Managing Active Directory trusts in Windows Server 2016

Active Directory trusts can be created between Active Directory domains and between Active Directory forests. A trust is a relationship between two domains that lets users in one domain access resources in the other. All trusts between domains of the same Active Directory forest are transitive, two-way trusts, so there is no need to create a trust between domains within one forest. You will, however, need to create a trust between domains of different Active Directory forests if users from one domain must access resources in a domain of another forest. This article explains the trust types available in Windows Server 2016 and how to manage them with the built-in tools that are installed along with Active Directory on a Windows Server 2016 computer.

Types of Active Directory trusts

There are four types of Active Directory trusts: external trusts, realm trusts, forest trusts, and shortcut trusts. Each is explained below:

  • External trust: Create an external trust when the resources are located in a domain of a different Active Directory forest. An external trust is always nontransitive and can be one-way or two-way.
  • Realm trust: Realm trusts are created between the Active Directory forest and a non-Windows Kerberos directory such as eDirectory, a Unix directory, etc. The trust can be transitive or nontransitive, and its direction can be one-way or two-way. If you run different directories in your production environment and need to allow users to access resources in either of them, you will need to establish a realm trust.
  • Forest trust: Create a forest trust when resources need to be shared between two Active Directory forests. Forest trusts are always transitive and can be one-way or two-way.
  • Shortcut trust: Create a shortcut trust between two domains of the same Active Directory forest when you need to improve the user logon experience; it shortens the authentication path between domains that are far apart in the forest tree. A shortcut trust is always transitive and can be one-way or two-way.

Important points about Active Directory trusts

When creating Active Directory trusts, note the following points:

  • You need sufficient permissions to create a trust. At a minimum, you must be a member of the Domain Admins or Enterprise Admins security group, or you must have been delegated the permissions needed to create trusts.
  • As part of creating the trust, you will be required to verify the trust between the two domains. Verification can be done with the Active Directory Domains and Trusts snap-in or the Netdom command-line tool.
  • When creating an external or forest trust, you can select the scope of authentication for users. Selective authentication restricts access to only those identities in the trusted Active Directory forest that have been explicitly granted permission to authenticate to resource computers in the trusting Active Directory forest. The Selective Authentication feature is applicable only to external and forest trusts.

How to create a trust

You can use the Active Directory Domains and Trusts snap-in or the Netdom command-line tool to create the trusts explained above. For example, to create an external trust with the Active Directory Domains and Trusts snap-in, follow these steps:

  1. Type Domain.msc in the Start menu search box.
  2. Right-click the domain node and then click Properties.
  3. On the Trusts tab, click New Trust and then click Next to start the wizard.
  4. In the Trust Name field, type the DNS name of the domain and then click Next.
  5. In the Trust Type drop-down, select the type of trust you would like to create. Since we are creating an external trust, select External Trust and then click Next.
  6. On the “Direction of the Trust” page, select the direction and then follow the on-screen steps to finish creating the trust.

To create an external trust using Netdom command line tool, execute this command:

Netdom Trust <TrustingDomain> /D:<TrustedDomain> /Add

<TrustingDomain> in the above command is the DNS domain name of the trusting domain and <TrustedDomain> is the DNS domain name of the domain that will be trusted in the trust.

Verifying trusts

Once you have created trusts, you can verify them with the Active Directory Domains and Trusts snap-in or the Netdom command-line tool, but it is best to verify them with Netdom. All you need to do is specify the DNS domain names of the trusting and trusted domains and add the “/Verify” switch, as shown in the command below:

Netdom Trust <TrustingDomain> /D:<TrustedDomain> /Verify

Although it is easy to create trusts with the Active Directory Domains and Trusts snap-in, when it comes to verifying them the Netdom command-line utility makes more sense, because you can include the verification command in a batch file and run it every week to ensure the trust is still in place.
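As an added example (not the article's own script), here is that weekly check written in PowerShell instead of a batch file: it enumerates the domain's trusts with Get-ADTrust, verifies each one with the same Netdom /Verify command shown above, and also flags external or forest trusts that were created without selective authentication. The log path and the Test-AdTrust helper name are assumptions.

```powershell
# Added example, not from the original article. Assumes the ActiveDirectory
# module (RSAT) and netdom.exe are installed and the script runs as a member
# of Domain Admins in the trusting domain.
Import-Module ActiveDirectory

$logPath        = 'C:\Logs\TrustCheck.log'   # assumed path; adjust as needed
$trustingDomain = (Get-ADDomain).DNSRoot      # domain this script runs in
New-Item -ItemType Directory -Force -Path (Split-Path $logPath) | Out-Null

function Test-AdTrust {
    param([string]$Trusting, [string]$Trusted)
    # Same verification the article runs from a batch file:
    #   Netdom Trust <TrustingDomain> /D:<TrustedDomain> /Verify
    $output = & netdom.exe trust $Trusting "/d:$Trusted" /verify 2>&1
    [pscustomobject]@{
        Trusted  = $Trusted
        Verified = ($LASTEXITCODE -eq 0)
        Detail   = ($output | Out-String).Trim()
    }
}

$results = foreach ($trust in Get-ADTrust -Filter *) {
    $check = Test-AdTrust -Trusting $trustingDomain -Trusted $trust.Target

    # Selective authentication only applies to external and forest trusts,
    # not to shortcut trusts inside the forest, so only flag cross-forest ones.
    $crossForest = -not $trust.IntraForest
    $review      = $crossForest -and (-not $trust.SelectiveAuthentication)

    [pscustomobject]@{
        Trusted                 = $trust.Target
        Direction               = $trust.Direction
        ForestTrust             = $trust.ForestTransitive
        SelectiveAuthentication = $trust.SelectiveAuthentication
        SidFilteringQuarantined = $trust.SIDFilteringQuarantined
        Verified                = $check.Verified
        ReviewSelectiveAuth     = $review
    }
}

# Append one line per trust so week-over-week changes are easy to diff.
$stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
foreach ($r in $results) {
    "$stamp`t$($r.Trusted)`tdir=$($r.Direction)`tverified=$($r.Verified)" +
    "`tselectiveAuth=$($r.SelectiveAuthentication)" | Add-Content -Path $logPath
}

# Show only what needs attention: failed verification or missing selective auth.
$results | Where-Object { -not $_.Verified -or $_.ReviewSelectiveAuth } | Format-Table -AutoSize
```

Schedule it with Task Scheduler to run weekly; a non-empty table or a verified=False line in the log is the signal to investigate the trust.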


Nirmal Sharma

Nirmal Sharma is a MCSEx3, MCITP and was awarded the Microsoft MVP award in Directory Services and Windows Networking. He specializes in Microsoft Azure, Office 365, Directory Services, Failover Clusters, Hyper-V, PowerShell Scripting and System Center products. Nirmal has been involved with Microsoft Technologies since 1994. In his spare time, he likes to help others and share some of his knowledge by writing tips and articles on various sites.
