Active Directory: trust relationship between two forests / domains

Presentation

The trust relationship between two Active Directory drill bits / domains is a trusted link that allows authenticated users to access resources in another domain.

An approval relationship may be:

  • Unidirectional: access to resources is only available in one direction (A) -> (B).
  • Bidirectional: access to resources is available in both directions (A) <-> (B).
  • Transitive: If (A) and (B) have a transitive trust relationship, if (B) approves a domain (C) it will be approved in (A).

In which case an approval relationship is required:

  • Setting up a child domain.
  • Takeover / merger of business to allow resource access.
  • SI segmentation (geography / service / …).

In this tutorial, we will see how to set up a trust relationship between two forests as if we had just acquired a company.

Schéma relation d'approbation

Prerequisites

In order to be able to properly discuss the drills between them, it is necessary to set up a conditional forwarder on each DNS server.

Configure the trust relationship

The manipulations were performed on a domain controller on lab.intra.

Open the Active Directory Domain and Trust console, right-click on domain 1 and click Properties 2 .

Console domaine et approbation Active Directory / Active Directory Domain and Trust Console

Go to the Approvals tab 1 and click on New approval 2 to launch the wizard.

approbations / approvals

When launching the wizard, click Next 1 .

Wizard

Indicate the domain 1 with which the trust relationship is made and click Next 2 .

Domain approval / Domaine approuvé

Choose Approval Type: Forest Approval 1 and click Next 2 .

type de relation d'approbation / type of trust relationship

Configure the direction of approval, in the example we will choose Bidirectional direction 1 and click Next 2 to validate.

Direction de la relation d'approbation / Directorate of the trust relationship

Choose the option This domain and the specified domain 1 , this allows to directly create the approval on the other domain. Click Next 1 .

Config approval

Enter the identifiers 1 of an Administration account in the specified domain then click Next 2 .

credential remote domain

Choose the Authentication option for all forest resources 1 and click Next 2 .

Niveau d'authentification d'approbation / Approval authentication level

Authentication for all forest resources will allow users from both domains to log on to all available positions. If you want to set up a Selective Authentication, I invite you to read this article.

Also choose Authentication for all forest resources 1 for users from the local forest to the other forest and click Next 2 .

Niveau d'authentification d'approbation / Approval authentication level

A summary of the trust relationship is displayed, click Next 1 to create the relationship.

Resumé de la relation d'approbation / Summary of the approval relationship

The trust relationship has been created, click Next 1 .

Relation d'approbation créée / Created trust relationship

Confirm outgoing and next approval by selecting Yes 1 and clicking Next 2 .

Click Finish 1 to close the wizard.

End

We see that the trust relationship has been created.

On a controller in the other forest, also verify that the relationship has been created.

Test the trust relationship

To validate the approval, we will do 2 tests:

  • On a member post of the lab.intra domain, we will open a session with a user who is a member of the old.lan domain
  • We will make a member of the domain lab.intra from a group of the domain old.lan

Log on to a post in another domain

On a computer in the lan.intra domain, change the user and enter the credentials of a user from the old.lan domain by specifying his domain in the identifier.

Approved domain user

Once the session is open, launch a command prompt and enter SET, in the screenshot below we see that the computer is in the domain lab.intra 1 and that the user is a member of the old domain. lan.

Approved domain user

Join a group in the trusted domain

Go to the properties of a user in the lab.intra domain to add it to a group. In the group selection window, click Locations 1 .

Add group

Choose the approved domain 1 and click OK 2 .

Select domain

Select a group 1 and click OK 2 to add it to it.

Select group

The user is now part of a group in the trusted domain.





Related Posts


Active Directory : password policy – PSO

SommaireIntroductionCreate a password policyCreate a second strategyIdentify the password strategy that appliesIdentify a user's password policyIdentify a group password policyAssign an existing passw

Bitlocker : store recovery password in Active Directory

SommairePresentationPrerequisitesConfigure password recording in Active DirectoryInstall functionality to view recovery passwords in Active DirectoryConfiguring Group Policy (GPO) for Bitlocker Linkin

Active Directory: configuring dynamic access control – DAC

In this tutorial, I suggest you discover the dynamic access control available on Windows Server in an Active Directory environment. Before getting to the heart of the matter, I will introduce you to d