
Creating a forest level trust relationship in Windows Server 2003


Once you know how to configure Domain Name System (DNS) servers for collaboration between two Windows Server 2003 servers, you are ready to set up the trust itself. Follow these steps to create a forest-level trust relationship:

1. Open Active Directory Domains And Trusts from Administrative Tools.

2. In the console tree pane, select and right-click the domain node for the forest root for which you want to create a trust.

3. Select Properties.

4. Select the Trusts tab in the Properties dialog box.

5. Click New Trust and click Next (skip the Welcome screen).

6. On the Trust Name page, enter the DNS name of the target domain for your trust (for our example, it is Cogswellcogs.com) and click Next.

7. Select Forest Trust on the Trust Type page and click Next. (If the Forest Trust option is missing, you may have omitted one of the prerequisites. In that case, double-check the DNS Forwarders tab and the forest functional level of all the domains in both forests.)

8. Choose a direction for the trust relationship: Two-Way, One-Way Incoming, or One-Way Outgoing.

  • Two-Way: All users in both forests will be able to access all resources in both forests.
  • One-Way Incoming: All users in this forest will be able to access all resources in the other forest but not vice versa.
  • One-Way Outgoing: All users in the target forest will be able to access all resources in this forest but not vice versa.

After you've chosen, click Next. Resource access is still governed by permissions in the domain where the resource exists. The trust direction provides access to all resources where permissions allow access.

9. Select the sides of the trust relationship: This Domain Only or Both This Domain And The Target Domain.

  • This Domain Only: Creates the trust relationship in this domain only; an administrator on the other end will have to complete the other trust.
  • Both This Domain And The Target Domain: Requires sufficient access in the remote domain and will allow you to complete the trust setup.

10. Select the appropriate path, depending on the choices you made in the previous two steps.

  • If you chose Two-Way or One-Way Outgoing in step 8 and This Domain Only in step 9, you will need to select a trust authentication level. Domain-Wide Authentication will authenticate all users in the remote forest for all resources in the local forest. Choosing Selective Authentication will allow you to specify which users in the remote domain have access to local resources. Click Next. Enter a password for the trust and click Next.
  • If you chose One-Way Incoming in step 8 and This Domain Only in step 9, enter the password for the trust in the Trust Password and Confirm Password boxes. Click Next.
  • If you selected both domains (this domain and the selected domain) in step 9, a username and password box will appear to allow you to enter the username and password of an administrator account in the target forest. Click Next.

11. On the next screen, verify all of your selections. When you click Next, the wizard creates the trust. Verify the settings of the new trust.

12. Confirm the outgoing trust. Select Yes if you created both sides of the trust; select No if you did not.

13. Click Finish in the Creating The Trust wizard.

The new trust will appear on the Trusts tab in the Properties dialog box for the domain.
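To check from the command line what the wizard created, the following added example (not part of the original article) lists the current forest's forest trusts with their direction and reports whether selective authentication and SID filtering are enabled on each. It uses the .NET System.DirectoryServices.ActiveDirectory classes and assumes PowerShell 2.0 or later on a machine joined to the local forest; the function name Get-ForestTrustAudit is made up for this example.

```powershell
# Added example (not from the original article): audit the forest trusts of
# the current forest after the New Trust wizard has finished.
# Assumes PowerShell 2.0 or later on a machine joined to the local forest.

function Get-ForestTrustAudit {
    param(
        [System.DirectoryServices.ActiveDirectory.Forest]
        $Forest = ([System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest())
    )

    # Forest.GetAllTrustRelationships() returns forest trusts only,
    # not external trusts defined on individual domains.
    foreach ($trust in $Forest.GetAllTrustRelationships()) {
        # $null means the attribute could not be read (for example, access denied)
        $selective = $null
        $sidFilter = $null
        try {
            $selective = $Forest.GetSelectiveAuthenticationStatus($trust.TargetName)
            $sidFilter = $Forest.GetSidFilteringStatus($trust.TargetName)
        }
        catch {
            $msg = "Could not read trust attributes for $($trust.TargetName): $($_.Exception.Message)"
            Write-Warning $msg
        }

        New-Object PSObject -Property @{
            SourceForest            = $trust.SourceName
            TargetForest            = $trust.TargetName
            TrustType               = $trust.TrustType
            Direction               = $trust.TrustDirection
            SelectiveAuthentication = $selective
            SidFiltering            = $sidFilter
        } | Select-Object SourceForest, TargetForest, TrustType, Direction,
                          SelectiveAuthentication, SidFiltering
    }
}

$audit = @(Get-ForestTrustAudit)
$audit | Format-Table -AutoSize

# Trusts that authenticate every user of the other forest (the Domain-Wide
# Authentication choice in step 10) or that have SID filtering turned off
# deserve a second look before users start relying on them.
$audit |
    Where-Object { $_.SelectiveAuthentication -eq $false -or $_.SidFiltering -eq $false } |
    ForEach-Object { Write-Warning "Review trust with $($_.TargetForest)" }
```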

Now you know how to create forest trusts, which can save your organization administration time and effort when improving collaboration on projects or between business partners.


About

Derek Schauland has been tinkering with Windows systems since 1997. He has supported Windows NT 4, worked phone support for an ISP, and is currently the IT Manager for a manufacturing company in Wisconsin.

2 comments

cdieter

This may be related, or not. I currently have a domain trust set up between server1 in US and server2 in China. Trying to have users in China be able to log in with their credentials for their domain into US. From there need to share ability to edit a dB within the US domain in a program. Any points in the right direction?

saidi.adeyemi

How to configure trust relationship between two domains
