Thursday 30 August 2012

How to create Shortcut trust using Active Directory Domains and Trusts

1.      Open the Active Directory Domains and Trusts console.
2.      In the console tree, locate and right-click the domain for which you want to configure Shortcut trust, and click Properties from the shortcut menu.
3.      When the Properties dialog box of the domain you chose opens, click the Trusts tab
4.      Click the New Trust button at the bottom of the dialog box.
5.      This action starts the New Trust Wizard.
6.      Click Next on the Welcome To The New Trust Wizard page.
7.      When the Trust Name page opens, enter the DNS name of the other domain that you want to create trust with. Click Next.
8.      On the Direction Of Trust page, you can select one of the following options:
        * Two-Way: Click this option if you want to define two-way Shortcut trust. This would mean that users in each domain would be able to access resources in both domains.
        * One-Way: Incoming: This option should be enabled if you only want users of this particular domain to be able to access resources in the other domain.
        * One-Way: Outgoing: This option should be selected if you want users of the other domain to be able to access resources in this particular domain.
Click Next.
9.      When the Sides Of Trust page opens, you can select one of these options:
        * This Domain Only: Selecting this option creates the Shortcut trust in the local domain.
        * Both This Domain And The Specified Domain: Selecting this option creates the Shortcut trust in the local domain and in the other domain that you indicated.
Click Next.
10.  The New Trust Wizard displays different pages next, based on what you have selected in the previous two steps.
11.  Where Two-Way or One-Way: Outgoing was selected in Step 8, and This Domain Only was selected in Step 9, the wizard displays the Outgoing Trust Authentication Level page. You can select either Domain Wide Authentication or Selective Authentication. Choosing Domain Wide Authentication results in the automatic authentication of users in the other domain for network resources in the local domain. If you select Selective Authentication, the users in the other domain are not automatically authenticated for resources in the local domain. Click Next. The wizard then displays the Trust Password page. This is where you have to set the password for the trust. Click Next.
12.  Where One-Way: Incoming was selected in Step 8, and This Domain Only was selected in Step 9, the wizard displays the Trust Password page. Enter the password for the trust in the boxes. Click Next.
13.  Where Both This Domain And The Specified Domain was selected in Step 9, the wizard displays the User Name And Password page. You have to provide the user name and password of an Administrator account that has the necessary rights in the other domain. Click Next.
14.  The Trust Selections Complete page is displayed next. All the settings that you previously specified are shown on this page. After checking that the configuration settings are correct, click Next.
15.  The New Trust Wizard now creates the shortcut trust relationship.
16.  When the Trust Creation Complete page appears, click Next.
17.  The Confirm Outgoing Trust page allows you to verify outgoing trust. Click Yes, Confirm The Outgoing Trust or click No, Do Not Confirm The Outgoing Trust. Click Next.
18.  The Confirm Incoming Trust page allows you to verify incoming trust. Click Yes, Confirm The Incoming Trust or click No, Do Not Confirm The Incoming Trust. Click Next.
19.  Click Finish when the Completing The New Trust Wizard page is displayed.

How to create Realm trust using Active Directory Domains and Trusts

1.      Open the Active Directory Domains and Trusts console.
2.      In the console tree, locate and right-click the domain for which you want to configure Realm trust, and click Properties from the shortcut menu.
3.      When the Properties dialog box of the domain opens, click the Trusts tab
4.      Click the New Trust button at the bottom of the dialog box.
5.      Click Next on the Welcome To The New Trust Wizard page.
6.      When the Trust Name page opens, enter the DNS name of the other domain for the realm trust. Click Next.
7.      The Trust Type page appears next. Select Realm Trust. Click Next.
8.      When the Transitivity Of Trust page opens, select one of the following options:
        * Nontransitive: Select this option if the Realm trust should end with the two domains between which it is created.
        * Transitive: Select this option if you want this particular domain and all other trusted domains to create trust with the realm and other trusted realms.
Click Next
9.      On the Direction Of Trust page, you can select one of the following options:
        * Two-Way: Click this option if you want to define two-way Realm trust. This would mean that users in the domain and realm would be able to access resources in both the domain and realm.
        * One-Way: Incoming: This option should be enabled if you only want users of this particular domain to be able to access resources in the realm.
        * One-Way: Outgoing: This option should be selected if you only want users of the realm to be able to access resources in this particular domain.
Click Next
10.  The wizard displays the Trust Password page next. Enter the password for the trust in the boxes. Click Next.
11.  The Trust Selections Complete page is displayed next. All the settings that you previously specified are shown on this page. After checking that the configuration settings are correct, click Next.
12.  The New Trust Wizard creates the Realm trust relationship.
13.  Click Finish on the Completing The New Trust Wizard page.

How to create External trust using Active Directory Domains and Trusts

You first have to specify a DNS forwarder for each of the DNS servers that are authoritative for the trusting forests.
You use the DNS Administration tool to configure DNS forwarders:
1.      Click Start, click Administrative Tools, and click DNS.
2.      Right-click the DNS server, and click Properties from the shortcut menu.
3.      When the Properties dialog box of the DNS server opens, click the Forwarders tab.
4.      Click New, and enter the DNS domain name that needs queries to be forwarded.
5.      In the Selected Domain's IP Address List, enter the IP addresses of the servers to which these queries are forwarded.
6.      Click Add
7.      Click OK
8.      Open the Active Directory Domains and Trusts console.
9.      In the console tree, locate and right-click the domain in the initial forest for which you want to configure External trust, and click Properties from the shortcut menu.
10.  When the Properties dialog box of the domain opens, click the Trusts tab
11.  Click the New Trust button at the bottom of the dialog box.
12.  Click Next on the Welcome To The New Trust Wizard page.
13.  When the Trust Name page opens, enter the DNS name of the domain in the other forest. Click Next.
14.  The Trust Type page appears next if the forest functional level is raised to Windows Server 2003 forest functional level. Select the External Trust option. Click Next.
15.  The Direction Of Trust page is displayed straight after the Trust Name page if the forest functional level is not raised to Windows Server 2003. You can select one of the following options:
        * Two-Way: Click this option if you want to define two-way External trust. This would mean that users in each domain would be able to access resources in both domains.
        * One-Way: Incoming: This option should be enabled if you only want users of this particular domain to be able to access resources in the other domain.
        * One-Way: Outgoing: This option should be selected if you only want users of the other domain to be able to access resources in this particular domain.
Click Next
16.  When the Sides Of Trust page opens, you can select one of these options:
        * This Domain Only: Selecting this option creates the trust in the local domain
        * Both This Domain And The Specified Domain: Selecting this option creates the trust in the local domain and in the other domain.
Click Next
17.  The New Trust Wizard displays different pages next, based on what you selected in the previous two steps.
18.  Where Two-Way or One-Way: Outgoing was selected in Step 15, and This Domain Only was selected in Step 16, the wizard displays the Outgoing Trust Authentication Level page. You can select either Domain Wide Authentication or Selective Authentication. Choosing Domain Wide Authentication results in the automatic authentication of users in the other domain for network resources in the local domain. If you select Selective Authentication, the users in the other domain are not automatically authenticated for resources in the local domain. Click Next. The wizard then displays the Trust Password page. This is where you have to set the password for the trust. Click Next.
19.  Where One-Way: Incoming was selected in Step 15, and This Domain Only was selected in Step 16, the wizard displays the Trust Password page. Enter the password for the trust. Click Next.
20.  Where Both This Domain And The Specified Domain was selected in Step 16, the wizard displays the User Name And Password page. You have to provide the user name and password of an Administrator account that has the necessary rights. Click Next.
21.  When the Trust Selections Complete page is displayed, the settings that you previously specified are shown. After checking that the configuration settings are correct, click Next.
22.  The New Trust Wizard now creates the External trust.
23.  When the Trust Creation Complete page appears, click Next.
24.  The Confirm Outgoing Trust page allows you to verify outgoing trust. Click Yes, Confirm The Outgoing Trust or click No, Do Not Confirm The Outgoing Trust. Click Next.
25.  The Confirm Incoming Trust page allows you to verify incoming trust. Click Yes, Confirm The Incoming Trust or click No, Do Not Confirm The Incoming Trust. Click Next.
26.  Click Finish.

How to create Forest trust using Active Directory Domains and Trusts

You first have to specify a DNS forwarder for each of the DNS servers that are authoritative for the trusting forests before you can use the Active Directory Domains and Trusts console to create Forest trust relationships. Use the DNS Administration Tool to configure the necessary DNS forwarder. In addition to this, ensure that the forest functional level for each forest is set to Windows Server 2003 forest functional level.
1.      Open the Active Directory Domains and Trusts console.
2.      In the console tree, locate and right-click the domain in the initial forest which you want to configure Forest trust for, and click Properties from the shortcut menu.
3.      When the Properties dialog box of the domain opens, click the Trusts tab and then click the New Trust button.
4.      In the Welcome To The New Trust Wizard page, click Next
5.      Enter the DNS name of the domain in the other forest on the Trust Name page. Click Next.
6.      In the Trust Type page, select the Forest Trust option. Click Next.
7.      On the Direction Of Trust page select one of the following options:
        * Two-Way: Click this option if you want to define two-way Forest trust. This would mean that users in each forest would be able to access resources in both forests.
        * One-Way: Incoming: This option should be enabled if you only want users of this particular forest to be able to access resources in the other forest.
        * One-Way: Outgoing: This option should be selected if you only want users of the other forest to be able to access resources in this particular forest.
Click Next
8.      When the Sides Of Trust page opens, you can select one of these options:
        * This Domain Only: Selecting this option creates the trust in the local forest.
        * Both This Domain And The Specified Domain: Selecting this option creates the trust in the local forest and in the other forest.
Click Next
9.      Where Two-Way or One-Way: Outgoing was selected in Step 7, and This Domain Only was selected in Step 8, the wizard displays the Outgoing Trust Authentication Level page. You can select either Domain Wide Authentication or Selective Authentication. Choosing Domain Wide Authentication results in the automatic authentication of users in the other forest for network resources in the local forest. If you specify Selective Authentication, the users in the other forest are not automatically authenticated for resources in the local forest. Click Next. The wizard then displays the Trust Password page. This is where you have to set the password for the trust. Click Next.
10.  Where One-Way: Incoming was selected in Step 7, and This Domain Only was selected in Step 8, the wizard displays the Trust Password page. Enter the password for the trust. Click Next.
11.  Where Both This Domain And The Specified Domain was selected in Step 8, the wizard displays the User Name And Password page. You have to provide the user name and password of an Administrator account that has the necessary rights. Click Next.
12.  When the Trust Selections Complete page is displayed, the settings that you previously specified are shown. After checking that the configuration settings are correct, click Next.
13.  The New Trust Wizard now creates the Forest trust.
14.  When the Trust Creation Complete page appears, click Next.
15.  The Confirm Outgoing Trust page allows you to verify outgoing trust. Click Yes, Confirm The Outgoing Trust or click No, Do Not Confirm The Outgoing Trust. Click Next.
16.  The Confirm Incoming Trust page allows you to verify incoming trust. Click Yes, Confirm The Incoming Trust or click No, Do Not Confirm The Incoming Trust. Click Next.
17.  Click Finish on the Completing The New Trust Wizard page.

How to remove existing Active Directory trust relationships

1.      Open the Active Directory Domains And Trusts console.
2.      In the console tree, right-click a domain that is specified in the trust relationship which you want to remove, and select Properties from the shortcut menu.
3.      Click the Trusts tab.
4.      Use the Domains Trusted By This Domain (Outgoing Trusts) box to select the trust you want to remove.
5.      Click the Remove button alongside the box.
6.      If you want to remove the trust from the local domain only, click the No, Remove The Trust From The Local Domain Only option, and click OK
7.      If you want to remove the trust from the local domain and the other domain, click the Yes, Remove The Trust From Both The Local Domain And The Other Domain option. Enter the appropriate user name and password combination in the User Name and Password boxes and click OK.
8.      Click Yes to verify that you want to remove the trust relationship.
9.      Use the Domains That Trust This Domain (Incoming Trusts) box to select the trust you want to remove.
10.  Choose the appropriate option in the Active Directory dialog box, and then click OK
11.  Click Yes to verify that you want to remove the trust relationship.

How to validate existing Active Directory trust relationships

1.      Open the Active Directory Domains And Trusts console
2.      In the console tree, right-click a domain that is defined in the trust relationship which you want to validate, and select Properties from the shortcut menu.
3.      Click the Trusts tab
4.      You can select the trust you want to examine in one of the following boxes:
        * Domains Trusted By This Domain (Outgoing Trusts) box
        * Domains That Trust This Domain (Incoming Trusts) box
5.      After you have selected the trust, click the Properties button.
6.      When the Properties dialog box of the trust opens, click the Validate button.
7.      If you only want to verify outgoing trust, click the No, Do Not Validate The Incoming Trust option and click OK.
8.      If you want to verify incoming trust and outgoing trust, click Yes, Validate The Incoming Trust option. Enter the appropriate user name and password combination in the User Name and Password boxes and click OK
9.      After the trust is validated, a message is displayed indicating this.
10.  Click OK.
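
The wizard choices above (direction, transitivity, Domain Wide versus Selective Authentication) are stored on each trust's trustedDomain object as the trustDirection, trustType and trustAttributes values. The following PowerShell is an added example, not part of the original post: it decodes those values and marks outgoing trusts that grant the other side's users domain-wide authentication. The function name Get-TrustSummary and the sample records are constructed for illustration; the bit values are those defined in MS-ADTS.

```powershell
# Added example: decode trustedDomain attributes (bit values per MS-ADTS) and flag
# outgoing trusts that give the other side's users domain-wide authentication.
$DirectionNames = @{ 0 = 'Disabled'; 1 = 'One-Way: Incoming'; 2 = 'One-Way: Outgoing'; 3 = 'Two-Way' }
$TypeNames      = @{ 1 = 'Downlevel'; 2 = 'Uplevel (Active Directory)'; 3 = 'MIT (Kerberos realm)' }

function Get-TrustSummary {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)] [string] $Name,
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)] [int]    $trustDirection,
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)] [int]    $trustType,
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)] [int]    $trustAttributes
    )
    process {
        $outgoing     = ($trustDirection  -band 2)    -ne 0   # this domain trusts the other side
        $selective    = ($trustAttributes -band 0x10) -ne 0   # Selective Authentication chosen
        $withinForest = ($trustAttributes -band 0x20) -ne 0   # same forest, e.g. a shortcut trust
        [pscustomobject]@{
            Name             = $Name
            Direction        = $DirectionNames[$trustDirection]
            Type             = $TypeNames[$trustType]
            NonTransitive    = ($trustAttributes -band 0x01) -ne 0
            SidQuarantine    = ($trustAttributes -band 0x04) -ne 0
            ForestTransitive = ($trustAttributes -band 0x08) -ne 0
            SelectiveAuth    = $selective
            # Review: foreign users are authenticated domain-wide across a forest boundary
            Review           = ($outgoing -and -not $selective -and -not $withinForest)
        }
    }
}

# Constructed sample records (not real domains), one per trust type covered on this page
$sample = @(
    [pscustomobject]@{ Name = 'emea.corp.example'; trustDirection = 3; trustType = 2; trustAttributes = 0x20 }  # shortcut
    [pscustomobject]@{ Name = 'partner.example';   trustDirection = 2; trustType = 2; trustAttributes = 0x04 }  # external
    [pscustomobject]@{ Name = 'vendor.example';    trustDirection = 3; trustType = 2; trustAttributes = 0x18 }  # forest, selective
    [pscustomobject]@{ Name = 'REALM.EXAMPLE';     trustDirection = 1; trustType = 3; trustAttributes = 0x01 }  # realm
)
$sample | Get-TrustSummary | Format-Table -AutoSize

# On a live domain (assumes the ActiveDirectory module, which is newer than the
# Windows Server 2003 tooling this page describes):
# Get-ADObject -Filter 'objectClass -eq "trustedDomain"' `
#     -Properties trustDirection, trustType, trustAttributes | Get-TrustSummary
```

With the sample records, only partner.example is marked for review: it is an outgoing external trust without Selective Authentication.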

How to create and manage trust relationships using the Windows Domain Manager Command-line Tool

You can use the Windows Domain Manager command line tool to create and manage Active Directory trusts. Netdom.exe is included with the Windows Support Tools available on the Windows Server 2003 Setup CD-ROM.
The netdom trust command is used to create and manage trusts:
netdom trust TrustingDomainName /d:TrustedDomainName [/ud:[Domain\]User] [/pd:{Password|*}] [/uo:User] [/po:{Password|*}] [/verify] [/reset] [/passwordt:NewRealmTrustPassword] [/add [/realm]] [/remove [/force]] [/twoway] [/kerberos] [/transitive[:{YES|NO}]] [/verbose]
        * TrustingDomainName: indicates the name of the trusting domain.
