Creating Forest Trusts
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
In a Windows Server 2003 forest, you can link two disjoined Windows Server 2003 forests together to form a one-way or two-way, transitive trust relationship. You can use a two-way, forest trust to form a transitive trust relationship between every domain in both forests.
For more information about forest trusts, see "How Domain and Forest Trusts Work" in the Windows Server 2003 Technical Reference on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=35356).
Task requirements
The following requirements, features, or settings are necessary to create forest trusts successfully:
You can create a forest trust only between two Windows Server 2003 forests; forest trusts cannot be extended implicitly to a third Windows Server 2003 forest.
To create a forest trust, you must set the forest functional level for both of the Windows Server 2003 forests that are involved in the trust relationship to Windows Server 2003. For more information about functional levels, see Active Directory Functional Levels Technical Reference on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=41698).
To create a forest trust successfully, you must set up your Domain Name System (DNS) environment properly. If there is a root DNS server that you can make the root DNS server for the DNS namespaces of both forests, make it the root server by ensuring that the root zone contains delegations for each of the DNS namespaces. Also, update the root hints of all DNS servers with the new root DNS server.
If there is no shared root DNS server and the root DNS servers for each forest DNS namespace are running a member of the Windows Server 2003 family, configure DNS conditional forwarders in each DNS namespace to route queries for names in the other namespace.
If there is no shared root DNS server and the root DNS servers for each forest DNS namespace are not running a member of the Windows Server 2003 family, configure DNS secondary zones in each DNS namespace to route queries for names in the other namespace. For more information about configuring DNS to work with Active Directory, see DNS Support for Active Directory Technical Reference on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=41699).
You can use either of the following tools to perform the procedures for this task:
Active Directory Domains and Trusts
Netdom.exe
For more information about how to use the Netdom command-line tool to create a forest trust, see "Netdom.exe: Windows Domain Manager" in the Windows Server 2003 Technical Reference on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=41700).
Note
If you have the appropriate administrative credentials for each forest, you can create both sides of a forest trust at the same time. To create both sides of the forest trust, follow the appropriate procedure below that contains the words “for both sides of the trust” in the title. For example, the procedure “Create a one-way, incoming, forest trust for both sides of the trust” explains how to configure both sides of the trust. For more information about how the “both sides of the trust” option works, see the section "Sides of Trust" in Appendix: New Trust Wizard Pages.
You can create a forest trust by using any one of the following procedures, depending on the requirements of your organization and the administrative credentials that you have when you create the trust: