
To create an external trust between two separate domains and forests



A trust is a relationship established between domains that enables users in one domain to be authenticated by a domain controller in the other domain. There are different types of trust: External, Realm, Forest and Shortcut. This procedure applies to both Windows Server 2003 and Windows Server 2008. An external trust is necessary when users from two different domains want to access resources, such as printers and files, in each other's domain. In this article, I am going to talk about external trusts.
For this article, I will use the following two domain controllers.
FQDN           IP
Dc1.A.com.au   192.168.100.2
Dc2.B.com.au   192.168.200.2
Prerequisites:
  1. Both domain controllers must be able to ping each other by IP
  2. Proper routing is necessary if they reside in separate subnets
  3. Add dc1 as a host (A) record in the DNS zone of dc2
  4. Add dc2 as a host (A) record in the DNS zone of dc1
  5. Add dc1.A.com.au to the Name Servers list on dc2
  6. Add dc2.B.com.au to the Name Servers list on dc1
  7. Add 192.168.100.2 as the secondary DNS server in the TCP/IP properties of dc2
  8. Add 192.168.200.2 as the secondary DNS server in the TCP/IP properties of dc1
  9. A user account with Domain Admin and Enterprise Admin rights
Step 1: Add Host record and Name Server record
Log on to the PDC (Dc1.A.com.au) using domain admin credentials. Start menu > Administrative Tools > DNS > expand the server node > expand Forward Lookup Zones > right-click A.com.au
Click New Host > type dc2 and the IP 192.168.200.2, check Create associated pointer (PTR) record > OK
Right-click the Name Server (NS) record > Properties > Name Servers tab
Click Add > type the FQDN, i.e. dc2.B.com.au, and the IP 192.168.200.2 > click Add
Log on to the PDC (Dc2.B.com.au) using domain admin credentials. Start menu > Administrative Tools > DNS > expand the server node > expand Forward Lookup Zones > right-click B.com.au
Click New Host > type dc1 and the IP 192.168.100.2, check Create associated pointer (PTR) record > OK
Right-click the Name Server (NS) record > Properties > Name Servers tab
Click Add > type the FQDN, i.e. dc1.A.com.au, and the IP 192.168.100.2 > click Add
Now ping both DCs by IP, NetBIOS name and FQDN and check that each replies properly.
Step 2: Creating the Trust
One-way trust between two DCs. Example: a one-way trust allows users from dc1 (outgoing) to get access to dc2 (incoming), but dc2 does not get access to dc1.
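Pinging by hand only covers the first prerequisite. The script below is an added example, not part of the original article, that checks every Step 1 prerequisite from one DC: reachability by IP, the host and PTR records, the partner DC in the local zone's Name Servers tab, the partner IP in the TCP/IP DNS server list, and finally whether the DC locator can find a domain controller for the partner domain, which is what the trust wizard needs. The default parameter values are the article's hosts as seen from Dc1.A.com.au; on Dc2.B.com.au pass the dc1 values instead. It uses only nslookup, nltest, WMI and the .NET resolver, so it runs on Windows Server 2003 (with PowerShell 2.0) and 2008.

```powershell
# Added example (not from the original article): pre-flight check of the Step 1
# DNS prerequisites. Defaults describe the partner DC as seen from Dc1.A.com.au;
# on Dc2.B.com.au run it with -LocalZone B.com.au -PartnerFqdn dc1.A.com.au
# -PartnerIp 192.168.100.2 -PartnerDomain A.com.au.
param(
    [string]$LocalZone     = 'A.com.au',       # zone hosted on this DC
    [string]$PartnerFqdn   = 'dc2.B.com.au',   # host record added in Step 1
    [string]$PartnerIp     = '192.168.200.2',
    [string]$PartnerDomain = 'B.com.au'
)

$results = @()
function Add-Result([string]$Name, [bool]$Ok, [string]$Detail) {
    $script:results += New-Object PSObject -Property @{ Check = $Name; Passed = $Ok; Detail = $Detail }
}

# Prerequisites 1-2: the partner DC answers ping by IP (routing between subnets works)
$ping = Test-Connection -ComputerName $PartnerIp -Count 2 -Quiet -ErrorAction SilentlyContinue
Add-Result 'Ping partner by IP' $ping $PartnerIp

# Prerequisites 3-4: the host record resolves to the expected address, and the PTR
# record created by the 'Create PTR' checkbox maps the address back to the FQDN
$resolved = @()
try { $resolved = @([System.Net.Dns]::GetHostAddresses($PartnerFqdn) | ForEach-Object { $_.IPAddressToString }) } catch {}
Add-Result 'Forward lookup of partner FQDN' ($resolved -contains $PartnerIp) ("$PartnerFqdn -> " + ($resolved -join ','))

$ptr = ''
try { $ptr = [System.Net.Dns]::GetHostEntry($PartnerIp).HostName } catch {}
Add-Result 'Reverse lookup of partner IP' ($ptr -ieq $PartnerFqdn) "$PartnerIp -> $ptr"

# Prerequisites 5-6: the partner DC appears in the Name Servers tab of the local zone.
# nslookup prints one 'nameserver = <fqdn>' line per NS record; ask the local server.
$nsOutput = nslookup -type=NS $LocalZone 127.0.0.1 2>$null | Out-String
$pattern  = 'nameserver\s*=\s*' + [regex]::Escape($PartnerFqdn)
Add-Result "Partner listed as NS for $LocalZone" ($nsOutput -match $pattern) "NS records of $LocalZone queried on 127.0.0.1"

# Prerequisites 7-8: the partner IP is configured as a DNS server in the TCP/IP
# properties (Win32_NetworkAdapterConfiguration is available on 2003 and 2008)
$dnsServers = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object { $_.DNSServerSearchOrder } | Where-Object { $_ })
Add-Result 'Partner IP in TCP/IP DNS server list' ($dnsServers -contains $PartnerIp) ($dnsServers -join ',')

# The real test of the DNS work: the DC locator must find a domain controller for
# the partner domain, because the New Trust Wizard relies on it.
$null = nltest "/dsgetdc:$PartnerDomain" 2>&1
Add-Result "Locate a DC for $PartnerDomain" ($LASTEXITCODE -eq 0) "nltest /dsgetdc:$PartnerDomain"

$results | Format-Table Check, Passed, Detail -AutoSize
if (@($results | Where-Object { -not $_.Passed }).Count -gt 0) { exit 1 }
```

Run it once on each DC before starting Step 2; a non-zero exit code means at least one prerequisite is still missing, and the Detail column shows what the DC actually resolved or found.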
Creating incoming trust in dc2
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain for which you want to establish a trust, and then click Properties.
3. On the Trusts tab, click New Trust, and then click Next.
4. On the Trust Name page, type the Domain Name System (DNS) name (or NetBIOS name) of the external domain, and then click Next.
5. On the Trust Type page, click External trust, and then click Next.
6. On the Direction of Trust page, click One-way: incoming, and then click Next.
7. On the Sides of Trust page, click This domain only, and then click Next.
8. On the Trust Password page, type the trust password twice, and then click Next.
With the administrator of the other domain, agree on a secure channel password to be used in establishing the trust.
9. On the Trust Selections Complete page, review the results, and then click Next.
10. On the Trust Creation Complete page, review the results, and then click Next.
11. On the Confirm Incoming Trust page, do one of the following:
· If you do not want to confirm this trust, click No, do not confirm the incoming trust.
· If you want to confirm this trust, click Yes, confirm the incoming trust, and then supply the appropriate administrative credentials from the specified domain.
12. On the Completing the New Trust Wizard page, click Finish.
Creating outgoing trust in dc1
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain for which you want to establish a trust, and then click Properties.
3. On the Trusts tab, click New Trust, and then click Next.
4. On the Trust Name page, type the Domain Name System (DNS) name (or NetBIOS name) of the external domain, and then click Next.
5. On the Trust Type page, click External trust, and then click Next.
6. On the Direction of Trust page, click One-way: outgoing, and then click Next.
7. On the Sides of Trust page, click This domain only, and then click Next.
8. On the Outgoing Trust Authentication Level page, do one of the following, and then click Next:
· Click Domain-wide authentication.
· Click Selective authentication.
9. On the Trust Password page, type the trust password twice, and then click Next.
10. On the Trust Selections Complete page, review the results, and then click Next.
11. On the Trust Creation Complete page, review the results, and then click Next.
12. On the Confirm Outgoing Trust page, do one of the following:
· If you do not want to confirm this trust, click No, do not confirm the outgoing trust. Note that if you do not confirm the trust at this stage, the secure channel will not be established until the first time that the trust is used by users.
· If you want to confirm this trust, click Yes, confirm the outgoing trust, and then supply the appropriate administrative credentials from the specified domain.
13. On the Completing the New Trust Wizard page, click Finish.
If you want both sides to have access to each other, change the above configuration on dc1 to a two-way trust. Dc2 will then automatically be configured with the trust relationship.
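The same one-way external trust can be created and, more importantly, verified from the command line. The script below is an added example, not part of the original article: it uses netdom to create the trust described in Step 2, applies the two least-privilege options the wizard offers (selective authentication and SID filtering), and reads the trust back with Get-ADTrust so the direction and both settings can be confirmed. A.com.au is the trusting domain (the side configured as "One-way: outgoing" on dc1) and B.com.au the trusted domain (the "One-way: incoming" side on dc2). The domain and DC names are the article's; the account name B\Administrator and the use of the ActiveDirectory PowerShell module (Windows Server 2008 R2 or later) are assumptions.

```powershell
# Added example (not from the original article): the one-way external trust of
# Step 2 built with netdom instead of the New Trust Wizard, then checked.
# Run on Dc1.A.com.au with Domain Admin rights in A.com.au.
$TrustingDomain = 'A.com.au'          # configured as 'One-way: outgoing' on dc1
$TrustedDomain  = 'B.com.au'          # configured as 'One-way: incoming' on dc2
$TrustedAdmin   = 'B\Administrator'   # assumed account with admin rights in B.com.au

# 1. Create the trust. netdom takes the trusting domain first and the trusted domain
#    after /d:. /ud and /pd:* (prompts for the password) are the credentials used in
#    the trusted domain, so both sides are written in one step, which is the wizard's
#    'Both this domain and the specified domain' choice. Add /twoway for the two-way
#    trust described in the article's last paragraph.
netdom trust "$TrustingDomain" "/d:$TrustedDomain" /add "/ud:$TrustedAdmin" /pd:*
if ($LASTEXITCODE -ne 0) { throw "netdom trust /add failed (exit code $LASTEXITCODE)" }

# 2. The wizard's 'Selective authentication' option: only computers in A.com.au on
#    which B.com.au users are granted 'Allowed to Authenticate' accept them.
netdom trust "$TrustingDomain" "/d:$TrustedDomain" /SelectiveAUTH:yes

# 3. SID filtering (quarantine): SIDs in a B.com.au user's token that do not belong
#    to B.com.au are discarded. It is on by default for external trusts created on
#    Windows Server 2003 or later; setting it explicitly records the intent.
netdom trust "$TrustingDomain" "/d:$TrustedDomain" /quarantine:yes

# 4. Verify the trust object and the interdomain secure channel from the trusting side
netdom trust "$TrustingDomain" "/d:$TrustedDomain" /verify
nltest "/sc_verify:$TrustedDomain"
nltest /domain_trusts

# 5. Read the trust back and warn about anything that differs from the intended
#    one-way, selective, SID-filtered configuration
Import-Module ActiveDirectory   # assumed: Windows Server 2008 R2 or later
$trust = Get-ADTrust -Identity $TrustedDomain
$trust | Select-Object Name, Direction, TrustType, SelectiveAuthentication, SIDFilteringQuarantined
if ($trust.Direction -ne 'Outbound') {
    Write-Warning "Expected an outgoing trust on $TrustingDomain, found $($trust.Direction)"
}
if (-not $trust.SIDFilteringQuarantined) {
    Write-Warning "SID filtering is disabled on the trust to $TrustedDomain"
}
if (-not $trust.SelectiveAuthentication) {
    Write-Warning "Domain-wide authentication: every user of $TrustedDomain is an Authenticated User on every computer in $TrustingDomain"
}
```

The warnings in step 5 are the checks worth keeping: the Direction value confirms which way the trust actually points, and the two boolean properties show whether the trust is limited to the computers you chose or open to the whole trusted domain.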

 Source:
 www.arihan.wordpress.com
Published By
S.G.Godwin Dinesh.MCA
Sr.System Administrator
