A trust is a relationship established between domains that enables users in one domain to be authenticated by a domain controller in the other domain. There are different types of trust, such as External, Realm, Forest and Shortcut. This applies to both Windows Server 2003 and Windows Server 2008. An external trust is necessary when users from two different domains need to access resources such as printers and files across the two domains. In this article, I am going to talk about external trusts.
For this article, I will use the following domain controllers.
FQDN           | IP
---------------|---------------
Dc1.A.com.au   | 192.168.100.2
Dc2.B.com.au   | 192.168.200.2
Prerequisites:
- Both domain controllers must be able to ping each other by IP
- Proper routing is necessary if the DCs reside in separate subnets
- Add dc1 as a host record in the DNS zone of dc2
- Add dc2 as a host record in the DNS zone of dc1
- Add dc1.A.com.au to the Name Servers list on dc2
- Add dc2.B.com.au to the Name Servers list on dc1
- Add 192.168.100.2 as a secondary DNS server in the TCP/IP properties of dc2
- Add 192.168.200.2 as a secondary DNS server in the TCP/IP properties of dc1
- A user account with Domain Admin and Enterprise Admin rights
Step1: Add Host Record and Name Server record
Log on to the PDC (Dc1.A.com.au) using domain admin credentials. Start menu > Administrative Tools > DNS > Expand the server > Expand Forward Lookup Zones > Right-click A.com.au.
Click New Host > Type dc2 and IP 192.168.200.2, check Create associated pointer (PTR) record > OK.
Right-click the Name Server (NS) record > Click Properties > Click the Name Servers tab.
Click Add > Type the FQDN, i.e. dc2.B.com.au, and IP 192.168.200.2 > Click Add.
Log on to the PDC (Dc2.B.com.au) using domain admin credentials. Start menu > Administrative Tools > DNS > Expand the server > Expand Forward Lookup Zones > Right-click B.com.au.
Click New Host > Type dc1 and IP 192.168.100.2, check Create associated pointer (PTR) record > OK.
Right-click the Name Server (NS) record > Click Properties > Click the Name Servers tab.
Click Add > Type the FQDN, i.e. dc1.A.com.au, and IP 192.168.100.2 > Click Add.
Now ping both DCs using IP, NetBIOS name and FQDN and check that each replies correctly.
Step2: Creating the Trust
One-way trust between two DCs.
Example: a one-way trust lets users from dc1 (outgoing) get access to dc2 (incoming), but dc2 does not get access to dc1.
Creating the incoming trust on dc2
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain for which you want to establish a trust, and then click Properties.
3. On the Trusts tab, click New Trust, and then click Next.
4. On the Trust Name page, type the Domain Name System (DNS) name (or NetBIOS name) of the external domain, and then click Next.
5. On the Trust Type page, click External trust, and then click Next.
6. On the Direction of Trust page, click One-way: incoming, and then click Next.
7. On the Sides of Trust page, click This domain only, and then click Next.
8. On the Trust Password page, type the trust password twice, and then click Next. Agree with the administrator of the other domain on a secure channel password to be used in establishing the trust.
9. On the Trust Selections Complete page, review the results, and then click Next.
10. On the Trust Creation Complete page, review the results, and then click Next.
11. On the Confirm Incoming Trust page, do one of the following:
- If you do not want to confirm this trust, click No, do not confirm the incoming trust.
- If you want to confirm this trust, click Yes, confirm the incoming trust, and then supply the appropriate administrative credentials from the specified domain.
12. On the Completing the New Trust Wizard page, click Finish.
Creating the outgoing trust on dc1
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain for which you want to establish a trust, and then click Properties.
3. On the Trusts tab, click New Trust, and then click Next.
4. On the Trust Name page, type the Domain Name System (DNS) name (or NetBIOS name) of the external domain, and then click Next.
5. On the Trust Type page, click External trust, and then click Next.
6. On the Direction of Trust page, click One-way: outgoing, and then click Next.
7. On the Sides of Trust page, click This domain only, and then click Next.
8. On the Outgoing Trust Authentication Level page, do one of the following, and then click Next:
- Click Domain-wide authentication.
- Click Selective authentication.
9. On the Trust Password page, type the trust password twice, and then click Next.
10. On the Trust Selections Complete page, review the results, and then click Next.
11. On the Trust Creation Complete page, review the results, and then click Next.
12. On the Confirm Outgoing Trust page, do one of the following:
- If you do not want to confirm this trust, click No, do not confirm the outgoing trust. Note that if you do not confirm the trust at this stage, the secure channel will not be established until the first time the trust is used by users.
- If you want to confirm this trust, click Yes, confirm the outgoing trust, and then supply the appropriate administrative credentials from the specified domain.
13. On the Completing the New Trust Wizard page, click Finish.
If you want both sides to have access to each other, change the above configuration to a two-way trust on dc1. Dc2 will then automatically be configured with the trust relationship.
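The following PowerShell script is an added example, not part of the original article: run on either DC, it checks the prerequisites listed above (name resolution of the peer, ping by IP, peer listed as a DNS server in TCP/IP properties) and then reads the finished trust back, flagging domain-wide authentication and missing SID filtering. It assumes the ActiveDirectory module is installed (Get-ADTrust needs the Windows Server 2012 or later version of that module) and uses the article's lab names and addresses.

```powershell
# Added example (not the article's own code). Prerequisite checks use .NET and
# WMI so they also run on Windows Server 2003/2008; the trust check assumes the
# ActiveDirectory module with Get-ADTrust.
$peers = @{ 'dc1.A.com.au' = '192.168.100.2'; 'dc2.B.com.au' = '192.168.200.2' }
$me    = ([System.Net.Dns]::GetHostName()).ToLower()

# DNS servers configured in TCP/IP properties of every enabled adapter here.
$localDns = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE' |
    ForEach-Object { $_.DNSServerSearchOrder }

foreach ($fqdn in $peers.Keys) {
    if ($fqdn.ToLower().StartsWith("$me.")) { continue }   # skip this DC itself
    $ip = $peers[$fqdn]
    # Prerequisite: the peer FQDN must resolve to the address in the table.
    try   { $resolved = [System.Net.Dns]::GetHostAddresses($fqdn) | ForEach-Object { $_.IPAddressToString } }
    catch { $resolved = @() }
    $dnsOk  = $resolved -contains $ip
    # Prerequisite: the peer must answer ping by IP (routing between subnets works).
    $pingOk = Test-Connection -ComputerName $ip -Count 2 -Quiet
    # Prerequisite: the peer's address is listed as a (secondary) DNS server locally.
    $srvOk  = $localDns -contains $ip
    '{0,-14} resolves:{1,-9} ping:{2,-5} listed as DNS server:{3}' -f $fqdn,
        $(if ($dnsOk)  { 'OK' } else { 'MISMATCH' }),
        $(if ($pingOk) { 'OK' } else { 'FAIL' }),
        $srvOk
}

# After the wizard: read the trust back and note settings an admin should review.
Import-Module ActiveDirectory
Get-ADTrust -Filter * | ForEach-Object {
    $notes = @()
    if ($_.ForestTransitive) { $notes += 'transitive: this is a forest trust, not an external trust' }
    if (-not $_.SelectiveAuthentication) {
        $notes += 'domain-wide authentication: all users of the trusted domain count as Authenticated Users here'
    }
    if (-not $_.SIDFilteringQuarantined) { $notes += 'SID filtering (quarantine) is off' }
    New-Object PSObject -Property @{
        Target    = $_.Target
        Direction = $_.Direction            # Inbound, Outbound or BiDirectional, as recorded on this DC
        Selective = $_.SelectiveAuthentication
        Notes     = ($notes -join '; ')
    }
} | Select-Object Target, Direction, Selective, Notes | Format-Table -AutoSize
```

On a Windows Server 2003 or 2008 DC without the module, `nltest /domain_trusts /v` shows the same direction and attribute information for the trust.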
Source:
www.arihan.wordpress.com
Published By
S.G.Godwin Dinesh.MCA
Sr.System Administrator