In an Active Directory infrastructure, you can create external trust relationships (domain trusts), as well as forest trust relationships.
However, before creating trust relationships, it's essential to understand how they work and what they entail.
For this, refer to our article : The basics of Active Directory Domain Services (AD DS)
In this tutorial, we will create an external trust relationship between 2 domains present in 2 different forests.
In our case, we are going to create an external trust relationship between our "web.informatiweb.lan" and "corp.informatiweb-pro.lan" Active Directory domains.
To create an external trust relationship between 2 domains, open the "Active Directory Domains and Trusts" console and right-click "Properties" on the source domain (in our case : web.informatiweb.lan).
Then, go to the "Trusts" tab and click on the "New Trust" button.
The New Trust Wizard appears.
Specify the destination domain name with which you want to create the external trust relationship (domain trust).
In our case : corp.informatiweb-pro.lan
Choose the direction of this trust :
For a trust relationship to be valid, the trust object you are creating must be present on both sides (so in the source domain and the destination domain).
The wizard therefore asks you if you want to create this trust in :
If you know the credentials of an account authorized to create trust relationships in the specified domain (destination domain : corp.informatiweb-pro.lan), then select "Both this domain and the specified domain".
As we have chosen to create the trust in the source domain AND in the specified domain (destination domain), the wizard asks us for the credentials of an account with administrative privileges in the specified domain.
When you create a trust relationship, the wizard offers you to choose between :
A summary of the trust relationship configuration appears before it's created.
Since the local domain name and the specified domain are not root domains, the wizard will automatically detect that this was an external type trust relationship (as shown in the summary displayed).
To create this trust relationship, click "Next".
Now, the trust relationship has been created.
In order for this trust relationship to be used, the incoming and/or outgoing trust (depending on the choice made at the start of the wizard) must be confirmed.
As we have created a two-way trust relationship, we need to confirm the outgoing trust and then the incoming trust.
Select : Yes, confirm the outgoing trust.
Then : Yes, confirm the incoming trust.
Your trust relationship has been created and confirmed.
Click on Finish.
When you create an external trust relationship, SID (Security Identifier) filtering is automatically enabled as a security measure.
SID filtering prevents malicious users with administrator rights to the domain or forest from granting themselves elevated rights in the remote forest through the trust relationship created.
It also avoids attacks that use the history of SIDs which is used at the base to simplify the migration of many users without having to update the rights on the various resources of a server.
In the "Trusts" tab of the properties of the source domain (in our case : web.informatiweb.lan), you will find 2 new "External" and not-transitive type trust relationships.
This means that the relationship is only valid between the 2 domains concerned and that we cannot go further than these 2 domains using this trust relationship.
If you view the properties of the trust relationships you just created, you will find :
In the "Authentication" tab, you can choose whether you want to limit or not the access to resources in the local domain (web.informatiweb.lan).
Windows Server 9/22/2017
Windows Server 5/21/2021
Windows Server 6/18/2021
Windows Server 9/11/2021
® InformatiWeb-Pro.net - InformatiWeb.net 2008-2020 - © Lionel Eppe - All rights reserved.
Total or partial reproduction of this site is prohibited and constitutes an infringement punishable by articles L.335-2 and following of the intellectual property Code.