A trust is a connection between two domains that is used for authentication. Trusts come in several types:
- Transitive or non-transitive
- One-way or two-way
- Shortcut trust
- Forest trust
- Realm trust
Windows 2003 introduced the idea of a Forest trust. A Forest trust is a two-way transitive trust between two forests.

The process to create a Forest trust is pretty straightforward and similar to other trust types. When creating a Forest trust it is a good idea to configure a conditional forwarder on the DNS servers in both forests. This will speed up resolution of names in the other forest. To create a conditional forwarder, open up the DNS MMC, expand the server and double-click on Forwarders. Add a new DNS domain by clicking New and entering the name of the domain you will be trusting. Next enter the IP address(es) of the DNS servers in the other domain. Click OK to save the changes.

Repeat this on the other domain and test it on both ends by pinging various machines in both domains by their FQDN. Once successful we are ready to proceed.
Start by running Domain.msc from a command prompt to open up the Active Directory Domains and Trusts MMC. Right-click on the domain and select Properties. Next click on the Trusts tab and then click New Trust.

Click Next to start the New Trust Wizard. Enter the name of the domain that you wish to configure the trust with and click Next.

Choose to create a Forest Trust and click Next. The difference between the two options is that an External trust is non-transitive, meaning that it will only authenticate users between domains and won't carry up to the parent or down to any child domains. A Forest trust is transitive, meaning that any domain in either forest will be able to authenticate to any other domain in either forest.

Next we are given the choice of trust direction. Two-way is pretty self-explanatory and will create a trust that works in both directions. The two types of one-way trusts often confuse people. An incoming trust will allow users in domainA.com to be authenticated in domainB.com. An outgoing trust is the opposite.

Next we are given the option to create the trust in this forest, or in both forests. By choosing to create the trust in both domains, you don't have to repeat this process in the other domain to complete the trust configuration. Choose to create both trusts and click Next. (You will need an Enterprise admin account on the other domain to configure the trusts.)

After entering the credentials for an Enterprise administrator, you are given two more choices on the Outgoing Trust Authentication Level - Local Forest page: Forest-wide or Selective authentication. The difference is that with Selective authentication, you must individually grant access to each domain and server that you want users to have access to. For this demo I chose Forest-wide. You will be given the same options for Outgoing Trust Authentication Level - Specified Forest. I made the same choice for this end of the trust as well.

Next verify the trust selections and if it all looks good click Next to create the trusts. Once complete you will be presented with the details of the trusts and their status.

Next we can confirm the Outgoing trust and the Incoming trust.

Once successful the wizard will complete and the trusts will be functional!

You will see the trust on the Trusts tab in the domain properties in Active Directory Domains and Trusts.
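
The same details can be read back from a script, which is useful for checking the direction and authentication level chosen in the wizard. The PowerShell below is an added example, not part of the original walkthrough; it assumes PowerShell 3.0 or later in a domain-joined session and uses the .NET `System.DirectoryServices.ActiveDirectory.Forest` class.

```powershell
# Added example: read back the forest trusts of the current forest and
# note the settings chosen in the New Trust Wizard that deserve a review.
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

$report = foreach ($trust in $forest.GetAllTrustRelationships()) {
    $target = $trust.TargetName
    $notes  = @()

    # $true = Selective authentication, $false = Forest-wide authentication.
    try   { $selective = $forest.GetSelectiveAuthenticationStatus($target) }
    catch { $selective = $null; $notes += "could not read authentication level: $($_.Exception.Message)" }

    # $true = SID filtering is applied to this trust.
    try   { $sidFiltering = $forest.GetSidFilteringStatus($target) }
    catch { $sidFiltering = $null; $notes += "could not read SID filtering: $($_.Exception.Message)" }

    if ($trust.TrustDirection -eq 'Bidirectional') {
        $notes += 'two-way trust: confirm both directions are required'
    }
    if ($selective -eq $false) {
        $notes += 'forest-wide authentication: access is limited only by resource ACLs'
    }
    if ($sidFiltering -eq $false) {
        $notes += 'SID filtering disabled: SIDs from outside the trusted forest are not filtered'
    }

    [pscustomobject]@{
        Source        = $trust.SourceName
        Target        = $target
        Type          = $trust.TrustType
        Direction     = $trust.TrustDirection
        SelectiveAuth = $selective
        SidFiltering  = $sidFiltering
        Review        = $notes -join '; '
    }
}

$report | Format-List
```

For the trust built in this walkthrough, the output should show a Forest trust with `SelectiveAuth` set to `False`, matching the Forest-wide choice made in the wizard.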

Let's assign some permissions to a resource in thelazyadmin.lab to members of the trusting.lab domain. The process is similar to assigning permissions to users/groups in a non-trust scenario. On the Security tab for the resource, click Add. Here is where the process differs. Click on the Locations button.

Then select the trusted forest.

I had created a Universal group in the trusting.lab domain called Trust Group and gave them permission to the resource in thelazyadmin.lab.
