Create Forest Trust Between Two Domains in Server 2016

Posted in Article, Networking, Windows Server • 1 year ago • Written by Nyaz • 2 Comments

Trusts define the security relationship between domains and forests. When a trust exists, users with an account in one domain can be assigned permissions to resources in a separate domain. By default, all domains in a forest are configured to trust each other. In the following article we are going to create a trust between two domains in Windows Server 2016, step by step.

Trusts make it possible for users in one domain to be authenticated by domain controllers in a separate domain. For example, if there is a bidirectional trust relationship between the domains Network.Local and nyazit.com, users with accounts in the Network.Local domain are able to authenticate in the nyazit.com domain. By configuring a trust relationship, it’s possible to allow users in one domain to access resources in another, such as using shared folders and printers or signing on locally to machines that are members of a different domain than the one that holds the user’s account.

Note: Before you create forest trusts between domains, it is important to verify that the Domain Name System (DNS) server in your environment is properly set up and configured to accept future trust relationships. First, we need to configure a conditional forwarder on the domain controllers in both domains.

Configure Conditional Forwarder in DNS

A trust relationship between the two organizations’ Active Directory Domain Services forests is desired, but neither organization’s namespace can be resolved through public name resolution. Before the trust can be configured, name resolution between the two namespaces must be set up. One option is to use conditional forwarders: the DNS server in each domain is configured to forward requests for the other organization’s namespace to a DNS server that is authoritative for it. All other names are resolved by the default name resolution method.

#1. Open DNS Manager. To open DNS Manager, click Server Manager, point to Tools menu, and then click DNS Server.

#2. In the console tree, expand DNS, and then double-click the applicable DNS server.

#3. In the console tree, click Conditional Forwarders, and then on the Action menu, click New conditional forwarder.

Create Conditional Forwarder in DNS

#4. In DNS domain, type the fully qualified domain name (FQDN) of the domain for which you want to forward queries, that is, the DNS name of the domain to be resolved.

Creating Conditional Forwarder

#5. Click the IP addresses of the master servers list, type the IP address of the server to which you want to forward queries for the specified DNS domain, and then press ENTER.

IP Address of Master Domain

#6. Click OK. Then right-click Conditional Forwarders and click Refresh.

DNS Server -Nyazit.com

#7. The DNS Forwarder has been created.

Create Conditional Forwarder

The conditional forwarder has been created. You should do this on the DNS server in both domains. Once the conditional forwarder is created successfully in both domains, you can configure the forest trust (or any other trust type) and create the trust relationship between the two domains. So, let’s get started and create the trust between two domains in Windows Server 2016.
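The same forwarder, plus the check that it actually works, as an added PowerShell example that is not part of the original article: it uses the DnsServer module’s Add-DnsServerConditionalForwarderZone cmdlet instead of the DNS Manager console, then queries the SRV records that the New Trust Wizard needs in order to find a domain controller in the partner forest. The domain names are the article’s; the IP address is a constructed placeholder.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell on a
# DNS server / domain controller in one forest; repeat on the other side with the
# names swapped (on a nyazit.com DC, forward Network.Local).
# The DnsServer module is installed with the DNS Server role.

$Partner = @{
    Name          = 'nyazit.com'       # the remote namespace to forward (from the article)
    MasterServers = @('192.0.2.10')    # constructed placeholder: the remote DNS/DC address
}

# Create the forwarder only if it does not already exist. ReplicationScope Forest
# stores it in Active Directory so every DNS server in this forest gets the same
# setting, which is what the article's per-server console steps would otherwise
# have to be repeated for.
if (-not (Get-DnsServerZone -Name $Partner.Name -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $Partner.Name `
        -MasterServers $Partner.MasterServers -ReplicationScope Forest
}

# The trust wizard locates a DC in the other forest through the _msdcs SRV records,
# so test those against the local server rather than a plain A record.
$checks = @(
    "_ldap._tcp.dc._msdcs.$($Partner.Name)",
    "_kerberos._tcp.dc._msdcs.$($Partner.Name)"
)
foreach ($record in $checks) {
    try {
        $srv = Resolve-DnsName -Name $record -Type SRV -Server 127.0.0.1 -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SRV' }
        $targets = ($srv | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', '
        "{0,-45} -> {1}" -f $record, $targets
    }
    catch {
        # A failure here means the trust wizard will fail later with a name-resolution
        # error; fix the forwarder (or the firewall path to the master server) first.
        "{0,-45} -> FAILED: {1}" -f $record, $_.Exception.Message
    }
}
```

If the SRV lookups fail while a plain `Resolve-DnsName nyazit.com` succeeds, the forwarder is reaching a DNS server that is not authoritative for the partner’s `_msdcs` zone; point it at a domain controller of the other forest.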

Create Forest Trust Between Two Domains in Server 2016

Before you begin, both forests must be in Windows Server 2016 or 2012 R2 forest functional mode. Set all domains to Windows Server 2016 domain functional mode, and then set the forest mode. In this case we are going to create a two-way forest trust for both sides of the trust.

#1. Open Active Directory Domains and Trusts: in Server Manager, click Tools, and then click Active Directory Domains and Trusts.

Configure Active Directory Domains and Trusts

#2. In the console tree, right-click the domain node for the forest root domain for which you want to establish a trust, and then click Properties.

Create Forest Trust Between Two Domains in Server 2016

#3. On the Trusts tab, click New Trust, and then click Next.

Create Forest Trust Between Two Domains in Server 2016

#4. On the Trust Name page, type the Domain Name System (DNS) name (or network basic input/output system (NetBIOS) name) of the domain, and then click Next.

Create a Trust

#5. On the Trust type page, click Forest trust, and then click Next.

  • Use external trusts to provide access to resources that are located on a Windows NT 4.0 domain or a domain that is located in a separate forest that is not joined by a forest trust.
  • Use forest trusts to share resources between forests. If a forest trust is a two-way trust, authentication requests that are made in either forest can reach the other forest.

Configure Forest Trust in Server 2016

#6. On the Direction of Trust page, click Two-way, and then click Next.

  • Two-way: A two-way trust allows authentication requests that are sent by users in either domain or forest to be routed successfully to resources in either of the two domains or forests.
  • One-way: incoming: A one-way, incoming trust allows authentication requests that are sent by users in your domain or forest (the domain or forest where you started the New Trust Wizard) to be routed successfully to resources in the other domain or forest.
  • One-way: outgoing: A one-way, outgoing trust allows authentication requests that are sent by users in the other domain (the domain or forest that you are indicating in the New Trust Wizard as the specified domain or forest) to be routed successfully to resources in your domain or forest.

Create a two-way forest trust for both sides of the trust

#7. On the Sides of Trust page, click Both this domain and the specified domain, and then click Next.

  • This domain only: Use this option when you want to create each side of the trust separately, which means that you must run the New Trust Wizard twice, once for each domain in the trust.
  • Both this domain and the specified domain: This option lets an administrator who holds the appropriate domain credentials for both domains in the trust relationship create both sides of the trust in a single run of the New Trust Wizard.

Both this domain and the specified domain

#8. On the User Name and Password page, type the user name and password for the appropriate administrator in the specified domain.

Create Trust Relationship Between Two Domains

#9. On the Outgoing Trust Authentication Level–Local Domain page, do one of the following, and then click Next:

  • Forest-wide authentication: When you choose forest-wide authentication, users from the trusted forest are automatically authenticated for all resources in the local forest. You should use this option when both the trusted and trusting forests are part of the same organization. The image below shows a forest trust configured with this type of authentication.
  • Selective authentication: When you configure this option, Windows does not automatically authenticate users from the trusted forest. You can then configure specific servers and domains within the forest to allow users from the trusted forest to authenticate. Use this option when the two forests are from different organizations, or you have more stringent security requirements.

Forest-wide authentication

#10. On the Outgoing Trust Authentication Level–Specified Domain page, do one of the following, and then click Next:

  • Click Domain-wide authentication.
  • Click Selective authentication.

Create Forest Trust Between Two Domains in Server 2016

#11. On the Trust Selections Complete page, review the results, and then click Next.

Create Forest Trust Between Two Domains in Server 2016

#12. On the Trust Creation Complete page, review the results, and then click Next.

Create Forest Trust Between Two Domains in Server 2016

#13. On the Confirm Outgoing Trust page, do one of the following:

  • If you do not want to confirm this trust, click No, do not confirm the outgoing trust. Note that if you do not confirm the trust at this stage, the secure channel will not be established until the first time that the trust is used by users.
  • If you want to confirm this trust, click Yes, confirm the outgoing trust, and then supply the appropriate administrative credentials from the specified domain.

Confirm Outgoing Trust

#14. On the Confirm Incoming Trust page, do one of the following:

  • If you do not want to confirm this trust, click No, do not confirm the incoming trust.
  • If you want to confirm this trust, click Yes, confirm the incoming trust, and then supply the appropriate administrative credentials from the specified domain.

Create Forest Trust Between Two Domains in Server 2016

#15. On the Completing the New Trust Wizard page, click Finish.

Create Forest Trust Between Two Domains in Server 2016

#16. You have now completed the New Trust Wizard. After you click Finish, the trusted domain appears on the Trusts tab.

Configure Forest Trust in Server 2016

Configure Forest Trust in Server 2016

#17. As you can see in the image below, the forest trust has been created in both domains, and each remains a separate domain.

Configure Forest Trust in Windows Server 2016

Configure Forest Trust in Windows Server 2016

There you have it. Although this procedure shows the creation of a two-way trust, similar steps would be used to create a one-way trust. Remember that the system time between the DCs in the two forests must stay within the five-minute time skew, and name resolution must be maintained.
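To check the result and the two preconditions just named (name resolution and the five-minute time skew), here is an added PowerShell example that is not from the original article. It reads the trust object with Get-ADTrust from the ActiveDirectory module, reports the authentication level and SID-filtering setting chosen in the wizard, verifies the secure channel with netdom, and measures the clock offset with w32tm. The partner forest name is the article’s; dc1.nyazit.com is a constructed placeholder for a domain controller in the other forest.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell on a
# domain controller after the New Trust Wizard finishes; repeat from the other
# forest with the names swapped to check both sides of a two-way trust.
Import-Module ActiveDirectory

$PartnerForest = 'nyazit.com'        # the forest on the other side of the trust (from the article)
$PartnerDc     = 'dc1.nyazit.com'    # constructed placeholder: any DC in the partner forest

# 1. The trust object. Direction, type and transitivity confirm what the wizard
#    created. Two attributes are worth recording for review:
#    SIDFilteringForestAware  - SID filtering on the forest trust (enabled by default)
#    SelectiveAuthentication  - True when Selective authentication was chosen on the
#                               Outgoing Trust Authentication Level page
$trust = Get-ADTrust -Filter "Target -eq '$PartnerForest'"
if (-not $trust) {
    throw "No trust object found for $PartnerForest on this domain controller."
}
$trust | Select-Object Name, Direction, TrustType, ForestTransitive,
                       SelectiveAuthentication, SIDFilteringForestAware, UsesAESKeys |
         Format-List

if (-not $trust.SIDFilteringForestAware) {
    Write-Warning "SID filtering is disabled on the trust to $PartnerForest; a new forest trust has it enabled by default."
}
if ($trust.SelectiveAuthentication) {
    Write-Output "Authentication level: selective. Users from $PartnerForest reach only computers where they hold 'Allowed to Authenticate'."
}
else {
    Write-Output "Authentication level: forest-wide. All users from $PartnerForest are authenticated for resources in this forest."
}

# 2. Name resolution: the conditional forwarder must still deliver the DC locator
#    record, otherwise authentication across the trust fails even though the
#    trust object exists.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$PartnerForest" -Type SRV -ErrorAction Stop |
    Where-Object { $_.Type -eq 'SRV' } |
    Select-Object Name, NameTarget, Port

# 3. Secure channel: netdom verifies the trust password from this side.
netdom trust $env:USERDNSDOMAIN /domain:$PartnerForest /verify

# 4. Time skew: Kerberos rejects tickets from a clock more than five minutes off.
#    /dataonly prints the partner DC's offset relative to this machine.
w32tm /stripchart /computer:$PartnerDc /samples:3 /dataonly
```

If the trust was created with forest-wide authentication and a more restrictive setting is wanted later, the authentication level can be changed on the Authentication tab of the trust’s properties in Active Directory Domains and Trusts; re-run the script afterwards to confirm SelectiveAuthentication reads True.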

I hope this article “Create Forest Trust Between Two Domains in Server 2016” was helpful for you. If you have any question, you can ask me freely in the comments below.


2 Comments so far. Feel free to join this conversation.

  1. Ali October 30, 2017 at 12:43 am - Reply

    Very good article. I have one question: can a trust be established between Windows 2008 R2 (with function level 2003) and Windows 2016?

    • M azimi October 31, 2017 at 7:08 pm - Reply

      You can establish it between Windows Server 2008 and 2008 R2 with function level 2016, but you can’t establish it with function level 2003! I’ve tried this method many times, and it doesn’t work! My suggestion is that the function level of 2003 is not reconcilable with 2008 R2 and 2016.
