Creating External Trusts

  • Article

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

You can create an external trust to form a one-way or two-way, nontransitive trust with domains that are outside your forest. External trusts are sometimes necessary when users need access to resources that are located in a Windows NT 4.0 domain or in a domain that is in a separate Active Directory forest that is not joined by a forest trust.

For example, if you have a Windows Server 2003–based domain whose users want to gain access to resources that are stored in a Windows NT–based domain, you must create a trust relationship in which the Windows NT–based domain trusts the users from the Windows Server 2003–based domain. In this case, the Windows NT–based domain is the trusting domain, and the Windows Server 2003–based domain is the trusted domain.

For more information about external trusts, see "How Domain and Forest Trusts Work" in the Windows Server 2003 Technical Reference on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=35356).

Note

Trusts that are created between Windows NT 4.0 domains and Active Directory domains are one-way and nontransitive, and they require network basic input/output system (NetBIOS) name resolution.

Task requirements

You can use either of the following tools to perform the procedures for this task:

  • Active Directory Domains and Trusts

  • Netdom.exe

For more information about how to use the Netdom command-line tool to create an external trust, see "Netdom.exe: Windows Domain Manager" in the Windows Server 2003 Technical Reference on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=41700).

Note

If you have the appropriate administrative credentials for each domain, you can create both sides of an external trust at the same time. To create both sides of the trust, simultaneously, follow the appropriate procedure below that contains the words “both sides of the trust” in the procedure title. For example, the procedure “Create a one-way, incoming, external trust for both sides of the trust” provides the steps to follow when you have the administrative credentials for both domains and you want to use the New Trust Wizard to create an incoming, external trust in one operation. For more information about how the “both sides of the trust” option works, see the section "Sides of Trust" in Appendix: New Trust Wizard Pages.

You can create an external trust by using any of the following procedures, depending on the requirements of your organization and the administrative credentials that you have when you create the trust: