2.16.1 Problem

You want to create a transitive trust between two AD forests. This causes the domains in both forests to trust each other without the need for additional trusts.

2.16.2 Solution

2.16.2.1 Using a graphical user interface
2.16.2.2 Using a command-line interface

> netdom trust <Forest1DNSName> /Domain:<Forest2DNSName> /Twoway /Transitive /ADD[RETURN]
  [/UserD:<Forest2AdminUser> /PasswordD:*][RETURN]
  [/UserO:<Forest1AdminUser> /PasswordO:*]

For example, to create a two-way forest trust from the AD forest rallencorp.com to the AD forest othercorp.com, use the following command:

> netdom trust rallencorp.com /Domain:othercorp.com /Twoway /Transitive /ADD[RETURN]
  /UserD:administrator@othercorp.com /PasswordD:*[RETURN]
  /UserO:administrator@rallencorp.com /PasswordO:*

2.16.3 Discussion

A new type of trust called a forest trust was introduced in Windows Server 2003. Under Windows 2000, if you wanted to create a fully trusted environment between two forests, you would have to set up individual external two-way trusts between every domain in both forests. If you have two forests with three domains each and wanted to set up a fully trusted model, you would need nine individual trusts. Figure 2-4 illustrates how this would look.

Figure 2-4. Trusts necessary for two Windows 2000 forests to trust each other

With a forest trust, you can define a single one-way or two-way transitive trust relationship that extends to all the domains in both forests. You may want to implement a forest trust if you merge or acquire a company and you want all of the new company's Active Directory resources to be accessible for users in your Active Directory environment and vice versa. Figure 2-5 shows a forest trust scenario. To create a forest trust, you need to use accounts from the Enterprise Admins group in each forest.

Figure 2-5. Trust necessary for two Windows Server 2003 forests to trust each other
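A check to run after the netdom command above, as an added example that is not part of the cookbook recipe: it lists the trusts the current domain holds, decodes the trustAttributes bit flags of each trustedDomain object (as documented in MS-ADTS), and separates the single forest trust from the per-domain external trusts the Discussion describes. It assumes the ActiveDirectory PowerShell module and its Get-ADTrust cmdlet, which ship with later Windows versions than the Server 2003 tooling used in this recipe.

```powershell
# Added example, not from the cookbook. Assumes the ActiveDirectory module
# (RSAT / Windows Server 2008 R2 and later), which provides Get-ADTrust.
Import-Module ActiveDirectory

# trustAttributes bit flags on the trustedDomain object (MS-ADTS).
$TrustAttributeFlags = @(
    @{ Bit = 0x01; Name = 'NON_TRANSITIVE' },
    @{ Bit = 0x02; Name = 'UPLEVEL_ONLY' },
    @{ Bit = 0x04; Name = 'QUARANTINED_DOMAIN' },   # SID filtering on an external trust
    @{ Bit = 0x08; Name = 'FOREST_TRANSITIVE' },    # the forest trust this recipe creates
    @{ Bit = 0x10; Name = 'CROSS_ORGANIZATION' },   # selective authentication
    @{ Bit = 0x20; Name = 'WITHIN_FOREST' },
    @{ Bit = 0x40; Name = 'TREAT_AS_EXTERNAL' },
    @{ Bit = 0x80; Name = 'USES_RC4_ENCRYPTION' }
)

# Turn the raw bitmask into a comma-separated list of flag names.
function ConvertFrom-TrustAttributes {
    param([int]$Value)
    $names = foreach ($flag in $TrustAttributeFlags) {
        if ($Value -band $flag.Bit) { $flag.Name }
    }
    if ($names) { $names -join ',' } else { 'NONE' }
}

# One row per trust: direction, whether it is a forest trust, and decoded flags.
function Get-TrustReport {
    param([string]$Server)   # optional: a specific DC to query
    $query = @{ Filter = '*'; Properties = 'trustAttributes' }
    if ($Server) { $query['Server'] = $Server }
    Get-ADTrust @query | ForEach-Object {
        $kind = if ($_.ForestTransitive) { 'forest' } else { 'domain' }
        [pscustomobject]@{
            Name       = $_.Name
            Direction  = $_.Direction     # Inbound, Outbound or BiDirectional
            Kind       = $kind
            Attributes = ConvertFrom-TrustAttributes $_.TrustAttributes
        }
    }
}

# For the recipe's example, a successful two-way forest trust to othercorp.com
# shows Direction BiDirectional, Kind forest, and FOREST_TRANSITIVE in Attributes.
Get-TrustReport | Sort-Object Kind, Name | Format-Table -AutoSize
```

Run it in each forest (or pass -Server with a DC of the other forest) so that both ends of the two-way trust are confirmed, since netdom creates the trust objects in both directions only when the /UserD and /UserO credentials both succeed.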