How to create and verify an Active Directory forest external trust

You create trusts between Active Directory domains and forests so that users in one directory can access resources in the other. Domains within the same forest need no manual trusts: every domain in a forest is linked by automatic two-way transitive trusts, and access then depends only on whether the user is authorized on the resource. When users from a different forest must reach resources in your production Active Directory, you need to create an external trust. This article explains two ways to create an external trust and how to verify that the trust is in place.

Setting up an external trust

Creating an external trust between Active Directory forests is straightforward, but make sure the following requirements are met before you proceed:

  • Log on with an account that is a member of Domain Admins (or Enterprise Admins). Creating an external trust requires the highest privileges because you are opening resources in your production Active Directory to accounts from another forest.
  • Set up DNS correctly in both forests. This is a mandatory step: the trust wizard and NetDom must be able to resolve the other forest's domain name (and the SRV records of its domain controllers) before the trust can be created. Create a conditional forwarder for the other domain on the DNS servers of each forest, pointing at the other forest's DNS servers.
  • Open the firewall ports the trust needs between the domain controllers of both forests, in both directions: DNS (TCP/UDP 53), Kerberos (TCP/UDP 88 and 464), the RPC endpoint mapper (TCP 135) plus the dynamic RPC port range, LDAP (TCP/UDP 389, TCP 636), and SMB (TCP 445).
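The checks above can be scripted. The following PowerShell snippet is an added example, not part of the original article: run on a domain controller of the local forest, it creates the conditional forwarder for the other domain, confirms that the other domain's domain controllers resolve, and probes the fixed trust ports against each of them. The domain name and the DNS server addresses are assumptions for illustration.

```powershell
# Added example: prerequisite checks for an external trust, run on a DC of the
# local forest. The names and addresses below are assumptions for illustration.
#Requires -Modules DnsServer, DnsClient, NetTCPIP
$TargetDomain   = 'example.com'                  # assumed remote (trusted) domain
$TargetDnsHosts = @('10.20.0.10', '10.20.0.11')  # assumed DNS servers of that forest

# 1. Conditional forwarder for the remote domain, replicated to every DNS server
#    in this forest. The remote side needs the mirror-image entry for our domain.
if (-not (Get-DnsServerZone -Name $TargetDomain -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $TargetDomain `
        -MasterServers $TargetDnsHosts -ReplicationScope Forest
}

# 2. The trust setup needs the remote domain's DC locator records to resolve.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$TargetDomain" -Type SRV -ErrorAction Stop
$dcs = $srv | Where-Object { $_.Type -eq 'SRV' } |
       Select-Object -ExpandProperty NameTarget -Unique

# 3. Fixed ports a trust needs between DCs: DNS 53, Kerberos 88, RPC endpoint
#    mapper 135, LDAP 389/636, SMB 445, Kerberos password change 464.
#    The dynamic RPC range (49152-65535 by default) is not probed here.
$ports = 53, 88, 135, 389, 445, 464, 636
foreach ($dc in $dcs) {
    foreach ($p in $ports) {
        $r = Test-NetConnection -ComputerName $dc -Port $p -WarningAction SilentlyContinue
        $state = if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' }
        '{0,-40} {1,5} {2}' -f $dc, $p, $state
    }
}
```

Any line reporting BLOCKED must be fixed before the trust wizard is run; a trust that is created while some of these ports are closed typically fails later at verification or at first use rather than at creation.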

Once these requirements are met, you can create the external trust in one of two ways: with the Active Directory Domains and Trusts snap-in or with the NetDom command line tool. NetDom creates the trust quickly, but because an external trust is a one-time operation many Active Directory admins prefer the snap-in, whose wizard walks through each option and leaves less room for mistakes.

Steps to create an external trust

  1. Log on to a domain controller with an account that is a member of the Domain Admins or Enterprise Admins security group.
  2. Open the Active Directory Domains and Trusts snap-in from the Start menu, or type domain.msc in Start Search.
  3. In the snap-in, right-click the domain and click Properties. In the Properties dialog, switch to the “Trusts” tab.
  4. On the Trusts tab, click the “New Trust” button, then click Next to start the New Trust Wizard.
  5. A few items to consider as you go through the wizard:
     • If you have credentials for both forests, you can create both sides of the external trust at once by choosing “Both this domain and the specified domain” on the Sides of Trust page.
     • On the Outgoing Trust Authentication Level page, “Domain-wide authentication” lets users from the other domain authenticate to all resources in this domain, while “Selective authentication” allows access only to the computers on which you explicitly grant the “Allowed to Authenticate” permission. Selective authentication is the least-privilege choice and the safer option for a trust to a forest you do not control.
  6. Enter the target domain name, as either an FQDN or a NetBIOS name.
  7. On the Trust Type page, select “External trust” and click Next.
  8. On the Direction of Trust page, select “One-way” or “Two-way”; the options that follow depend on your choice.
  9. Follow the remaining pages of the wizard to finish creating the trust.

If you would rather create the external trust with the NetDom command line tool, the following command creates a two-way external trust between the local Active Directory domain and the target domain (you will be prompted for, or can supply with /UserD and /PasswordD, an account that is a Domain Admin in the target domain):

NetDom Trust TechGenix.com /D:Example.TechGenix.Com /Add /Twoway

NetDom has several other switches. For example, “/SelectiveAUTH:Yes” enables selective authentication for the trust, and “/Quarantine” shows or sets SID filtering. SID filtering is enabled by default on an external trust and should stay enabled: it discards any SIDs belonging to your forest that arrive in a user's SIDHistory from the trusted forest, so an administrator (or attacker) in that forest cannot grant themselves membership of your privileged groups.

As noted earlier, the Active Directory Domains and Trusts snap-in is the easy way to create an external trust, since that is a one-time operation. Verifying the trust, however, is something you should do regularly to ensure it is still in place, and for that NetDom is preferable. To verify the trust with NetDom, run:

NetDom Trust TechGenix.com /D:Example.TechGenix.Com /Verify
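The NetDom creation and verification commands above can be wrapped in a script that also pins the least-privilege settings and reads the resulting trust object back from Active Directory. The following PowerShell is an added example, not part of the original article: it creates both sides of a two-way external trust with selective authentication, then verifies the secure channel with NetDom and checks the trust attributes with Get-ADTrust from the ActiveDirectory RSAT module. The domain names and the credential prompt are assumptions for illustration.

```powershell
# Added example: create a two-way external trust with NetDom, keep the
# least-privilege settings, then verify it. Domain names are assumptions.
#Requires -Modules ActiveDirectory
$LocalDomain  = 'techgenix.com'   # assumed trusting domain we are logged on to
$TargetDomain = 'example.com'     # assumed remote (trusted) domain
$RemoteAdmin  = Get-Credential -Message "Domain Admin account in $TargetDomain"
$RemotePw     = $RemoteAdmin.GetNetworkCredential().Password

# Create both sides at once. /UserD and /PasswordD authenticate to the remote
# domain, /Twoway makes the trust bidirectional, and /SelectiveAuth:Yes means no
# account from the other forest can authenticate to a computer here until it is
# granted "Allowed to Authenticate" on that computer object.
& netdom trust $LocalDomain "/d:$TargetDomain" /add /twoway `
    "/UserD:$($RemoteAdmin.UserName)" "/PasswordD:$RemotePw" /SelectiveAuth:Yes
if ($LASTEXITCODE -ne 0) { throw "netdom trust /add failed with exit code $LASTEXITCODE" }

function Test-ExternalTrust {
    param([string]$Trusting, [string]$Trusted)
    # The secure-channel check the article describes, plus the trust attributes
    # that decide how much the other forest can do here.
    & netdom trust $Trusting "/d:$Trusted" /verify | Out-Null
    $verifyOk = ($LASTEXITCODE -eq 0)
    $t = Get-ADTrust -Filter "Target -eq '$Trusted'" -Properties *
    [pscustomobject]@{
        Target                  = $t.Target
        Direction               = $t.Direction               # BiDirectional expected
        IsForestTrust           = $t.ForestTransitive        # $false for an external trust
        SelectiveAuthentication = $t.SelectiveAuthentication # $true as created above
        SidFiltering            = $t.SIDFilteringQuarantined # must stay $true
        SecureChannelVerified   = $verifyOk
    }
}

$status = Test-ExternalTrust -Trusting $LocalDomain -Trusted $TargetDomain
$status | Format-List
if (-not $status.SecureChannelVerified) {
    Write-Warning "Trust to $TargetDomain failed NetDom verification"
}
if (-not $status.SidFiltering) {
    Write-Warning "SID filtering is off: SIDs from $LocalDomain injected via SIDHistory in $TargetDomain would be honoured here"
}
```

Test-ExternalTrust is the part worth scheduling: run it on its own from a regular job and alert when SecureChannelVerified or SidFiltering is false, since either condition means the trust is no longer in the state it was created in.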

Two ways to do it

We explained how to create an external trust between Active Directory forests with both the Active Directory Domains and Trusts snap-in and the NetDom command line tool, and how to verify it. If the need arises, you now know how to do it.
