March 20, 2011, 11:27 a.m.
posted by trystan
Creating a Transitive Trust Between Two AD Forests
Using a graphical user interface
Using a command-line interface
> netdom trust <Forest1DNSName> /Domain:<Forest2DNSName> /Twoway /Transitive /ADD [/UserD:<Forest2AdminUser> /PasswordD:*] [/UserO:<Forest1AdminUser> /PasswordO:*]
For example, to create a two-way forest trust from the AD forest rallencorp.com to the AD forest othercorp.com, use the following command:
> netdom trust rallencorp.com /Domain:othercorp.com /Twoway /Transitive /ADD /UserD:<Forest2AdminUser>@othercorp.com /PasswordD:* /UserO:<Forest1AdminUser>@rallencorp.com /PasswordO:*
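Once the trust has been added, it is worth confirming that the object in AD has the shape you asked for (two-way, forest-transitive) and that the trust secret actually validates. The following PowerShell check is an added example, not part of the original post; it assumes the RSAT ActiveDirectory module is installed, that it runs inside rallencorp.com under an Enterprise Admins account as the text requires, and that `netdom trust /Verify` is available on the host. The forest names are the ones used above.

```powershell
# Added example: verify a newly created two-way forest trust from the
# rallencorp.com side. Assumes RSAT ActiveDirectory module and netdom.exe.
function Test-ForestTrust {
    param(
        [Parameter(Mandatory)] [string] $LocalForest,   # trusting forest, e.g. rallencorp.com
        [Parameter(Mandatory)] [string] $RemoteForest   # trusted forest, e.g. othercorp.com
    )

    Import-Module ActiveDirectory -ErrorAction Stop

    # Look up the trustedDomain object for the remote forest in our forest root.
    $trust = Get-ADTrust -Filter "Target -eq '$RemoteForest'" -Server $LocalForest -ErrorAction SilentlyContinue
    if (-not $trust) {
        Write-Warning "No trust object for $RemoteForest found in $LocalForest"
        return $false
    }

    # Direction 'BiDirectional' corresponds to /Twoway; ForestTransitive is what
    # distinguishes a forest trust from the per-domain external trusts that
    # Windows 2000 required. The two SID-filtering flags and SelectiveAuthentication
    # are reported so the administrator can review them against policy.
    [pscustomobject]@{
        Target                  = $trust.Target
        Direction               = $trust.Direction
        ForestTransitive        = $trust.ForestTransitive
        SelectiveAuthentication = $trust.SelectiveAuthentication
        SIDFilteringForestAware = $trust.SIDFilteringForestAware
        SIDFilteringQuarantined = $trust.SIDFilteringQuarantined
    } | Format-List | Out-String | Write-Host

    # Ask netdom to validate the trust from this side; a non-zero exit code means
    # the object exists in AD but the relationship is not currently usable.
    & netdom trust $LocalForest /Domain:$RemoteForest /Verify | Out-Null
    $verified = ($LASTEXITCODE -eq 0)

    return ($trust.Direction -eq 'BiDirectional' -and $trust.ForestTransitive -and $verified)
}

# Returns $true only when the trust is two-way, forest-transitive and validates.
Test-ForestTrust -LocalForest 'rallencorp.com' -RemoteForest 'othercorp.com'
```

Run the same check from othercorp.com with the forest names swapped to confirm the other direction of a two-way trust.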
A new type of trust called a forest trust was introduced in Windows Server 2003. Under Windows 2000, if you wanted to create a fully trusted environment between two forests, you would have to set up individual external two-way trusts between every domain in both forests. If you have two forests with three domains each and wanted to set up a fully trusted model, you would need nine individual trusts. Figure illustrates how this would look.
Trusts necessary for two Windows 2000 forests to fully trust each other
With a forest trust, you can define a single one-way or two-way transitive trust relationship that extends to all the domains in both forests. You may want to implement a forest trust if you merge or acquire a company and you want all of the new company's Active Directory resources to be accessible for users in your Active Directory environment and vice versa. Figure shows a forest trust scenario. To create a forest trust, you need to use accounts from the Enterprise Admins group in each forest.
Trust necessary for two Windows Server 2003 forests to trust each other