Active Directory: trust relationship between two forests / domains

Presentation

The trust relationship between two Active Directory forests / domains is a trusted link that allows authenticated users of one domain to access resources in the other domain.

A trust relationship may be:

  • One-way: access to resources is only available in one direction (A) -> (B).
  • Two-way: access to resources is available in both directions (A) <-> (B).
  • Transitive: if (A) and (B) have a transitive trust relationship and (B) trusts a domain (C), then (C) is also trusted by (A).

Cases in which a trust relationship is required:

  • Setting up a child domain.
  • Company acquisition / merger, to allow access to resources.
  • Segmentation of the information system (by geography / service / …).

In this tutorial, we will see how to set up a trust relationship between two forests as if we had just acquired a company.

Diagram of the trust relationship

Prerequisites

For the two forests to be able to resolve each other's names, a conditional forwarder must be set up on the DNS server of each forest.
Conditional forwarder to the old domain / conditional forwarder to the lab domain

Configure the trust relationship

The steps below were performed on a domain controller of lab.intra.

Open the Active Directory Domains and Trusts console, right-click on the domain and click Properties.
Active Directory Domains and Trusts console

Go to the Trusts tab and click New Trust to launch the wizard.
Trusts tab

When the wizard opens, click Next.
Wizard

Enter the name of the domain with which the trust relationship is to be created and click Next.
Trusted domain

Choose the trust type: Forest trust, then click Next.
Type of trust relationship

Configure the direction of the trust; in this example we choose Two-way, then click Next to validate.
Direction of the trust relationship

Choose the option Both this domain and the specified domain, which creates the trust directly on the other domain as well. Click Next.
Trust configuration

Enter the credentials of an administrator account of the specified domain, then click Next.
Remote domain credentials

Choose the option Forest-wide authentication (authentication for all forest resources) and click Next.
Trust authentication level

Forest-wide authentication allows users from both forests to log on to any available workstation. If you want to set up Selective Authentication instead, I invite you to read this article.

Also choose Forest-wide authentication for users of the local forest accessing the other forest, then click Next.
Trust authentication level

A summary of the trust relationship is displayed; click Next to create it.
Summary of the trust relationship

The trust relationship has been created; click Next.
Trust relationship created

Confirm the outgoing and incoming trusts by selecting Yes and clicking Next.
Confirm trust

Click Finish to close the wizard.
Finish

The trust relationship now appears in the Trusts tab.

On a controller in the other forest, also verify that the relationship has been created.
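The same prerequisite and verification steps, run from a lab.intra domain controller, as an added PowerShell example that is not part of the original tutorial. The old.lan DNS server address (10.0.0.10) is a placeholder, and the Get-ADTrust output includes the security attributes (SID filtering, selective authentication, TGT delegation) a practitioner should review before relying on the trust.

```powershell
# Added example (not from the original tutorial): check the DNS prerequisite and
# then the newly created forest trust from a lab.intra domain controller.
# Assumed value: 10.0.0.10 is the old.lan DNS server (placeholder, adjust it).
Import-Module DnsServer
Import-Module ActiveDirectory

$remoteForest = 'old.lan'
$remoteDns    = '10.0.0.10'   # placeholder for the real old.lan DNS server

# 1. Conditional forwarder: create it if it is missing (the GUI prerequisite step).
if (-not (Get-DnsServerZone -Name $remoteForest -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $remoteForest `
        -MasterServers $remoteDns -ReplicationScope 'Forest'
}

# 2. Name resolution: the DC locator SRV record of the remote forest must resolve,
#    otherwise the trust wizard cannot find a domain controller of old.lan.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$remoteForest" -Type SRV |
    Select-Object Name, NameTarget, Port

# 3. Trust object: direction, type and the security attributes worth reviewing.
#    SID filtering is enabled by default on a new forest trust; selective
#    authentication and TGT delegation are off unless you turned them on.
Get-ADTrust -Filter "Name -eq '$remoteForest'" |
    Select-Object Name, Direction, TrustType, ForestTransitive,
                  SelectiveAuthentication, SIDFilteringForestAware,
                  SIDFilteringQuarantined, TGTDelegation

# 4. Verify the secure channel of the trust with the built-in Windows tools.
netdom trust lab.intra /domain:$remoteForest /verify
nltest /domain_trusts
```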

Test the trust relationship

To validate the trust, we will do 2 tests:

  • On a member workstation of the lab.intra domain, open a session with a user who is a member of the old.lan domain.
  • Add a user of the lab.intra domain to a group of the old.lan domain.

Log on to a workstation with a user from the other domain

On a computer in the lab.intra domain, switch user and enter the credentials of a user from the old.lan domain, specifying the domain as part of the user name.
Trusted domain user

Once the session is open, launch a command prompt and enter SET. In the screenshot below we see that the computer is in the lab.intra domain and that the user is a member of the old.lan domain.
Trusted domain user

Add a user to a group in the trusted domain

Go to the properties of a user in the lab.intra domain to add it to a group. In the group selection window, click Locations.
Add to group

Choose the trusted domain and click OK.
Select domain

Select a group and click OK to add the user to it.
Select group

The user is now part of a group in the trusted domain.
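A way to audit the result of this test from the old.lan side, as an added PowerShell example that is not part of the original tutorial. Members from another forest are stored in old.lan as foreignSecurityPrincipal objects named after the member's SID; the group name DL-LabUsers is a placeholder, and the example assumes a domain local group, the only group type that accepts members from a trusted forest.

```powershell
# Added example (not from the original tutorial): run on a domain controller of
# old.lan to see which lab.intra principals were granted membership in old.lan
# groups. 'DL-LabUsers' is a placeholder group name.
Import-Module ActiveDirectory

$localForest = 'old.lan'
$fspBase     = 'CN=ForeignSecurityPrincipals,DC=old,DC=lan'

# 1. Membership seen from the group side: cross-forest members appear as
#    distinguished names under the ForeignSecurityPrincipals container.
(Get-ADGroup -Identity 'DL-LabUsers' -Server $localForest -Properties member).member

# 2. Every foreign principal that is a member of at least one group, with its
#    SID translated back to an account name through the trust. A translation
#    failure usually means the trust or DNS forwarding is broken.
Get-ADObject -SearchBase $fspBase -Server $localForest `
    -Filter 'objectClass -eq "foreignSecurityPrincipal"' -Properties memberOf |
    Where-Object { $_.memberOf } |
    ForEach-Object {
        $sid = New-Object System.Security.Principal.SecurityIdentifier $_.Name
        try   { $account = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $account = '<unresolved: check trust and DNS>' }
        [pscustomobject]@{
            SID      = $_.Name
            Account  = $account
            MemberOf = ($_.memberOf -join '; ')
        }
    }
```

Reviewing this list periodically shows exactly which accounts of the acquired forest hold rights in yours, which is the main thing a two-way forest trust changes.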
