Active Directory: trust relationship between two forests / domains


A trust relationship between two Active Directory forests / domains is a trusted link that allows authenticated users of one domain to access resources in the other domain.

A trust relationship can be:

  • Unidirectional (one-way): access to resources is only available in one direction (A) -> (B).
  • Bidirectional (two-way): access to resources is available in both directions (A) <-> (B).
  • Transitive: if (A) and (B) have a transitive trust relationship and (B) trusts a domain (C), then (C) is also trusted by (A).

Cases in which a trust relationship is required:

  • Setting up a child domain.
  • Acquisition / merger of a company, to allow access to resources.
  • Segmentation of the information system (by geography / service / …).

In this tutorial, we will see how to set up a trust relationship between two forests as if we had just acquired a company.

Diagram of the trust relationship


In order for the two forests to communicate properly with each other, a conditional forwarder must be set up on the DNS servers of each forest, so that each side can resolve the other's domain name and locate its domain controllers.
Conditional forwarder to the old domain / conditional forwarder to the lab domain
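The conditional forwarders can also be created from PowerShell on each DNS server. The script below is an added example, not part of the original tutorial; the DNS server addresses are constructed placeholders, and the names lab.intra / old.lan are the two forests of this tutorial. It creates the forwarder and then checks that the domain controller SRV records of the other forest resolve, which is what the trust wizard needs.

```powershell
# Added example: conditional forwarder + resolution check, run on a DNS server of each forest.
# Addresses below are constructed placeholders; replace them with the real DNS servers.

function New-TrustForwarder {
    param(
        [Parameter(Mandatory)] [string]   $RemoteZone,   # e.g. "old.lan" when run on lab.intra
        [Parameter(Mandatory)] [string[]] $RemoteDns     # DNS server(s) of the remote forest
    )

    # Create the forwarder only if it does not already exist (the cmdlet errors on duplicates).
    $existing = Get-DnsServerZone -Name $RemoteZone -ErrorAction SilentlyContinue
    if (-not $existing) {
        # ReplicationScope "Forest" stores the forwarder in AD so every DC/DNS of the forest gets it.
        Add-DnsServerConditionalForwarderZone -Name $RemoteZone `
                                              -MasterServers $RemoteDns `
                                              -ReplicationScope "Forest"
    }

    # The trust wizard locates a DC of the remote forest through this SRV record.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$RemoteZone" -Type SRV -ErrorAction Stop
    $srv | Select-Object Name, NameTarget, Port
}

# On a DNS server of lab.intra: forward old.lan to its DNS server (constructed address).
New-TrustForwarder -RemoteZone "old.lan"   -RemoteDns "10.0.2.10"

# On a DNS server of old.lan: forward lab.intra to its DNS server (constructed address).
# New-TrustForwarder -RemoteZone "lab.intra" -RemoteDns "10.0.1.10"
```

If Resolve-DnsName returns no SRV record, fix name resolution before launching the wizard: the "domain could not be contacted" error at the domain selection step is almost always a DNS problem rather than a trust problem.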

Configure the trust relationship

The steps below were performed on a domain controller of lab.intra.

Open the Active Directory Domains and Trusts console, right-click on the domain 1 and click Properties 2.
Active Directory Domains and Trusts console

Go to the Trusts tab 1 and click New Trust 2 to launch the wizard.
Trusts

When the wizard opens, click Next 1.

Enter the domain 1 with which the trust relationship is established and click Next 2.
Trusted domain

Choose the trust type: Forest trust 1 and click Next 2.
Type of trust relationship

Configure the direction of the trust; in this example we choose Two-way 1 and click Next 2 to validate.
Direction of the trust relationship

Choose the option This domain and the specified domain 1; this creates the trust directly on the other domain as well. Click Next 1.
Trust configuration

Enter the credentials 1 of an administrator account of the specified domain, then click Next 2.
Credentials for the remote domain

Choose the option Authentication for all forest resources 1 and click Next 2.
Trust authentication level

Authentication for all forest resources allows users of both domains to log on to all available workstations. If you want to set up Selective Authentication, I invite you to read this article.

Also choose Authentication for all forest resources 1 for users of the local forest accessing the other forest, and click Next 2.
Trust authentication level

A summary of the trust relationship is displayed; click Next 1 to create the relationship.
Summary of the trust relationship

The trust relationship has been created; click Next 1.
Trust relationship created

Confirm the outgoing trust, then the incoming trust, by selecting Yes 1 and clicking Next 2.
Confirm trust

Click Finish 1 to close the wizard.

We see that the trust relationship has been created.

On a domain controller of the other forest, also check that the relationship has been created.
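The same check can be done from PowerShell on a domain controller of either forest. This is an added example, not part of the original tutorial: it lists the trust with the attributes that matter for its security posture (direction, forest transitivity, selective authentication, SID filtering) and then verifies the secure channel with the built-in netdom and nltest tools. Only the remote domain name is taken from the tutorial; everything else uses standard cmdlets.

```powershell
# Added example: audit and verify a forest trust, run on a DC of lab.intra (mirror on old.lan).
Import-Module ActiveDirectory

function Get-TrustReport {
    param([Parameter(Mandatory)] [string] $RemoteForest)   # e.g. "old.lan"

    # Get-ADTrust reads the trustedDomain object; a two-way trust shows Direction "BiDirectional".
    $trust = Get-ADTrust -Filter "Name -eq '$RemoteForest'"
    if (-not $trust) { throw "No trust found for $RemoteForest" }

    [pscustomobject]@{
        Name                    = $trust.Name
        Direction               = $trust.Direction            # Inbound / Outbound / BiDirectional
        TrustType               = $trust.TrustType            # Uplevel for a Windows 2000+ forest
        ForestTransitive        = $trust.ForestTransitive     # $true for a forest trust
        SelectiveAuthentication = $trust.SelectiveAuthentication  # $false = forest-wide authentication
        SIDFilteringQuarantined = $trust.SIDFilteringQuarantined
        SIDFilteringForestAware = $trust.SIDFilteringForestAware
        TrustAttributes         = $trust.TrustAttributes      # raw bit mask, for comparison between DCs
    }
}

Get-TrustReport -RemoteForest "old.lan" | Format-List

# Verify the trust password and secure channel from the local domain towards the remote one.
netdom trust lab.intra /domain:old.lan /verify

# Show how SID history is handled over this trust; with no value, netdom only displays the
# current state. On a freshly created forest trust it is disabled, which keeps SID filtering active.
netdom trust lab.intra /domain:old.lan /enablesidhistory

# List every trust known to this DC, with direction and type, as the Netlogon service sees it.
nltest /domain_trusts /all_trusts
```

Run the report on a DC of each forest: both sides should agree on the direction and on ForestTransitive, and SelectiveAuthentication should reflect the choice made in the wizard (forest-wide authentication in this tutorial). Keep the SID history setting disabled unless a migration explicitly needs it, because relaxing it lets SIDs from the other forest be honoured on this side.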

Test the trust relationship

To validate the trust, we will run 2 tests:

  • On a member computer of the lab.intra domain, we will log on with a user who is a member of the old.lan domain.
  • We will add a user of the lab.intra domain to a group of the old.lan domain.

Log on to a computer with a user from the other domain

On a computer of the lab.intra domain, switch user and enter the credentials of a user from the old.lan domain, specifying the domain in the user name (for example old\user).
User of the trusted domain

Once the session is open, launch a command prompt and enter SET. In the screenshot below we see that the computer is in the lab.intra domain 1 and that the user is a member of the old.lan domain.
User of the trusted domain

Add a user to a group of the trusted domain

Go to the properties of a user of the lab.intra domain to add it to a group. In the group selection window, click Locations 1.
Add to a group

Choose the trusted domain 1 and click OK 2.
Select the domain

Select a group 1 and click OK 2 to add the user to it.
Select the group

The user is now a member of a group in the trusted domain.
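Checking this membership from PowerShell is a little different from the single-domain case, because a user from another forest is stored in the group as a foreign security principal (an object named after the user's SID under the ForeignSecurityPrincipals container), not as a regular user object. The script below is an added example, not part of the original tutorial; the group name is a constructed placeholder, the domain names are those of the tutorial. It reads the group on a DC of old.lan, resolves each foreign SID back to a DOMAIN\user name through the trust, and also shows why looking at the user's MemberOf attribute on lab.intra is not enough.

```powershell
# Added example: list the members of a group in the trusted forest, resolving foreign SIDs.
Import-Module ActiveDirectory

function Get-CrossForestGroupMembers {
    param(
        [Parameter(Mandatory)] [string] $Group,        # constructed placeholder, e.g. "Old-Shared-Access"
        [Parameter(Mandatory)] [string] $RemoteDomain  # domain that holds the group, e.g. "old.lan"
    )

    # Read the raw member DNs; members from the other forest appear as foreignSecurityPrincipal objects.
    $g = Get-ADGroup -Identity $Group -Server $RemoteDomain -Properties member, groupScope

    foreach ($dn in $g.member) {
        if ($dn -match '^CN=(S-1-[0-9\-]+),CN=ForeignSecurityPrincipals,') {
            # Translate the SID through the trust; fails (NTAccount lookup) if the trust is broken.
            $sid  = New-Object System.Security.Principal.SecurityIdentifier $Matches[1]
            try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $name = "<unresolved: $($sid.Value)>" }
            [pscustomobject]@{ Group = $g.Name; Scope = $g.groupScope; Member = $name; Source = 'foreign' }
        }
        else {
            $obj = Get-ADObject -Identity $dn -Server $RemoteDomain -Properties sAMAccountName
            [pscustomobject]@{ Group = $g.Name; Scope = $g.groupScope; Member = $obj.sAMAccountName; Source = 'local' }
        }
    }
}

Get-CrossForestGroupMembers -Group "Old-Shared-Access" -RemoteDomain "old.lan" | Format-Table -AutoSize

# For comparison: the user's own MemberOf on lab.intra does NOT list groups of old.lan,
# because the link is stored on the group side in the other forest.
(Get-ADUser -Identity "jdoe" -Server "lab.intra" -Properties MemberOf).MemberOf   # "jdoe" is a constructed name
```

Two points worth knowing when reading the output: only domain local groups can contain principals from another forest, so the Scope column should read DomainLocal for groups used this way; and an unresolved entry with a bare SID usually means the trust (or DNS towards the other forest) is broken rather than that the object was deleted, so checking the trust is the first step before cleaning up members.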
