
Upload: vijay-malik

Post on 27-Nov-2014


Page 1: How to Create a Trust in Windows Server 2008 R2

How to create a trust in Windows Server 2008 R2

This tutorial will show you how to make a forest trust in Windows Server.  A trust allows users in one domain to access resources in another domain.  Trusts can be one-way or two-way.  In a one-way trust, one domain’s users may access another domain’s resources, but not the other way around.  In a two-way trust, users in both domains may access the other domain’s resources.  Trusts can also be transitive or non-transitive.  If two domains establish a transitive trust, each domain trusts the other domain as well as the domains that the other domain already trusts.

Prerequisites

Before a trust can be established, DNS must be set up between the two domains; this can be accomplished in a few different ways, by using stub zones, conditional forwarders, or Active Directory Federation Services.  Also, the two domains must have the same, or close to the same, forest functional level.  You can check the forest functional level by going to Administrative Tools -> Active Directory Domains and Trusts.  Then, right-click on the forest root and select Raise Forest Functional Level.
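The two prerequisites above can be checked from a domain controller before starting the wizard. This is an added example, not part of the tutorial; it assumes the ActiveDirectory module that ships with Windows Server 2008 R2 and the tutorial's partner forest root, globodivision.com.

```powershell
# Added example, not part of the tutorial: pre-flight checks for the prerequisites above,
# run on a domain controller of the local forest. Assumes the ActiveDirectory module
# (Windows Server 2008 R2) and the tutorial's partner forest root name.
Import-Module ActiveDirectory

$partner = 'globodivision.com'   # assumption: forest root of the other forest

# 1. Forest functional level (compare it with the value the other forest's admin reports).
$forest = Get-ADForest
Write-Host "Local forest $($forest.Name): functional level $($forest.ForestMode)"

# 2. Can this server find the partner's name servers? This is what the stub zone or
#    conditional forwarder provides; without an NS answer the trust wizard cannot proceed.
$ns = nslookup -type=NS $partner 2>&1 | Where-Object { $_ -match 'nameserver =' }
if ($ns) { $ns | ForEach-Object { Write-Host "  $_" } }
else     { Write-Warning "No NS records for $partner; DNS between the domains is not set up." }

# 3. Can the DC locator actually reach a domain controller of the partner forest?
#    The wizard relies on the _msdcs SRV records that this lookup resolves.
nltest "/dsgetdc:$partner" /force | Out-Null
if ($LASTEXITCODE -eq 0) { Write-Host "A domain controller for $partner was located." }
else { Write-Warning "No DC for $partner could be located (nltest exit code $LASTEXITCODE)." }
```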

Tutorial

1. Go into Active Directory Domains and Trusts inside of Administrative Tools.  Once inside you should see something similar to the next screen.  Right-click the domain you would like to create a trust for and select Properties.  In this tutorial, the domain we will create a trust for is called misdivision.net.

2.  Inside of properties, select the Trusts tab.  You should see something like the next screen.  Select New Trust.


4.  In this tutorial we are going to create a forest trust.  For a forest trust, the trust name must be a DNS name.  We are going to create a trust with a domain called globodivision.com.  Select Next after specifying the trust name.

5.  Here you select the trust type.  A forest trust, the one we are creating, creates a transitive trust between all users on both forests specified by both forest root domains.  The other option is to create an external trust between just the two domains; external trusts are non-transitive.  Select Forest Trust and then select Next.


6.  Here you specify the direction of the trust.  A two-way trust means users in both domains can be authenticated on the other domain.  One-way means that one domain’s users can be authenticated on the other domain, but not the other way around.  One-way trusts can be established as incoming or outgoing, meaning that the one-way trust can be set up in favour of either the domain you are currently configuring or the other domain.  Select Two-way and select Next.


7.  Here you can set up the trust on this domain or both domains involved in the trust.  Select Both this domain and the specified domain.  You can only do this if you have credentials for the other domain.  If you do not have credentials for the other domain, you would have to get an administrator for the other domain to create the other side of the trust.  Select Next.

8.  Input administrative credentials for the other domain to automatically establish the other side of the trust on that domain.  Select Next when finished.


9.  Here you can specify whether local forest users will automatically be authenticated for all resources on the other domain or selectively be authenticated for resources on the other domain.  Forest-wide authentication is generally recommended for users within the same organization.  Select Forest-wide authentication and select Next.  The next screen is similar but it is for the specified forest.  Again, Select Forest-wide authentication and select Next.


10.  You can review the selections you have made here.  Select Next when you have verified they are the selections you wanted.

11.  If your trust was created successfully, you will see this next screen.  There are a few reasons that you may not be able to set up a trust.  DNS between the domains may not be set up properly; make sure that name servers on one domain can access servers on the other domain.  Make sure you have the correct administrator credentials for the other domain.  In a lab environment, you may not be able to set up a trust if two virtual machines were deployed from the same server template.

12.  The next few screens of the wizard will ask if you want to confirm both sides of the trust.  Select Yes for both and select Next.


13.  This is the last screen of the wizard.  Select Finish after verifying the changes.

The new trust now appears under Trusts in the properties of misdivision.net.


On the domain controller of the other domain, you can verify that the trust was created by going to Administrative Tools -> Active Directory Domains and Trusts, right-click the domain, and select the Trusts tab under Properties.  The other side of the trust was created automatically because we selected the Both this domain and the specified domain option in Step 7.
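Beyond looking at the Trusts tab, the result of steps 5, 6 and 9 can be read back from the trustedDomain objects and the trust's secure channel can be verified. This is an added example, not part of the tutorial; it assumes the ActiveDirectory module and netdom.exe on a Windows Server 2008 R2 domain controller, and the bit meanings of trustAttributes as documented in MS-ADTS.

```powershell
# Added example, not part of the tutorial: audit the local domain's trusts after the wizard.
# Assumes the ActiveDirectory module (Windows Server 2008 R2) and netdom.exe on the DC.
Import-Module ActiveDirectory

# Bits of the trustAttributes attribute (MS-ADTS, trustAttributes).
$NON_TRANSITIVE     = 0x01
$QUARANTINED        = 0x04   # SID filtering on an external trust
$FOREST_TRANSITIVE  = 0x08   # the "Forest trust" choice in step 5
$CROSS_ORGANIZATION = 0x10   # "Selective authentication" in step 9
$TREAT_AS_EXTERNAL  = 0x40   # SID history honoured across a forest trust

$directions = @{ 0 = 'Disabled'; 1 = 'Inbound'; 2 = 'Outbound'; 3 = 'Two-way' }
$local = (Get-ADDomain).DNSRoot

Get-ADObject -LDAPFilter '(objectClass=trustedDomain)' `
    -Properties trustPartner, trustDirection, trustAttributes | ForEach-Object {
    $partner = $_.trustPartner
    $attr    = [int]$_.trustAttributes
    $dir     = $directions[[int]$_.trustDirection]
    $type    = if ($attr -band $FOREST_TRANSITIVE) { 'Forest' }
               elseif ($attr -band $NON_TRANSITIVE) { 'External' } else { 'Other' }
    $auth    = if ($attr -band $CROSS_ORGANIZATION) { 'Selective' } else { 'Forest-wide' }

    Write-Host ("{0,-25} {1,-9} {2,-9} auth={3}" -f $partner, $dir, $type, $auth)

    # Checks a defender wants: SID filtering should be in force on either trust type.
    if ($type -eq 'Forest' -and ($attr -band $TREAT_AS_EXTERNAL)) {
        Write-Warning "${partner}: SID history is honoured across this forest trust."
    }
    if ($type -eq 'External' -and -not ($attr -band $QUARANTINED)) {
        Write-Warning "${partner}: SID filtering (quarantine) is off on this external trust."
    }
    if ($auth -eq 'Forest-wide') {
        Write-Host "  note: every user of $partner authenticates here; selective authentication narrows that."
    }

    # Step 11 troubleshooting, automated: verify the trust's secure channel from this side.
    $partnerArg = "/d:$partner"
    netdom trust $local $partnerArg /verify
    if ($LASTEXITCODE -ne 0) { Write-Warning "netdom could not verify the trust with $partner." }
}
```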


Once the trust has been established, you will be able to grant permissions to users to access resources on the other, trusted domain or add users to groups with permissions on the other domain.


Step-by-Step How to Create a Stub Zone in Windows Server 2008 R2

What is a stub zone? 

Stub zones are a way for different DNS servers from different domains to communicate DNS information to each other.  Technically speaking, a stub zone is a copy of a zone that contains only those resource records necessary to identify the authoritative DNS servers for that zone.  When someone wants a resource on another DNS namespace, the user first queries his or her specified DNS server.  If the DNS server (or any other DNS server on the domain) cannot resolve the query, the server sends its own query to the name servers specified by the stub zone. 

Why are stub zones important? 

Before a trust between two different domains in two different forests can be established, DNS must be configured between domains.  Stub zones provide one solution for that. 

How do I create a stub zone? 

The following tutorial will tell you how to create a stub zone in Windows Server 2008 R2.  In my tutorial I will reference three different servers on two different domains.  All of the servers are Windows Server 2008 R2 with the Active Directory Domain Services role and the DNS server role.  Servers test1 and wg-dc2-2k8 are on the domain wgtesting.com.  The server called dc1 is on the domain trusttest.com.

1. Log onto the first DNS server.  Open the Server Manager administration tool and expand Forward Lookup Zones under DNS.  For this tutorial test1 will be the first DNS server. 


2. Right click inside of the Forward Lookup Zones area and select New Zone.


3.  The New Zone Wizard will appear.  Select Next.


4.  A list of zone types will appear.  Select Stub Zone and then select Next.  The option to store the stub zone in Active Directory will only be available if the DNS server is also a writable domain controller; test1 is a writable domain controller as well as a DNS server.  This is useful for replicating the stub zone to other domain controllers in your network.


5.  The next screen of the wizard asks how Active Directory will replicate the zone throughout your network.  You can select whether to replicate the zone to domain controllers in the whole forest or only to domain controllers in this domain.  If you did not select Store the zone in Active Directory in the last step, this step will not appear; instead you would go straight to step 6.  Select an option and then select Next.


6.  Here you specify a zone name.  The name should simply be the name of the other domain you will be creating the stub zone for.  Select Next after specifying a zone name.

7.  In this step, you would specify the IP of the DNS server or servers from which you want to load the zone.  The option Use the above servers to create a local list of master servers allows you to get a list of all other DNS servers.  In other words, you do not have to put in the IP of every DNS server on the other domain as long as the one DNS server you specify here has a record of the other DNS servers.  After specifying the IP of at least one DNS server on the other domain, select Next.


8.  This is the last page of the New Zone Wizard.  Verify your settings and select Finish.

9.  Here you can see the contents of the stub zone.  It simply contains the SOA (Start of authority) record, NS (name server) resource records, and the glue A resource records for the delegated zone.


That wraps it up.  Creating a stub zone is a fairly straightforward process and can be the prerequisite to creating a trust between domains.  Here are a few other things to look for after creating the stub zone.

Here I have logged onto the second domain controller/DNS server, wg-dc2-2k8, on the wgtesting.com domain.  Because I selected the option for the stub zone to be stored in active directory in step 4, the zone was replicated from test1 to this server since they are both on the wgtesting.com domain.

For the purpose of later creating a trust, go ahead and create a stub zone on the other domain.  Repeat steps 1-9 on the other domain’s DNS server.  In this case, the server is dc1 on the domain trusttest.com.
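Steps 1-9 and the replication check in the wrap-up can also be done from the command line with dnscmd.exe, which is present on Windows Server 2008 R2 DNS servers. This is an added example, not part of the tutorial; it uses the tutorial's server and domain names, and 192.0.2.10 is a placeholder for dc1's IP address.

```powershell
# Added example, not from the tutorial: the stub zone of steps 1-9 created with dnscmd.exe on
# test1 (wgtesting.com), then the checks from the wrap-up. Names are the tutorial's;
# 192.0.2.10 is a placeholder for the address of dc1, a DNS server of trusttest.com.
$zone     = 'trusttest.com'   # the other domain (step 6)
$masterIP = '192.0.2.10'      # placeholder: DNS server of the other domain (step 7)
$replica  = 'wg-dc2-2k8'      # second DC/DNS server of wgtesting.com

# Steps 4-7: /DsStub is "Stub Zone" plus "Store the zone in Active Directory";
# /dp selects the replication scope chosen in step 5 (/domain or /forest).
dnscmd . /ZoneAdd $zone /DsStub $masterIP /dp /domain
if ($LASTEXITCODE -ne 0) { throw "dnscmd /ZoneAdd failed for $zone (exit code $LASTEXITCODE)" }

# Step 9: the zone should now hold the partner's SOA, NS and glue A records. Asking the
# local server for the partner's NS records is answered from the stub zone, not by recursion.
$ns = nslookup -type=NS $zone 127.0.0.1 2>&1 | Where-Object { $_ -match 'nameserver =' }
if ($ns) { $ns | ForEach-Object { Write-Host "  $_" } }
else     { Write-Warning "No NS records loaded for $zone; check that $masterIP is reachable on UDP/TCP 53." }

# Zone metadata: type (Stub), master server list, DS-integrated flag.
dnscmd . /ZoneInfo $zone

# Wrap-up check: an AD-integrated stub zone must also show up on the second DC.
dnscmd $replica /ZoneInfo $zone
if ($LASTEXITCODE -ne 0) { Write-Warning "$zone has not replicated to $replica yet." }
```

The same commands, run on dc1 with the zone name wgtesting.com and a wgtesting.com DNS server as master, create the matching stub zone on the other domain.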