Managing Active Directory trusts in Windows Server 2016

Active Directory trusts can be created between Active Directory domains and Active Directory forests. A trust allows you to maintain a relationship between the two domains to ensure resources in domains can be accessed by users. All the trusts between domains in an Active Directory forest are transitive and two-way trusts. So there is no need to create a trust between domains of the same Active Directory forest, but you will be required to create a trust between domains of different Active Directory forests if you need to allow users from one domain to access resources in another domain in a different Active Directory forest. This article explains available trust types in Windows Server 2016 and how you can manage them using the built-in tools that ship when you install Active Directory on a Windows Server 2016 computer.

Types of Active Directory trusts

There are four types of Active Directory trusts available — external trusts, realm trusts, forest trusts, and shortcut trusts. Each is explained below:

  • External trust: You will create an external trust only if the resources are located in a different Active Directory forest. An external trust is always nontransitive and it can be a one-way or two-way trust.
  • Realm trust: Realm trusts are always created between the Active Directory forest and a non-Windows Kerberos directory such as eDirectory, Unix Directory, etc. The trust can be transitive and nontransitive and the trust direction can be one-way or two-way. If you are running different directories in your production environment and need to allow users to access resources in the either of the directories, you will need to establish a realm trust.
  • Forest trust: You will be required to create a forest trust if you need to allow resources to be shared between Active Directory forests. Forest trusts are always transitive and the direction can be one-way or two-way.
  • Shortcut trust: You may want to create a shortcut trust between domains of the same Active Directory forest if you need to improve the user login experience. The shortcut trust is always transitive and direction can be one-way or two-way.

Important points about Active Directory trusts

When creating Active Directory trusts, please take a note of the following points:

  • You need to have sufficient permissions to perform trust creation operation. At a minimum, you will be required to be part of domain admins or enterprise admins security group or you must have been granted necessary permissions to create trusts.
  • As part of the trust creation operation, you will be required to verify the trust between two destinations. Verification can be done by using Active Directory Domains and Trusts snap-in or Netdom command line tool.
  • When creating external or forest trusts, you can select Scope of the Authentication for users. Selective authentication allows you to restrict access to only those identities in a trusted Active Directory forest who have been given permissions to resource computers in trusting Active Directory forest. The restrict access scenario is achieved by using the Selective Authentication feature, which is applicable only for external and forest trusts.

How to create a trust

You can use Active Directory Domains and Trusts snap-in or Netdom command line tool to create the trusts explained above. For example, to create an external trust using Active Directory Domains and Trusts snap-in, follow the steps:

  1. Type Domain.msc in the search bar in Start Menu.
  2. Right-click on the domain node and then click on the Properties action.
  3. On the Trusts Tab, click on the New Trust and then click Next to show the steps.
  4. In the Trust Name field, type in the DNS name of the domain and then click Next button.
  5. In the Trust Type drop-down, select the type of trust you would like to create. Since we are creating an external trust, select External Trust and then click Next button.
  6. On the page where it says “Direction of the Trust,” select direction and then follow the on-screen steps to continue creating the trust.

To create an external trust using Netdom command line tool, execute this command:

Netdom Trust <TrustingDomain> /D:<TrustedDomain> /Add

<TrustingDomain> in the above command is the DNS domain name of the trusting domain and <TrustedDomain> is the DNS domain name of the domain that will be trusted in the trust.

Verifying trusts

Once you have created trusts, you can verify them by using Active Directory Domains and Trusts snap-in or the Netdom command line tool, but it is best to verify the trusts by using the Netdom command line tool. All you need to do is specify the DNS domain names of Trusting and Trusted domains and then add the “/Verify” switch as shown in the command below:

Netdom Trust <TrustingDomain> /D:<TrustedDomain> /Verify

Although it is easy to create trusts using the Active Directory Domains and Trusts sanp-in, when it comes to verifying the trust, using the Netdom command-line utility makes sense as it allows you to include the verification command in a batch file and run it every week to ensure the trust is in place.

Photo credit: Wikimedia

Nirmal Sharma

Nirmal Sharma is a MCSEx3, MCITP and was awarded the Microsoft MVP award in Directory Services and Windows Networking. He specializes in Microsoft Azure, Office 365, Directory Services, Failover Clusters, Hyper-V, PowerShell Scripting and System Center products. Nirmal has been involved with Microsoft Technologies since 1994. In his spare time, he likes to help others and share some of his knowledge by writing tips and articles on various sites.

Share
Published by
Nirmal Sharma

Recent Posts

Key to success: Tracking down and unlocking locked files in Windows

Locked files in Windows can be a maddening experience. Thankfully, it is usually relatively easy to get a locked file…

14 hours ago

‘Made By Google’ 2019: Pixel 4 and Pixel 4 XL are finally official

The release of Google’s much-awaited new smartphones is official. The tech giant has unveiled the Pixel 4 and Pixel 4…

19 hours ago

COBIT 2019: An effective governance framework for IT pros

Every business with IT as part of its foundation needs a comprehensive governance strategy. This is where COBIT 2019 comes…

22 hours ago

WAN optimization: Fast tips to get your network up to speed

A wide-area network gradually slows down over time for several reasons. These WAN optimization tips can help you regain some…

2 days ago

Review: Self-service key recovery solution Specops Key Recovery

Helpdesks spend way too much of their time unlocking users’ computers. Specops Key Recovery is a self-service solution for this…

2 days ago

CSI: Enterprise Software (Episode 23): Follow the breadcrumbs

Managing software in today’s enterprise is often like working a crime scene. But by following the breadcrumbs, you can keep…

2 days ago