Set up a 2-way trust between 2 Active Directory Forests/Domains

This blog describes setting up a trust between two domains/forests. For this blog I used Microsoft Windows Server 2022. A prerequisite for the 2-way trust to work is that the necessary firewall ports are open between the domain controllers.

Check the link below to see which network ports are needed for the 2-way trust.
https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/config-firewall-for-ad-domains-and-trusts

The following tasks need to be executed:

  • Set up DNS Conditional Forwarders
  • Verify connectivity between the Domain Controllers
  • Create the trust

Scenario:

  • One Domain Controller (Forest name and Domain name domainA.lan)
  • One Domain Controller (Forest name and Domain name domainB.lan)
  • Domain Controller in domainA.lan domain has the following information:
    FQDN : srv-ms-dc01.domainA.lan
    IP: 192.168.41.10
  • Domain Controller in domainB.lan domain has the following information:
    FQDN : srv-ms-dc02.domainB.lan
    IP : 192.168.41.50
  • A service account with the same password was created in both domains

Note: The domain names in the screenshot differ from those used in the blog.

Set up DNS Conditional Forwarders

This part describes how to create the DNS Conditional Forwarders with PowerShell or through the GUI.

Create DNS Conditional Forwarders with PowerShell

On the Domain Controller in domainA, open PowerShell with administrative rights and execute the following command:

Add-DnsServerConditionalForwarderZone -Name <domain name B> -MasterServers <IP Address DC in domainB>

On the Domain Controller in domainB, open PowerShell with administrative rights and execute the following command:

Add-DnsServerConditionalForwarderZone -Name <domain name A> -MasterServers <IP Address DC in domainA>

The next step is verifying that the DNS Conditional Forwarders resolve names in the remote domain.

On the Domain Controller in domainA, open the DNS Manager snap-in from Administrative Tools and expand Conditional Forwarders.

Right-click the Domain Name and select Properties.

Select Edit (see the screenshot below).

When the validation shows OK, the Conditional Forwarder is working correctly.

Also execute this test on the Domain Controller in domainB.

When both Conditional Forwarders validate correctly, we continue with the trust.

Create DNS Conditional Forwarders through the GUI

Open the DNS Manager on both Domain Controllers in both Domains.

Right-click on the Conditional Forwarders and select New Conditional Forwarder.

Enter the domain name (domainB.lan) and the IP address of the Domain Controller in domainB.

Select the option "Store this conditional forwarder in Active Directory, and replicate it as follows" and leave the replication scope at All DNS servers in this forest.

Select OK to store the newly created Conditional Forwarder. The validation is not executed yet.

The new conditional forwarder is created. Right-click the domain name and select Properties.

The properties of the newly created conditional forwarder open; select Edit.

If validation succeeds, the dialog shows OK.

Execute the same steps on the Domain Controller in domainB.

Use the name of domainA and enter the IP address of the Domain Controller in domainA. Multiple IP addresses of Domain Controllers can be added.

After creating the conditional forwarder, re-open its properties to check that validation succeeded.

The Conditional Forwarders are now created on both domains.
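
The task list at the top also names verifying connectivity between the Domain Controllers, which the post does not show. The PowerShell below is an added example (not part of the original post) that runs on the domainA Domain Controller and checks that the conditional forwarder resolves the domainB DC locator records and that the fixed ports a trust needs are reachable; the hostnames come from the scenario above, and the port list is an assumed subset of the linked Microsoft article (the RPC dynamic range is not probed).

```powershell
# Added example: run on srv-ms-dc01.domainA.lan (scenario values assumed from the post).
$RemoteDomain = 'domainB.lan'
$RemoteDc     = 'srv-ms-dc02.domainB.lan'

# 1. The conditional forwarder zone must exist locally and point at the remote DC.
$fwd = Get-DnsServerZone -Name $RemoteDomain -ErrorAction Stop
if ($fwd.ZoneType -ne 'Forwarder') { throw "$RemoteDomain is not a conditional forwarder zone" }
"Forwarder for $RemoteDomain -> $($fwd.MasterServers -join ', ')"

# 2. Trust creation needs the remote DC locator (SRV) record and the DC's A record.
$queries = @(
    @{ Name = "_ldap._tcp.dc._msdcs.$RemoteDomain"; Type = 'SRV' },
    @{ Name = $RemoteDc;                             Type = 'A'   }
)
foreach ($q in $queries) {
    try {
        $null = Resolve-DnsName -Name $q.Name -Type $q.Type -ErrorAction Stop
        "OK   $($q.Type) $($q.Name)"
    } catch {
        "FAIL $($q.Type) $($q.Name): $($_.Exception.Message)"
    }
}

# 3. Fixed TCP ports used by the trust (assumed subset of the linked Microsoft article;
#    RPC additionally needs the dynamic range 49152-65535, which is not probed here).
$Ports = @{ 53 = 'DNS'; 88 = 'Kerberos'; 135 = 'RPC endpoint mapper'; 389 = 'LDAP';
            445 = 'SMB'; 464 = 'Kerberos password change'; 636 = 'LDAPS';
            3268 = 'Global Catalog'; 3269 = 'Global Catalog SSL' }
foreach ($p in ($Ports.Keys | Sort-Object)) {
    $t = Test-NetConnection -ComputerName $RemoteDc -Port $p -WarningAction SilentlyContinue
    $state = if ($t.TcpTestSucceeded) { 'open' } else { 'BLOCKED' }
    '{0,-8} {1,-5} {2}' -f $state, $p, $Ports[$p]
}
```

Run the same script on the domainB Domain Controller with the names swapped; any BLOCKED port or FAIL lookup must be fixed before creating the trust.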

Create the two-way trust between the Forests/Domains

The next step is creating the two-way trust between the 2 forests/domains.

Create the two-way trust with PowerShell

Netdom cannot be used to create a forest trust between two AD DS Forests. To create a cross-forest trust between two AD DS Forests use the script below.

Source: http://technet.microsoft.com/en-us/library/cc835085%28v=ws.10%29.aspx

The CreateTrustRelationship method accepts one of three trust directions:

  • Bidirectional
  • Inbound
  • Outbound

Because we are creating a two-way trust the option should be Bidirectional.

Script:

# Change the following parameters
$strRemoteForest = "<domainB>"
$strRemoteAdmin = "domainB\<username>"
$strRemoteAdminPassword = "<password>"   # consider prompting with Get-Credential instead of storing a password in the script
# Directory context for the remote forest, authenticated with the remote admin account
$remoteContext = New-Object -TypeName "System.DirectoryServices.ActiveDirectory.DirectoryContext" -ArgumentList @( "Forest", $strRemoteForest, $strRemoteAdmin, $strRemoteAdminPassword)
try {
    $remoteForest = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($remoteContext)
    #Write-Host "GetRemoteForest: Succeeded for domain $($remoteForest)"
}
catch {
    Write-Warning "GetRemoteForest: Failed:`n`tError: $($_.Exception.Message)"
    return   # without the remote forest object the trust cannot be created
}
Write-Host "Connected to Remote forest: $($remoteForest.Name)"
$localForest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
Write-Host "Connected to Local forest: $($localForest.Name)"
try {
    # Direction is Bidirectional, Inbound or Outbound; Bidirectional creates the two-way trust
    $localForest.CreateTrustRelationship($remoteForest, "Bidirectional")
    Write-Host "CreateTrustRelationship: Succeeded for domain $($remoteForest)"
}
catch {
    Write-Warning "CreateTrustRelationship: Failed for domain $($remoteForest)`n`tError: $($_.Exception.Message)"
}

Open Active Directory Domains and Trusts on the Domain Controller in domainA. Right-click the domain name and select Properties.

Select the Trusts tab and check that domainB is listed under both outgoing and incoming trusts. Check this also on the Domain Controller in domainB.

If both Domain Controllers show the trust, the two-way trust is successfully created.
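
The trust can also be checked from PowerShell on both sides instead of only in the snap-in. The script below is an added example, not part of the original post; it assumes the ActiveDirectory module (RSAT) is available on both Domain Controllers and uses the scenario's hostnames. Besides direction and transitivity it reports the SID filtering and selective authentication settings, which decide how much the partner forest's accounts can do in yours.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-TrustReport {
    param(
        [string]$Server,    # DC to query, e.g. srv-ms-dc01.domainA.lan (assumed from the post)
        [string]$Partner    # forest on the other side of the trust, e.g. domainB.lan
    )
    $trust = Get-ADTrust -Filter "Target -eq '$Partner'" -Server $Server -Properties *
    if (-not $trust) { return "$Server : no trust object found for $Partner" }
    [pscustomobject]@{
        Server           = $Server
        Partner          = $trust.Target
        Direction        = $trust.Direction          # expect BiDirectional for the two-way trust
        ForestTransitive = $trust.ForestTransitive   # $true for a forest trust
        # SID filtering (quarantine) drops SIDs from outside the partner forest in its users'
        # tokens; leave it on, otherwise SID history from the partner is honoured here.
        SIDFilteringForestAware = $trust.SIDFilteringForestAware
        SIDFilteringQuarantined = $trust.SIDFilteringQuarantined
        # Forest-wide authentication (chosen in the wizard) lets every partner user
        # authenticate to every resource; selective authentication instead requires an
        # explicit "Allowed to authenticate" grant on each resource server.
        SelectiveAuthentication = $trust.SelectiveAuthentication
    }
}

# Check both sides of the scenario's two-way trust (hostnames assumed from the post).
Get-TrustReport -Server 'srv-ms-dc01.domainA.lan' -Partner 'domainB.lan'
Get-TrustReport -Server 'srv-ms-dc02.domainB.lan' -Partner 'domainA.lan'
```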

Create the two-way trust through the GUI

Open the Active Directory Domains and Trusts Snap-in from the Administrative Tools on the Domain Controller in domainA.

Right-click the domain name and select Properties.

Select the tab Trusts.

Select New Trust.

Select Next in the Welcome window.

Enter the domainB name in the field and select Next to continue.

Select Forest trust and select Next to continue.

Select Two-way and select Next to continue.

Select Both this domain and the specified domain and select Next to continue.

Enter the credentials of an admin account from domainB and select Next to continue.

Select Forest-wide authentication and select Next to continue. Execute this twice: the wizard asks once for the local forest and once for the specified forest.

Select Next in the Trust Selections Complete window.

Select Next in the Trust Creation Complete window.

Select Yes, confirm the outgoing trust and select Next to continue.

Execute this also for the Incoming Trust.

Select Finish to finalize the two-way trust configuration.

Check on both Domain Controllers in the Active Directory Domains and Trusts snap-in that the trust appears under both Incoming and Outgoing trusts.

This Post Has 4 Comments

  1. Gokhan

    It will be nice if you can fix the missing pictures.

    1. sander

      Sorry for the inconvenience. Fixed the issue with the missing pictures.

  2. Mike Stoltzfus

    I am looking for a way to create a one-way outbound external trust (NOT transitive) using PowerShell. I have tried using the “Outbound” argument with $localForest.CreateTrustRelationship, but that still creates a one-way *Forest* trust, which is transitive. Is there a way to create an External trust using PowerShell?
    Thanks for any advice!
