An Active Directory (AD) domain trust is required when users or computers from one domain need to authenticate to and access resources in another domain without duplicating accounts. Domains sometimes remain separate for administrative or organizational reasons while still needing to share resources such as file servers, SQL databases or application servers. With a trust in place, users authenticate with their home domain credentials while accessing resources in the other domain.
There are several trust types to choose from:
External Trust: between two domains in different forests
Forest Trust: broad, transitive authentication across two whole forests
One-Way Trust: access allowed in one direction only
Two-Way Trust: mutual authentication
In this post, we will be configuring a Forest Trust between two domain controllers (istanbul.local & london.local). Before we establish a trust between our domains, we need to make sure the DNS servers can resolve each other's zone.
On both domain controllers: open DNS Manager > expand "Forward Lookup Zones" > right click the zone and select Properties > select the "Zone Transfers" tab > check "Allow zone transfers" > click OK

Now we need to create a secondary zone on each domain controller.
Right click "Forward Lookup Zones" > New zone > Next > Secondary Zone

As the zone name, we need to enter the other server's domain name. This screenshot is from london.local.

Enter the IP address of the other domain controller as the master server.

Now both servers know about the other DNS zone. You can try to ping the other server with its FQDN.
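The same DNS preparation done from PowerShell, as an added example that is not part of the original post. The IP addresses and the london.local host name (londondc) are assumptions; only istanbuldc.istanbul.local appears in the post. It restricts zone transfers to the one partner DC instead of the GUI's "to any server" default, and finishes with the resolution check the post suggests doing with ping.

```powershell
# Added example (not from the original post). Run on istanbuldc.istanbul.local;
# swap the zone names and addresses when running the same steps on the london.local DC.
$localZone  = 'istanbul.local'
$remoteZone = 'london.local'
$remoteDcIp = '10.0.2.10'   # assumed address of the london.local DC
$localDcIp  = '10.0.1.10'   # assumed address of this DC

# 1. Allow transfers of our own zone, but only to the other forest's DC.
#    "Allow zone transfers to any server" hands the full zone (every host, every SRV record)
#    to anyone who can reach TCP/53, so limit it to the partner.
Set-DnsServerPrimaryZone -Name $localZone `
    -SecureSecondaries TransferToSecureServers `
    -SecondaryServers $remoteDcIp

# 2. Create a secondary copy of the other forest's zone, pulled from its DC.
if (-not (Get-DnsServerZone -Name $remoteZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerSecondaryZone -Name $remoteZone `
        -ZoneFile "$remoteZone.dns" `
        -MasterServers $remoteDcIp
}

# 3. Confirm the other forest resolves before creating the trust: the DC itself (name assumed)
#    and the _ldap SRV record the trust wizard uses to locate a DC in that forest.
Resolve-DnsName -Name "londondc.$remoteZone" -Server $localDcIp
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$remoteZone" -Type SRV -Server $localDcIp
```

If you would rather not replicate the partner's zone at all, a conditional forwarder (Add-DnsServerConditionalForwarderZone -Name london.local -MasterServers $remoteDcIp) also satisfies the trust wizard's name resolution requirement without enabling zone transfers.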
Open up Active Directory Domains and Trusts > right click the domain > select Properties > choose the Trusts tab > click the "New Trust" button

On the server istanbuldc.istanbul.local, I am entering london.local as the DNS name of the other domain.

At this point we've got two options. An external trust is a trust between two individual domains; a forest trust is a trust between two whole forests. Since we are configuring a forest trust, we choose the second option.

The next window gives us three options for the direction of the trust.
Two-way: both domains trust each other and accept authentication from the other.
One-way, incoming: users from the other domain can authenticate into your domain.
One-way, outgoing: your users can authenticate into the other domain.

If you choose "This domain only", the trust is created only for this domain, and we then have to repeat the same procedure on the other domain.
If you know the domain admin credentials of the other domain, you can go with the second option instead; that way the trust is configured for both domains at once.


Forest-wide authentication does not mean users have access to resources by default. You still have to configure NTFS, share and application permissions.
You will see the option below for both the local forest and the specified forest.

Now confirm the trust configuration.

Both domains trust each other now.


On istanbul.local domain controller, I can give permissions to a user who is actually in london.local domain and vice versa.
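Checks to run once the wizard has finished, as an added example that is not part of the original post. It reads the trust object the wizard created, verifies the secure channel with netdom, and shows whether SID filtering and selective authentication are in effect; the domain names are the post's, everything else is assumed.

```powershell
# Added example (not from the original post). Run on a DC in istanbul.local as a domain admin;
# the same commands work on london.local with the domain names swapped.
Import-Module ActiveDirectory

# The trust object the wizard created, named after the partner forest.
$trust = Get-ADTrust -Identity 'london.local' -Properties *
$trust | Select-Object Name, Direction, TrustType, ForestTransitive,
                       SelectiveAuthentication, UsesAESKeys, UsesRC4Encryption

# Direction is BiDirectional for the two-way trust created above; ForestTransitive is True
# for a forest trust. SelectiveAuthentication False means forest-wide authentication:
# any london.local user can authenticate to any istanbul.local server, and only NTFS,
# share and application permissions decide what they can reach. With selective
# authentication you would instead grant "Allowed to Authenticate" per server.

# Verify the trust password / secure channel with the partner forest.
netdom trust istanbul.local /domain:london.local /verify

# Without :Yes or :No netdom reports the current state instead of changing it.
# A new forest trust should report SID history disabled, i.e. SID filtering is on,
# so SIDs carried in the other forest's SID history are dropped at the trust boundary.
netdom trust istanbul.local /domain:london.local /enablesidhistory

# Group membership granted across the trust shows up as a foreign security principal
# object in our forest; listing them is a quick inventory of who has been granted access.
Get-ADObject -Filter 'objectClass -eq "foreignSecurityPrincipal"' `
    -SearchBase ("CN=ForeignSecurityPrincipals," + (Get-ADDomain).DistinguishedName) |
    Select-Object Name, DistinguishedName
```

Keep the output of the first two commands with the change record for the trust; Direction, ForestTransitive and the SID history state are the three settings an auditor will ask about later.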
