Active DirectoryMicrosoft Technologies

Configuring Trusts – Part 4

This is the last part of the series which explain about “Trusts” between infrastructures. If you not checked the other 3 parts yet you can find them in here.

Configuring Trusts – Part 1
Configuring Trusts – Part 2
Configuring Trusts – Part 3

This article will explain how to configure trusts between infrastructures.

Demo Setup

For the demonstration I will be using following setup.

Organization

Domain

Primary DC

Contoso Ltd.

Contoso.com

Microsoft Windows Server 2012 R2

XYZ Ltd.

Xyz.com

Microsoft Windows Server 2012 R2

I am going to initiate a “Forest Trust” between the 2 organizations. It will be Two-Way trust which allows each forest, domains and users to access “allowed” resources in each organization infrastructure.

Before start the process the initial step is to make sure following ports are open in firewalls in both organizations to initiate the trusts.

UDP Port 88 – Kerberos Protocol
TCP and UDP Port 387 – LDAP
TCP Port 445 – Microsoft SMB
TCP Port 135 – Trust endpoint resolution

In order to initiate a trust you need to login as user account which is member of Domain Admins or Enterprise Admins groups.

Also you need to consider about the DNS ( domain name services )before proceed with the trust initiation process. If both organizations using root DNS server coming for both forests it will not be an issue. But if not you need to create DNS Zones in each forest dns servers. In here for the demo I have setup secondary dns zone with transferring copy of running DNS zone on XYZ.com. I have explain DNS zone setup in one of my previous articles in blog. If you not familiar with the process please refer to it here

dns1

1)    To start the process I will log in to contoso.com domain as enterprise administrator.

2)    Then Server Manager > Active Directory Domains and Trusts

t1

3)    In active directory domains and trust snap-in right click on contoso.com domain and click properties

t2

4)    In next window go to “Trusts” tab and click on “New Trust” button

t3

5)    It will open the “New Trust Wizard” click next to start the process

t4

6)    In next window we need to specify the DNS name or the netbios name of the domain we going to initiate trust with. In our demo it will be “xyz.com”. then click next to continue

t5

7)    In next window we need to select the trust type. I have selected “Forest Trust” and click next to continue

t6

8)    We are going to setup “Two-Way” trust so in next window I selected “Two-way” from the list and click continue

t7

9)    Trusts are need to initiate in both sides. But if you have appropriate access permissions to the remote forest, you can initiate it. In next window it give option to initiate the trust in remote forest. Since I do have access I select “Both this domain and specified domain” and click next

t8

10)    In next window I have specified the logins to initiate trust in remote forest (the account need to be member of Domain Admins or Enterprise Admins groups). Then click next to continue

t9

11)    In next windows it ask to select the authentication scope for local forest. In here I select forest-wide authentication

t10

12)     In next windows it ask to select the authentication scope for remote forest. In here I select forest-wide authentication

t11

13)    In  next window it gives brief description about the selections we made and click next to initiate the trust

t12

14)    In next window it asks about routed name suffixes for the local forest. I will use default and click next

t13

15)    In another window it asks to confirm the outgoing trust. Since we initiated the other side of trust, select yes and click next

t14

16)    Next window it asks to confirm incoming trust. Since we initiated the other side of trust, select yes and click next

t15

17)    Then it gives confirmation about the successfully create trust. Click finish to exit from wizard.

t16

18)    In remote XYZ.com we can confirm the initiate trust by looking in to domain properties like we did in steps 1-3

t17

This completes the process of creating forest-trust. The options selected on process will change based on trust type, authentication scope etc.

Testing

For the testing purpose of the trust I have created following scenario.

Contoso domain file server hosts a folder called “Share-Contoso”. We need to provide access to user account called “xyz-user” from XYZ forest to this particular folder.

After initiating the trust, when we going to apply share permission to the “Share-Contoso” folder now we can select users from the XYZ.com domain.

sh1

sh2

After applying permissions I am trying to log in to contoso file server from remote location ( here I used a pc which is not added to domain ) and once its ask to provide logins I have provided the login info for xyz-user for XYZ.com domain.

sh3

Once it’s authenticated we can see it’s provided the access to relevant share.

sh4

As we can see the trust is successfully initiated. If you have any questions feel free to contact me on rebeladm@live.com

Related posts
Cyber SecurityMicrosoft Entra IDMicrosoft Technologies

Microsoft Entra lifecycle workflows Part 02 - How to synchronize value for employeeHireDate attribute from on-premises Active Directory ?

In my previous blog post, I explained how we can automate JML (Joiners/Movers/Leavers) process by…
Read more
Azure servicesMicrosoft Entra IDMicrosoft Technologies

Step-by-Step Guide : Automate JML(Joiners/Movers/Leavers) process with Microsoft Entra lifecycle workflows

JML (Joiners/Movers/Leavers) process of an organization has a major impact on its security and…
Read more
Cyber SecurityMicrosoft DefenderMicrosoft Technologies

Microsoft Defender for Identity Part 02 – Create Directory Service Account

In Part 01 of Microsoft Defender for Identity blog series, I have explained about Microsoft Defender…
Read more
Newsletter
Become a Trendsetter

Sign up and get the best of RebelAdmin, tailored for you.

2 Comments

Leave a Reply

Your email address will not be published. Required fields are marked *