Microsoft Windows – Setup Two-way Domain/Forest Trust

Release date: June 14th 2019

Welcome to my Microsoft Tips & Tricks section. A customer of mine asked about VMware Horizon in a multi-domain setup. As I haven't done this in a while, I thought I should set it up in my lab. This post describes setting up the trust between two domains/forests. I will be using Microsoft Windows Server 2016 for this setup. A prerequisite for this to work is that the necessary firewall ports are open between the domain controllers.

I have divided this exercise into the following tasks:

  • Set up domain controller in new VLAN and IP subnet
  • Set up DNS conditional forwarders
  • Verify connectivity between domain controllers
  • Establish trust

Set up domain controller in new VLAN and IP subnet

First, I deploy a new VM in another VLAN, separate from my running Active Directory domain controllers, to simulate a multi-domain scenario. My existing domain/forest is located in the subnet, with these domain controllers: and

In my lab environment, my new domain/forest will be in VLAN 11 with the subnet: The new domain controller will have the following IP setup:

Domain/forest name:

DNS name: (Make sure the server name is not the same as that of an existing domain controller in the domain you are going to trust.)

I won't go through the deployment of the VM, the installation of Windows Server 2016, adding the roles and promoting the server to domain controller, as I believe my audience is capable of doing this on their own. But once this is up and running, I make sure to run the Best Practices Analyzer in Server Manager to verify functionality in my new domain.

Set up DNS conditional forwarders

Before I can set up a trust between the domains/forests, I need to set up DNS conditional forwarders. I could have used secondary zones, stub zones etc., but the easiest way to do this is via conditional forwarders. I first log into my new domain controller,, and run this PowerShell command:

Add-DnsServerConditionalForwarderZone -Name -MasterServers

In DNS manager, the new conditional forwarder is now present.

If I check the properties of my conditional forwarder, I see that it is unable to resolve the name of the master server.

I add my second domain controller in, as well.

I add the DNS servers in to the forwarders list on, so that the names of the master servers in my conditional forwarder can be resolved.

I can now verify that name resolution works on the conditional forwarder.

Next, I log into one of my domain controllers in, and add a conditional forwarder to, using this PowerShell command:

Add-DnsServerConditionalForwarderZone -Name -MasterServers

In DNS Manager my new forwarder is now present.

I open the properties of the new forwarder and select «Store this conditional forwarder in Active Directory, and replicate it», in order to replicate this DNS forwarder to my other DNS server in the domain.
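The whole conditional-forwarder procedure above, as an added PowerShell example (not the post's own commands). The forest names and DC addresses are placeholders for the lab values the post does not show. The master servers are given by IP address, so the script does not add any global forwarders; -ReplicationScope Forest does from the command line what the «Store this conditional forwarder in Active Directory» checkbox does in DNS Manager, and the script works out which forest it is running in so the same file can be run on a DC on either side:

```powershell
# Added example, not the original post's commands. Forest names and DC addresses are
# placeholders for the lab values the post does not show.
$ExistingForest = 'old.example.com'            # existing forest (assumed name)
$ExistingDcs    = '10.0.10.11', '10.0.10.12'   # its two DCs (assumed addresses)
$NewForest      = 'new.example.net'            # new forest in VLAN 11 (assumed name)
$NewDcs         = '10.0.11.11'                 # its single DC (assumed address)

function New-ForestForwarder {
    param(
        [Parameter(Mandatory)] [string]   $Zone,     # DNS name of the other forest
        [Parameter(Mandatory)] [string[]] $Masters   # DCs of that forest, by IP address
    )
    if (Get-DnsServerZone -Name $Zone -ErrorAction SilentlyContinue) {
        Write-Warning "A zone named $Zone already exists on this server; not adding a forwarder."
        return
    }
    # -ReplicationScope Forest stores the forwarder in AD and replicates it to every DNS
    # server in the forest, so it does not have to be added on each server by hand.
    Add-DnsServerConditionalForwarderZone -Name $Zone -MasterServers $Masters -ReplicationScope Forest -PassThru
}

# Work out which forest this DC belongs to and forward the *other* forest's zone.
Import-Module ActiveDirectory
$LocalForest = (Get-ADForest).RootDomain
if ($LocalForest -eq $NewForest) {
    New-ForestForwarder -Zone $ExistingForest -Masters $ExistingDcs
} elseif ($LocalForest -eq $ExistingForest) {
    New-ForestForwarder -Zone $NewForest -Masters $NewDcs
} else {
    throw "This DC belongs to $LocalForest, which is neither forest in this example."
}

# Show the forwarders on this server and where they point (conditional forwarders are
# listed by Get-DnsServerZone with ZoneType 'Forwarder').
Get-DnsServerZone | Where-Object ZoneType -eq 'Forwarder' |
    Select-Object ZoneName, MasterServers, ReplicationScope
```

Run it once on the new DC and once on a DC in the existing forest; the last command on each side should list the other forest's name with the expected master servers and ReplicationScope Forest.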

Verify connectivity between domain controllers

Now that I have my DNS conditional forwarders in place, I will do a quick check of name resolution before I proceed.



As name resolution now works between the two domains, I can proceed with establishing the trust.
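A more thorough connectivity check than a single name lookup, as an added PowerShell example (not from the original post). It covers the two prerequisites the post names, name resolution and open firewall ports: a trust depends on the DC locator SRV records of the other forest, not just the A record of its name, and on a handful of TCP ports between the DCs. The forest name and DC addresses are placeholders:

```powershell
# Added example, not from the original post. Names and addresses are placeholders for the
# lab values the post does not show; run it on a DC in either forest against the other one.
$RemoteForest = 'old.example.com'
$RemoteDcs    = '10.0.10.11', '10.0.10.12'

# DC locator records the trust wizard (and later, authentication) looks up. If the
# conditional forwarder only resolves the A record of the forest name, the trust still fails.
$SrvNames = "_ldap._tcp.dc._msdcs.$RemoteForest",
            "_kerberos._tcp.dc._msdcs.$RemoteForest",
            "_kpasswd._tcp.$RemoteForest",
            "_gc._tcp.$RemoteForest"
foreach ($Name in $SrvNames) {
    $Rec = Resolve-DnsName -Name $Name -Type SRV -ErrorAction SilentlyContinue
    $Srv = $Rec | Where-Object Type -eq 'SRV'
    [pscustomobject]@{
        Record  = $Name
        Ok      = [bool]$Srv
        Targets = if ($Srv) { ($Srv.NameTarget | Sort-Object -Unique) -join ', ' } else { '' }
    }
}

# TCP ports a trust needs between the DCs, besides the RPC dynamic range 49152-65535:
# 53 DNS, 88 Kerberos, 135 RPC endpoint mapper, 389/636 LDAP(S), 445 SMB, 464 Kerberos
# password change, 3268 global catalog (a forest trust uses the GC to route cross-forest names).
$Ports = 53, 88, 135, 389, 445, 464, 636, 3268
foreach ($Dc in $RemoteDcs) {
    foreach ($Port in $Ports) {
        $Test = Test-NetConnection -ComputerName $Dc -Port $Port -WarningAction SilentlyContinue
        [pscustomobject]@{ DC = $Dc; Port = $Port; Open = $Test.TcpTestSucceeded }
    }
}
```

Every SRV row should be Ok and name the remote DCs, and every port row should be Open before the New Trust Wizard is started; a closed port here shows up later as an unhelpful "the domain could not be contacted" error in the wizard.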

Establish trust

To create the trust, I log into, and start the Active Directory Domains and Trusts MMC. I right-click the domain and open Properties.

From the Trusts tab, I click "New Trust…".

The New Trust Wizard launches; Next.

I enter the DNS name of my existing domain/forest,, Next

For this lab setup, I choose Forest Trust, Next

This will be a Two-way Trust, Next

I will create both sides of the Trust, Next

To be able to create the trust in, I enter the credentials of a domain administrator in the AD domain.





I choose to confirm the outgoing trust, Next

I choose to confirm the incoming trust, Next


My trust is now created and validated. I restart my domain controllers, probably not necessary, but a quick way to refresh Active Directory. As I have two domain controllers in, this won't cause any downtime.
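The confirmation steps above, plus the security settings of the new trust, as an added PowerShell example (not from the original post). A forest trust created by the wizard has SID filtering on (so sIDHistory entries from the other forest are dropped) and forest-wide authentication (so every user in the other forest becomes Authenticated Users on resources in this one); the script decodes the trustAttributes flags so both are visible without clicking through the GUI, then runs the netdom equivalent of the wizard's confirm steps. The two forest names are placeholders:

```powershell
# Added example, not from the original post. The two forest names are placeholders for
# the lab values the post does not show. Run on a DC of $LocalForest.
$LocalForest  = 'new.example.net'
$RemoteForest = 'old.example.com'

# Decode the trustAttributes bit flags (values from the MS-ADTS trustAttributes definition)
# so the trust's security settings can be read without Active Directory Domains and Trusts.
function ConvertFrom-TrustAttributes {
    param([Parameter(Mandatory)] [int] $Value)
    $Flags = [ordered]@{
        NON_TRANSITIVE                           = 0x1
        UPLEVEL_ONLY                             = 0x2
        QUARANTINED_DOMAIN                       = 0x4    # SID filtering quarantine (external trusts)
        FOREST_TRANSITIVE                        = 0x8
        CROSS_ORGANIZATION                       = 0x10   # selective authentication
        WITHIN_FOREST                            = 0x20
        TREAT_AS_EXTERNAL                        = 0x40   # SID history allowed over a forest trust: filtering relaxed
        USES_RC4_ENCRYPTION                      = 0x80
        CROSS_ORGANIZATION_NO_TGT_DELEGATION     = 0x200
        PIM_TRUST                                = 0x400
        CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION = 0x800
    }
    $Flags.GetEnumerator() | Where-Object { ($Value -band $_.Value) -ne 0 } | ForEach-Object { $_.Key }
}

Import-Module ActiveDirectory
$Trust = Get-ADTrust -Filter "Target -eq '$RemoteForest'"
if (-not $Trust) { throw "No trust object for $RemoteForest found in $LocalForest." }

$Trust | Select-Object Name, Direction, TrustType, ForestTransitive, SelectiveAuthentication,
    SIDFilteringQuarantined, SIDFilteringForestAware, TGTDelegation, UsesAESKeys, UsesRC4Encryption

"trustAttributes = 0x{0:X} ({1})" -f $Trust.TrustAttributes,
    ((ConvertFrom-TrustAttributes -Value $Trust.TrustAttributes) -join ', ')

# Expected on a freshly created two-way forest trust: SIDFilteringForestAware True and
# TREAT_AS_EXTERNAL not set (SID filtering on); SelectiveAuthentication False (forest-wide).
if ($Trust.ForestTransitive -and -not $Trust.SIDFilteringForestAware) {
    Write-Warning "SID filtering is relaxed on the forest trust to $RemoteForest."
}
if (-not $Trust.SelectiveAuthentication) {
    Write-Warning "Forest-wide authentication: all users in $RemoteForest are Authenticated Users here."
}

# Command-line equivalent of the wizard's "confirm outgoing/incoming trust" steps.
netdom trust $LocalForest /domain:$RemoteForest /verify /twoway

# With no value given, /EnableSIDHistory prints the current setting; "disabled" means
# SID filtering is active on the forest trust.
netdom trust $LocalForest /domain:$RemoteForest /EnableSIDHistory
```

If the trust is meant to carry only a few accounts (a Horizon service account and the users who log in through it, say), switching it to selective authentication on the Properties page of the trust and granting "Allowed to Authenticate" on the specific servers is the tighter setting; the warning above is there to make that decision a deliberate one.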

Recommended reading: Russell Smith’s excellent post on Configure DNS to Enable a Trust Between Two Active Directory Forests


Disclaimer: Every tip, trick or posting I have published here has been tried and tested in different IT solutions. It is not guaranteed to work everywhere, but is meant as a tip for other users out there. Remember, Google is your friend and don't be afraid to steal with pride! Feel free to comment below as needed.
