Create a Forest Level Trust between Windows 2008 ADC

In this post I'll show how to create a trust between two different forests, each of them based on a single Windows 2008 ADC.

Briefly, in Windows Active Directory a trust of any type allows users in one domain to access resources in another domain; it can be either one-way or two-way. In a one-way trust, as the name says, the relationship is unidirectional: one domain's users can access the other domain's resources, but not the other way around.

A two-way trust is different: users in both domains may access the other domain's resources.

Domain1
Name: ad.infpress1.it
ADC: adc-controller.ad.infpress1.it
IP: 192.168.99.1

Domain2
Name: ad.infpress2.it
ADC: adc-controller.ad.infpress2.it
IP: 192.168.99.100

Step 1 – Active Directory health check
On the command prompt of each ADC simply type the following command and verify that everything works fine.

dcdiag

Att.: You have to check the command results and solve all the issues before going on to the next steps.

Creating stub zone in DNS in Windows 2008

Step 2 – DNS
On adc-controller.ad.infpress1.it you must be able to resolve adc-controller.ad.infpress2.it, and on adc-controller.ad.infpress2.it you must be able to resolve adc-controller.ad.infpress1.it.
In other words, the DNS servers on both networks must be configured to know about each other.

nslookup adc-controller.ad.infpress2.it

If resolution does not work you have to set up a Stub Zone on each DNS server, so that any DNS request for resources on the other network is sent to the DNS server on the other ADC.
Att.: There are other methods to achieve the same result, but in this post we will use stub zones.
On adc-controller.ad.infpress1.it
a) Open DNS Manager
b) Go to Forward lookup zone
c) Create a new zone, select Stub Zone, choose to store the zone in Active Directory and then click Next
d) On the Active Directory Zone Replication Scope, select To all DNS servers running on domain controllers in this domain: ad.infpress1.it and then click Next.
e) Type ad.infpress2.it as the zone name and then click Next
f) Enter the IP address of the other ADC: 192.168.99.100

Now, using nslookup, you must be able to resolve adc-controller.ad.infpress2.it.
On adc-controller.ad.infpress2.it you must configure the DNS server in the same way, using ad.infpress1.it as the zone name and 192.168.99.1 as the IP address.

Step 3 – Check Active Directory domain and forest functional levels
The domain and forest functional levels must be at least Windows 2003. On each ADC follow these steps.
a) Open Active Directory Users & Computers
b) Right-click the root domain, then select Raise Domain Functional Level
c) Select Windows 2003 and confirm
d) Open Active Directory Domains and Trusts
e) Right-click the root domain, then select Raise Forest Functional Level
f) Select Windows 2003 and confirm
g) Check the System event log to verify that everything still works after this change.

Configuring the Forest Trust
On adc-controller.ad.infpress1.it
a) Open Active Directory Domains and Trusts
b) Right-click on ad.infpress1.it and select Properties
c) Click on the Trusts tab, then on New Trust: the New Trust Wizard starts.
d) Click Next. In the next screen, type ad.infpress2.it and then click Next
e) You have to select the trust type: in this example we are creating a forest trust. Select Forest trust and then click Next.
f) Next, specify the direction of the trust: in this example we are creating a two-way trust (meaning users in both domains can be authenticated by the other domain). Select Two-way and click Next.
g) Select Both this domain and the specified domain.
h) Enter administrative credentials for the other domain to automatically establish the other side of the trust on that domain. Click Next when finished.
i) Next, specify whether local forest users will automatically be authenticated for all resources in the other domain or only selectively authenticated for resources in the other domain. Forest-wide authentication is generally recommended: select it and click Next.
l) Again, select Forest-wide authentication and click Next.
m) Confirm the outgoing trust and click Next. Then confirm the incoming trust and click Next.
n) If your trust was created successfully, you will see Trust Completed.

The two-way trust is completed. Users will then be able to access resources across the transitive trust between the forests: use the Sharing and Security tabs to give the appropriate permissions to folders and/or files.
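To check the three prerequisites and the result from the ad.infpress1.it side in one go, here is an added PowerShell script (not from the original post) that uses only the .NET System.DirectoryServices.ActiveDirectory classes, which are available on Windows Server 2008 without the ActiveDirectory module introduced in 2008 R2. It assumes PowerShell 2.0 or later, a domain administrator session on adc-controller.ad.infpress1.it, and the names and addresses given above.

```powershell
# Added example, not part of the original post: verifies DNS (Step 2),
# functional levels (Step 3) and the forest trust from adc-controller.ad.infpress1.it.
# Assumes PowerShell 2.0+ (try/catch) and a domain-admin session.
Add-Type -AssemblyName System.DirectoryServices

$otherDc     = 'adc-controller.ad.infpress2.it'   # other forest's DC (values from the post)
$otherDcIp   = '192.168.99.100'
$otherForest = 'ad.infpress2.it'

# Step 2: the stub zone must resolve the other DC to the expected address
$resolved = [System.Net.Dns]::GetHostAddresses($otherDc) | ForEach-Object { $_.IPAddressToString }
if ($resolved -contains $otherDcIp) {
    Write-Host "DNS OK: $otherDc -> $otherDcIp"
} else {
    Write-Host "DNS FAIL: $otherDc resolved to [$($resolved -join ', ')], expected $otherDcIp (check the stub zone)"
}

# Step 3: forest and domain functional levels must be at least Windows 2003
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$minForest = [System.DirectoryServices.ActiveDirectory.ForestMode]::Windows2003Forest
$minDomain = [System.DirectoryServices.ActiveDirectory.DomainMode]::Windows2003Domain
$levelsOk = ([int]$forest.ForestMode -ge [int]$minForest) -and ([int]$domain.DomainMode -ge [int]$minDomain)
Write-Host "Forest level: $($forest.ForestMode), domain level: $($domain.DomainMode)"
if (-not $levelsOk) { Write-Host "Functional levels too low: raise them before creating the trust" }

# Trust: find the forest trust created in the post and verify its secure channel
$trust = $forest.GetAllTrustRelationships() | Where-Object { $_.TargetName -eq $otherForest }
if ($trust -eq $null) {
    Write-Host "No trust with $otherForest found on forest $($forest.Name)"
} else {
    Write-Host "Trust $($trust.SourceName) -> $($trust.TargetName): type $($trust.TrustType), direction $($trust.TrustDirection)"
    try {
        # GetForest on the remote forest already needs the trust (and DNS) to work
        $ctx    = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Forest', $otherForest)
        $target = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ctx)
        $forest.VerifyTrustRelationship($target, $trust.TrustDirection)   # throws if the trust is broken
        Write-Host "Trust verified ($($trust.TrustDirection))"
    } catch {
        Write-Host "Trust verification failed: $($_.Exception.Message)"
    }
}
```

Run the same script on adc-controller.ad.infpress2.it with the two forests swapped to check the other side of the trust.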

Att.: There are a few reasons why you may not be able to set up a trust.
– DNS between the domains may not be set up properly
– Make sure you have the correct administrator credentials for the other domain
– In a virtual environment with cloned OS images (and therefore identical SIDs) you can get strange errors (see the links at the end of the post)

Links
Trust relationship – Cannot create trust between two different domains
Trust Relationship in Windows 2008 R2