Intro
In this tutorial, we'll walk through establishing a domain "trust" between two Active Directory ("AD") domains we've created, "ad.exampledomain.com" and "ad.demodomain.com". Trusts are a commonly used feature of Active Directory in enterprise IT, and they allow one domain to grant access to resources for users of the other domain, and vice versa ("two-way" trust). For simplicity's sake, we'll write this article as if you'll be setting up both sides of the trust, but just know that the same steps would apply even if you're working with another administrator on the other domain's side.
Prerequisites
This tutorial has a few prerequisites and will make some assumptions about your environment:
1. You have two separate Active Directory ("AD") domains completely configured on their respective domain controllers
2. You have set up and confirmed connectivity between your domain controllers. The method by which your domain controllers are connected (e.g. an IPsec tunnel) is not particularly important, as long as they are able to reliably communicate with each other. Don't forget to update any DNS settings as necessary.
3. You (and/or your partner domain administrator) have securely established a shared domain trust password to use.
NOTE: This tutorial is written for Windows Server 2022 (with a Windows Server 2016 functional level domain), but the steps shown here are nearly identical for versions as old as Server 2008. The overall concepts and steps to creating an AD trust haven't changed much over the years. This tutorial does not apply to creating trusts with a Kerberos realm.
Steps
1. In Server Manager, open the "Tools" menu and select "Active Directory Domains and Trusts"
2. Right-click on the name of your domain and select "Properties"

3. In the domain Properties window, select the "Trusts" tab and click "New Trust"

4. The "New Trust Wizard" should open. Click "Next" to start configuring the trust.

5. For the new Trust Name, enter the name of the other domain, in our case, "ad.exampledomain.com"

At this point, if you're prompted to choose a "Trust Type" of either a "Realm trust" or a "Trust with a Windows domain", this probably means that this domain controller ("DC") can't contact the controller for the other domain. Double-check connectivity between the two DCs and ensure that you've added the appropriate DNS forwarder settings.

6. If the other domain can be contacted, you'll be prompted to choose the "Trust Type", either an "External trust" or a "Forest trust". The decision here will be based on your specific use case, but it boils down to this: Select "External trust" if you want a 1:1 trust only between your domain and the other domain. Select "Forest trust" if you want all domains in your forest to be trusted by all domains in the other forest, and vice versa. This is useful for larger organizations that may be using multiple domains. We're choosing "External trust" for this example.

7. Now, select the "Direction of Trust", either "Two-way", "One-way: incoming", or "One-way: outgoing". The definitions here are fairly straightforward and will, again, be determined by your specific use case. We'll choose "Two-way" for this example.

8. Now, you'll be prompted to choose the "Sides of Trust". This gives you the option to create both sides of the AD trust at the same time by selecting "This domain and the specified domain". This is very useful if you have the appropriate credentials for the other domain, as it saves you from repeating these steps on the other DC. For this example though, we'll choose "This domain only", which means we'll need to follow the same steps on our other DC before the trust will be fully configured.

9. You'll now be prompted to choose the "Outgoing Trust Authentication Level". If you want users of the other domain to be able to authenticate to (that is, attempt to access) all resources in your domain, select "Domain-wide authentication". If you would rather manually select which resources are available, choose "Selective authentication". In both cases, the permissions on each resource still decide whether an access attempt succeeds. We're choosing "Domain-wide authentication" for this example.

10. Now, enter the trust password you decided on earlier. Remember, you'll need to enter the same password when configuring the trust on the other DC. This is essentially pre-shared key authentication.

11. Your trust should now have been created, and you'll get an overview of the configuration choices you made. Click "Next" to continue.

12. At this point, you should now follow the same steps to configure a new trust on the other domain controller (using the opposite domain when prompted, of course). Once that's done, you can optionally confirm the outgoing/incoming trusts. To do so, you'll need appropriate credentials in the other domain.

13. You can confirm your two-way trust is set up by right-clicking on your domain in "Active Directory Domains and Trusts", selecting "Properties", and opening the "Trusts" tab. You should see the other domain in both incoming and outgoing trusts. You can confirm this on the opposite side as well.
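
The same checks can be done from PowerShell on the DC. The script below is an added example, not part of the original tutorial: it checks the DNS and connectivity prerequisite mentioned under step 5, then reads the trust object and compares it with the choices made in steps 6, 7 and 9. It assumes the ActiveDirectory module is installed and that you run it on the ad.demodomain.com side; the function names are illustrative.

```powershell
# Added example (not from the original tutorial). Run on a DC in ad.demodomain.com.
Import-Module ActiveDirectory
$Partner = 'ad.exampledomain.com'   # the other domain in this tutorial

function Test-PartnerDcLocator {
    param([Parameter(Mandatory)][string]$Domain)
    # DC locator SRV records for the partner domain. If these do not resolve,
    # this DC cannot find the other domain (the symptom described under step 5).
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' }
    if (-not $srv) { Write-Warning "No DC locator records for $Domain; check DNS forwarders."; return }
    foreach ($r in $srv) {
        [pscustomobject]@{
            DomainController = $r.NameTarget
            Kerberos88 = (Test-NetConnection $r.NameTarget -Port 88 -WarningAction SilentlyContinue).TcpTestSucceeded
            Ldap389    = (Test-NetConnection $r.NameTarget -Port 389 -WarningAction SilentlyContinue).TcpTestSucceeded
        }
    }
}

function Get-TrustReview {
    param([Parameter(Mandatory)][string]$Domain)
    $t = Get-ADTrust -Filter "Target -eq '$Domain'"
    if (-not $t) { Write-Warning "No trust object found for $Domain."; return }
    [pscustomobject]@{
        Target                  = $t.Target
        Direction               = $t.Direction                 # BiDirectional for a two-way trust
        ForestTransitive        = $t.ForestTransitive          # False for an external trust
        SelectiveAuthentication = $t.SelectiveAuthentication   # False = domain-wide authentication
        SIDFilteringQuarantined = $t.SIDFilteringQuarantined
    }
}

Test-PartnerDcLocator -Domain $Partner | Format-Table -AutoSize
$review = Get-TrustReview -Domain $Partner
$review | Format-List

# Compare against the choices made in steps 6, 7 and 9 of this tutorial.
if ($review) {
    if ($review.Direction -ne 'BiDirectional') { Write-Warning "Trust is not two-way: $($review.Direction)" }
    if ($review.ForestTransitive)             { Write-Warning 'Trust is a forest trust, not external.' }
    if ($review.SelectiveAuthentication)      { Write-Warning 'Selective authentication is on; step 9 chose domain-wide.' }
    if (-not $review.SIDFilteringQuarantined) { Write-Warning 'SID filter quarantine is off on this external trust.' }
}
```

Run it again on the other DC with `$Partner` set to ad.demodomain.com to review the trust from the opposite side.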

Conclusion
That's it! You should now have a successfully configured AD trust between two domains. We hope this tutorial helped you, and as always, please contact Cosmistack for all of your server and infrastructure management needs!