Trusts: Tasks


Trusts are managed using the Active Directory Domains and Trusts console, which is discussed under Site earlier in this chapter. The following procedures assume that you have this console open.

Create an External Trust

External trusts are one-way trusts in which a trusting domain trusts a trusted domain. Before you create a one-way trust, you need to decide which domain is the trusting domain and which is the trusted one. The trusting domain typically contains the shared resources that need to be accessed, while the trusted one contains the user accounts that need to access these resources.

Create an External Trust Within a Forest

To create a one-way external trust between two domains in the same forest:

Right-click on trusted domain → Properties → Trusts → New Trust → specify DNS or NetBIOS name of trusting domain → One-way incoming → Both this domain and the specified domain → specify administrator credentials

To create a two-way external trust between two domains in the same forest:

Right-click on trusted domain → Properties → Trusts → New Trust → specify DNS or NetBIOS name of trusting domain → Two-way → Both this domain and the specified domain → specify administrator credentials

Create an External Trust Between Forests

To create a one-way external trust between two domains in different forests, first start in the forest where the trusted domain resides and do this:

Right-click on trusted domain → Properties → Trusts → New Trust → specify DNS or NetBIOS name of trusting domain → One-way incoming → This domain only (specify a password for the trust)

Now go to the other forest and do this:

Right-click on trusted domain → Properties → Trusts → New Trust → specify DNS or NetBIOS name of trusted domain → One-way outgoing → This domain only (specify same password as above for the trust) → specify level of access to grant users in the trusted domain for resources in the trusting domain

To create two-way trusts, simply create two one-way trusts in opposite directions.

Create a Cross-Forest Trust

To create a cross-forest trust between two forests, first either make sure DNS servers in each forest can resolve the name of the other forest or ensure NetBIOS is enabled so you can specify the NetBIOS name of the forest instead of its DNS name. Then do this:

Right-click on a domain → Properties → Trusts → New Trust → specify DNS or NetBIOS name of trusting forest → continue as previously for Create an External Trust Between Forests

Create an External Trust to a Kerberos v5 Realm

You can also create one-way trusts with non-Windows Kerberos realms as follows:

Right-click on trusted domain → Properties → Trusts → New Trust → specify name of trusting realm → Realm trust → Transitive or Non-transitive → One-way incoming → specify a password for the trust

Then go to the Kerberos realm and create the other end of the trust using the same password.

Verify a Trust

Right-click on a domain → Properties → Trusts → select a trusted or trusting domain → Edit → Verify

If the trust is working, a dialog box will confirm this. If the trust has failed, a series of dialog boxes will lead you through the process of reestablishing the trust relationship between the domains. You can verify both implicit (transitive) and explicit (external or shortcut) trusts this way.

Revoke an External Trust

Right-click on the trusted or trusting domain → Properties → Trusts → select trusted or trusting domain → Remove

You can't revoke the implicit two-way transitive trusts that are created and maintained automatically by Active Directory; you can revoke only external trusts that you have explicitly created.
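
A scripted counterpart to Verify a Trust and to the implicit/explicit distinction under Revoke an External Trust, added here as an example and not taken from the book: it lists the current domain's trusts through the .NET System.DirectoryServices.ActiveDirectory classes, labels each as implicit or explicit, and verifies the outbound side where that is possible. It assumes Windows PowerShell on a domain-joined machine with rights to query the domain; the function name Get-TrustReport is hypothetical.

```powershell
# Added example: audit the current domain's trusts (not code from the book).
# Assumes a domain-joined machine; Get-TrustReport is a hypothetical name.
function Get-TrustReport {
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

    foreach ($trust in $domain.GetAllTrustRelationships()) {
        $type = $trust.TrustType.ToString()

        # ParentChild and TreeRoot are the implicit two-way transitive trusts
        # that Active Directory maintains itself and that cannot be revoked.
        # Everything else (External, CrossLink, Forest, Kerberos) was created
        # explicitly by an administrator and can be removed.
        $implicit = 'ParentChild', 'TreeRoot' -contains $type

        if ($type -eq 'Kerberos') {
            # The far end is a non-Windows realm, so there is no domain
            # controller to verify against from this side.
            $status = 'not checked (realm trust)'
        }
        elseif ($trust.TrustDirection.ToString() -eq 'Inbound') {
            # Only the outbound side can be verified from this domain.
            $status = 'not checked (inbound only)'
        }
        else {
            try {
                $domain.VerifyOutboundTrustRelationship($trust.TargetName)
                $status = 'OK'
            }
            catch {
                # Report a broken trust without aborting the rest of the audit.
                $status = 'FAILED: ' + $_.Exception.Message
            }
        }

        New-Object PSObject -Property @{
            Source    = $trust.SourceName
            Target    = $trust.TargetName
            Type      = $type
            Direction = $trust.TrustDirection.ToString()
            Revocable = -not $implicit
            Verified  = $status
        } | Select-Object Source, Target, Type, Direction, Revocable, Verified
    }
}

Get-TrustReport | Format-Table -AutoSize
```

Rows with Revocable set to True are the explicitly created trusts; any of them that no longer corresponds to a current business need is a candidate for the Remove procedure above.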



Windows Server 2003 in a Nutshell
ISBN: 0596004044
EAN: 2147483647
Year: 2003
Pages: 415
Authors: Mitch Tulloch
