How to create a cross-forest trust in Active Directory


Gary Olsen, Contributor
03.11.2008


One of the important features of Windows Server 2003 was that Microsoft finally achieved the ability to create a true Kerberos trust between forests, also called a "cross-forest trust." This was noticeably missing in Windows 2000 Server, which allowed only NTLM or "external" trusts that did not have transitivity.

Building a cross-forest trust establishes a trust between the root domains of two forests, and any child domain in either forest can then access resources in the other forest without the explicit trust that Windows 2000 required.

Recently, I was working with a client to resolve an issue regarding Microsoft Exchange Server working across a trust. In that situation, it became necessary to create a new trust. Although the client's admins were experienced, they had never built a cross-forest trust.

For anyone who needs a refresher on how to build a cross-forest trust, here are the steps:

Background: In our scenario, let's consider two forests, Corp.net and ABC.com. There is a child domain, NA.corp.net, in the Corp.net forest, but ABC.com is a single domain forest. Our goal will be to create a two-way trust between the Corp.net domain and the ABC.com domain. Because it's a transitive trust, the NA domain will be able to use the trust as well.

Preparation is key for a cross-forest trust

Before creating the trust, there are a few issues that need to be addressed. First, ensure that the system time is synchronized. Because Kerberos will be used for authenticating the trust, the time skew between the two forests must be within five minutes -- or whatever the time skew is set to. The best way to do this is to manually check the system time on the PDC of the root domain of each forest and set both to point to the same external time source. If the time isn't in sync, the trust can be built but operations across it won't work because of authentication failure -- just like with any other time sync issue.

The next step is to provide DNS name resolution between the two forests. There are a number of ways to do this. In our scenario, you can configure a secondary zone for ABC.com to be hosted on the Corp.net DNS server, and a secondary zone of Corp.net on the ABC.com DNS server. The same thing could be accomplished using conditional forwarders or even simple forwarding. I prefer defining a conditional forwarder for each domain on the DNS servers in the other domains. Thus, Corp.net would be defined on ABC.com DNS servers and vice versa. After this is accomplished, make sure each domain name can be pinged from a client in the other domain.

Finally, both forests must be in Windows Server 2003 forest functional mode. Set all domains to Windows Server 2003 domain functional mode, and then set the forest mode.

Creating the trust in Active Directory

You can initiate the trust wizard from either domain, but do it from a DC -- preferably the PDC -- in the root domain of the forest.

There you have it. Although this procedure shows the creation of a two-way trust, similar steps would be used to create a one-way trust. Remember that the system time between the DCs in the two forests must be within the five-minute time skew, and name resolution must be maintained.
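The three prerequisites (time skew, name resolution, forest functional level) and the trust itself can also be handled from a script instead of the wizard. The following PowerShell script is an added example and is not code from the article or its author. It assumes it is run from an elevated session on a DC in the Corp.net forest root, that netdom.exe from the Windows Server 2003 Support Tools is installed, and that the two PDC host names are placeholders; the netdom switches used are the ones documented for that tool, and the w32tm and nslookup output formats it parses are the ones those tools print on Windows.

```powershell
# Added example (not from the article): pre-flight checks for the prerequisites described
# above, followed by creation and verification of the forest trust with netdom.
# Assumptions: elevated PowerShell on a DC in the Corp.net forest root; netdom.exe present
# (Windows Server 2003 Support Tools); the PDC host names below are placeholders.

$LocalForest    = "corp.net"
$RemoteForest   = "abc.com"
$LocalPdc       = "pdc-corp.corp.net"   # placeholder, not a name from the article
$RemotePdc      = "pdc-abc.abc.com"     # placeholder, not a name from the article
$MaxSkewSeconds = 300                   # Kerberos default tolerance: five minutes

# 1. Time. w32tm /stripchart prints this host's offset from the target as lines such as
#    "14:46:53, +00.0012926s"; the signed seconds value of the last sample is returned.
function Get-ClockOffsetSeconds([string]$Computer) {
    $out  = & w32tm /stripchart /computer:$Computer /samples:3 /dataonly 2>&1 | Out-String
    $hits = [regex]::Matches($out, '([+-]\d+\.\d+)s')
    if ($hits.Count -eq 0) { throw "No time samples from ${Computer}: $out" }
    return [double]$hits[$hits.Count - 1].Groups[1].Value
}

# 2. DNS. The forest name must resolve (the ping test above), and the DC locator SRV record
#    of the other forest must be answerable, or Kerberos and LDAP across the trust will fail.
function Test-ForestNameResolution([string]$Forest) {
    try { [void][System.Net.Dns]::GetHostAddresses($Forest) } catch { return $false }
    $out = & nslookup -type=SRV "_ldap._tcp.dc._msdcs.$Forest" 2>&1 | Out-String
    return ($out -match 'svr hostname')
}

# 3. Functional level. rootDSE publishes forestFunctionality; 2 means Windows Server 2003.
function Get-ForestFunctionality([string]$Forest) {
    $rootDse = [ADSI]"LDAP://$Forest/RootDSE"
    return [int]$rootDse.Properties["forestFunctionality"].Value
}

# 4. Trust. /passwordd:* and /passwordo:* prompt for the two administrator passwords instead
#    of placing them on the command line. SID filtering is enabled by default on a new forest
#    trust; leave it enabled.
function New-ForestTrust {
    & netdom trust $LocalForest /domain:$RemoteForest /add /twoway /foresttransitive:yes `
        /userd:"$RemoteForest\Administrator" /passwordd:* `
        /usero:"$LocalForest\Administrator" /passwordo:*
    if ($LASTEXITCODE -ne 0) { throw "netdom trust /add failed (exit code $LASTEXITCODE)" }
    & netdom trust $LocalForest /domain:$RemoteForest /verify /twoway
    return ($LASTEXITCODE -eq 0)
}

# Gate: every prerequisite must hold before the trust is built.
function Test-TrustPrerequisites {
    $ok = $true
    $localOffset  = Get-ClockOffsetSeconds $LocalPdc
    $remoteOffset = Get-ClockOffsetSeconds $RemotePdc
    # the skew between the two PDCs is the difference of their offsets from this host
    $pdcSkew = [math]::Abs($remoteOffset - $localOffset)
    Write-Host ("Clock skew between {0} and {1}: {2:N3}s" -f $LocalPdc, $RemotePdc, $pdcSkew)
    if ($pdcSkew -gt $MaxSkewSeconds) { Write-Warning "Time skew exceeds $MaxSkewSeconds seconds"; $ok = $false }
    foreach ($forest in @($LocalForest, $RemoteForest)) {
        if (-not (Test-ForestNameResolution $forest)) { Write-Warning "Name resolution for $forest failed"; $ok = $false }
        if ((Get-ForestFunctionality $forest) -lt 2) { Write-Warning "$forest is below Windows Server 2003 forest functional level"; $ok = $false }
    }
    return $ok
}

if (Test-TrustPrerequisites) {
    if (New-ForestTrust) { Write-Host "Two-way forest trust between $LocalForest and $RemoteForest created and verified." }
} else {
    Write-Warning "Fix the prerequisites above before creating the trust."
}
```

The script refuses to run netdom until all three checks pass, which matches the order the article insists on: a trust built over a skewed clock or broken name resolution is created successfully but fails at authentication time. The SRV lookup goes a step beyond the article's ping test, because it is the DC locator record, not the bare domain A record, that clients in one forest use to find a DC in the other.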

Gary Olsen is a systems software engineer for Hewlett-Packard in Global Solutions Engineering. He wrote Windows 2000: Active Directory Design and Deployment and co-authored Windows Server 2003 on HP ProLiant Servers. Olsen is a Microsoft MVP for Windows Server-File Systems.
