Recipe 2.16 Creating a Transitive Trust Between Two AD Forests

This recipe requires the Windows Server 2003 forest functional level in both forests.

2.16.1 Problem

You want to create a transitive trust between two AD forests. This causes the domains in both forests to trust each other without the need for additional trusts.

2.16.2 Solution Using a graphical user interface
  1. Open the Active Directory Domains and Trusts snap-in.

  2. In the left pane, right click the forest root domain and select Properties.

  3. Click on the Trusts tab.

  4. Click the New Trust button.

  5. After the New Trust Wizard opens, click Next.

  6. Type the DNS name of the AD forest and click Next.

  7. Select Forest trust and click Next.

  8. Complete the wizard by stepping through the rest of the configuration screens. Using a command-line interface
> netdom trust <Forest1DNSName> /Domain:<Forest2DNSName> /Twoway /Transitive /ADD[RETURN]
         [/UserD:<Forest2AdminUser> /PasswordD:*][RETURN]
         [/UserO:<Forest1AdminUser> /PasswordO:*]

For example, to create a two-way forest trust from the AD forest to the AD forest, use the following command:

> netdom trust / /Twoway /Transitive /ADD[RETURN]
         / /PasswordD:*[RETURN]
         / /PasswordO:*

2.16.3 Discussion

A new type of trust called a forest trust was introduced in Windows Server 2003. Under Windows 2000, if you wanted to create a fully trusted environment between two forests, you would have to set up individual external two-way trusts between every domain in both forests. If you have two forests with three domains each and wanted to set up a fully trusted model, you would need nine individual trusts. Figure 2-4 illustrates how this would look.

Figure 2-4. Trusts necessary for two Windows 2000 forests to trust each other

With a forest trust, you can define a single one-way or two-way transitive trust relationship that extends to all the domains in both forests. You may want to implement a forest trust if you merge or acquire a company and you want all of the new company's Active Directory resources to be accessible for users in your Active Directory environment and vice versa. Figure 2-5 shows a forest trust scenario. To create a forest trust, you need to use accounts from the Enterprise Admins group in each forest.

Figure 2-5. Trust necessary for two Windows Server 2003 forests to trust each other

    Chapter 3. Domain Controllers, Global Catalogs, and FSMOs
    Chapter 6. Users
    Appendix A. Tool List