The trust relationship between two Active Directory drill bits / domains is a trusted link that allows authenticated users to access resources in another domain.
An approval relationship may be:
Unidirectional: access to resources is only available in one direction (A) -> (B). Bidirectional: access to resources is available in both directions (A) <-> (B). Transitive: If (A) and (B) have a transitive trust relationship, if (B) approves a domain (C) it will be approved in (A).
In which case an approval relationship is required:
Setting up a child domain. Takeover / merger of business to allow resource access. SI segmentation (geography / service / …).
In this tutorial, we will see how to set up a trust relationship between two forests as if we had just acquired a company.
In order to be able to properly discuss the drills between them, it is necessary to set up a
conditional forwarder on each DNS server.
Configure the trust relationship
The manipulations were performed on a domain controller on lab.intra.
Open the Active Directory Domain and Trust console, right-click on domain
1 and click Properties 2 .
Go to the Approvals tab
1 and click on New approval 2 to launch the wizard.
When launching the wizard, click Next
Indicate the domain
1 with which the trust relationship is made and click Next 2 .
Choose Approval Type: Forest Approval
1 and click Next 2 .
Configure the direction of approval, in the example we will choose Bidirectional direction
1 and click Next 2 to validate.
Choose the option This domain and the specified domain
1 , this allows to directly create the approval on the other domain. Click Next 1 .
Enter the identifiers
1 of an Administration account in the specified domain then click Next 2 .
Choose the Authentication option for all forest resources
1 and click Next 2 .
Authentication for all forest resources will allow users from both domains to log on to all available positions. If you want to set up a Selective Authentication, I invite you to read this
Also choose Authentication for all forest resources
1 for users from the local forest to the other forest and click Next 2 .
A summary of the trust relationship is displayed, click Next
1 to create the relationship.
The trust relationship has been created, click Next
Confirm outgoing and next approval by selecting Yes
1 and clicking Next 2 .
1 to close the wizard.
We see that the trust relationship has been created.
On a controller in the other forest, also verify that the relationship has been created.
Test the trust relationship
To validate the approval, we will do 2 tests:
On a member post of the lab.intra domain, we will open a session with a user who is a member of the old.lan domain We will make a member of the domain lab.intra from a group of the domain old.lan Log on to a post in another domain
On a computer in the lan.intra domain, change the user and enter the credentials of a user from the old.lan domain by specifying his domain in the identifier.
Once the session is open, launch a command prompt and enter SET, in the screenshot below we see that the computer is in the domain lab.intra
1 and that the user is a member of the old domain. lan.
Join a group in the trusted domain
Go to the properties of a user in the lab.intra domain to add it to a group. In the group selection window, click Locations
Choose the approved domain
1 and click OK 2 .
Select a group
1 and click OK 2 to add it to it.
The user is now part of a group in the trusted domain.