How to create an external trust between two separate domains/forests

A trust is a relationship established between domains that enables users in one domain to be authenticated by a domain controller in the other domain. There are different types of trust: external, realm, forest and shortcut. In this article, I am going to talk about external trusts. The same procedure applies to Windows Server 2003 and Windows Server 2008. An external trust is necessary when users from two different domains (in separate forests) need to access resources such as printers and file servers in each other's domain. A few requirements must be met first.
Both domain controllers must be able to ping each other's IP address. If the two domain controllers sit in different subnets, proper routing is required.
DNS records for each domain controller must be added on the other server (Example: the DNS record for bollywood.com must be added in desibaba.com, and vice versa).

The FQDN of each DC must resolve from the other DC (Example: the FQDN dns1.bollywood.com must be added in dc1.desibaba.com, and vice versa).

Now dc1 will be able to ping dns1 by name and by FQDN, and you are ready to create the external trust. If you still cannot ping by FQDN, enter the IP address of the PDC of forest A as the secondary/alternate DNS server in the TCP/IP properties of the PDC of forest B, and vice versa. You will then be able to ping by FQDN. (A conditional forwarder for the other domain's zone is the cleaner alternative: it resolves only that zone through the other forest's DC instead of making your DC depend on the other forest for every lookup.)
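The prerequisite checks above, as an added PowerShell example that is not part of the original post. It runs on dc1 (desibaba.com) and targets dns1; the IP address 192.168.2.10 is an assumption, and the example uses a conditional forwarder (created with dnscmd.exe, which ships with the DNS Server role) rather than the alternate-DNS-server setting described in the post.

```powershell
# Added example, not from the original post. Run on dc1 (desibaba.com) against dns1.
# The IP address is assumed; the domain and host names follow the post's example.
$RemoteDomain = 'bollywood.com'
$RemoteDcFqdn = 'dns1.bollywood.com'
$RemoteDcIp   = '192.168.2.10'          # assumed address of dns1

# 1. Routing: dns1 must answer by IP before name resolution is worth looking at.
$pingByIp = ping.exe -n 2 $RemoteDcIp | Select-String 'TTL='
if (-not $pingByIp) {
    Write-Warning "No reply from $RemoteDcIp - fix routing/firewall between the subnets first"
}

# 2. Name resolution: dns1's FQDN must resolve to that address from this DC.
$resolved = @()
try {
    $resolved = [System.Net.Dns]::GetHostAddresses($RemoteDcFqdn) |
        ForEach-Object { $_.IPAddressToString }
} catch {
    Write-Warning "$RemoteDcFqdn does not resolve from this DC"
}

if ($resolved -notcontains $RemoteDcIp) {
    # Forward only bollywood.com to dns1 (a conditional forwarder). Unlike listing dns1
    # as this DC's alternate DNS server, this does not make dc1 depend on the other
    # forest for every other lookup. dnscmd.exe ships with the DNS Server role.
    Write-Host "Adding conditional forwarder: $RemoteDomain -> $RemoteDcIp"
    dnscmd.exe localhost /ZoneAdd $RemoteDomain /Forwarder $RemoteDcIp
}

# 3. Re-check by FQDN, and confirm the SRV record used to locate a DC in the
#    other domain is answered; the trust wizard needs both to work.
nslookup.exe $RemoteDcFqdn
nslookup.exe -type=SRV "_ldap._tcp.dc._msdcs.$RemoteDomain"
ping.exe -n 2 $RemoteDcFqdn

# Repeat on dns1 with the names swapped (desibaba.com, dc1.desibaba.com, dc1's IP).
```

Run it on both DCs; the trust can only be created once each side resolves the other by FQDN and the `_ldap._tcp.dc._msdcs` SRV lookup succeeds in both directions.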

One-way trust between two DCs. In the example below, dns1 (bollywood.com) gets the incoming side and dc1 (desibaba.com) gets the outgoing side. That means desibaba.com trusts bollywood.com: users from bollywood.com can be authenticated in desibaba.com and be granted access to its resources, while users from desibaba.com get no access in bollywood.com. The direction is always named from the point of view of the domain you are configuring: "outgoing" means this domain trusts the other one and accepts its users; "incoming" means this domain is trusted by the other one. The outgoing (trusting) side is the one taking on risk, so that is where the authentication level matters (and where SID filtering, enabled by default on external trusts, should stay on).

Creating the incoming trust on dns1 (bollywood.com, the trusted domain)

1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain for which you want to establish a trust, and then click Properties.
3. On the Trusts tab, click New Trust, and then click Next.
4. On the Trust Name page, type the Domain Name System (DNS) name (or NetBIOS name) of the external domain, and then click Next.
5. On the Trust Type page, click External trust, and then click Next.
6. On the Direction of Trust page, click One-way: incoming, and then click Next.
7. On the Sides of Trust page, click This domain only, and then click Next.
8. On the Trust Password page, type the trust password twice, and then click Next.
Agree on this secure channel (trust) password with the administrator of the other domain beforehand; the same password must be entered when the other side of the trust is created.
9. On the Trust Selections Complete page, review the results, and then click Next.
10. On the Trust Creation Complete page, review the results, and then click Next.
11. On the Confirm Incoming Trust page, do one of the following:
· If you do not want to confirm this trust, click No, do not confirm the incoming trust.
· If you want to confirm this trust, click Yes, confirm the incoming trust, and then supply the appropriate administrative credentials from the specified domain.
12. On the Completing the New Trust Wizard page, click Finish.

Creating the outgoing trust on dc1 (desibaba.com, the trusting domain)

1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain for which you want to establish a trust, and then click Properties.
3. On the Trusts tab, click New Trust, and then click Next.
4. On the Trust Name page, type the Domain Name System (DNS) name (or NetBIOS name) of the external domain, and then click Next.
5. On the Trust Type page, click External trust, and then click Next.
6. On the Direction of Trust page, click One-way: outgoing, and then click Next.
7. On the Sides of Trust page, click This domain only, and then click Next.
8. On the Outgoing Trust Authentication Level page, do one of the following, and then click Next:
· Click Domain-wide authentication. Every user of the trusted domain then becomes a member of Authenticated Users in this domain, so anything granted to Authenticated Users or Everyone becomes reachable to them.
· Click Selective authentication. Users of the trusted domain can then only authenticate to computers in this domain on which they have been granted the Allowed to Authenticate permission; prefer this unless domain-wide access is really intended.
9. On the Trust Password page, type the trust password twice, and then click Next.
10. On the Trust Selections Complete page, review the results, and then click Next.
11. On the Trust Creation Complete page, review the results, and then click Next.
12. On the Confirm Outgoing Trust page, do one of the following:
· If you do not want to confirm this trust, click No, do not confirm the outgoing trust. Note that if you do not confirm the trust at this stage, the secure channel will not be established until the first time that the trust is used by users.
· If you want to confirm this trust, click Yes, confirm the outgoing trust, and then supply the appropriate administrative credentials from the specified domain.
13. On the Completing the New Trust Wizard page, click Finish.

Note: if users on both sides need access to resources on both sides, choose Two-way on the Direction of Trust page on each side (each domain then trusts, and is trusted by, the other). Because a two-way external trust means each domain accepts the other's users, apply selective authentication on both sides unless domain-wide access is genuinely intended.
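The two wizard procedures above, as an added example that is not part of the original post: the same one-way external trust created from the command line with netdom.exe, then verified with netdom, nltest and the TrustMon WMI provider. Domain names follow the post's example; the Administrator account names and the trust password value are assumptions.

```powershell
# Added example, not from the original post: the same one-way external trust created
# with netdom.exe instead of the wizard, then verified. Domain names follow the post's
# example; the administrator account names and the trust password are assumptions.
$TrustingDomain = 'desibaba.com'   # dc1's domain: it will accept logons from bollywood.com
$TrustedDomain  = 'bollywood.com'  # dns1's domain: its users gain access in desibaba.com
$TrustPassword  = 'replace-with-a-long-random-value'   # shared trust password, agreed out of band

# --- Run on dns1: the trusted side (the wizard's "One-way: incoming") ---
# /oneside:trusted creates only this domain's half of the trust, like "This domain only"
# in the wizard; the other half is created separately with the same /passwordt value.
netdom.exe trust $TrustingDomain "/d:$TrustedDomain" /add /oneside:trusted `
    "/passwordt:$TrustPassword" "/ud:$TrustedDomain\Administrator" /pd:*

# --- Run on dc1: the trusting side (the wizard's "One-way: outgoing") ---
# /selectiveauth:yes is the wizard's "Selective authentication": bollywood.com users can
# only authenticate to computers where they hold "Allowed to Authenticate".
# /quarantine:yes is SID filtering. It is already the default for external trusts; asking
# for it explicitly records the intent to reject foreign SIDs carried in SIDHistory.
netdom.exe trust $TrustingDomain "/d:$TrustedDomain" /add /oneside:trusting `
    "/passwordt:$TrustPassword" "/uo:$TrustingDomain\Administrator" /po:* `
    /selectiveauth:yes /quarantine:yes

# --- Verify, on dc1 ---
# Checks the secure channel to the trusted domain (what the wizard's "confirm" step does).
netdom.exe trust $TrustingDomain "/d:$TrustedDomain" /verify `
    "/ud:$TrustedDomain\Administrator" /pd:* "/uo:$TrustingDomain\Administrator" /po:*
nltest.exe /domain_trusts
nltest.exe "/sc_verify:$TrustedDomain"

# TrustMon WMI view (present on 2003/2008 DCs). TrustDirection: 1 inbound, 2 outbound,
# 3 both; TrustAttributes bit 0x4 = quarantined (SID filtering), 0x10 = cross-org
# (selective authentication). From dc1, expect direction 2 for this one-way trust.
Get-WmiObject -Namespace 'root\MicrosoftActiveDirectory' -Class Microsoft_DomainTrustStatus |
    Where-Object { $_.TrustedDomain -eq $TrustedDomain } |
    Select-Object TrustedDomain, TrustDirection, TrustType, TrustAttributes, TrustIsOk, TrustStatusString

# Two-way variant: drop /oneside and add /twoway, supplying credentials for both domains;
# keep /selectiveauth:yes unless domain-wide access is genuinely intended.
# netdom.exe trust $TrustingDomain "/d:$TrustedDomain" /add /twoway /selectiveauth:yes `
#     "/ud:$TrustedDomain\Administrator" /pd:* "/uo:$TrustingDomain\Administrator" /po:*
```

The `/pd:*` and `/po:*` arguments make netdom prompt for each password instead of leaving it in the command history. If the WMI query reports TrustDirection 1 from dc1, the sides were swapped: desibaba.com is then the trusted domain and its users, not bollywood.com's, would be the ones gaining access.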
