Managing Active Directory trusts in Windows Server 2016

Active Directory trusts can be created between Active Directory domains and Active Directory forests. A trust allows you to maintain a relationship between the two domains to ensure resources in domains can be accessed by users. All the trusts between domains in an Active Directory forest are transitive and two-way trusts. So there is no need to create a trust between domains of the same Active Directory forest, but you will be required to create a trust between domains of different Active Directory forests if you need to allow users from one domain to access resources in another domain in a different Active Directory forest. This article explains available trust types in Windows Server 2016 and how you can manage them using the built-in tools that ship when you install Active Directory on a Windows Server 2016 computer.

Types of Active Directory trusts

There are four types of Active Directory trusts available — external trusts, realm trusts, forest trusts, and shortcut trusts. Each is explained below:

  • External trust: You will create an external trust only if the resources are located in a different Active Directory forest. An external trust is always nontransitive and it can be a one-way or two-way trust.
  • Realm trust: Realm trusts are always created between the Active Directory forest and a non-Windows Kerberos directory such as eDirectory, Unix Directory, etc. The trust can be transitive or nontransitive, and the trust direction can be one-way or two-way. If you are running different directories in your production environment and need to allow users to access resources in either of the directories, you will need to establish a realm trust.
  • Forest trust: You will be required to create a forest trust if you need to allow resources to be shared between Active Directory forests. Forest trusts are always transitive and the direction can be one-way or two-way.
  • Shortcut trust: You may want to create a shortcut trust between domains of the same Active Directory forest if you need to improve the user login experience. The shortcut trust is always transitive and direction can be one-way or two-way.

Important points about Active Directory trusts

When creating Active Directory trusts, please take a note of the following points:

  • You need sufficient permissions to perform the trust creation operation. At a minimum, you must be a member of the Domain Admins or Enterprise Admins security group, or you must have been granted the necessary permissions to create trusts.
  • As part of the trust creation operation, you will be required to verify the trust between the two sides. Verification can be done by using the Active Directory Domains and Trusts snap-in or the Netdom command-line tool.
  • When creating external or forest trusts, you can select the authentication scope for users. Selective authentication allows you to restrict access to only those identities in the trusted Active Directory forest that have been explicitly granted permissions on resource computers in the trusting Active Directory forest. This restricted-access scenario is achieved by using the Selective Authentication feature, which is applicable only to external and forest trusts.

How to create a trust

You can use the Active Directory Domains and Trusts snap-in or the Netdom command-line tool to create the trusts explained above. For example, to create an external trust using the Active Directory Domains and Trusts snap-in, follow these steps:

  1. Type Domain.msc in the search bar in Start Menu.
  2. Right-click on the domain node and then click on the Properties action.
  3. On the Trusts tab, click New Trust and then click Next to start the wizard.
  4. In the Trust Name field, type in the DNS name of the domain and then click Next button.
  5. In the Trust Type drop-down, select the type of trust you would like to create. Since we are creating an external trust, select External Trust and then click Next button.
  6. On the page where it says “Direction of the Trust,” select direction and then follow the on-screen steps to continue creating the trust.

To create an external trust using the Netdom command-line tool, execute this command:

Netdom Trust <TrustingDomain> /D:<TrustedDomain> /Add

<TrustingDomain> in the above command is the DNS domain name of the trusting domain and <TrustedDomain> is the DNS domain name of the domain that will be trusted in the trust.

Verifying trusts

Once you have created trusts, you can verify them by using the Active Directory Domains and Trusts snap-in or the Netdom command-line tool, but it is best to verify the trusts by using Netdom. All you need to do is specify the DNS domain names of the trusting and trusted domains and then add the “/Verify” switch as shown in the command below:

Netdom Trust <TrustingDomain> /D:<TrustedDomain> /Verify

Although it is easy to create trusts using the Active Directory Domains and Trusts snap-in, when it comes to verifying the trust, using the Netdom command-line utility makes sense, as it allows you to include the verification command in a batch file and run it every week to ensure the trust is in place.
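The following PowerShell script is an added example, not part of the original article, that turns the weekly verification idea above into a reusable check and also reports the selective-authentication setting discussed in the "Important points" section. It assumes the RSAT ActiveDirectory module and netdom.exe are available on the machine where it runs, and that the account has rights to query trusts.

```powershell
# Added example (not from the article): inventory every trust of the local domain,
# run the same "netdom trust <trusting> /d:<trusted> /verify" check the article
# describes for each one, and flag settings a defender should look at.
# Assumes the RSAT ActiveDirectory module and netdom.exe are installed.
Import-Module ActiveDirectory

$localDomain = (Get-ADDomain).DNSRoot

$report = foreach ($t in Get-ADTrust -Filter *) {
    $partner = $t.Target   # DNS name of the other side of the trust

    # netdom verifies the secure channel from the trusting to the trusted domain.
    # For an inbound-only trust the local domain is the trusted side, so swap.
    $trusting, $trusted = $localDomain, $partner
    if ($t.Direction -eq 'Inbound') { $trusting, $trusted = $partner, $localDomain }

    $out = & netdom trust $trusting "/d:$trusted" /verify 2>&1 | Out-String
    $verified = ($LASTEXITCODE -eq 0)

    [pscustomobject]@{
        Partner                 = $partner
        Direction               = $t.Direction              # Inbound / Outbound / BiDirectional
        TrustType               = $t.TrustType              # e.g. Uplevel for an AD domain
        ForestTransitive        = $t.ForestTransitive       # $true for a forest trust
        IntraForest             = $t.IntraForest            # $true for shortcut/parent-child
        SelectiveAuthentication = $t.SelectiveAuthentication
        SidFilteringQuarantined = $t.SIDFilteringQuarantined
        Verified                = $verified
        NetdomOutput            = $out.Trim()
    }
}

$report | Format-Table Partner, Direction, TrustType, ForestTransitive,
    SelectiveAuthentication, Verified -AutoSize

# External/forest trusts without selective authentication let every user of the
# trusted side authenticate to every resource computer in the trusting domain;
# a failed /verify usually means a broken trust password or secure channel.
foreach ($r in $report) {
    if (-not $r.IntraForest -and -not $r.SelectiveAuthentication) {
        Write-Warning "Trust with $($r.Partner) uses domain-wide authentication; consider selective authentication."
    }
    if (-not $r.Verified) {
        Write-Warning "Trust verification FAILED for $($r.Partner):`n$($r.NetdomOutput)"
    }
}
```

Run it from a scheduled task (for example one created with Register-ScheduledTask) to get the recurring weekly check the article recommends.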

3 thoughts on “Managing Active Directory trusts in Windows Server 2016”

  1. Hello Mr. Nirmal, I am going to set up Active Directory and a Domain Controller on a Windows 2016 server. That server already has a few applications running. When I tried the same on Windows 10, it didn’t affect any of my applications. What about the server? Will it impact other applications to install Active Directory and a domain controller, and then bind my application to AD? Kindly help me out.
    Regards,
    Padma

  2. Hello Mr. Sharma, please help me and guide me on how I can upgrade the schema of domain controllers on 5 different sites. If all sites are off and only the primary site with one additional domain controller is on, what will I have to do? Because when I start upgrading the schema using the Windows Server 2016 CD on Windows Server 2012 R2, it gives the error “ldap” “error 0x”.

  3. Creating a domain or forest trust relationship is not necessarily a part of trust relationship management. What about the other tasks of “Managing Domain and Forest Trust Relationships”?
    Validating a trust relationship is only one aspect of trust relationship management. You also should cover the steps to be able to perform the following trust relationship management tasks:
    Changing Authentication Scope
    Configuring Name Suffix Routing
    Removing a Trust Relationship
