You may want to implement a forest trust if you merge or acquire a company and you want all of the new company's Active Directory resources to be accessible for users in your Active Directory environment and vice versa. Figure shows a forest trust scenario. To create a forest trust, you need to use accounts from the Enterprise Admins group in each forest.

Trust necessary for two Windows Server 2003 forests to trust each other



