When merging with or acquiring another company, you may need to create a trust relationship so that resources can be shared between two Active Directory domains or two forests.
To make resources available across multiple domains and forests, we will create a trust between them.
Context
For this tutorial, we have two forests, each with two domains: technology.com and information.com.
We will be working on the technology.com domain controller to create a bidirectional trust relationship. Then, we will add a global group from the information.com domain to a local group in the technology.com domain, so that its members inherit the rights granted to that local group and can access the resources.
Prerequisites
The DNS servers of both domains must be able to communicate with each other.
Procedure
DNS change
To get started, go to your domain controller. In Tools, select DNS.
Then, right-click on Conditional Forwarders to add one.
Enter the name of the domain to be reached in the DNS Domain field.
When the configuration is complete, you will see this:
Perform the same operation on your second domain.
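The conditional forwarders described above can also be created and checked from PowerShell with the DnsServer module. The block below is an added example, not part of the original tutorial: it is run on a technology.com domain controller, and the DNS server IP addresses for information.com are constructed placeholders. The verification step resolves the _ldap._tcp.dc._msdcs SRV record of the remote forest, because that is what the trust wizard needs to locate a domain controller, not merely the A record of the domain name.

```powershell
# Added example (not from the original tutorial): create and verify conditional forwarders
# with the DnsServer module. Run this on a DC of technology.com, then the mirror image on
# a DC of information.com.
# Assumed values: the IP addresses below are constructed placeholders.
$Peers = @{
    'information.com' = @('10.20.0.10', '10.20.0.11')   # DNS servers of the other forest
}

foreach ($zone in $Peers.Keys) {
    if (-not (Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue)) {
        # ReplicationScope 'Forest' stores the forwarder in AD so every DC of the forest gets it.
        Add-DnsServerConditionalForwarderZone -Name $zone `
            -MasterServers $Peers[$zone] -ReplicationScope 'Forest'
    }
}

# Verification: the forwarder must exist and the remote forest's DC locator record must resolve.
foreach ($zone in $Peers.Keys) {
    $fwd = Get-DnsServerZone -Name $zone
    '{0}: type={1} masters={2}' -f $zone, $fwd.ZoneType, ($fwd.MasterServers -join ',')

    # SRV lookup used by the trust wizard and by Kerberos referrals across the trust
    Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$zone" -Type SRV |
        Select-Object Name, NameTarget, Port
}
```

If the SRV lookup fails while the forwarder is in place, check that UDP/TCP 53 is open between the DNS servers before going any further; the trust wizard will otherwise fail with a "domain not found" error that has nothing to do with the trust itself.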
Create a forest trust
Go to your domain controller. In Tools, select Active Directory Domains and Trusts.
Right-click on your domain name, then Properties.
Then, in the Trusts tab, choose New Trust …
Click Next >
Then fill in the DNS name of the other domain.
In our case, we need to create a bidirectional trust relationship between two forests. Adapt the steps that follow to your own case.
We select the second choice (forest trust).
We choose Two-way.
Then, Both this domain and the specified domain.
To create the trust relationship, authenticate with an administrator account of the specified domain.
Then make your choice for the local forest.
Again, make your choice for the specified forest.
A summary appears. Check it, then click Next.
The trust relationship is created successfully.
Confirm the outbound trust.
Confirm the inbound trust.
Finally, click Finish.
You will find additional information in the properties of your domain in the Active Directory Domains and Trusts console.
You will find similar information on the domain controller of the second forest.
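The same two-way forest trust can be created without the wizard, and the resulting trust object can be inspected for the properties that matter from a security standpoint. The block below is an added example and is not part of the original tutorial: it uses the System.DirectoryServices.ActiveDirectory .NET classes to create the trust from the technology.com side, the Get-ADTrust cmdlet to review it, and netdom to confirm the secure channel in both directions (the scripted counterpart of the "Confirm the outbound/inbound trust" steps). The credential prompt stands in for the specified-domain administrator the wizard asks for.

```powershell
# Added example (not from the original tutorial): create a two-way forest trust from a
# technology.com DC and review its security-relevant settings.
Add-Type -AssemblyName System.DirectoryServices

# Credentials of an administrator of the specified (remote) forest, as in the wizard.
$remoteCred = Get-Credential -Message 'Administrator of information.com'

$ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext(
    [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Forest,
    'information.com',
    $remoteCred.UserName,
    $remoteCred.GetNetworkCredential().Password)

$local  = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$remote = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ctx)

# Bidirectional corresponds to the wizard's "Two-way" choice applied to
# "Both this domain and the specified domain".
$local.CreateTrustRelationship($remote,
    [System.DirectoryServices.ActiveDirectory.TrustDirection]::Bidirectional)

# Review the trust as stored in AD. SIDFilteringForestAware (SID filtering) should stay
# enabled, and SelectiveAuthentication is the least-privilege option: with it, accounts
# from the other forest can only reach resources where they were explicitly granted
# "Allowed to Authenticate".
Import-Module ActiveDirectory
Get-ADTrust -Filter "Name -eq 'information.com'" -Properties * |
    Select-Object Name, Direction, ForestTransitive, IntraForest,
                  SIDFilteringForestAware, SelectiveAuthentication

# Confirm the secure channel in both directions (wizard steps "Confirm outbound/inbound trust").
netdom trust technology.com /d:information.com /verify /twoway
```

The "make your choice for the local forest" and "for the specified forest" steps of the wizard are where forest-wide versus selective authentication is chosen; the Get-ADTrust output above is the quickest way to check afterwards which one is in effect on each side.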
Adding a group from another domain
Back on the technology.com domain, go to Active Directory Users and Computers.
We select a local group from the technology.com domain. In the Members tab, we see that it contains only one global group, from this same domain.
Click Add. In Locations …, choose the previously trusted domain, then add a global group from that domain.
We now see that the local group has two global groups as members: one located in the technology.com domain and one located in the information.com domain.
When you validate your action and return to the members of your group, you will notice that the objects on the Members tab that belong to another domain are marked with a red upward arrow.
Members of the global group from the information.com domain inherit the rights granted to the local group of technology.com.
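The group nesting described above can be scripted and verified with the ActiveDirectory module. The block below is an added example, not part of the original tutorial; the group names DL-Shared-Data and G-Info-Users are placeholders. It checks the scope of the local group first, because only a Domain Local group can hold a group from another forest, adds the remote global group by object so that the cmdlet resolves its SID across the trust, and then lists the members, flagging those stored as foreign security principals, which is what the red upward arrow in the GUI denotes.

```powershell
# Added example (not from the original tutorial): nest a global group from the trusted
# forest into a domain local group and verify the result.
# Assumed values: 'DL-Shared-Data' and 'G-Info-Users' are placeholder group names.
Import-Module ActiveDirectory

$localGroup  = Get-ADGroup -Identity 'DL-Shared-Data' -Server 'technology.com'
$remoteGroup = Get-ADGroup -Identity 'G-Info-Users'  -Server 'information.com'

# Cross-forest members are only allowed in Domain Local groups; fail early otherwise.
if ($localGroup.GroupScope -ne 'DomainLocal') {
    throw "$($localGroup.Name) has scope $($localGroup.GroupScope); cross-forest members require DomainLocal."
}

# Pass the ADGroup object rather than its name so the foreign SID is resolved, not a local name.
Add-ADGroupMember -Identity $localGroup -Members $remoteGroup -Server 'technology.com'

# Review the membership directly from the 'member' attribute. Members from another forest
# are stored under CN=ForeignSecurityPrincipals in the local domain.
$memberDns = (Get-ADGroup -Identity $localGroup -Properties member -Server 'technology.com').member
foreach ($dn in $memberDns) {
    $obj = Get-ADObject -Identity $dn -Server 'technology.com' -Properties objectSid
    [pscustomobject]@{
        DistinguishedName = $dn
        ObjectClass       = $obj.ObjectClass
        SID               = $obj.objectSid.Value
        ForeignPrincipal  = $dn -like '*,CN=ForeignSecurityPrincipals,*'
    }
}
```

Reading the member attribute and resolving each entry with Get-ADObject is deliberate: Get-ADGroupMember tries to resolve foreign members through the trust and can fail when the remote forest is unreachable, whereas the foreign security principal object always exists locally and still carries the SID you want to audit.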