Known Issues for Creating Domain and Forest Trusts

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2

Review the following known issues before creating domain and forest trusts in Windows Server 2003:

  • You cannot delegate the creation of trusts to any user who is not a member of the Domain Admins or Enterprise Admins groups. Even though you can grant a user the Create TDO (Trusted Domain Object) right or the Delete TDO right in the System container of a domain, the user will not be granted the right to create a trust. This issue occurs because Netlogon and the trust-creation tools (Active Directory Domains and Trusts and Netdom) are designed so that only members of the Domain Admins group and the Enterprise Admins group can create trusts. However, any user who is a member of the Incoming Forest Trust Builders group can create one-way, incoming forest trusts to your forest. For more information about the Incoming Forest Trust Builders group, see "How Domain and Forest Trusts Work" in the Windows Server 2003 Technical Reference on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=35356).

  • When you are logged on locally to a domain controller and you try to create a new trust by using Active Directory Domains and Trusts, the operation may be unsuccessful and you may receive the message “Access denied.” This issue occurs only if you are logged on locally to the domain controller as an ordinary user (meaning that the user is not logged on as Administrator or as a member of any administrative groups for the domain). By default, ordinary users are blocked from logging on locally to a domain controller unless Group Policy is modified to permit this.

  • When you use Active Directory Domains and Trusts to create a trust, you may receive the message “Operation failed. Parameter incorrect.” This issue may occur if you try to establish a trust relationship when the source domain and the target domain have one or more of the following identifiers that are the same:

    • Security identifier (SID)

    • Domain Name System (DNS) name

    • Network basic input/output system (NetBIOS) name

    To resolve this issue, rename all conflicting identifiers before you try to create the trust.

  • The option to create a forest trust does not appear in the New Trust Wizard. This issue typically occurs when one or both of the Windows Server 2003 forests are not set to the Windows Server 2003 forest functional level. For more information about forest functional levels, see "Active Directory Functional Levels Technical Reference" on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=41698).

  • There are restrictions on the number and types of trusts that can be created when you target a Microsoft Windows Small Business Server 2003 domain.
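The following pre-flight script is an added example, not part of this article or of any Microsoft tool; it checks the first, third and fourth issues above before you open the New Trust Wizard. It assumes the ActiveDirectory PowerShell module on a Windows Server 2008 R2 or later management host, and the domain names `source.example` and `target.example` are constructed placeholders for your own domains.

```powershell
param(
    [string]$SourceDomain = "source.example",   # constructed placeholder
    [string]$TargetDomain = "target.example"    # constructed placeholder
)
Import-Module ActiveDirectory

# Issue 1: only Domain Admins / Enterprise Admins (or Incoming Forest Trust
# Builders, for one-way incoming forest trusts) can create trusts. List the
# caller's token groups so a missing membership shows up before "Access denied".
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$groups = $me.Groups | ForEach-Object {
    try { $_.Translate([System.Security.Principal.NTAccount]).Value } catch { $_.Value }
}
$relevant = $groups | Where-Object { $_ -match 'Domain Admins|Enterprise Admins|Incoming Forest Trust Builders' }
if (-not $relevant) {
    Write-Warning "$($me.Name) is not in Domain Admins, Enterprise Admins or Incoming Forest Trust Builders; trust creation will fail."
} else {
    Write-Host "Trust-creation group membership: $($relevant -join ', ')"
}

# Issue 3: an identical SID, DNS name or NetBIOS name on both sides produces
# "Operation failed. Parameter incorrect." Compare all three up front.
$src = Get-ADDomain -Identity $SourceDomain
$dst = Get-ADDomain -Identity $TargetDomain
$conflicts = @()
if ($src.DomainSID.Value -eq $dst.DomainSID.Value) { $conflicts += "SID ($($src.DomainSID.Value))" }
if ($src.DNSRoot -ieq $dst.DNSRoot)                 { $conflicts += "DNS name ($($src.DNSRoot))" }
if ($src.NetBIOSName -ieq $dst.NetBIOSName)         { $conflicts += "NetBIOS name ($($src.NetBIOSName))" }
if ($conflicts) {
    Write-Warning ("Conflicting identifiers, rename before creating the trust: " + ($conflicts -join '; '))
}

# Issue 4: the forest-trust option is hidden unless both forests are at the
# Windows Server 2003 forest functional level or higher.
$tooOld = @('Windows2000Forest', 'Windows2003InterimForest')
foreach ($d in @($src, $dst)) {
    $forest = Get-ADForest -Identity $d.Forest
    if ($tooOld -contains "$($forest.ForestMode)") {
        Write-Warning "Forest $($forest.Name) is at $($forest.ForestMode); raise the forest functional level before creating a forest trust."
    } else {
        Write-Host "Forest $($forest.Name) functional level: $($forest.ForestMode)"
    }
}
```

If the target domain is not yet reachable with your current credentials (no trust exists at this point), pass `-Server` and `-Credential` to the `Get-ADDomain` and `Get-ADForest` calls for that side.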