Site Tools


windows:windowsserver:activedirectory:trust

Trust

I connected 3 AD's to test the trust. They are named: AD1, AD2, AD3.

Set a trust

First you need to enable Zonetransmission on all 3 servers. To do this go to DNS → Domain → rightclick → Options → Zonetransmission → enable Zonetransmission. You also need to enter all DNS-suffix. Go to networkoptions, Internetprotocoll IP4 → options → advanced → tab DNS. Check “attach DNS-suffix” and add at the lower “add” button the DNS-suffix of the AD (ad.local,…).

Now you have to configurate a “Stubzone” for each AD. In DNS → rightclick on Forward-Lookupzone → new Zone → Stubzone → on all DNS-servers, which are listet on Domaincontrollers in the structure. You will be asked for a “Zonename”. This has to be the Domain (ad1.local….). After this add the ip of the server, then rightclick on the directory below in Reverse-Lookupzone → new Pointer (PTR), to add a new Pointer. Add the same ip as before and browse to the zone in Forward-Lookupzone to the FQDN entry.

If this is done you can add the trust of AD1 over the administrationtool “add Active Directory Domains and Trust”. To do so, rightclick on Domain → tab Trusts → new Trust. First enter a domain, for example “ad2.local”. In the next step select the “Fullstructuretrust” and Unidirectional: incoming“. Now users from AD1 can login on AD2 but AD2 cant login on AD1. Now select “for this domain and the entered domain” to create the trust on both ADs. You have to enter the Administrator and the Password and at last select “fullstructure authentification”. The rest can just be completed by clicking finish.

Users of AD1 can now login on AD2 with their username and password.

windows/windowsserver/activedirectory/trust.txt · Last modified: 2017/03/01 12:50 by 127.0.0.1