Create Windows Trust between two domains

Anyone working in IT knows about Active Directory domains in a Windows environment. A domain is a collection of objects stored in the Active Directory database: users, computers, domain controllers, groups, GPOs, sites and so on.

When you build your network you define your own domain, and you control the resources within that domain. You have to provide a NetBIOS name (Network Basic Input/Output System name) for the domain while you deploy Active Directory in your Windows environment. As mentioned, you can only manage resources that are in your own domain, but there are scenarios where you have to manage resources that belong to another domain. Suppose your parent company acquires a child company and you need to grant it access to your resources, or you need to access resources in the child company's domain. In a situation like this you have to build a trust between the two domains and then manage permissions according to your requirements.
Here I'm going to show you, step by step, how to create a trust between two domains and access the resources. First of all you need working network connectivity between the two domains.
My Scenario
I have two different domains (ARADMIGRATION.local / TECHCRUMBLE.NET) and two Active Directory environments:

                          ARADMIGRATION.local            TECHCRUMBLE.NET
AD Server Name            W2k12AD                        ADSVR
AD Server NetBIOS Name    W2k12AD.ARADMIGRATION.local    ADSVR.TECHCRUMBLE.NET
IP Address                172.16.50.67                   172.16.50.40
OS                        Windows Server 2012            Windows Server 2008
DNS Server                W2k12AD                        ADSVR
DNS Server IP Address     172.16.50.67                   172.16.50.40

I'm going to create a two-way trust between these domains.

  • I log in to my TECHCRUMBLE.NET domain controller (ADSVR) and open DNS Manager. First of all we need a conditional forwarder, so that queries for ARADMIGRATION.local names coming from the TECHCRUMBLE.NET domain are forwarded to the ARADMIGRATION.local DNS server. In DNS Manager, right-click “Conditional Forwarders” and select “New Conditional Forwarder”.

  • Enter the DNS domain for the conditional forwarder and the IP address of that domain's DNS server.

  • There is an option to replicate the DNS change to the other DNS servers in the domain or forest:
    • All DNS servers in this forest
    • All DNS servers in this domain 
    • All domain controllers in this domain (for Windows 2000 compatibility)
  • Select the option according to your requirement and click “OK” to continue 

  • You might see a red error cross after you add the IP address of the DNS server, but don't worry. Once the conditional forwarder is added, refresh it, open its properties and click “Edit”; the IP address field should now show a green icon, meaning the server was validated successfully.

  • Follow the same steps in the other domain (TECHCRUMBLE.NET) as well and verify that the IP address validates.
  • Now we are done with the conditional forwarders. Let's move to “Active Directory Domains and Trusts” in the parent domain to configure the trust; as this is a two-way trust, you can configure it from the child domain as well. Right-click the domain and go to “Properties”.
  • Go to the “Trusts” tab and click “New Trust…”.

  • The “Welcome to the New Trust Wizard” page appears; click “Next” to continue.

  • Type the NetBIOS name of the other domain and click “Next” to continue.

  • Here you have two types of trust to choose from (mine is a forest trust):
    • External trust: used to provide access to resources located in a Windows NT 4.0 domain, or in a domain in a separate forest that is not connected by a forest trust – see When to create an External Trust
    • Forest trust: used to share resources between two forests – see When to create a Forest Trust

  • At the next step you select the direction of the trust. This is self-explanatory; choose according to your requirement. In my case it is a two-way trust. Select the option and click “Next” to continue.

  • The next step, “Sides of Trust”, is also self-explanatory: you define the side(s) of the trust according to your requirement. In my case it is “Both this domain and the specified domain”. Select the option and click “Next” to continue.

  • Type the username and password of an account in the domain you are going to trust, then click “Next” to continue.

  • At the next step you set the Outgoing Trust Authentication Level, either “Forest-wide authentication” or “Selective authentication”. The wizard explains both clearly, so this section is also self-explanatory; you have to set it separately for the local and the trusted domain. In short, forest-wide authentication lets every user in the other forest authenticate to any computer in yours (access is then governed only by the resource permissions), whereas selective authentication additionally requires an explicit “Allowed to Authenticate” grant on each computer object those users may reach.

  • Two summary pages follow, “Trust Selections Complete” and “Trust Creation Complete”; all you need to do is click “Next” on these.

  • The trust completion wizard offers two options to confirm the outgoing and the incoming trust of the trust relationship you configured. As a best practice, make sure to confirm both after creating the trust.

  • Click “Finish” to complete the trust relationship. You are all set.

  • Open the domain properties in “Active Directory Domains and Trusts” again and you can see the trust configuration now.
  • Do we need to do the same thing again in the other domain? No. This is a two-way trust, so the domains now trust each other. Confirm the configuration on the other (TECHCRUMBLE.NET) domain as well.

  • Now I can resolve the DNS names of the trusted domain.

  • Now I can share a folder with users from the trusted domain.
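The whole procedure above, collected into one script as an added example (this is not code from the original post): it runs in an elevated PowerShell on W2k12AD, the ARADMIGRATION.local domain controller, and uses the DnsServer, ActiveDirectory and SmbShare modules that ship with Windows Server 2012 plus the .NET System.DirectoryServices.ActiveDirectory.Forest class to create the conditional forwarder, build and verify the two-way forest trust, and finally share a folder with a group from the trusted forest. Domain names and IP addresses come from the scenario table; the group name TECHCRUMBLE\FileShare-Readers, the share path and the choice of selective authentication are assumptions made for this example.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post: scripted version of the wizard steps
# for the lab in this post (ARADMIGRATION.local <-> TECHCRUMBLE.NET).
# Run on W2k12AD (ARADMIGRATION.local DC, Windows Server 2012). Assumptions:
# TECHCRUMBLE\FileShare-Readers is a hypothetical group in the trusted forest,
# and you will be prompted for an account with Domain Admins rights in TECHCRUMBLE.NET.
Import-Module DnsServer
Import-Module ActiveDirectory

$peerForest = 'TECHCRUMBLE.NET'
$peerDnsIp  = '172.16.50.40'      # ADSVR, from the scenario table

# --- 1. Conditional forwarder (what the "New Conditional Forwarder" dialog does) ---
# -ReplicationScope maps to the dialog's radio buttons:
#   Forest = "All DNS servers in this forest", Domain = "All DNS servers in this domain",
#   Legacy = "All domain controllers in this domain (Windows 2000 compatibility)".
if (-not (Get-DnsServerZone -Name $peerForest -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $peerForest `
        -MasterServers $peerDnsIp -ReplicationScope 'Forest'
}
# On ADSVR (Windows Server 2008) there is no DnsServer module; the dnscmd equivalent is:
#   dnscmd ADSVR /ZoneAdd ARADMIGRATION.local /DsForwarder 172.16.50.67

# The "green icon" check from the command line: the peer forest's DC locator SRV
# record must resolve through the forwarder before a trust can be built.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$peerForest" -Type SRV -ErrorAction Stop
"DC locator for ${peerForest}: $($srv.NameTarget -join ', ')"

# --- 2. Two-way forest trust, both sides at once ("Both this domain and the
#        specified domain", direction Two-way) ---
Add-Type -AssemblyName System.DirectoryServices
$peerCred    = Get-Credential -Message "Account with Domain Admins rights in $peerForest"
$localForest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$peerCtx     = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext(
    [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Forest,
    $peerForest, $peerCred.UserName, $peerCred.GetNetworkCredential().Password)
$remoteForest = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($peerCtx)

$existing = $localForest.GetAllTrustRelationships() | Where-Object { $_.TargetName -ieq $peerForest }
if (-not $existing) {
    $localForest.CreateTrustRelationship($remoteForest,
        [System.DirectoryServices.ActiveDirectory.TrustDirection]::Bidirectional)
}

# --- 3. Authentication level and SID filtering (the wizard's authentication pages) ---
# Selective authentication: trusted users may only reach computers on which they
# have been granted "Allowed to Authenticate". Comment this out to keep the
# wizard's forest-wide option instead.
$localForest.SetSelectiveAuthenticationStatus($peerForest, $true)
# SID filtering ("quarantine") is on by default for forest trusts; keep it on so a
# SID from the other forest cannot claim membership in this forest's groups.
if (-not $localForest.GetSidFilteringStatus($peerForest)) {
    $localForest.SetSidFilteringStatus($peerForest, $true)
}

# --- 4. Verify, as the "Confirm outgoing/incoming trust" pages do (throws on failure) ---
$localForest.VerifyTrustRelationship($remoteForest,
    [System.DirectoryServices.ActiveDirectory.TrustDirection]::Bidirectional)
Get-ADTrust -Filter "Target -eq '$peerForest'" |
    Select-Object Name, Direction, ForestTransitive, SelectiveAuthentication, SIDFilteringForestAware

# --- 5. Share a folder with users from the trusted forest ---
$sharePath = 'C:\Shares\Migration'                       # assumed path
New-Item -Path $sharePath -ItemType Directory -Force | Out-Null
# NTFS read permission for one specific group from the trusted forest (hypothetical name).
icacls $sharePath /grant 'TECHCRUMBLE\FileShare-Readers:(OI)(CI)RX' | Out-Null
New-SmbShare -Name 'Migration' -Path $sharePath `
    -ReadAccess 'TECHCRUMBLE\FileShare-Readers' -FullAccess 'ARADMIGRATION\Domain Admins'
```

Step 3 is where this script deliberately goes beyond the post's default: with selective authentication enabled, the TECHCRUMBLE\FileShare-Readers group must also be granted “Allowed to Authenticate” on the file server's computer object before the share in step 5 becomes reachable, which is exactly the point of that setting. Step 4 prints the properties worth keeping an eye on afterwards: Direction should read BiDirectional, ForestTransitive True, and SIDFilteringForestAware True.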

Thank You for viewing my post. 