Active Directory trusts can be created between Active Directory domains and between Active Directory forests. A trust maintains a relationship between two domains so that users in one domain can access resources in the other. All the trusts between domains in an Active Directory forest are transitive and two-way. So there is no need to create a trust between domains of the same Active Directory forest, but you will be required to create a trust between domains of different Active Directory forests if you need to allow users from one domain to access resources in a domain that belongs to a different Active Directory forest. This article explains the trust types available in Windows Server 2016 and how you can manage them using the built-in tools that ship when you install Active Directory on a Windows Server 2016 computer.
Types of Active Directory trusts
There are four types of Active Directory trusts available — external trusts, realm trusts, forest trusts, and shortcut trusts. Each is explained below:
- External trust: You will create an external trust only if the resources are located in a different Active Directory forest. An external trust is always nontransitive and it can be a one-way or two-way trust.
- Realm trust: Realm trusts are always created between the Active Directory forest and a non-Windows Kerberos directory such as eDirectory, Unix Directory, etc. The trust can be transitive or nontransitive and the trust direction can be one-way or two-way. If you are running different directories in your production environment and need to allow users to access resources in either of the directories, you will need to establish a realm trust.
- Forest trust: You will be required to create a forest trust if you need to allow resources to be shared between Active Directory forests. Forest trusts are always transitive and the direction can be one-way or two-way.
- Shortcut trust: You may want to create a shortcut trust between domains of the same Active Directory forest if you need to improve the user login experience. The shortcut trust is always transitive and direction can be one-way or two-way.
Important points about Active Directory trusts
When creating Active Directory trusts, please take a note of the following points:
- You need to have sufficient permissions to perform the trust creation operation. At a minimum, you will be required to be a member of the Domain Admins or Enterprise Admins security group, or you must have been granted the permissions necessary to create trusts.
- As part of the trust creation operation, you will be required to verify the trust between the two domains. Verification can be done by using the Active Directory Domains and Trusts snap-in or the Netdom command-line tool.
- When creating external or forest trusts, you can select the scope of authentication for users. Selective authentication allows you to restrict access to only those identities in the trusted Active Directory forest that have been given permissions to resource computers in the trusting Active Directory forest. This restricted-access scenario is achieved by using the Selective Authentication feature, which is applicable only to external and forest trusts.
How to create a trust
You can use Active Directory Domains and Trusts snap-in or Netdom command line tool to create the trusts explained above. For example, to create an external trust using Active Directory Domains and Trusts snap-in, follow the steps:
- Type Domain.msc in the search bar in Start Menu.
- Right-click on the domain node and then click on the Properties action.
- On the Trusts tab, click New Trust and then click Next to show the steps.
- In the Trust Name field, type in the DNS name of the domain and then click the Next button.
- In the Trust Type drop-down, select the type of trust you would like to create. Since we are creating an external trust, select External Trust and then click the Next button.
- On the page where it says “Direction of the Trust,” select direction and then follow the on-screen steps to continue creating the trust.
To create an external trust using Netdom command line tool, execute this command:
Netdom Trust <TrustingDomain> /D:<TrustedDomain> /Add
<TrustingDomain> in the above command is the DNS domain name of the trusting domain and <TrustedDomain> is the DNS domain name of the domain that will be trusted in the trust.
Once you have created trusts, you can verify them by using the Active Directory Domains and Trusts snap-in or the Netdom command-line tool, but it is best to verify the trusts by using the Netdom command-line tool. All you need to do is specify the DNS domain names of the trusting and trusted domains and then add the “/Verify” switch as shown in the command below:
Netdom Trust <TrustingDomain> /D:<TrustedDomain> /Verify
Although it is easy to create trusts using the Active Directory Domains and Trusts snap-in, when it comes to verifying the trust, using the Netdom command-line utility makes sense because it allows you to include the verification command in a batch file and run it every week to ensure the trust is still in place.
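The weekly verification script the paragraph above describes, written out as an added example (this is not the article's code). It enumerates every trust object of the current domain with the Get-ADTrust cmdlet from the ActiveDirectory module, runs the same Netdom /Verify check the article shows once per trust, and reports the settings covered under "Important points about Active Directory trusts" (direction, transitivity, selective authentication) alongside the verification result. It assumes that the ActiveDirectory PowerShell module (RSAT-AD-PowerShell) and netdom.exe are installed on the machine where it runs and that the caller is a member of Domain Admins; the function name Get-TrustReport is made up for this example.

```powershell
# Added example, not from the original article.
# Assumes: ActiveDirectory module (RSAT-AD-PowerShell) and netdom.exe present,
# caller is a Domain Admin (netdom trust /verify requires it).
Import-Module ActiveDirectory

function Get-TrustReport {
    param(
        # Domain whose trust objects are read; defaults to the current domain.
        [string]$Domain = (Get-ADDomain).DNSRoot
    )

    Get-ADTrust -Filter * -Server $Domain | ForEach-Object {
        # netdom expects <TrustingDomain> /d:<TrustedDomain>. For an outbound
        # or two-way trust the local domain is the trusting side; for an
        # inbound-only trust the roles are reversed.
        $trusting = $Domain
        $trusted  = $_.Target
        if ($_.Direction -eq 'Inbound') {
            $trusting = $_.Target
            $trusted  = $Domain
        }

        # Same command the article recommends; netdom sets $LASTEXITCODE to 0
        # when the trust is verified.
        $output   = & netdom trust $trusting /d:$trusted /verify 2>&1
        $verified = ($LASTEXITCODE -eq 0)

        [pscustomobject]@{
            Target                  = $_.Target
            Direction               = $_.Direction          # Inbound, Outbound, BiDirectional
            TrustType               = $_.TrustType
            ForestTransitive        = $_.ForestTransitive   # true for forest trusts
            IntraForest             = $_.IntraForest        # true for trusts inside the forest
            SelectiveAuthentication = $_.SelectiveAuthentication
            Verified                = $verified
            NetdomOutput            = ($output -join ' ')
        }
    }
}

# Run the report and flag what a reviewer should look at: a trust that failed
# verification, or an external/forest trust that does not use selective
# authentication (domain-wide authentication is the default).
$report = Get-TrustReport
$report | Format-Table Target, Direction, TrustType, ForestTransitive, SelectiveAuthentication, Verified -AutoSize

$needsReview = $report | Where-Object {
    (-not $_.Verified) -or ((-not $_.IntraForest) -and (-not $_.SelectiveAuthentication))
}
if ($needsReview) {
    Write-Warning "Trusts needing review:"
    $needsReview | Format-Table Target, Direction, Verified, SelectiveAuthentication, NetdomOutput -AutoSize
    exit 1   # non-zero exit so a scheduled task can alert on it
}
```

Save it as a .ps1 file and register it as a scheduled task that runs weekly; the non-zero exit code on a failed verification or an unexpected domain-wide authentication setting gives the task history something to alert on. If the account running the task has no rights in the other domain, netdom may need the /UserD and /PasswordD switches for the verification to succeed.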
Photo credit: Wikimedia