Create an external trust

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To create an external trust

  • Using the Windows interface

  • Using a command line

Using the Windows interface

  1. Open Active Directory Domains and Trusts.

  2. In the console tree, right-click the domain node for the domain you want to establish a trust with, and then click Properties.

  3. On the Trusts tab, click New Trust, and then click Next.

  4. On the Trust Name page, type the DNS name (or NetBIOS name) of the domain, and then click Next.

  5. On the Trust Type page, click External trust, and then click Next.

  6. On the Direction of Trust page, do one of the following:

    • To create a two-way, external trust, click Two-way.

      Users in this domain and users in the specified domain can access resources in either domain.

    • To create a one-way, incoming external trust, click One-way: incoming.

      Users in the specified domain will not be able to access any resources in this domain.

    • To create a one-way, outgoing external trust, click One-way: outgoing.

      Users in this domain will not be able to access any resources in the specified domain.

  7. Continue to follow the wizard.

Notes

  • To perform this procedure, you must be a member of the Domain Admins group or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, see Default local groups, Default groups, and Using Run as.

  • To open Active Directory Domains and Trusts, click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Domains and Trusts.

  • If you have the appropriate administrative credentials for each domain, you can create both sides of an external trust at the same time by clicking Both this domain and the specified domain on the Sides of Trust page. For more information, see Related Topics.

  • If you want to allow users from the specified domain to obtain access to all the resources in this domain, click Allow authentication for all resources in the local domain on the Outgoing Trust Properties page. This option should be used when both domains belong to the same organization.

  • If you want to restrict users in the specified domain from obtaining access to any of the resources in this domain, click Allow authentication only for selected resources in the local domain on the Outgoing Trust Properties page. This option should be used when each domain belongs to a separate organization.
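To confirm that a trust has the direction and authentication scope chosen in the wizard, the following added example (not part of the original documentation) interprets the values stored on the trust's trustedDomain object in Active Directory. The attribute names (trustDirection, trustAttributes), the flag constants, the sample domain names and the same_organization input are assumptions that do not appear on this page.

```python
# Added example: interpret a trust's stored direction and authentication scope.
# Assumption: the integers come from the trustDirection and trustAttributes
# attributes of the trust's trustedDomain object (read with any LDAP tool).
TRUST_DIRECTION_INBOUND = 0x1   # "incoming": the partner domain trusts this domain
TRUST_DIRECTION_OUTBOUND = 0x2  # "outgoing": this domain trusts the partner domain
TRUST_ATTRIBUTE_CROSS_ORGANIZATION = 0x10  # selective authentication is enabled


def describe_trust(partner, trust_direction, trust_attributes, same_organization):
    """Return (direction, auth_scope, findings) as seen from this domain."""
    inbound = bool(trust_direction & TRUST_DIRECTION_INBOUND)
    outbound = bool(trust_direction & TRUST_DIRECTION_OUTBOUND)
    if inbound and outbound:
        direction = "Two-way"
    elif inbound:
        direction = "One-way: incoming"
    elif outbound:
        direction = "One-way: outgoing"
    else:
        direction = "Disabled"

    auth_scope = None  # only the outgoing side lets partner users authenticate here
    findings = []
    if outbound:
        selective = bool(trust_attributes & TRUST_ATTRIBUTE_CROSS_ORGANIZATION)
        auth_scope = "selected resources" if selective else "all resources"
        if not selective and not same_organization:
            findings.append(
                f"{partner}: authentication allowed for all resources, but the "
                "partner is a separate organization"
            )
    return direction, auth_scope, findings


# Constructed sample data: (partner, trustDirection, trustAttributes, same_org)
SAMPLE_TRUSTS = [
    ("corp-east.example", 3, 0x00, True),
    ("vendor.example", 2, 0x00, False),
    ("partner.example", 2, 0x10, False),
    ("legacy.example", 1, 0x00, False),
]


def audit(trusts):
    """Collect findings for every trust record."""
    return [f for t in trusts for f in describe_trust(*t)[2]]


if __name__ == "__main__":
    for record in SAMPLE_TRUSTS:
        print(record[0], describe_trust(*record)[:2])
    print(audit(SAMPLE_TRUSTS))
```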

Using a command line

  1. Open Command Prompt.

  2. Type:

    netdom trust TrustingDomainName /d:TrustedDomainName /add

Value | Description

TrustingDomainName | Specifies the DNS name (or NetBIOS name) of the trusting domain in the trust being created.

TrustedDomainName | Specifies the DNS name (or NetBIOS name) of the domain that will be trusted in the trust being created.

Notes

  • To perform this procedure, you must be a member of the Domain Admins group or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, see Default local groups, Default groups, and Using Run as.

  • To open a command prompt, click Start, point to All Programs, point to Accessories, and then click Command Prompt.

  • This command-line method requires the Netdom Windows support tool. For information about installing Windows support tools, see Related Topics.

  • Other switches can be used to assign a password or determine the direction of the trust. For example, to make a two-way, transitive trust, you can use the following syntax:

    netdom trust TrustingDomainName /d:TrustedDomainName /add /twoway

  • To view the complete syntax for this command, at a command prompt, type:

    netdom trust | more

Information about functional differences

  • Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. For more information, see Viewing Help on the Web.

See Also

Concepts

When to create an external trust
Trust types
Trust direction
Runas
Using Run as
Install Windows Support Tools
Accessing resources across domains