Active Directory – How to create forest trust

When merging with or acquiring another company, you may need to create a trust relationship so that resources can be shared between two Active Directory domains or two forests.

To make resources in one domain or forest available to users of another, we create a trust between them.


For this tutorial, we have two forests, each with two domains: and

We will be working on a domain controller of the domain to create a bidirectional (two-way) forest trust. Then, we will add a global group from the domain to a domain local group in the domain, so that its members inherit the rights granted to that local group on the resources.


Prerequisite: the DNS servers of both forests must be able to resolve each other's forest root domain (this is what the conditional forwarders below provide), and the domain controllers of both forests must be reachable from each other over the usual AD ports (DNS, Kerberos, LDAP, RPC and SMB).


DNS change

To get started, go to your domain controller. In Server Manager, open Tools and select DNS.


Then, right-click Conditional Forwarders to add a new one.


Enter the DNS name of the forest root domain to be reached, together with the IP address of at least one of its DNS servers.


When the configuration is complete, you will get this:


Perform the same configuration on the DNS server of the second forest, pointing back to the first one.
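The same conditional forwarder created from PowerShell, with a resolution check at the end. This is an added example and not part of the original tutorial; the forest name `forest-b.example` and the DNS server address `10.20.0.10` are assumptions and must be replaced by your own values.

```powershell
# Added example, not the article's own code.
# Assumptions: we are on a DNS server / domain controller of the local forest, and the remote
# forest root is forest-b.example with a DNS server at 10.20.0.10.
Import-Module DnsServer

$RemoteForest   = 'forest-b.example'   # assumption: remote forest root domain
$RemoteDnsHosts = @('10.20.0.10')      # assumption: DNS server(s) of the remote forest

# Create the conditional forwarder only if it does not already exist.
# Storing it in AD with forest-wide replication means every DNS server of the local forest
# learns it, so the trust works from any domain controller, not only from this one.
if (-not (Get-DnsServerZone -Name $RemoteForest -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $RemoteForest `
        -MasterServers $RemoteDnsHosts `
        -ReplicationScope 'Forest' `
        -PassThru
}

# Verification: the New Trust wizard locates the remote domain controllers through the
# _msdcs SRV records, so this query must return at least one record before continuing.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$RemoteForest" -Type SRV
```

Run the same commands on the other forest with the names swapped. If the SRV query fails, fix DNS before opening the trust wizard: the error it reports in that situation ("the specified domain either does not exist or could not be contacted") is almost always a resolution problem.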


Create a forest trust

Go to your domain controller. In Server Manager, open Tools and select Active Directory Domains and Trusts.

Right-click your domain name, then Properties.

Then, in the Trusts tab, choose New Trust…


Click Next >


Then fill in the DNS name of the forest root domain of the other forest.


In our case, we need a two-way trust between two forests. Adapt the following steps to your own situation.

We select the second choice, Forest trust.


We choose Two-way.


Then, Both this domain and the specified domain.


To create the trust relationship, provide the credentials of an account with administrative rights in the specified forest (a member of Domain Admins or Enterprise Admins there).


Then choose the outgoing trust authentication level for the local forest. Forest-wide authentication lets every user of the other forest authenticate to any computer in this forest (they become part of Authenticated Users here); selective authentication only lets them authenticate to computers on which they have explicitly been granted the Allowed to Authenticate permission, which is the least-privilege choice.


Again, make the same choice for the specified forest.


A summary appears. Check it and click Next.


The trust has been created successfully.


Confirm the outgoing trust.


Confirm the incoming trust.

Finally, click Finish.


Additional information is available in the Trusts tab of your domain's properties in the Active Directory Domains and Trusts console.


You will find the same trust, seen from the other side, on a domain controller of the second forest.
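Checking the trust from PowerShell rather than the console, and in particular the properties that matter for security. This is an added example, not code from the original tutorial; `forest-b.example` is an assumed name for the remote forest.

```powershell
# Added example, not the article's own code.
# Assumption: run on a domain controller of the local forest; the remote forest root is forest-b.example.
Import-Module ActiveDirectory

$RemoteForest = 'forest-b.example'   # assumption: remote forest root domain

# The trust object as stored in AD. Beyond Direction and ForestTransitive, look at:
#  - SelectiveAuthentication: True means users of the other forest can only authenticate to
#    computers where they were granted "Allowed to Authenticate" (least privilege).
#  - SIDFilteringForestAware / SIDFilteringQuarantined: the SID filtering state. SID filtering is
#    on by default for a forest trust; it must stay on unless you are in the middle of a migration
#    that relies on SID history, because it is what blocks forged SIDs in tickets coming from the
#    other forest.
#  - TGTDelegation: whether unconstrained delegation is honoured across the trust (should be False).
Get-ADTrust -Filter "Name -eq '$RemoteForest'" |
    Select-Object Name, Direction, TrustType, ForestTransitive,
                  SelectiveAuthentication, SIDFilteringForestAware,
                  SIDFilteringQuarantined, TGTDelegation

# Verify that the secure channel with the trusted forest actually works.
netdom trust $env:USERDNSDOMAIN /domain:$RemoteForest /verify

# List all trusts known to this domain controller, including the ones inherited transitively.
nltest /domain_trusts
```

If `netdom trust ... /verify` fails while the trust object exists, check the DNS forwarders of both forests first, then the time difference between the two forests (Kerberos tolerates five minutes by default).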


Adding a group from another domain

Back in the domain, open Active Directory Users and Computers.


We select a domain local group in the domain. In the Members tab, we see that it has only one member, a global group from this same domain.


Select Add… then, in Locations…, choose the trusted domain so that you can pick a global group from that domain.


The local group now has two global groups as members: one located in the domain and one located in the domain


When you confirm and return to the Members tab, the objects that belong to the other domain are shown with a red upward arrow: Active Directory represents them as foreign security principals.


Members of the global group in the domain now inherit the rights granted to the local group in
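The same cross-forest group nesting done from PowerShell, with a membership listing that resolves the foreign security principals back to readable names. This is an added example and not the tutorial's own code; the group and domain names in it are assumptions.

```powershell
# Added example, not the article's own code.
# Assumptions: the local domain has a domain local group "FileShare-RW"; the trusted domain
# corp.forest-b.example has a global group "Sales" that should get the local group's rights.
Import-Module ActiveDirectory

$LocalGroup   = 'FileShare-RW'            # assumption: domain local group in the local domain
$RemoteDomain = 'corp.forest-b.example'   # assumption: trusted domain
$RemoteGroup  = 'Sales'                   # assumption: global group in the trusted domain

# Look the global group up in the trusted domain; the query is answered through the trust.
$remote = Get-ADGroup -Identity $RemoteGroup -Server $RemoteDomain

# Nest it in the local group. AD stores a foreignSecurityPrincipal object for it under
# CN=ForeignSecurityPrincipals (the entry with the red upward arrow in the GUI).
Add-ADGroupMember -Identity $LocalGroup -Members $remote

# Verify: list the members and translate foreign SIDs to DOMAIN\Name so the result is readable.
Get-ADGroupMember -Identity $LocalGroup | ForEach-Object {
    if ($_.objectClass -eq 'foreignSecurityPrincipal') {
        [PSCustomObject]@{
            Member = $_.SID.Translate([System.Security.Principal.NTAccount]).Value
            Type   = 'foreign (via trust)'
        }
    } else {
        [PSCustomObject]@{ Member = $_.Name; Type = $_.objectClass }
    }
}
```

Keep the nesting in this direction (global group of the trusted domain inside a domain local group of the resource domain): it is the only way the rights can be reviewed from the resource side, and a member removed from the remote global group loses access immediately at the next logon.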


A Microsoft and virtualization engineer, I am first of all computer-savvy. I share my time between this website, my engineering job and an intense sporting activity.