For organizations that run more than one domain, trust relationships are essential. A trust allows users in one domain to access resources in another domain within a secure and controlled framework.
The trust direction describes the relationship between the trusting domain (the domain that holds the resources) and the trusted domain (the domain whose users request those resources). Authentication requests between two domains follow a trust path, which is the series of trust relationships that lead from one domain to the other. When a user requests a resource in a trusting domain, the user is authenticated by a domain controller in the trusted domain; a trust only makes that authentication possible, and the trusting domain still applies its own permissions before granting access.
Prerequisite: You need to be a member of the Domain Admins group (or of Enterprise Admins) to create and manage trust relationships. Because a forest trust is created between the two forest root domains, you need these rights in the forest root domain of each forest that you want to configure.
To set up a trust between two domains, select Start - Administrative Tools - Active Directory Domains and Trusts.
Right-click the domain you want to apply the trust to (for our example, CloudBT.com) and click Properties in the context menu.
The domain properties dialog box opens. Click the Trusts tab and then click New Trust.
The New Trust Wizard launches. Click Next to start the wizard.
On the Trust Name page, type the DNS name of the domain you want to create the trust with into the text box and click Next. For example, to create a trust from domain CloudBT to domain NowFixIT the box would be filled out as follows.
The Trust Type page displays. Depending on the configuration of the two domains between which you want to create the trust, the following types of trust are available:
External Trust: An external trust is a nontransitive trust between a domain and another domain outside the forest. A nontransitive trust is bounded by the two domains in the relationship.
Forest Trust: A forest trust is a transitive trust between two forests that allows users in any domain of one forest to be authenticated in any domain of the other forest.
Realm Trust: A realm trust is a trust between an Active Directory domain and a non-Windows Kerberos realm; it is nontransitive by default but can be made transitive. This trust provides cross-platform interoperability with security services based on other implementations of the Kerberos version 5 protocol.
Shortcut Trust: A shortcut trust is a transitive trust between two domains in the same Windows Server 2008 forest. It shortens the trust path and so speeds up authentication between the two domains, especially when they are in different domain trees of the forest.
Transitivity determines whether a trust can be extended beyond the two domains between which it was formed. A transitive trust automatically extends the relationship to any other domain that is trusted by the original domain; a nontransitive trust confines the relationship to the two domains that formed it.
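The type, transitivity, authentication level and SID-filtering state of every trust are stored together as bit flags in the trustAttributes attribute of the trust object. The following script is an added example (not part of the original article) that decodes those flags for every trust the local domain holds, so the properties discussed above can be audited from the command line rather than by clicking through Active Directory Domains and Trusts. It requires the ActiveDirectory PowerShell module; the bit values are the TRUST_ATTRIBUTE_* constants documented in MS-ADTS, and the domain controller name in the last line is an assumption for the CloudBT / NowFixIT example.

```powershell
# Added example, not part of the original article: audit existing trusts by decoding
# the trustAttributes bit flags (TRUST_ATTRIBUTE_* constants from MS-ADTS).
Import-Module ActiveDirectory

$TrustAttributeFlags = [ordered]@{
    0x00000001 = 'NON_TRANSITIVE'      # trust cannot be used transitively
    0x00000002 = 'UPLEVEL_ONLY'        # only Windows 2000 and later clients may use it
    0x00000004 = 'QUARANTINED_DOMAIN'  # SID filtering on an external trust
    0x00000008 = 'FOREST_TRANSITIVE'   # forest trust
    0x00000010 = 'CROSS_ORGANIZATION'  # selective authentication enabled
    0x00000020 = 'WITHIN_FOREST'       # parent-child, tree-root or shortcut trust
    0x00000040 = 'TREAT_AS_EXTERNAL'   # forest trust filtered only as strictly as an external trust
    0x00000080 = 'USES_RC4_ENCRYPTION' # realm trust negotiating RC4 rather than AES
}

function ConvertFrom-TrustAttributes {
    param([Parameter(Mandatory)][int]$Value)
    foreach ($bit in $TrustAttributeFlags.Keys) {
        if (($Value -band $bit) -ne 0) { $TrustAttributeFlags[$bit] }
    }
}

function Get-TrustAuditReport {
    param([string]$Server)  # domain controller to query; defaults to the current domain
    $query = @{ Filter = '*'; Properties = '*' }
    if ($Server) { $query['Server'] = $Server }

    Get-ADTrust @query | ForEach-Object {
        $trust = $_
        $attrs = [int]$trust.TrustAttributes
        $flags = @(ConvertFrom-TrustAttributes -Value $attrs)

        if ($flags -contains 'WITHIN_FOREST')         { $type = 'IntraForest' }
        elseif ($flags -contains 'FOREST_TRANSITIVE') { $type = 'Forest' }
        elseif ("$($trust.TrustType)" -eq 'MIT')      { $type = 'Realm' }
        else                                          { $type = 'External' }

        $transitive = switch ($type) {
            'IntraForest' { $true }
            'Forest'      { $true }
            'Realm'       { $flags -notcontains 'NON_TRANSITIVE' } # toggled with netdom trust /transitive
            default       { $false }                               # external trusts never extend
        }

        # Conditions a security review would flag. Selective authentication and
        # SID filtering only apply to forest and external trusts.
        $findings = @()
        if ($type -in 'Forest', 'External' -and $flags -notcontains 'CROSS_ORGANIZATION') {
            $findings += 'forest-wide authentication (all trusted users become Authenticated Users here)'
        }
        if ($type -eq 'Forest' -and $flags -contains 'TREAT_AS_EXTERNAL') {
            $findings += 'SID filtering relaxed on a forest trust'
        }
        if ($type -eq 'External' -and $flags -notcontains 'QUARANTINED_DOMAIN') {
            $findings += 'external trust with SID filtering (quarantine) disabled'
        }

        [pscustomobject]@{
            Target     = $trust.Target
            Direction  = $trust.Direction   # Inbound, Outbound or BiDirectional
            Type       = $type
            Transitive = $transitive
            Attributes = ('0x{0:X8} ({1})' -f $attrs, ($flags -join ', '))
            Findings   = if ($findings) { $findings -join '; ' } else { 'none' }
        }
    }
}

# Audit the local forest (run on a CloudBT.com domain controller), then the other side.
Get-TrustAuditReport | Format-Table -AutoSize
Get-TrustAuditReport -Server 'dc1.NowFixIT.com' | Format-Table -AutoSize   # assumed DC name
```

Run it before and after creating a trust: a newly created forest trust should show FOREST_TRANSITIVE, a direction of BiDirectional for a two-way trust, and no TREAT_AS_EXTERNAL flag; a CROSS_ORGANIZATION flag means selective authentication was chosen instead of forest-wide authentication.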
For our example, NowFixIT and CloudBT are forest root domains in separate forests, therefore you can create an External trust or Forest trust between them only (as seen below).
In this case, you choose to create a Forest trust between the two domains. Click the Forest trust radio button and Next to continue.
On the Direction of Trust page, you indicate whether you want to create a one-way incoming trust, a one-way outgoing trust, or a two-way trust. The directions are relative to the domain on which you run the wizard (CloudBT in our example).
A one-way incoming trust would allow users in the CloudBT domain to be authenticated in, and so be granted access to resources in, the NowFixIT domain only.
A one-way outgoing trust would allow users in the NowFixIT domain to be authenticated in, and so be granted access to resources in, the CloudBT domain only.
For our example, we want to create a two-way trust (users in either domain can be authenticated in the other). Choose the Two-way radio button and click Next.
The Sides of Trust page displays. You can indicate whether the trust is to be created only in the local domain or in both domains (the latter requires trust creation privileges in the other domain). In our situation, we have creation privileges for the NowFixIT domain and want to create the trust in both the NowFixIT and CloudBT domains. Therefore, the Both this domain and the specified domain radio button can be selected. Click Next to continue.
On the User Name and Password page, specify an account that has administrative privileges in the other domain (in our case, NowFixIT domain) and click Next.
On the Outgoing Trust Authentication Level – Local Forest page, specify whether users from the other forest are automatically authenticated for all resources in the local forest (Forest-wide authentication) or only for resources on which they have been explicitly granted access (Selective authentication). With forest-wide authentication, every user from the other forest becomes a member of Authenticated Users in the local forest and can reach anything that group is permitted to use; with selective authentication, users or groups from the other forest must be granted the Allowed to Authenticate permission on each computer they need to reach. Forest-wide authentication is the common choice when both forests belong to the same organization, while selective authentication is the safer choice when the other forest is not fully under your control. In our case, select the Forest-wide authentication radio button and click Next.
A summary page appears and you are able to review the selections you have made for the trust relationship. Click Next.
The Trust Creation Complete page should then display if the trust was created successfully. If there was an error creating the trust, it is usually due to incorrect administrator credentials for the other domain or to Domain Name System (DNS) resolution problems between the two domains: each forest must be able to resolve the other's DNS name, typically through conditional forwarders or stub zones.
The next few pages of the wizard request that you confirm both sides of the trust. Select Yes, confirm the outgoing trust radio button and click Next.
Select Yes, confirm the incoming trust radio button and click Next.
Completing the New Trust Wizard page displays where you can review the changes. Click Finish.
To verify whether the trust relationship has been created, navigate to Active Directory Domains and Trusts and right-click the CloudBT domain (as specified in our example), select the Trusts tab under Properties. The other side of the trust should have been created automatically (in our case, NowFixIT domain) if you selected Both this domain and the specified domain option earlier.
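The steps above can also be carried out from an elevated PowerShell session on a CloudBT.com domain controller. The following script is an added example (not code from the original article): it uses the .NET System.DirectoryServices.ActiveDirectory classes to create the same two-way forest trust from both sides, apply the authentication level chosen on the Outgoing Trust Authentication Level page, and then confirm both directions, which is what the confirm-outgoing and confirm-incoming pages of the wizard do. The remote forest name and the administrator credential are assumptions for the example.

```powershell
# Added example, not part of the original article: create and verify a two-way forest
# trust from a CloudBT.com domain controller, the programmatic equivalent of the wizard.
Add-Type -AssemblyName System.DirectoryServices

function New-ForestTrustWithVerification {
    param(
        [Parameter(Mandatory)][string]$RemoteForest,        # e.g. NowFixIT.com (assumed)
        [Parameter(Mandatory)][pscredential]$RemoteAdmin,   # admin in the remote forest root
        [switch]$SelectiveAuthentication                    # default: forest-wide, as in the article
    )
    $adns = 'System.DirectoryServices.ActiveDirectory'
    $localForest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

    # "User Name and Password" page: credentials for the other forest. The API needs the
    # clear-text password, so keep this session on a trusted administrative host.
    $ctx = [System.DirectoryServices.ActiveDirectory.DirectoryContext]::new(
        [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Forest,
        $RemoteForest,
        $RemoteAdmin.UserName,
        $RemoteAdmin.GetNetworkCredential().Password)
    $remoteForest = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ctx)

    # "Sides of Trust": Both this domain and the specified domain, two-way.
    $direction = [System.DirectoryServices.ActiveDirectory.TrustDirection]::Bidirectional
    $localForest.CreateTrustRelationship($remoteForest, $direction)

    # "Outgoing Trust Authentication Level": $false = forest-wide, $true = selective.
    $localForest.SetSelectiveAuthenticationStatus($remoteForest.Name, [bool]$SelectiveAuthentication)

    # "Confirm Outgoing Trust" / "Confirm Incoming Trust": throws if either side is broken.
    $localForest.VerifyTrustRelationship($remoteForest, $direction)

    # Report what was created, including the SID filtering state (enabled by default).
    [pscustomobject]@{
        LocalForest   = $localForest.Name
        RemoteForest  = $remoteForest.Name
        Direction     = $localForest.GetTrustRelationship($remoteForest.Name).TrustDirection
        SelectiveAuth = $localForest.GetSelectiveAuthenticationStatus($remoteForest.Name)
        SidFiltering  = $localForest.GetSidFilteringStatus($remoteForest.Name)
    }
}

# Usage (names assumed): prompts for an administrator of the NowFixIT forest.
$cred = Get-Credential -Message 'Administrator in the NowFixIT forest root'
New-ForestTrustWithVerification -RemoteForest 'NowFixIT.com' -RemoteAdmin $cred | Format-List
```

The same verification the wizard's confirm pages perform can be repeated at any time with `netdom trust CloudBT.com /d:NowFixIT.com /verify`, and `netdom trust CloudBT.com /d:NowFixIT.com /SelectiveAUTH` with no value displays the current authentication level. If the remote forest cannot be contacted, check DNS resolution between the forests first, as with the wizard.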