This is the last part of the series explaining “Trusts” between infrastructures. If you have not read the other three parts yet, you can find them here.
Configuring Trusts – Part 1
Configuring Trusts – Part 2
Configuring Trusts – Part 3
This article explains how to configure a forest trust between two organizations and how to confirm that it works.
Demo Setup
For the demonstration I will be using the following setup.
| Organization | Domain      | Primary DC                       |
|--------------|-------------|----------------------------------|
| Contoso Ltd. | Contoso.com | Microsoft Windows Server 2012 R2 |
| XYZ Ltd.     | Xyz.com     | Microsoft Windows Server 2012 R2 |
I am going to create a “Forest Trust” between the two organizations. It will be a two-way trust, so users and computers in every domain of either forest can be granted access to “allowed” resources in the other organization’s infrastructure. Note that a trust only makes the other forest’s principals resolvable; it grants no access by itself. Access is still controlled by the permissions you set on each resource.
Before starting, make sure the following ports are open on the firewalls of both organizations between the domain controllers. They are needed both to create the trust and, later, for cross-forest authentication.
TCP and UDP Port 53 – DNS (name resolution of the other forest)
TCP and UDP Port 88 – Kerberos
TCP and UDP Port 389 – LDAP
TCP Port 445 – Microsoft SMB
TCP Port 135 – RPC endpoint mapper (trust endpoint resolution)
TCP Ports 49152–65535 – RPC dynamic port range on Windows Server 2008 and later; the endpoint mapper on port 135 hands out a port from this range, so opening 135 alone is not enough
To create a forest trust you need to log in with an account that is a member of the Domain Admins group of the forest root domain or of the Enterprise Admins group. Forest trusts are always created between the root domains of the two forests.
You also need to take care of DNS (domain name services) before proceeding with the trust creation. If both forests already use a common DNS infrastructure it will not be an issue. If not, each forest’s DNS servers must be able to resolve the other forest’s namespace, including the DC locator SRV records, either through a conditional forwarder pointing at the remote DNS servers or through a secondary zone (which requires the remote side to allow zone transfers to your servers). For this demo I set up a secondary zone holding a transferred copy of the running DNS zone for XYZ.com. I have explained DNS zone setup in one of my previous articles on the blog; if you are not familiar with the process, please refer to it here.
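Before clicking through the wizard it is worth checking the two prerequisites above from the contoso.com domain controller. The following PowerShell is an added example and not part of the original post; the remote DC name dc1.xyz.com is a placeholder, and Test-NetConnection only probes TCP, so UDP 88/389 and the dynamic RPC range are not covered by it.

```powershell
# Pre-flight check for a forest trust (added example, not from the original post).
# Assumptions: remote forest is xyz.com; dc1.xyz.com is a placeholder for one of its DCs.
$RemoteForest = 'xyz.com'
$RemoteDc     = 'dc1.xyz.com'

# 1. DNS: the remote forest's DC locator record must resolve from this forest's DNS servers.
#    If this fails, fix the secondary zone / conditional forwarder before creating the trust.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$RemoteForest" -Type SRV -ErrorAction SilentlyContinue
if (-not $srv) {
    Write-Warning "No DC locator SRV record for $RemoteForest; fix DNS first."
} else {
    $srv | Where-Object { $_.Type -eq 'SRV' } | Select-Object NameTarget, Port
}

# 2. Firewall: TCP reachability of the fixed ports listed above.
#    UDP 88/389 and TCP 49152-65535 (dynamic RPC) cannot be probed with Test-NetConnection.
$ports = [ordered]@{ 53 = 'DNS'; 88 = 'Kerberos'; 135 = 'RPC endpoint mapper'; 389 = 'LDAP'; 445 = 'SMB' }
foreach ($p in $ports.Keys) {
    $r = Test-NetConnection -ComputerName $RemoteDc -Port $p -WarningAction SilentlyContinue
    $state = if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' }
    '{0,5}  {1,-20} {2}' -f $p, $ports[$p], $state
}
```

Run the same script from the XYZ.com side against a Contoso DC as well, because the trust and the later authentication traffic flow in both directions.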
1) To start the process I log in to the contoso.com domain as an enterprise administrator.
2) Then open Server Manager > Active Directory Domains and Trusts.
3) In the Active Directory Domains and Trusts snap-in, right-click the contoso.com domain and click Properties.
4) In the next window go to the “Trusts” tab and click the “New Trust” button.
5) This opens the “New Trust Wizard”. Click Next to start the process.
6) In the next window specify the DNS name or the NetBIOS name of the domain we are going to trust. In our demo it is “xyz.com”. Click Next to continue.
7) In the next window select the trust type. I selected “Forest Trust” and clicked Next to continue.
8) We are setting up a two-way trust, so in the next window I selected “Two-way” from the list and clicked Next.
9) A trust has to be created on both sides. If you have appropriate permissions in the remote forest you can create both halves from here, and the next window gives that option. Since I do have access I selected “Both this domain and specified domain” and clicked Next.
10) In the next window I specified the credentials used to create the trust in the remote forest (the account needs to be a member of the Domain Admins group of that forest’s root domain or of Enterprise Admins). Then click Next to continue.
11) In the next window it asks you to select the authentication scope for the local forest. Here I selected forest-wide authentication.
12) In the next window it asks you to select the authentication scope for the remote forest. Here I selected forest-wide authentication as well.
Keep in mind what forest-wide authentication means: every user of the other forest is treated as an authenticated user on every computer in your forest and so receives whatever “Authenticated Users” can do. The least-privilege choice is “Selective authentication”, which lets users of the other forest authenticate only to computers whose Active Directory objects explicitly grant them the “Allowed to Authenticate” permission. Selective authentication is the better choice when you trust a partner organization you do not control; forest-wide authentication is acceptable when both forests are yours, as in this demo.
13) The next window gives a brief summary of the selections we made. Click Next to create the trust.
14) The next window asks about routed name suffixes for the local forest. I kept the defaults and clicked Next.
15) The next window asks to confirm the outgoing trust. Since we created the other side of the trust as well, select Yes and click Next.
16) The next window asks to confirm the incoming trust. Since we created the other side of the trust as well, select Yes and click Next.
17) The wizard then confirms that the trust was created successfully. Click Finish to exit the wizard.
18) In the remote XYZ.com forest we can confirm the new trust by looking at the domain properties as we did in steps 1-3.
This completes the process of creating a forest trust. The options offered during the wizard change depending on the trust type, authentication scope and so on.
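The same trust can be created without the wizard. The following PowerShell is an added example and not part of the original post: it uses the .NET System.DirectoryServices.ActiveDirectory API, which is what the wizard drives, and assumes you run it on a contoso.com domain controller as an Enterprise Admin and enter the xyz.com admin account from step 10 at the credential prompt. It also shows how to switch the finished trust to selective authentication, the least-privilege alternative to the forest-wide setting chosen in steps 11 and 12.

```powershell
# Two-way forest trust contoso.com <-> xyz.com from PowerShell (added example, not from the post).
# Assumptions: run as Enterprise Admin of contoso.com; $RemoteCred is an Enterprise Admin of xyz.com.
Add-Type -AssemblyName System.DirectoryServices
$RemoteForestName = 'xyz.com'
$RemoteCred       = Get-Credential -Message "Enterprise Admin of $RemoteForestName"

$localForest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

# Bind to the remote forest with its own admin credentials. This is the equivalent of step 9's
# "Both this domain and specified domain": we create each forest's half of the trust ourselves.
$remoteCtx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext(
    [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Forest,
    $RemoteForestName, $RemoteCred.UserName, $RemoteCred.GetNetworkCredential().Password)
$remoteForest = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($remoteCtx)

# Both halves must be created with the same trust password. Use a long random one, used once.
$trustPassword = -join ((33..126) | Get-Random -Count 40 | ForEach-Object { [char]$_ })
$direction     = [System.DirectoryServices.ActiveDirectory.TrustDirection]::Bidirectional  # "Two-way", step 8

$localForest.CreateLocalSideOfTrustRelationship($RemoteForestName, $direction, $trustPassword)
$remoteForest.CreateLocalSideOfTrustRelationship($localForest.Name, $direction, $trustPassword)

# Steps 15-16 (confirm outgoing and incoming trust): verify the secure channel in both directions.
# This throws if DNS, the firewall ports or the trust password do not line up.
$localForest.VerifyTrustRelationship($remoteForest, $direction)

# Least privilege: switch from forest-wide to selective authentication on both sides, so users of
# the other forest can only authenticate to computers that grant them "Allowed to Authenticate".
$localForest.SetSelectiveAuthenticationStatus($RemoteForestName, $true)
$remoteForest.SetSelectiveAuthenticationStatus($localForest.Name, $true)

# Step 18 from the command line (ActiveDirectory module, available on any 2012 R2 DC or via RSAT).
Get-ADTrust -Filter * | Select-Object Name, Direction, ForestTransitive, SelectiveAuthentication
```

Because both halves are created with the same random password and verified immediately, a failure at `VerifyTrustRelationship` points at the prerequisites (DNS or firewall) rather than at the trust objects themselves. Leave the two `SetSelectiveAuthenticationStatus` lines out if you want exactly the forest-wide configuration the wizard produced above.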
Testing
To test the trust I created the following scenario.
The Contoso domain file server hosts a folder called “Share-Contoso”. We need to give the user account “xyz-user” from the XYZ forest access to this particular folder.
Now that the trust exists, when we set the share and NTFS permissions on the “Share-Contoso” folder we can pick users from the XYZ.com domain in the object picker, because the Contoso domain controllers can resolve XYZ.com principals through the trust.
After applying the permissions I try to connect to the Contoso file server from a remote location (here I used a PC that is not joined to either domain). When it asks for credentials I provide the login details of xyz-user in the XYZ.com domain.
Once the user is authenticated we can see that access to the share has been granted.
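The same grant and check can be scripted on the file server. The following PowerShell is an added example and not part of the original post: it assumes the share lives at D:\Share-Contoso on a server named FS01 in contoso.com, and the computer object DN used in the last part is a placeholder. The last part only matters if the trust uses selective authentication instead of the forest-wide authentication chosen above.

```powershell
# Grant a cross-forest user access to Share-Contoso (added example, not from the post).
# Assumptions: run on the Contoso file server FS01; folder D:\Share-Contoso already exists.
$Folder  = 'D:\Share-Contoso'
$Share   = 'Share-Contoso'
$Foreign = 'XYZ\xyz-user'    # resolvable on this server only because the forest trust exists

# Sanity check: translating the foreign account to a SID goes through the trust.
# An IdentityNotMappedException here means DNS or the trust itself is broken, not permissions.
$sid = (New-Object System.Security.Principal.NTAccount($Foreign)).Translate(
           [System.Security.Principal.SecurityIdentifier])
"Resolved $Foreign to $($sid.Value)"

# Share permission (SmbShare module, Windows Server 2012 and later).
if (-not (Get-SmbShare -Name $Share -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $Share -Path $Folder -FullAccess 'BUILTIN\Administrators' | Out-Null
}
Grant-SmbShareAccess -Name $Share -AccountName $Foreign -AccessRight Change -Force | Out-Null

# NTFS permission. Effective access is the intersection of share and NTFS ACLs, so set both.
$acl  = Get-Acl -Path $Folder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Foreign, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# Only needed with selective authentication: xyz-user must also hold the "Allowed to Authenticate"
# extended right (GUID 68b1d179-0d15-4d4f-ab71-46152e79a7bc) on this server's computer object,
# otherwise the share and NTFS grants above are never reached. DN below is a placeholder.
$computer = [ADSI]'LDAP://CN=FS01,OU=Servers,DC=contoso,DC=com'
$authRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [Guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc')
$computer.ObjectSecurity.AddAccessRule($authRule)
$computer.CommitChanges()

# Test from a PC that is not joined to either domain, as in the post:
#   net use \\fs01.contoso.com\Share-Contoso /user:XYZ\xyz-user
```

Granting the share to a group from XYZ.com rather than to xyz-user directly keeps the permission manageable once more users need access; the SID translation check at the top is the quickest way to tell a broken trust from a missing permission.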
As we can see, the trust is working. If you have any questions feel free to contact me at rebeladm@live.com
Thanks for the post – although the DNS part of the setup could be much more helpful than just links to your other posts. Cheers!
Would a conditional forwarder in DNS also work for the trusting/trusted domains? Or would it cause problems in the long run? Or is it mandatory to create secondary DNS zones? Thank you.