Question

Creating trusts in a forest with Windows Server

Answer 1

Configuration

Open the "Active Directory and Trusts Domains" console. When the console opens, locate the root domain of the forest. You can only create a trust relationship at the root domain level. Once the root domain is located, right click on it and select the Properties command in the resulting context menu. When you do, you will see the domain property sheet.

At this point, you must select the Property Sheet Trust tab, which is displayed in the image. Click on the button for new confidence to start the New Confidence Wizard.

When the wizard starts, click on "NEXT" to go to the wizard's welcome screen. At this point, the wizard will ask you to enter the domain, forest, or domain name of the trust. This screen can be a bit confusing, but all you have to do is type in the domain name of the root domain of the forest you want to establish trust with.

We click on "NEXT" and the wizard will ask you if you are going to create a territory or trust trust with a Windows domain. Select the Windows domain option and click "NEXT . " At this point, we will see what is probably the most important question asked by the assistant. The wizard wants to know if he is going to create an external trust or a trust in the forest. Choose the forest trust option and click "NEXT" .

Now we will see a screen that asks if you want to establish an entry form, in a single outgoing address, or a two-way trust. The trust has two sides. For example, imagine that you have two domains called "A" and "B" . Now imagine that domain "A" contains resources that users in domain "B" need access to "A." In a situation like this, domain "A" would be the trusting domain and domain "B" would be the trust domain. In this particular case, a bidirectional trust would not be adequate since users of domain "A" do not have access to anything in domain "B" . Many times in real life, however, a two-way trust is the most appropriate option.

In this case, we will reduce bidirectional trust. Now ask if you want to configure only your own side of the trust or both sides of the trust. What it refers to is the fact that an administrator password is needed for both domains to establish trust. If you only have the administrative password for your own domain, then you will have to choose the option Only this domain and the administrator of the other domain will have to repeat the process at its end with your own password. If you know both passwords however, it is much easier to configure both sides of the trust at the same time.

Click on "NEXT" and Windows will ask if you want to perform Forest wide authentication or selective authentication. Selective authentication that allows fine-tuning the authentication process, but involves much more work. Most of the time we are going well with the Great Forest authentication.

Then "NEXT" and we will see a summary of the options we have chosen. Click on "NEXT" once more and trust will be established. When the process is finished, a message will appear asking if you want to confirm the link between the forests. Go ahead and try to confirm the link.

With these steps we will be creating a relationship of trust between two Forests, which in many cases makes us much needed, that we can manage users of both forests.

---