Create a forest trust

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To create a forest trust

  1. Open Active Directory Domains and Trusts.

  2. In the console tree, right-click the domain node for the forest root domain, and then click Properties.

  3. On the Trust tab, click New Trust, and then click Next.

  4. On the Trust Name page, type the DNS name (or NetBIOS name) of another forest, and then click Next.

  5. On the Trust Type page, click Forest trust, and then click Next.

  6. On the Direction of Trust page, do one of the following:

    • To create a two-way forest trust, click Two-way.

      Users in this forest and users in the specified forest can access resources in either forest.

    • To create a one-way incoming forest trust, click One-way:incoming.

      Users in the specified forest will not be able to access any resources in this forest.

    • To create a one-way outgoing forest trust, click One-way:outgoing.

      Users in this forest will not be able to access any resources in the specified forest.

  7. Continue to follow the wizard.

Important

  • To successfully create a forest trust, your environment will need to be set up properly. For more information, see the checklist for creating a forest trust in Related Topics.

Notes

  • To perform this procedure, you must be a member of the Domain Admins group (in the forest root domain) or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, see Default local groups, Default groups, and Using Run as.

  • If you are a member of the Incoming Forest Trust Builders group, you can create one-way, incoming forest trusts to this forest.

  • To open Active Directory Domains and Trusts, click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Domains and Trusts.

  • On a domain controller running Windows Server 2003, the forest root domain is the first domain listed in the console tree in Active Directory Domains and Trusts. This configuration is not provided on domain controllers running Windows 2000.

  • If you have the appropriate administrative credentials for each forest, you can create both sides of a forest trust at the same time by clicking Both this domain and the specified domain on the Sides of Trust page. For more information, see Related Topics.

  • If you want users from the specified forest to have access to all computers in the local forest, on the Outgoing Trust Properties page, click Forest-wide authentication. This option is preferred when both forests belong to the same organization.

  • If you want to selectively limit authentication to particular users and groups from the specified forest, on the Outgoing Trust Properties page, click Selective authentication. This option is preferred if the specified forest belongs to a separate organization.

  • In addition to creating new trusts, you can modify existing trusts by clicking the Trust tab.

  • The command-line tool Dsmod.exe does not support the addition of security principals in one forest to groups that are located in another forest when both forests are joined by a forest trust. You can use the Active Directory Users & Computers snap-in to add security principals across a forest trust.
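After the wizard completes, the choices made on the Direction of Trust and Outgoing Trust Properties pages are stored in the trustDirection and trustAttributes attributes of a trustedDomain object in the forest root domain. As an added example (not part of this Help topic and not a Microsoft tool), the following PowerShell decodes those values so an administrator can verify which forest trusts were created with Forest-wide rather than Selective authentication; the bit values are assumed from the MS-ADTS attribute definitions, and the live query assumes it is run on a domain-joined computer.

```powershell
# Added example, not part of this Help topic: decode the trustDirection and
# trustAttributes values stored on a trustedDomain object so the choices made
# in the New Trust Wizard can be audited afterwards. Bit values are assumed
# from the MS-ADTS definitions of these attributes.
function ConvertTo-TrustSummary {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][int]$Direction,    # trustDirection attribute
        [Parameter(Mandatory)][int]$Attributes    # trustAttributes attribute
    )
    $dir = switch ($Direction) {
        1       { 'One-way:incoming' }   # TRUST_DIRECTION_INBOUND
        2       { 'One-way:outgoing' }   # TRUST_DIRECTION_OUTBOUND
        3       { 'Two-way' }            # TRUST_DIRECTION_BIDIRECTIONAL
        default { 'Disabled' }
    }
    # Selective authentication (TRUST_ATTRIBUTE_CROSS_ORGANIZATION, 0x10) only
    # applies when this forest trusts the other one, i.e. the outgoing bit is set.
    $auth = 'Forest-wide authentication'
    if ($Attributes -band 0x10)      { $auth = 'Selective authentication' }
    if (-not ($Direction -band 2))   { $auth = 'n/a (no outgoing direction)' }
    [pscustomobject]@{
        Trust          = $Name
        Direction      = $dir
        IsForestTrust  = [bool]($Attributes -band 0x08)   # TRUST_ATTRIBUTE_FOREST_TRANSITIVE
        Authentication = $auth
    }
}

# Enumerate the trustedDomain objects of the domain this computer belongs to.
# Assumes a domain-joined host; the ADSI searcher defaults to the current domain.
function Get-TrustSummary {
    $searcher = [adsisearcher]'(objectClass=trustedDomain)'
    $searcher.PropertiesToLoad.AddRange([string[]]@('name', 'trustDirection', 'trustAttributes'))
    foreach ($result in $searcher.FindAll()) {
        ConvertTo-TrustSummary -Name       $result.Properties['name'][0] `
                               -Direction  $result.Properties['trustdirection'][0] `
                               -Attributes $result.Properties['trustattributes'][0]
    }
}

# Constructed sample (not read from a real directory): a two-way forest trust
# created with Selective authentication, as the wizard would store it.
ConvertTo-TrustSummary -Name 'partner.example' -Direction 3 -Attributes (0x08 -bor 0x10)
```

Run Get-TrustSummary in the forest root domain to list every trust; any entry with IsForestTrust set and Forest-wide authentication on a trust to a separate organization is a candidate for review against the guidance in the notes above.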

Information about functional differences

  • Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. For more information, see Viewing Help on the Web.

See Also

Concepts

Checklist: Creating a forest trust
Forest trusts
When to create a forest trust
Routing name suffixes across forests
Accessing resources across forests
Trust types
Trust direction
Command-line reference A-Z