Creating a New Forest

Tutorial: Creating a Forest Trust

In this tutorial, we create a network shared folder in the austin.guinea.pig domain within the guinea.pig forest. We then outline the procedure for members of the piggy.wig domain within the piggy .wig forest to access this shared folder.

  1. On the austin domain controller (DC03), create a folder on the C drive and name it network_shares . Inside this new folder, create a new folder and name it forest_shares .

  2. Share the forest_shares folder on the network with full control network share permissions for both the everyone group and the administrators group . Do not worry about the NTFS permissions at this time.

  3. On the piggy.wig domain controller (DCA), open Active Directory Users and Computers . Under the piggy.wig domain on the left column, create a new OU and name it forest_users . Create another OU inside of forest_users and name it users . Create one more OU inside of forest_users and name it Groups .

  4. Inside the forest_users ˆ’ > Users OU, add three new users with the names of fuser01 , fuser02 , and fuser03 .

  5. Inside the forest_users ˆ’ > Groups OU, add two new groups with the names of forest_global and forest_universal . Make the forest_global group a security global group . Make forest_universal a security universal group.

    We now need to add our three users to the forest_global group.

  6. Double-click the forest_global group and click the Members tab. Click the Add button, and in the field provided, type the word fuser and click Check names . This performs a search for all users and/or groups with a name beginning with fuser.

  7. All three users that we created in step 4 appear in the list. Select all of them by pressing the control + A keys and click OK . All three users appear in the list. Click OK again. The users fuser01 , fuser02 , and fuser03 are now members of the forest_global group.

    We must now nest the forest_global inside the forest_universal group.

  8. While still on the forest_global group Properties window click the Member Of tab. Click Add .

  9. In the field provided, enter the text forest_universal and click OK . This adds forest_global as a member of forest_universal. Click OK .

    Our forest users are now ready for transport. We must now set up the proper NTFS file permissions in DC03 so that our users in the piggy.wig forest can access the share in austin.

  10. On DC03, open Active Directory Users and Computers . Under austin.guinea.pig, create a new OU and name it piggy.wig .

  11. Inside this new OU, create a domain local security group and name it forest_users .

  12. Double-click forest_users and click the Members tab. Click Add , and then click Locations .

  13. If it is expanded, collapse the guinea.pig object. Click the piggy.wig forest icon and click OK :

    click to expand
  14. Our search path is now set to look for objects in piggy.wig. Type the name of the universal group forest_universal and click OK . The forest_universal group is now a member of the the domain local group forest_users. Click OK .

  15. On DC03, set the NTFS file permissions so that the forest_ users domain local group has Modify permissions for the forest_shares shared folder and the Administrators group has Full Control permissions. Remove all other users and/or groups.

  16. Join a client computer to the piggy.wig forest/domain. Log into the domain as one of the fuser users (e.g., fuser01 ). On the client computer, try to connect to \\austin.guinea.pig\forest_shares. You should be granted access to the share, and you should be able to create and delete files in the share ( Note: you may need to log in using the notation of user @domain; for example, fuser01@piggy.wig. This can be set up in a logon script, the net use command, or by using the connect using a different user name command when mapping a network drive using the Windows interface ).

As an added benefit, you can log out of piggy.wig from this client computer, and, as a computer joined to the piggy.wig domain/forest, you can log into any of the domains in guinea.pig by typing username@domain and the correct password. For example, if the denver domain had a user named test , we could log in using test@denver.guinea.pig from the Windows logon screen.


Make sure that all domain controllers' clocks are within one minute of each other. If they aren't, you may run into problems connecting to various shares across forests.

Tutorial: Updating the Forest Trust After Adding New Child Domains

Obviously, there may be times when you need to add more child domains to each forest. If this is the case, you will need to update the trust.

  1. On either root domain controller in either forest, open Active Directory Domains and Trusts . Right-click the root domain's icon and choose Properties .

  2. Click the Trusts tab. In the upper window pane in the outgoing trusts area, click our forest trust and click Properties . At the bottom of the window, click Validate . On the window that appears, click Yes, validate the incoming trust and enter an administrative username and password for the domain. Click OK twice.

  3. Windows asks you to update the routing information for the forest trust. Click Yes . Click OK .

  4. Repeat this procedure for the forest trust located in the incoming trusts field of the domain Properties window.

Active Directory By The Numbers. Windows Server 2003
Active Directory By the Numbers: Windows Server 2003
ISBN: 0974759309
EAN: 2147483647
Year: 2003
Pages: 88
Authors: Marc Hoffman © 2008-2017.
If you may any questions please contact us: