2.16. Creating a Transitive Trust Between Two AD Forests

Warning

This recipe requires the Windows Server 2003 forest functional level in both forests.

Problem

You want to create a transitive trust between two AD forests so that every domain in one forest trusts every domain in the other, without having to create individual external trusts between the domains.

Solution

Using a graphical user interface

  1. Open the Active Directory Domains and Trusts snap-in.

  2. In the left pane, right click the forest root domain and select Properties.

  3. Click on the Trusts tab.

  4. Click the New Trust button.

  5. After the New Trust Wizard opens, click Next.

  6. Type the DNS name of the forest root domain of the other AD forest and click Next.

  7. Select Forest trust and click Next.

  8. Complete the wizard by stepping through the rest of the configuration screens. They ask for the direction of the trust (select Two-way), whether to create both sides of the trust now (this requires credentials for an account in the other forest) and the outgoing trust authentication level (Forest-wide authentication, the default, or Selective authentication).

Using a command-line interface

> netdom trust <Forest1DNSName> /Domain:<Forest2DNSName> /Twoway /Transitive /ADD[RETURN]
         [/UserD:<Forest2AdminUser> /PasswordD:*][RETURN]
         [/UserO:<Forest1AdminUser> /PasswordO:*]

For example, to create a two-way forest trust from the AD forest rallencorp.com to the AD forest othercorp.com, use the following command:

> netdom trust rallencorp.com /Domain:othercorp.com /Twoway /Transitive /ADD[RETURN]
         /UserD:administrator@othercorp.com /PasswordD:*[RETURN]
         /UserO:administrator@rallencorp.com /PasswordO:*
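The whole procedure as one script, added here as a worked example and not part of the Cookbook's own text: it uses the System.DirectoryServices.ActiveDirectory .NET classes from PowerShell to check the forest functional level the Warning above calls for, create both sides of the two-way forest trust between rallencorp.com and othercorp.com (the forest names from the recipe), verify it, and then inspect the two settings a security engineer will want to look at afterwards, selective authentication and SID filtering; that last part goes a step beyond the recipe. The $RemoteCred credential prompt and the requirement to run the script from a machine joined to rallencorp.com are assumptions of this example.

```powershell
# Added example (not from the Active Directory Cookbook): create, verify and
# review a two-way forest trust with System.DirectoryServices.ActiveDirectory.
# Run as an Enterprise Admin of the local forest; $RemoteCred must be an
# Enterprise Admin of the other forest (assumed credential prompt).
Add-Type -AssemblyName System.DirectoryServices

$LocalForestName  = 'rallencorp.com'   # forest names from the recipe
$RemoteForestName = 'othercorp.com'
$RemoteCred = Get-Credential -Message "Enterprise Admin in $RemoteForestName"

# Bind to the local forest with the caller's credentials (assumes the script
# runs on a member of rallencorp.com) ...
$localForest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
if ($localForest.Name -ne $LocalForestName) {
    throw "Run this from a machine in $LocalForestName (current forest: $($localForest.Name))"
}

# ... and to the remote forest with the supplied credentials.
$remoteContext = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext -ArgumentList @(
    [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Forest,
    $RemoteForestName,
    $RemoteCred.UserName,
    $RemoteCred.GetNetworkCredential().Password)
$remoteForest = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($remoteContext)

# Forest trusts need the Windows Server 2003 forest functional level on both
# sides (see the Warning at the top of the recipe).
foreach ($f in @($localForest, $remoteForest)) {
    if (@('Windows2000Forest', 'Windows2003InterimForest') -contains "$($f.ForestMode)") {
        throw "$($f.Name) is at forest functional level $($f.ForestMode); Windows Server 2003 level is required"
    }
}

# Create both sides of the forest trust in one call. This is the equivalent of
# the netdom /Twoway /ADD invocation with /UserD and /UserO credentials.
$direction = [System.DirectoryServices.ActiveDirectory.TrustDirection]::Bidirectional
$localForest.CreateTrustRelationship($remoteForest, $direction)

# Confirm the shared trust secret works; this throws if the trust is broken.
$localForest.VerifyTrustRelationship($remoteForest, $direction)

# Show what was created and which name suffixes are now routed across it.
$trust = $localForest.GetTrustRelationship($RemoteForestName)
'{0} -> {1}: type={2} direction={3}' -f $trust.SourceName, $trust.TargetName,
                                          $trust.TrustType, $trust.TrustDirection
$trust.TopLevelNames | ForEach-Object { '  suffix {0}: {1}' -f $_.Name, $_.Status }

# Forest-wide authentication is the default: every user in othercorp.com is a
# member of Authenticated Users on every rallencorp.com resource. Selective
# authentication limits the trust to principals explicitly granted the
# "Allowed to Authenticate" right on individual computer objects.
if (-not $localForest.GetSelectiveAuthenticationStatus($RemoteForestName)) {
    Write-Warning "Trust to $RemoteForestName uses forest-wide authentication"
    $localForest.SetSelectiveAuthenticationStatus($RemoteForestName, $true)
}

# SID filtering (quarantine) is on by default for forest trusts and should stay
# on: without it, SIDs from this forest planted in SIDHistory on the other side
# would be honoured here.
if (-not $localForest.GetSidFilteringStatus($RemoteForestName)) {
    Write-Warning "SID filtering is disabled on the trust to $RemoteForestName"
}
```

After the script has run, the trust should also appear on the Trusts tab of the forest root domain in Active Directory Domains and Trusts, and netdom trust rallencorp.com /Domain:othercorp.com /Verify should report success from the command line.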

Discussion

A new type of trust called a forest trust was introduced in Windows Server 2003. Under Windows 2000, if you wanted to create a fully trusted environment between two forests, you would have to set up individual ...
