Microsoft Windows – Setup Two-way Domain/Forest Trust

Release date: June 14th 2019

Welcome to my Microsoft Tips & Tricks section. For a customer of mine, I was asked about VMware Horizon in a multi-domain setup. As I haven’t done this in a while, I thought I should set it up in my lab. This post describes setting up the trust between two domains/forests. I will be using Microsoft Windows Server 2016 for this setup. A prerequisite for this to work is that the necessary firewall ports are opened between the domain controllers.

I have divided this exercise into the following tasks:

  • Set up domain controller in new VLAN and IP subnet
  • Set up DNS conditional forwarders
  • Verify connectivity between domain controllers
  • Establish trust


Set up domain controller in new VLAN and IP subnet

First, I deploy a new VM in another VLAN, separate from my running Active Directory domain controllers, to simulate a multi-domain scenario. My existing domain/forest ad.admin.frelab.net is located in the 172.16.0.0 subnet, with these domain controllers: ad-01.ad.admin.frelab.net (172.16.0.20) and ad-02.ad.admin.frelab.net (172.16.0.18).

In my lab environment, my new domain/forest will be in VLAN 11 with the subnet 10.0.11.0/24. The new domain controller will have the following IP setup:

SecondaryDomainAndTrust-00

Domain/forest name: frelabtest.net

DNS name: dc-01.frelabtest.net (Make sure the server name is NOT the same as that of an existing domain controller in the domain you are going to trust!)

I won’t go through the deployment of the VM, the installation of Windows Server 2016, adding roles and promoting the server to domain controller, as I believe my audience is capable of doing this on their own. But after having this up and running, I make sure to run the Best Practices Analyzer in Server Manager to verify functionality in my new domain.


Set up DNS conditional forwarders

Before I can set up the trust between the domains/forests, I need to set up DNS conditional forwarders. I could have used secondary zones, stub zones etc., but the easiest way to do this is via conditional forwarders. I first log into my new domain controller, dc-01.frelabtest.net, and run this PowerShell command: “Add-DnsServerConditionalForwarderZone -Name ad.admin.frelab.net -MasterServers 172.16.0.20”

SecondaryDomainAndTrust-01


In DNS manager, the new conditional forwarder is now present.

SecondaryDomainAndTrust-02


If I check the properties of my conditional forwarder, I see that it is unable to resolve the master server.

SecondaryDomainAndTrust-03


I add my second domain controller in ad.admin.frelab.net, 172.16.0.18.

SecondaryDomainAndTrust-04


I add the domain controllers in ad.admin.frelab.net to the forwarders list on dc-01.frelabtest.net, so that the names of the master servers in my conditional forwarder can be resolved.

SecondaryDomainAndTrust-021


I can now verify that name resolution works on the conditional forwarder.

SecondaryDomainAndTrust-022


Next, I log into one of my domain controllers in ad.admin.frelab.net, and add a conditional forwarder to frelabtest.net, using this PowerShell command: “Add-DnsServerConditionalForwarderZone -Name frelabtest.net -MasterServers 10.0.11.20”

SecondaryDomainAndTrust-06


In DNS Manager, my new forwarder is now present.

SecondaryDomainAndTrust-07

I open the properties of the new forwarder and select “Store this conditional forwarder in Active Directory, and replicate it”, in order to replicate this DNS forwarder to my other DNS server in the ad.admin.frelab.net domain.

SecondaryDomainAndTrust-07_1
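The forwarder setup from this section as one script, added here as an example and not taken from the original post. It combines the steps above (both ad.admin.frelab.net domain controllers as master servers, the extra forwarders on dc-01, and the conditional forwarder on the ad.admin.frelab.net side stored in Active Directory) and ends each side with a resolution check; names and addresses are the lab values from the post.

```powershell
# Added example, not from the original post. Part 1 runs on
# dc-01.frelabtest.net, part 2 on a DC in ad.admin.frelab.net.

# --- Part 1: on dc-01.frelabtest.net ----------------------------------------
$adDcs = @('172.16.0.20', '172.16.0.18')   # ad-01 and ad-02 in ad.admin.frelab.net

# Conditional forwarder for the existing forest, with both DCs as masters.
# -ReplicationScope Forest stores it in AD and replicates it to any other
# DNS server in frelabtest.net (the checkbox the post ticks in the GUI).
if (-not (Get-DnsServerZone -Name 'ad.admin.frelab.net' -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name 'ad.admin.frelab.net' `
        -MasterServers $adDcs -ReplicationScope 'Forest'
}

# DNS Manager shows the master servers by name; until dc-01 can resolve those
# names the properties page reports "unable to resolve". The post fixes this
# by adding the remote DCs as ordinary forwarders on dc-01.
Add-DnsServerForwarder -IPAddress $adDcs -PassThru

# Check: the DC locator SRV records of the remote forest should now resolve.
Resolve-DnsName -Name '_ldap._tcp.dc._msdcs.ad.admin.frelab.net' -Type SRV |
    Where-Object Type -eq 'SRV' | Select-Object Name, NameTarget, Port

# --- Part 2: on ad-01.ad.admin.frelab.net (or ad-02) ------------------------
$newDc = '10.0.11.20'                        # dc-01.frelabtest.net

if (-not (Get-DnsServerZone -Name 'frelabtest.net' -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name 'frelabtest.net' `
        -MasterServers $newDc -ReplicationScope 'Forest'
}

Resolve-DnsName -Name '_ldap._tcp.dc._msdcs.frelabtest.net' -Type SRV |
    Where-Object Type -eq 'SRV' | Select-Object Name, NameTarget, Port
```

Adding the remote DCs as general forwarders sends every query dc-01 cannot answer itself to those servers, which is fine in a lab; in production keep your normal forwarders and let the conditional forwarder alone carry the traffic for ad.admin.frelab.net.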


Verify connectivity between domain controllers

Now that I have my DNS conditional forwarders in place, I will do a quick check of name resolution before I proceed.

From dc-01.frelabtest.net:

SecondaryDomainAndTrust-08


From ad-02.ad.admin.frelab.net:

SecondaryDomainAndTrust-09


As name resolution is now working between the two domains, I can proceed with establishing the trust.
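The check from this section scripted, as an added example that is not from the original post, extended with a TCP probe of the ports a forest trust needs through the firewall the introduction lists as a prerequisite. The port list is Microsoft's standard list for domain and forest trusts; the dynamic RPC range is noted but not probed. Run from dc-01.frelabtest.net with the post's lab values; swap the two variables to run it from the other side.

```powershell
# Added example, not from the original post. Run on dc-01.frelabtest.net;
# set $remoteDomain/$remoteDcs to frelabtest.net / 10.0.11.20 when run from
# a DC in ad.admin.frelab.net.
$remoteDomain = 'ad.admin.frelab.net'
$remoteDcs    = @('172.16.0.20', '172.16.0.18')

# 1. Name resolution: the conditional forwarder must return the remote DC
#    locator SRV records and the A records of the DCs they point to.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$remoteDomain" -Type SRV -ErrorAction Stop |
       Where-Object Type -eq 'SRV'
$srv | Select-Object NameTarget, Port | Format-Table -AutoSize
foreach ($dc in $srv.NameTarget) {
    Resolve-DnsName -Name $dc -Type A -ErrorAction Stop | Select-Object Name, IPAddress
}

# 2. Port reachability (TCP only: Kerberos and DNS also use UDP, which
#    Test-NetConnection does not probe). The dynamic RPC range 49152-65535
#    must be open as well but cannot be verified with a single port.
$trustPorts = @{
    53 = 'DNS'; 88 = 'Kerberos'; 135 = 'RPC endpoint mapper'; 389 = 'LDAP';
    445 = 'SMB'; 464 = 'Kerberos password change'; 636 = 'LDAPS';
    3268 = 'Global Catalog'; 3269 = 'Global Catalog SSL'
}
$results = foreach ($dc in $remoteDcs) {
    foreach ($port in ($trustPorts.Keys | Sort-Object)) {
        $ok = (Test-NetConnection -ComputerName $dc -Port $port `
                   -WarningAction SilentlyContinue).TcpTestSucceeded
        [pscustomobject]@{ DC = $dc; Port = $port; Service = $trustPorts[$port]; Open = $ok }
    }
}
$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Open }) {
    Write-Warning 'One or more trust ports are blocked; fix the firewall before running the New Trust Wizard.'
}
```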


Establish trust

To create the trust, I log into dc-01.frelabtest.net and start the Active Directory Domains and Trusts MMC. I right-click frelabtest.net and open Properties.

SecondaryDomainAndTrust-10


From the Trusts tab, I click “New Trust…”

SecondaryDomainAndTrust-11


The New Trust Wizard launches, Next…

SecondaryDomainAndTrust-12


I enter the DNS name of my existing domain/forest, ad.admin.frelab.net, Next…

SecondaryDomainAndTrust-13


For this lab setup, I choose Forest Trust, Next…

SecondaryDomainAndTrust-14


This will be a Two-way Trust, Next…

SecondaryDomainAndTrust-15


I will create both sides of the trust, Next…

SecondaryDomainAndTrust-16


To be able to create the trust in ad.admin.frelab.net as well, I enter the credentials of a domain administrator in that domain.

SecondaryDomainAndTrust-17


Next…

SecondaryDomainAndTrust-18


Next…

SecondaryDomainAndTrust-19


Next…

SecondaryDomainAndTrust-20


Next…

SecondaryDomainAndTrust-21


I choose to confirm the outgoing trust, Next…

SecondaryDomainAndTrust-22


I choose to confirm the incoming trust, Next…

SecondaryDomainAndTrust-23


Finish

SecondaryDomainAndTrust-24


My trust is now created and validated. I restart my domain controllers; this is probably not necessary, but it is a quick way to refresh Active Directory. As I have two domain controllers in ad.admin.frelab.net, this won’t cause any downtime.

SecondaryDomainAndTrust-25
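The same two-way forest trust created from PowerShell, as an added example that is not the method used in the post. It uses the .NET System.DirectoryServices.ActiveDirectory classes, since there is no built-in New-ADTrust cmdlet, prompts for the ad.admin.frelab.net credential the wizard asked for, confirms both directions as the wizard's last two pages do, and then lists the trust's security settings; domain names are the post's lab values.

```powershell
# Added example, not from the original post. Run as a domain admin on
# dc-01.frelabtest.net; the other forest's credential is prompted for.
using namespace System.DirectoryServices.ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

$remoteForestName = 'ad.admin.frelab.net'
$cred = Get-Credential -Message "Domain admin in $remoteForestName (creates the far side of the trust)"

# Local forest (frelabtest.net), bound as the account running this script.
$localForest = [Forest]::GetCurrentForest()

# Remote forest, bound with the supplied credential so that both sides are
# created in one go (the wizard's "both this domain and the specified domain").
$ctx = [DirectoryContext]::new([DirectoryContextType]::Forest, $remoteForestName,
                               $cred.UserName, $cred.GetNetworkCredential().Password)
$remoteForest = [Forest]::GetForest($ctx)

# Create the two-way forest trust. Both forests must be at Windows Server 2003
# forest functional level or higher for a forest trust.
$localForest.CreateTrustRelationship($remoteForest, [TrustDirection]::Bidirectional)

# Equivalent of the wizard's "confirm outgoing/incoming trust" pages; throws
# if either direction cannot be validated.
$localForest.VerifyTrustRelationship($remoteForest, [TrustDirection]::Bidirectional)

# Review the result. SIDFilteringForestAware = True is the default for forest
# trusts and should stay on: it discards SIDs in a ticket that do not belong
# to the forest that issued it. SelectiveAuthentication is False when the
# wizard's default (forest-wide authentication) is accepted, as in the post;
# turning it on limits which resources users from the other forest may reach.
Get-ADTrust -Filter * |
    Select-Object Name, Direction, ForestTransitive, SIDFilteringForestAware,
                  SelectiveAuthentication, TrustType |
    Format-List
```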


Recommended reading: Russell Smith’s excellent post on petri.com: Configure DNS to Enable a Trust Between Two Active Directory Forests


Microsoft Tips & Tricks section

Disclaimer: Every tip/trick/posting I have published here is tried and tested in different IT solutions. It is not guaranteed to work everywhere, but is meant as a tip for other users out there. Remember, Google is your friend and don’t be afraid to steal with pride! Feel free to comment below as needed.