Active Directory: trust relationship between two forests / domains


A trust relationship between two Active Directory forests / domains is a trusted link that allows authenticated users of one domain to access resources in the other domain.

A trust relationship may be:

  • One-way: access to resources is only available in one direction (A) -> (B).
  • Two-way: access to resources is available in both directions (A) <-> (B).
  • Transitive: if (A) and (B) have a transitive trust, then a domain (C) trusted by (B) is also trusted by (A).

Cases in which a trust relationship is required:

  • Setting up a child domain.
  • Takeover / merger of businesses, to allow access to each other's resources.
  • Segmentation of the information system (by geography / department / …).

In this tutorial, we will see how to set up a trust relationship between two forests as if we had just acquired a company.

Trust relationship diagram


In order for the two forests to be able to communicate correctly with each other, a conditional forwarder must be set up on the DNS server of each forest, pointing to the DNS servers of the other one.
Conditional forwarder to the old domain / Conditional forwarder to the lab domain
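The conditional forwarders described above, created and checked with PowerShell instead of the DNS console. This is an added example that is not part of the original tutorial; the DNS server addresses 192.0.2.10, 192.0.2.11 and 198.51.100.10 are assumed placeholders.

```powershell
# Added example (not from the original tutorial). Run in an elevated
# PowerShell session on a DNS server of each forest. The IP addresses are
# assumed placeholders: replace them with the domain controllers of each forest.

# On a lab.intra DNS server: forward queries for old.lan to its domain controllers
Add-DnsServerConditionalForwarderZone -Name "old.lan" `
    -MasterServers 192.0.2.10, 192.0.2.11 `
    -ReplicationScope "Forest"

# On an old.lan DNS server: forward queries for lab.intra to its domain controllers
Add-DnsServerConditionalForwarderZone -Name "lab.intra" `
    -MasterServers 198.51.100.10 `
    -ReplicationScope "Forest"

# The trust wizard does more than resolve the bare domain name: it locates a
# domain controller through the SRV records under _msdcs, so test those records
# from each side before launching the wizard.
foreach ($domain in "old.lan", "lab.intra") {
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction SilentlyContinue |
        Where-Object Type -eq 'SRV'
    if ($srv) {
        "$domain : DC SRV records resolve -> " + ($srv.NameTarget -join ', ')
    } else {
        "$domain : no DC SRV record found, fix the conditional forwarder before creating the trust"
    }
}
```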

Configure the trust relationship

The manipulations were performed on a domain controller on lab.intra.

Open the Active Directory Domains and Trusts console, right-click on the domain (1) and click Properties (2).
Active Directory Domains and Trusts console

Go to the Trusts tab (1) and click New Trust (2) to launch the wizard.
Trusts tab

When the wizard opens, click Next (1).

Enter the name of the domain (1) with which the trust relationship is to be established and click Next (2).
Trusted domain

Choose the trust type Forest trust (1) and click Next (2).
Type of trust relationship

Configure the direction of the trust; in this example we choose Two-way (1) and click Next (2) to validate.
Direction of the trust relationship

Choose the option Both this domain and the specified domain (1); this creates the trust directly on the other domain as well. Click Next (2).
Sides of the trust

Enter the credentials (1) of an administrator account of the specified domain, then click Next (2).
Credentials for the remote domain

Choose the option Forest-wide authentication (1) and click Next (2).
Trust authentication level

Forest-wide authentication allows users from both domains to log on to every available computer. If you want to set up Selective Authentication instead, I invite you to read this article.

Also choose Forest-wide authentication (1) for users of the local forest accessing the other forest and click Next (2).
Trust authentication level

A summary of the trust relationship is displayed; click Next (1) to create the trust.
Summary of the trust relationship

The trust relationship has been created; click Next (1).
Trust relationship created

Confirm the outgoing trust and then the incoming trust by selecting Yes (1) and clicking Next (2).
Confirm outgoing trust / Confirm incoming trust

Click Finish (1) to close the wizard.

We see that the trust relationship has been created.

On a domain controller of the other forest, also verify that the trust has been created.
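A way to check the trust from the command line rather than by looking at the console, as an added example that is not part of the original tutorial. It assumes the ActiveDirectory RSAT module is installed and that it is run from a domain controller of lab.intra.

```powershell
# Added example (not from the original tutorial). Run on a domain controller
# (or RSAT workstation) of lab.intra with a domain administrator account.
Import-Module ActiveDirectory

# List the trusts of the local forest with the settings that matter for security:
# direction (Inbound / Outbound / BiDirectional), forest transitivity, whether
# selective authentication is enforced and whether SID filtering is applied.
Get-ADTrust -Filter * |
    Select-Object Name, Direction, TrustType, ForestTransitive,
        SelectiveAuthentication, SIDFilteringQuarantined, SIDFilteringForestAware

# Warn if the trust was created with forest-wide authentication, as in this
# tutorial: every authenticated user of old.lan can then log on to lab.intra
# computers. Selective authentication is the more restrictive setting.
Get-ADTrust -Filter { Target -eq "old.lan" } | ForEach-Object {
    if (-not $_.SelectiveAuthentication) {
        Write-Warning "Trust with $($_.Target) uses forest-wide authentication"
    }
}

# Check the secure channel of the trust in both directions
netdom trust lab.intra /domain:old.lan /verify /twoway

# Show the trusts as the domain controller enumerates them
nltest /domain_trusts
```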

Test the trust relationship

To validate the trust, we will run two tests:

  • On a member computer of the lab.intra domain, we will open a session with a user who is a member of the old.lan domain.
  • We will make a user of the lab.intra domain a member of a group of the old.lan domain.

Log on to a computer of the other domain

On a computer in the lab.intra domain, switch user and enter the credentials of a user from the old.lan domain, specifying the domain in the user name.
User of the trusted domain

Once the session is open, launch a command prompt and enter SET. In the screenshot below we see that the computer is in the lab.intra domain (1) and that the user is a member of the old.lan domain (2).
User of the trusted domain

Join a group in the trusted domain

Go to the properties of a user of the lab.intra domain to add it to a group. In the group selection window, click Locations (1).
Add to a group

Choose the trusted domain (1) and click OK (2).
Select the domain

Select a group (1) and click OK (2) to add the user to it.
Select the group

The user is now part of a group in the trusted domain.
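The membership added above can be verified from the old.lan side, where a user of another forest is stored in the group as a foreign security principal (an object that holds only the SID). This is an added example that is not part of the original tutorial; the group name "Finance-Share-RW" and the user name "jdupont" are assumed placeholders.

```powershell
# Added example (not from the original tutorial). Requires the ActiveDirectory
# RSAT module; run with an account that can read both forests.
Import-Module ActiveDirectory

$groupName = "Finance-Share-RW"   # assumed group of the old.lan domain
$userName  = "jdupont"            # assumed user of the lab.intra domain

# The SID of the lab.intra user, read from its own domain
$labUserSid = (Get-ADUser -Identity $userName -Server "lab.intra").SID.Value

# Read the member attribute of the old.lan group. Members from another forest
# appear as DNs under CN=ForeignSecurityPrincipals whose CN is their SID.
$members = (Get-ADGroup -Identity $groupName -Server "old.lan" -Properties member).member

$foreign = $members | Where-Object { $_ -like "*,CN=ForeignSecurityPrincipals,*" } | ForEach-Object {
    $sidString = (($_ -split ',')[0]) -replace '^CN='
    $sid = [System.Security.Principal.SecurityIdentifier] $sidString
    try {
        # Translating the SID only works if the trust and the DNS forwarders are healthy
        $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $account = "<unresolved: check the trust and the conditional forwarders>"
    }
    [PSCustomObject]@{ Group = $groupName; SID = $sidString; Account = $account }
}

$foreign | Format-Table -AutoSize

if ($foreign.SID -contains $labUserSid) {
    "$userName (lab.intra) is a member of $groupName (old.lan) through the trust"
} else {
    "$userName is not a member of $groupName; the membership was not created"
}
```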
