Creating and Administering Trusts 2003

Before creating a trust, verify that the domain controllers of both domains can locate each other and resolve each other's names. This usually means configuring each domain's DNS servers to resolve the other domain, for example with a secondary zone or a conditional forwarder for the other domain's DNS name. If the SRV records of the other domain cannot be resolved, the New Trust Wizard will fail.


Trusts are managed through the Active Directory Domains and Trusts console. Click on Start. Select Administrative Tools. Select Active Directory Domains and Trusts.

The Active Directory Domains and Trusts console will appear for the first domain, puma.com. Right-click on puma.com to view its properties. Select Properties. Select the Trusts tab. Currently this domain trusts no other domains. Click on New Trust to create a new trust. The New Trust Wizard will appear. Click on Next to continue. Type the full DNS name of the domain to be trusted. Click Next to continue. The Trust Type page will appear. Select External Trust and click Next to continue.

The wizard will then ask for the direction of the trust. Select Two-way and click Next to continue. Select Both this domain and the specified domain to create the trust in both domains at once. N.B. You will need the appropriate permissions in the other domain to create trusts there. Click Next to continue. Type in the user name and password of an account with administrative rights in the specified domain. Click Next to continue. Select the authentication level for the trust (domain-wide or selective, see Selective Authentication below) and click Next to continue.

A summary page will appear. Review all of the settings and click on Next to create the trust. The wizard informs you that the trust has been created. Click on Next to configure the trust. The Confirm Outgoing Trust page appears. The trust can only be confirmed if both sides have been created. Click on Next to continue. The Confirm Incoming Trust page appears. Again, the trust can only be confirmed if both sides have been created. Click on Next to continue. The new trust is successfully created. Select Finish.

Creating Trusts

Once the trust has been established from the first domain it should be verified from the other domain. The ES-NET domain currently has no other domains within its forest. Right-click on ES-NET.co.uk to manage trusts for this domain. Select Properties. Select the Trusts tab. Because both sides were created in the wizard, the trust already exists on the ES-NET domain. To verify this trust select the puma.com entry. Select Properties. Click Validate. Select Yes, validate the incoming trust. Type in the user name and password of a puma.com domain administrator. Click OK to continue. The trust has been validated and is active. Click OK to continue. The trusts are now active: users from either domain can be granted access to resources in the other. es-net.co.uk now trusts puma.com and vice versa. N.B. An external trust is not transitive: the other domains in the ES-NET forest will not automatically trust puma.com, and only the two domains named in the trust can use it. External trusts created on Windows Server 2003 domain controllers also have SID filtering (quarantine) enabled by default, so SIDs that do not belong to the trusted domain, including SID history entries, are discarded at the trust boundary; do not disable it unless a migration specifically requires it.
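The same procedure from the command line, as an added example that is not part of the original lesson: the DNS check, the creation of the two-way external trust on both sides, the equivalent of the Validate button, and a check of the SID filtering state the wizard never shows. It uses netdom.exe and nltest.exe from the Windows Server 2003 Support Tools, run on a puma.com domain controller by a puma.com Domain Admin. The domain names are the lesson's; the ES-NET account name is an assumption.

```powershell
# Added example (not from the original lesson): wizard steps done with netdom.exe and nltest.exe
# (Windows Server 2003 Support Tools), run on a DC in puma.com as a puma.com Domain Admin.
$Trusting     = "puma.com"
$Trusted      = "es-net.co.uk"
$TrustedAdmin = "ES-NET\Administrator"   # assumption: an account allowed to create trusts in es-net.co.uk

function Test-DcLocation {
    # Lesson step 1: both domains must be able to locate each other's domain controllers.
    # nltest /dsgetdc runs the same DC Locator (DNS SRV record) lookup the trust wizard depends on.
    param([string]$Domain)
    $out = nltest /dsgetdc:$Domain /force 2>&1
    if (-not ($out -match 'The command completed successfully')) {
        throw "Cannot locate a DC for $Domain - fix DNS (secondary zone or conditional forwarder) first:`n$out"
    }
    $out
}

Test-DcLocation $Trusting
Test-DcLocation $Trusted

# Lesson step 2: external, two-way trust, created on both sides in one command.
# /d is the trusted domain; /userD and /passwordD are credentials in that domain. The trusting side
# uses the caller's credentials. '*' makes netdom prompt for the password rather than putting it on
# the command line (where it would end up in shell history and process listings).
netdom trust $Trusting /d:$Trusted /add /twoway /userD:$TrustedAdmin /passwordD:*
if ($LASTEXITCODE -ne 0) { throw "netdom trust /add failed with exit code $LASTEXITCODE" }

# Lesson step 3: the equivalent of the Validate button - checks the trust secret and secure channel.
netdom trust $Trusting /d:$Trusted /verify /userD:$TrustedAdmin /passwordD:*
if ($LASTEXITCODE -ne 0) { throw "Trust verification failed" }

# Checks the wizard does not show: with no yes/no argument, /quarantine reports whether SID filtering
# is on for this trust (the default for external trusts created on Server 2003), and nltest lists
# every trust the DC now knows about together with its flags.
netdom trust $Trusting /d:$Trusted /quarantine
nltest /domain_trusts /all_trusts
```

Run the two `Test-DcLocation` calls first on a DC in each domain; if either fails, the trust wizard will fail for the same reason. The `/verify` and `/quarantine` queries work the same way for the forest trust created in the next section.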

Creating a Cross Forest Trust

Before creating a cross-forest transitive trust verify that both forests are configured with the Windows Server 2003 forest functional level; the wizard will not offer Forest Trust otherwise. A forest trust is created between the root domains of the two forests. Open the Active Directory Domains and Trusts console in the first forest, puma.com, and right-click on the forest root domain to view its properties. Select Properties. Select the Trusts tab. Currently this domain trusts no other domains. Click on New Trust to create a new trust. The New Trust Wizard will appear. Click on Next to continue. Type the full DNS name of the forest to be trusted. Click on Next to continue. From the Trust Type page select Forest Trust and click Next to continue. Select Two-way and click Next to continue. To create the trust on both sides select Both this domain and the specified domain and click Next. Type in the user name and password of an account with administrative rights in the specified forest. Click Next to continue. Select the authentication level for the local forest and click Next to continue. The Trust Selections Complete page will appear. Review your settings and click Next to continue. The Trust Creation Complete page appears. Click Next to configure the newly created trust. The Confirm Outgoing Trust page appears. The trust can only be confirmed if both sides have been created. Click on Next to continue. The Confirm Incoming Trust page appears. Again, the trust can only be confirmed if both sides have been created. Click on Next to continue. The new trust is successfully created. Select Finish. The Active Directory Domains and Trusts console now shows a Forest trust with ES-NET. Unlike the external trust, a forest trust is transitive between the two forests: every domain in the ES-NET forest now trusts every domain in the puma.com forest and vice versa, so the authentication level chosen here applies to all of them.

Selective Authentication

When creating a trust you are given the choice between domain-wide (or forest-wide) authentication and selective authentication. Domain-wide or forest-wide authentication allows every user in the trusted domain or forest to authenticate to any computer in the trusting domain, and once authenticated they receive whatever access Authenticated Users and Everyone have there. Selective authentication lets you specify which trusted users can authenticate to which computers by granting them the Allowed to Authenticate permission on the computer object; a trusted user without it is refused before any resource permissions are checked. Allowed to Authenticate is an extended right, so the advanced view must be enabled in Active Directory Users and Computers to see it. Click View. Select Advanced Features. Select the Computers folder. Right-click the selected computer. Click Properties. Select the Security tab. The ACL for the computer is displayed. Users from the trusted domain can now be added. Here Geoff Prior, a user from the ES-NET domain, has been added. Select Allowed to Authenticate. The ES-NET user is now allowed to authenticate to this selected computer only. N.B. Allowed to Authenticate is in addition to, not instead of, the share and NTFS permissions on the resource itself, and it must be granted on every computer (or inherited from an OU or granted to a group) that trusted users need to reach.
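The selective authentication setup from the command line, as an added example that is not part of the original lesson: switching the trust to selective authentication, granting one ES-NET user Allowed to Authenticate on one puma.com computer, and reading the ACL back. It uses netdom.exe and dsacls.exe from the Windows Server 2003 Support Tools on a puma.com domain controller. The computer FS01 and the account ES-NET\gprior are assumptions standing in for the computer and the Geoff Prior account shown in the lesson.

```powershell
# Added example (not from the original lesson): selective authentication with netdom.exe and
# dsacls.exe (Windows Server 2003 Support Tools), run on a puma.com DC as a puma.com Domain Admin.
$Trusting    = "puma.com"
$Trusted     = "es-net.co.uk"
$ComputerDN  = "CN=FS01,CN=Computers,DC=puma,DC=com"   # assumption: the resource server's computer object
$TrustedUser = "ES-NET\gprior"                         # assumption: the trusted-domain account

# 1. Switch the trust to selective authentication. From now on every puma.com computer refuses
#    es-net.co.uk users unless the user holds Allowed to Authenticate on that computer's object.
netdom trust $Trusting /d:$Trusted /SelectiveAUTH:yes
if ($LASTEXITCODE -ne 0) { throw "Could not enable selective authentication" }

# 2. Grant the extended right on the computer object. dsacls' /G syntax for a control access right
#    is "principal:CA;<right display name>", the display name being the one the Security tab shows.
#    $($TrustedUser) is needed because "$TrustedUser:CA" would parse as a scope-qualified variable.
dsacls $ComputerDN /G "$($TrustedUser):CA;Allowed to Authenticate"
if ($LASTEXITCODE -ne 0) { throw "dsacls grant failed" }

# 3. Read the ACL back and confirm the ACE exists before the user is told to try; dsacls prints
#    every ACE on the object, so a missing principal means the grant did not apply.
$acl = dsacls $ComputerDN
if (-not ($acl -match [regex]::Escape($TrustedUser))) {
    throw "No ACE for $TrustedUser found on $ComputerDN"
}
$acl | Select-String 'Allowed to Authenticate'   # which principals may authenticate to this computer

# 4. Confirm the trust flags changed; the trust attribute for selective authentication shows up
#    in the flags nltest prints for es-net.co.uk.
nltest /domain_trusts /all_trusts
```

After this, gprior can authenticate to FS01 but to no other puma.com computer, and still only sees what the share and NTFS permissions on FS01 grant him. To cover several servers, grant the right to a puma.com domain local group on each computer object (or on the OU with inheritance) and put the trusted accounts in that group rather than adding ACEs one user at a time.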