Monday, October 1, 2012

Setup Trust Between Domains

Quote from here

Requirements:
Let’s assume user David from Forest A needs to access a shared resource in Forest B. In this scenario, a trust must be created on Forest A, and user David must be given universal group permission to the shared resource on Forest B.
  • DNS Servers on both networks are configured to know about each other
  • Setup a Stub Zone on each DNS Server, so that any DNS request for resources on the other network will be forwarded to the DNS server in the other network
  • Forest functional level must be Windows 2003 and above.
Step 1:
Create a stub zone on the DNS server in Forest A (let’s assume Forest A is microsoft.com)
1. Go to DNS Manager
2. Go to Forward lookup zone
3. Create a new zone, select the zone type Stub Zone and also select Store the zone in Active Directory
4. In the next screen, choose how you want the zone data replicated (the option for microsoft.com)
5. Next, enter the zone name as techpeople.com
6. Next, enter the IP address of the techpeople.com DNS server
7. Click next and finish.
8. Verify new stub zone in DNS Manager.
Step 2:
1. Log in to the techpeople.com DNS server and create a stub zone
2. In the zone name tab, enter microsoft.com
3. Enter the IP address of the microsoft.com DNS server
4. Click next and Finish.
Step 3:
1. Go to Active Directory Domains and Trusts, right-click on the domain and select Raise forest functional level.
2. Make sure the forest functional level is Windows 2003 or later in both forests.
Step 4:
1. On microsoft.com, go to the primary DC and start Active Directory Domains and Trusts
2. Right-click on the microsoft.com domain and select Properties
3. Click on Trusts tab
The trust to na.microsoft.com shown here already existed: it was created automatically when that child domain was created.
4. In order to create a forest trust between the microsoft.com and techpeople.com forests, click on New Trust. The New Trust wizard starts.
5. Click Next. In the below screen, type techpeople.com
6. Next, here you select the trust type.  A forest trust, the one we are creating, creates a transitive trust between all users in both forests, specified by the two forest root domains.  The other option is to create an external trust between just the two domains; external trusts are non-transitive.  Select Forest Trust and then select Next.
7. Next, specify the direction of the trust.  A two-way trust means users in both domains can be authenticated on the other domain.  One-way means that one domain’s users can be authenticated on the other domain, but not the other way around.  One-way trusts can be established as incoming or outgoing, meaning that they can be set up one-way for the domain you are currently setting up the trust on, or for the other domain.  Select Two-way and select Next.
8. Next, you can set up the trust on this domain or both domains involved in the trust.  Select Both this domain and the specified domain.  You can only do this if you have credentials for the other domain.  If you do not have credentials for the other domain, you would have to get an administrator for the other domain to create the other side of the trust.  Select Next.
9. Input administrative credentials for the other domain to automatically establish the other side of the trust on that domain.  Select Next when finished.
10. Next, specify whether local forest users will automatically be authenticated for all resources on the other domain or selectively be authenticated for resources on the other domain.  Forest-wide authentication is generally recommended for users within the same organization.  Select Forest-wide authentication and select Next.  The next screen is similar but it is for the specified forest.  Again, Select Forest-wide authentication and select Next.
11. Review selections and click Next.
12. If your trust was created successfully, you will see this next screen.  There are a few reasons that you may not be able to set up a trust.  DNS between the domains may not be set up properly; make sure that name servers on one domain can access servers on the other domain.  Make sure you have the correct administrator credentials for the other domain.
13.  The next few screens of the wizard will ask if you want to confirm both sides of the trust.  Select Yes for both and select Next.
14.  This is the last screen of the wizard.  Select Finish after verifying the changes.
The new trust now appears under Trusts in the properties of Microsoft.com
15. On the domain controller of the other domain, you can verify that the trust was created by going to Administrative Tools -> Active Directory Domains and Trusts, right-click the domain, and select the Trusts tab under Properties.  The other side of the trust was created automatically because we selected the Both this domain and the specified domain option earlier.
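The same procedure can be scripted and, more usefully, verified from the command line. The following PowerShell is an added example and not part of the original post; it assumes Windows Server 2012 or later with the DnsServer and ActiveDirectory modules, the forest names used above (microsoft.com and techpeople.com) and a placeholder IP address for the techpeople.com DNS server.

```powershell
# Added example (not from the original post): create the stub zone from Step 1
# and verify the forest trust from Step 4 without the GUI wizard.
# Run on a DNS server / domain controller in the microsoft.com forest.
Import-Module DnsServer
Import-Module ActiveDirectory

$remoteZone = 'techpeople.com'
$remoteDns  = '192.0.2.10'     # placeholder: IP address of the techpeople.com DNS server

# Step 1: AD-integrated stub zone for the other forest, replicated forest-wide,
# so every DNS server here can find the name servers of techpeople.com.
if (-not (Get-DnsServerZone -Name $remoteZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerStubZone -Name $remoteZone -MasterServers $remoteDns -ReplicationScope Forest
}

# Check that names in the other forest actually resolve through the stub zone.
# A failure here is the most common reason the trust wizard fails (see step 12).
Resolve-DnsName -Name $remoteZone -Type NS

# Step 3: the forest functional level must be Windows 2003 or later.
(Get-ADForest).ForestMode

# Step 4 verification: list every trust with its security-relevant settings.
# For the two-way forest trust created above expect Direction = BiDirectional,
# ForestTransitive = True and SelectiveAuthentication = False (forest-wide authentication).
Get-ADTrust -Filter * |
    Select-Object Name, Direction, ForestTransitive, SelectiveAuthentication,
                  SIDFilteringForestAware, SIDFilteringQuarantined

# Confirm the secure channel to the trusted forest, the same check the wizard
# performs when you confirm both sides of the trust (step 13).
netdom trust microsoft.com /d:techpeople.com /verify
```

Run the same `Get-ADTrust` and `netdom trust` checks on a domain controller in techpeople.com to verify the other side of the trust (step 15).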
