Trusts define the security relationship between domains and forests. When a trust exists, users with an account in one domain can be assigned permissions to resources in a separate domain. By default, all domains in a forest are configured to trust each other. In the following article we are going to create a trust between two domains in Windows Server 2016 step by step: Create Forest Trust Between Two Domains in Server 2016.
Trusts make it possible for users in one domain to be authenticated by domain controllers in a separate domain. For example, if there is a bidirectional trust relationship between the domains Network.Local and nyazit.com, users with accounts in the Network.Local domain are able to authenticate in the nyazit.com domain. By configuring a trust relationship, it’s possible to allow users in one domain to access resources in another, such as being able to use shared folders and printers or being able to sign on locally to machines that are members of a different domain than the one that holds the user’s account.
Note: Before you create forest trusts between domains, it is important to verify that the Domain Name System (DNS) server in your environment is properly set up and configured to accept future trust relationships. First, we need to configure a conditional forwarder on both domain controllers.
Configure Conditional Forwarder in DNS
A trust relationship between the two organizations’ Active Directory Domain Services is desired, but neither organization’s namespace can be resolved through public name resolution. In order to configure the trust relationship, name resolution needs to be configured. One option for name resolution is to use conditional forwarders. DNS in each domain will be configured to forward requests for the other organization’s namespace to a DNS server that is authoritative for it. All other names that need to be resolved will use the default name resolution method.
#1. Open DNS Manager. To open DNS Manager, click Server Manager, point to Tools menu, and then click DNS Server.
#2. In the console tree, double-click the applicable DNS server. Expand DNS, and then double-click the applicable DNS server.
#3. In the console tree, click Conditional Forwarders, and then on the Action menu, click New conditional forwarder.
#4. In DNS domain, type the fully qualified domain name (FQDN) of the domain for which you want to forward queries. Enter the DNS Name of the desired domain to be resolved.
#5. Click the IP addresses of the master servers list, type the IP address of the server to which you want to forward queries for the specified DNS domain, and then press ENTER.
#6. Click OK, then right-click Conditional Forwarders and click Refresh.
#7. The DNS Forwarder has been created.
The conditional forwarder has been created. You should do this on the DNS server in both domains. When the conditional forwarder is created successfully in both domains, you can configure a forest trust and create the trust relationship between the two domains (or any other trust type). So, let’s get started and create the trust between two domains in Windows Server 2016.
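The same conditional forwarder can be created and checked from PowerShell on the DNS server. The following is an added example and is not code from the article; the partner zone name is the article’s nyazit.com, the master server address is a placeholder, and the cmdlets are from the Windows DnsServer and DnsClient modules. Run it once in each forest, swapping the names. The check at the end resolves the DC locator SRV records, which is what a trust actually depends on, rather than just the zone apex.

```powershell
# Added example (not part of the original article). Run on a DNS server in each
# forest, swapping the zone name and address. The IP address is a placeholder.
$partnerZone = 'nyazit.com'     # the other forest's namespace
$partnerDns  = '192.0.2.10'     # PLACEHOLDER: DNS server authoritative for that zone

# Create the conditional forwarder. -ReplicationScope Forest stores it in AD so every
# DNS server in this forest receives it, matching the wizard's AD-integrated option.
# Only the address you enter here is queried for that zone, so confirm it really is
# the partner forest's DNS server before committing it.
if (-not (Get-DnsServerZone -Name $partnerZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $partnerZone `
        -MasterServers $partnerDns -ReplicationScope 'Forest' -PassThru
} else {
    "Conditional forwarder for $partnerZone already exists"
}

# Verify: the DC locator records must resolve through the forwarder, otherwise the
# New Trust Wizard cannot find a domain controller in the partner forest.
$records = @(
    "_ldap._tcp.dc._msdcs.$partnerZone",
    "_kerberos._tcp.dc._msdcs.$partnerZone"
)
foreach ($r in $records) {
    try {
        Resolve-DnsName -Name $r -Type SRV -ErrorAction Stop |
            Where-Object { $_.Type -eq 'SRV' } |
            ForEach-Object { "{0} -> {1}:{2}" -f $r, $_.NameTarget, $_.Port }
    } catch {
        Write-Warning "Cannot resolve $r : $($_.Exception.Message)"
    }
}
```

If the SRV lookups fail while the zone apex resolves, the forwarder is pointing at a server that is not authoritative for the partner domain’s _msdcs subzone; fix that before starting the wizard.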
Create Forest Trust Between Two Domains in Server 2016
Finally, both forests must be in Windows Server 2016 or 2012 R2 forest functional mode. Set all domains to Windows Server 2016 domain functional mode, and then set the forest mode. In this case we are going to create a two-way forest trust for both sides of the trust.
#1. Open Active Directory Domains and Trusts. Click Server Manager, click tools, click Active Directory Domains and Trusts.
#2. In the console tree, right-click the domain node for the forest root domain for which you want to establish a trust, and then click Properties.
#3. On the Trusts tab, click New Trust, and then click Next.
#4. On the Trust Name page, type the Domain Name System (DNS) name (or network basic input/output system (NetBIOS) name) of the domain, and then click Next.
#5. On the Trust Type page, click Forest trust, and then click Next.
- Use external trusts to provide access to resources that are located on a Windows NT 4.0 domain or a domain that is located in a separate forest that is not joined by a forest trust.
- Use forest trusts to share resources between forests. If a forest trust is a two-way trust, authentication requests that are made in either forest can reach the other forest.
#6. On the Direction of Trust page, click Two-way, and then click Next.
- Two-way. A two-way trust allows authentication requests that are sent by users in either domain or forest to be routed successfully to resources in either of the two domains or forests.
- One-way: incoming. A one-way, incoming trust allows authentication requests that are sent by users in your domain or forest (the domain or forest where you started the New Trust Wizard) to be routed successfully to resources in the other domain or forest.
- One-way: outgoing. A one-way, outgoing trust allows authentication requests that are sent by users in the other domain (the domain or forest that you are indicating in the New Trust Wizard as the specified domain or forest) to be routed successfully to resources in your domain or forest.
#7. On the Sides of Trust page, click Both this domain and the specified domain, and then click Next.
- This domain only: Use this option when you want to create each side of the trust separately, which means that you must run the New Trust Wizard twice—once for each domain in the trust.
- Both this domain and the specified domain: This option provides administrators who possess the appropriate domain credentials for both domains in the trust relationship with the option to quickly create both sides of a trust by completing a single instance of the New Trust Wizard.
#8. On the User Name and Password page, type the user name and password for the appropriate administrator in the specified domain.
#9. On the Outgoing Trust Authentication Level–Local Domain page, do one of the following, and then click Next:
- Forest-wide authentication: When you choose forest-wide authentication, users from the trusted forest are automatically authenticated for all resources in the local forest. You should use this option when both the trusted and trusting forests are part of the same organization. The image shows a forest trust configured with this type of authentication.
- Selective authentication: When you configure this option, Windows does not automatically authenticate users from the trusted forest. You can then configure specific servers and domains within the forest to allow users from the trusted forest to authenticate. Use this option when the two forests are from different organizations, or when you have more stringent security requirements.
#10. On the Outgoing Trust Authentication Level–Specified Domain page, do one of the following, and then click Next:
- Click Domain-wide authentication.
- Click Selective authentication.
#11. On the Trust Selections Complete page, review the results, and then click Next.
#12. On the Trust Creation Complete page, review the results, and then click Next.
#13. On the Confirm Outgoing Trust page, do one of the following:
- No, do not confirm the outgoing trust. Note that if you do not confirm the trust at this stage, the secure channel will not be established until the first time that the trust is used by users.
- If you want to confirm this trust, click Yes, confirm the outgoing trust, and then supply the appropriate administrative credentials from the specified domain.
#14. On the Confirm Incoming Trust page, do one of the following:
- If you do not want to confirm this trust, click No, do not confirm the incoming trust.
- If you want to confirm this trust, click Yes, confirm the incoming trust, and then supply the appropriate administrative credentials from the specified domain.
#15. On the Completing the New Trust Wizard page, click Finish.
#16. You have now successfully completed the New Trust Wizard. After clicking Finish, you can see the domain on the Trusts tab.
#17. As you can see in the image below, the forest trust has been created in both domains. As you can see, this is a separate domain.
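The wizard steps above can also be scripted, which is useful when the same trust has to be rebuilt or documented. This is an added example, not the article’s own code: it uses the .NET System.DirectoryServices.ActiveDirectory classes (there is no built-in ActiveDirectory-module cmdlet for creating a forest trust), the article’s forest name nyazit.com, and a credential prompt in place of the wizard’s User Name and Password page. It assumes it runs as an Enterprise Admin on a domain controller in Network.Local and that the credential typed is an Enterprise Admin in nyazit.com. The selective authentication line corresponds to the Outgoing Trust Authentication Level choice; it is the setting a practitioner would normally want when the two forests belong to different organizations.

```powershell
# Added example (not from the original article). Builds the same two-way forest trust
# the New Trust Wizard creates, from a DC in Network.Local.
Add-Type -AssemblyName System.DirectoryServices

$partnerForest = 'nyazit.com'
# Placeholder prompt; the account must be an Enterprise Admin in the partner forest.
$partnerAdmin  = Get-Credential -Message "Enterprise Admin in $partnerForest"

# Bind to the local forest and, with the supplied credentials, to the partner forest.
$local = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$ctx   = New-Object -TypeName System.DirectoryServices.ActiveDirectory.DirectoryContext `
    -ArgumentList ([System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Forest),
                  $partnerForest,
                  $partnerAdmin.UserName,
                  $partnerAdmin.GetNetworkCredential().Password
$remote = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ctx)

# Wizard: Direction of Trust = Two-way, Sides of Trust = Both this domain and the
# specified domain. One call creates both sides because we hold credentials for both.
$direction = [System.DirectoryServices.ActiveDirectory.TrustDirection]::Bidirectional
$local.CreateTrustRelationship($remote, $direction)

# Wizard: Outgoing Trust Authentication Level = Selective authentication.
# With forest-wide authentication every user in the partner forest is treated as an
# Authenticated User here; selective authentication makes access opt-in per resource
# computer through the "Allowed to Authenticate" permission.
$local.SetSelectiveAuthenticationStatus($partnerForest, $true)

# Wizard: "Yes, confirm the outgoing/incoming trust". Throws if the secure channel
# cannot be established in either direction.
$local.VerifyTrustRelationship($remote, $direction)
"Two-way forest trust with $partnerForest created and verified"
```

To mirror the wizard’s "This domain only" option instead, call CreateLocalSideOfTrustRelationship on each forest with a shared trust password and let the other side complete it.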
There you have it. Although this procedure shows the creation of a two-way trust, similar steps would be used to create a one-way trust. Remember that the system time between the DCs in the two forests must be within the five-minute time skew and name resolution must be maintained.
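The two requirements in the closing paragraph, time skew and name resolution, are the usual reasons a trust that was created successfully stops working later, so they are worth checking on a schedule rather than once. The following is an added example, not the article’s code: it resolves the partner forest’s DC locator records, measures the clock offset to a partner DC with w32tm, and reads the trust object back, including whether SID filtering is active on it. The partner DC name dc01.nyazit.com is a placeholder; the cmdlets are from the ActiveDirectory and DnsClient modules, and netdom is the built-in tool.

```powershell
# Added example (not from the original article). Health checks for the forest trust,
# run from a DC in Network.Local. dc01.nyazit.com is a PLACEHOLDER partner DC name.
Import-Module ActiveDirectory
$partner   = 'nyazit.com'
$partnerDc = 'dc01.nyazit.com'
$maxSkew   = 300    # seconds; Kerberos default maximum clock skew is 5 minutes

# 1. Name resolution: the DC locator records must still resolve via the forwarder.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$partner" -Type SRV -ErrorAction Stop |
       Where-Object { $_.Type -eq 'SRV' }
"DCs located for {0}: {1}" -f $partner, (($srv.NameTarget | Sort-Object -Unique) -join ', ')

# 2. Time skew: w32tm /stripchart prints one data line per sample such as
#    "16:42:31, +00.0012345s"; the signed offset is parsed from the last line.
$line = w32tm /stripchart /computer:$partnerDc /samples:1 /dataonly | Select-Object -Last 1
$m    = [regex]::Match($line, '([+-]\d+\.\d+)s')
if (-not $m.Success) {
    Write-Warning "Could not measure time against $partnerDc : $line"
} else {
    $offset = [double]$m.Groups[1].Value
    if ([math]::Abs($offset) -gt $maxSkew) {
        Write-Warning ("Clock offset to {0} is {1:N1}s, beyond the {2}s Kerberos limit" -f $partnerDc, $offset, $maxSkew)
    } else {
        "Clock offset to {0}: {1:N3}s (OK)" -f $partnerDc, $offset
    }
}

# 3. Trust object and secure channel. SIDFilteringForestAware should be True on a
#    forest trust; with SID filtering off, SID history from the partner forest is
#    honoured here, which is not what you want across organizations.
Get-ADTrust -Filter "Target -eq '$partner'" |
    Format-List Name, Direction, ForestTransitive, SelectiveAuthentication, SIDFilteringForestAware
netdom trust $env:USERDNSDOMAIN /domain:$partner /verify
```

If the netdom verification fails but DNS and time are fine, the trust password on the two sides has drifted; netdom trust with /reset, run with credentials for both forests, re-establishes the secure channel without recreating the trust.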
I hope this article “Create Forest Trust Between Two Domains in Server 2016” was helpful for you. If you have any questions, you can ask me freely in the comments below.