Enable forest-wide authentication over a forest trust

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

The forest-wide authentication setting permits unrestricted access by any users in the trusted forest to all available shared resources in any of the domains in the trusting forest. This is the default authentication setting for forest trusts, and it is representative of the way authentications were routed — without restriction — over Windows 2000 Server trusts. For more information about the forest-wide authentication setting, see "Security Considerations for Trusts" in the Windows Server 2003 Technical Reference on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=35413).

You can enable forest-wide authentication over a forest trust by using the New Trust Wizard in Active Directory Domains and Trusts or by using the Netdom command-line tool. For more information about how to use the Netdom command-line tool to configure selective authentication settings, see "Netdom.exe: Windows Domain Manager" in the Windows Server 2003 Technical Reference on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=41700).

Administrative credentials

To complete this procedure, you must be a member of the Domain Admins group or the Enterprise Admins group in Active Directory.

To enable forest-wide authentication over a forest trust

Using the Windows interface

  1. Open Active Directory Domains and Trusts.

  2. In the console tree, right-click the forest root domain, and then click Properties.

  3. On the Trusts tab, under Domains trusted by this domain (outgoing trusts), click the forest trust that you want to administer, and then click Properties.

  4. On the Authentication tab, click Forest-wide authentication, and then click OK.

Note

Only the authentication settings for the outgoing trust are displayed when you click Properties and then click the Authentication tab in Active Directory Domains and Trusts. To view the correct authentication settings for the incoming side of a two-way forest trust, connect to a domain controller in the trusted domain (the forest root domain in the other forest), and then use Active Directory Domains and Trusts to view the authentication settings for the outgoing side of the same trust.
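To audit which trusts currently use this setting, the following PowerShell example (added here, not part of the original Microsoft procedure) decodes the trustDirection and trustAttributes values stored on trustedDomain objects and reports the authentication scope of the outgoing side, matching the note above. The function name Get-TrustAuthScope and the sample domains are hypothetical and constructed; reading live objects assumes the ActiveDirectory PowerShell module on a newer management host.

```powershell
# Added example. Bit values are the documented trustAttributes / trustDirection flags.
$FOREST_TRANSITIVE  = 0x08   # TRUST_ATTRIBUTE_FOREST_TRANSITIVE: forest trust
$CROSS_ORGANIZATION = 0x10   # TRUST_ATTRIBUTE_CROSS_ORGANIZATION: selective authentication
$DIRECTION_OUTBOUND = 0x02   # trustDirection bit: this domain trusts the other side

# Hypothetical helper: classify one trustedDomain object by authentication scope.
function Get-TrustAuthScope {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [psobject]$Trust     # needs Name, trustDirection, trustAttributes
    )
    process {
        $attrs    = [int]$Trust.trustAttributes
        $outgoing = ([int]$Trust.trustDirection -band $DIRECTION_OUTBOUND) -ne 0
        $isForest = ($attrs -band $FOREST_TRANSITIVE) -ne 0

        if (-not $outgoing) {
            # Incoming-only: the setting lives on the other forest's outgoing side.
            $scope = 'Not set here (check the trusting forest)'
        } elseif ($attrs -band $CROSS_ORGANIZATION) {
            $scope = 'Selective authentication'
        } elseif ($isForest) {
            $scope = 'Forest-wide authentication'
        } else {
            $scope = 'Domain-wide authentication'   # external (non-forest) trust
        }

        [pscustomobject]@{
            Trust       = $Trust.Name
            ForestTrust = $isForest
            Outgoing    = $outgoing
            AuthScope   = $scope
        }
    }
}

# Constructed sample records standing in for trustedDomain objects.
$sample = @(
    [pscustomobject]@{ Name = 'partner.example'; trustDirection = 3; trustAttributes = 0x08 }
    [pscustomobject]@{ Name = 'vendor.example';  trustDirection = 2; trustAttributes = 0x18 }
    [pscustomobject]@{ Name = 'legacy.example';  trustDirection = 1; trustAttributes = 0x08 }
)
$sample | Get-TrustAuthScope | Format-Table -AutoSize

# Against a live domain (assumes the ActiveDirectory module is available):
# Get-ADObject -LDAPFilter '(objectClass=trustedDomain)' `
#     -Properties trustDirection, trustAttributes | Get-TrustAuthScope
```

With the sample data, partner.example is reported as forest-wide, vendor.example as selective, and legacy.example as incoming-only, so its setting has to be read from the other forest.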