How to configure the forest level trust relationship in Windows 2003 Server?

A forest-level trust relationship allows two entire forests to share resources and allows selected users to access select resources.

  1. Open Active Directory Domains And Trusts from Administrative Tools.
  2. In the console tree pane, select and right-click the domain node for the forest root for which you want to create a trust.
  3. Select Properties.
  4. Select the Trusts tab in the Properties dialog box.
  5. Click New Trust and click Next (skip the Welcome screen).
  6. On the Trust Name page, enter the DNS name of the target domain for your trust (for our example, it is and click Next.
  7. Select Forest Trust on the Trust Type page and click Next. (If the Forest Trust option is missing, you may have omitted one of the prerequisites. In that case, double-check the DNS Forwarders tab and the forest functional level of all the domains in both forests.)
  8. Choose a direction for the trust relationship: Two-Way, One-Way Incoming, or One-Way Outgoing.
      • Two-Way: All users in both forests will be able to access all resources in both forests.
      • One-Way Incoming: All users in this forest will be able to access all resources in the other forest but not vice versa.
      • One-Way Outgoing: All users in the target forest will be able to access all resources in this forest but not vice versa.
      • After you have chosen, click Next.
  9. Resource access is still governed by permissions in the domain where the resource exists. The trust direction provides access to all resources where permissions allow access. Select the sides of the trust relationship: This Domain Only or Both This Domain and the Target Domain.
      • This Domain Only: Creates the trust relationship in this domain only; an administrator on the other end will have to complete the other trust.
      • Both This Domain and the Target Domain: Requires sufficient access in the remote domain and will allow you to complete the trust setup.
  10. Select the appropriate path, depending on the choices you made in the previous two steps.
      • If you chose Two-Way or One-Way Outgoing in step 8 and This Domain Only in step 9, you will need to select a trust authentication level. Domain-Wide Authentication will authenticate all users in the remote forest for all resources in the local forest. Choosing Selective Authentication will allow you to specify which users in the remote domain have access to local resources. Click Next. Enter a password for the trust and click Next.
      • If you chose One-Way Incoming in step 8 and This Domain Only in step 9, enter the password for the trust in the Trust Password and Confirm Password boxes. Click Next.
      • If you selected both domains (this domain and the selected domain) in step 9, a username and password box will appear to allow you to enter the username and password of an administrator account in the target forest. Click Next.
  11. On the next screen, verify all of your selections. When you click Next, the wizard creates the trust. Verify the settings of the new trust.
  12. Confirm the outgoing trust. Select Yes if you created both sides of the trust; select No if you did not.
  13. Click Finish in the Creating the Trust wizard.

The new trust will appear on the Trusts tab in the Properties dialog box for the domain.
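
Once the wizard has finished, the direction chosen in step 8 and the authentication level chosen in step 10 can be read back and checked. The script below is an added example, not part of the original article: it uses the .NET System.DirectoryServices.ActiveDirectory classes from PowerShell on a domain-joined machine, and the function name Get-ForestTrustAudit and the Review column are made up for illustration.

```powershell
# Added example (not from the original article): read back the forest trusts of
# the current forest and flag the ones that expose local resources without
# Selective Authentication. Assumes a domain-joined machine and an account that
# may read trust information. Get-ForestTrustAudit is a hypothetical name.
function Get-ForestTrustAudit {
    $forest      = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $inboundOnly = [System.DirectoryServices.ActiveDirectory.TrustDirection]::Inbound

    foreach ($trust in $forest.GetAllTrustRelationships()) {
        $selective = $null
        $review    = ''

        # Outbound and Bidirectional correspond to the wizard's One-Way Outgoing
        # and Two-Way: users in the target forest can reach resources here.
        $exposesLocal = ($trust.TrustDirection -ne $inboundOnly)

        try {
            $selective = $forest.GetSelectiveAuthenticationStatus($trust.TargetName)
        }
        catch {
            # Report a failed status query (for example, insufficient rights)
            # instead of aborting the whole audit.
            $review = "status unavailable: $($_.Exception.Message)"
        }

        if ($exposesLocal -and $selective -eq $false) {
            $review = 'not selective: all users in the remote forest can authenticate to local resources'
        }

        New-Object PSObject -Property @{
            Source        = $trust.SourceName
            Target        = $trust.TargetName
            Type          = $trust.TrustType
            Direction     = $trust.TrustDirection
            SelectiveAuth = $selective
            Review        = $review
        } | Select-Object Source, Target, Type, Direction, SelectiveAuth, Review
    }
}

Get-ForestTrustAudit | Format-Table -AutoSize
```

An empty Review column means the trust is either incoming only or already restricted with Selective Authentication; resource permissions in the local domain still apply in every case.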

