Create a Forest Trust

Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012

You can use the Active Directory Domains and Trusts snap-in to create trust relationships between domains.

Membership in Domain Admins or Enterprise Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at https://go.microsoft.com/fwlink/?LinkId=83477.

To create a forest trust

  1. Open Active Directory Domains and Trusts. To open Active Directory Domains and Trusts, click Start, click Administrative Tools, and then click Active Directory Domains and Trusts.

    To open Active Directory Domains and Trusts in Windows Server® 2012, click Start, and then type domain.msc.

  2. In the console tree, right-click the domain that you want to administer, and then click Properties.

  3. On the Trusts tab, click New trust, and then click Next.

  4. On the Trust Name page, type the Domain Name System (DNS) name (or NetBIOS name) of the domain, and then click Next.

  5. On the Trust Type page, click Forest trust, and then click Next.

  6. On the Direction of Trust page, do one of the following:

    • To create a two-way forest trust, click Two-way.

      Users in this forest and users in the specified forest will be able to access resources in either forest.

    • To create a one-way, incoming forest trust, click One-way: incoming.

      Users in the specified forest will not be able to access any resources in this forest.

    • To create a one-way, outgoing forest trust, click One-way: outgoing.

      Users in this forest will not be able to access any resources in the specified forest.

  7. Continue to follow the instructions in the wizard.

Additional considerations

  • To perform this procedure, you must be a member of the Domain Admins group or Enterprise Admins group in Active Directory Domain Services (AD DS), or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, search for "using run as" in Help and Support.

  • If you have the appropriate administrative credentials for each forest, you can create both sides of a forest trust at the same time by clicking Both this domain and the specified domain on the Sides of Trust page.

  • If you want users from the specified forest to have access to all computers in the local forest, on the Outgoing Trust Properties page, click Forest-wide authentication. This option is preferred when both forests belong to the same organization.

  • If you want to selectively limit authentication to particular users and groups from the specified forest, on the Outgoing Trust Properties page, click Selective authentication. This option is preferred if the specified forest belongs to a separate organization.

  • In addition to creating new trusts, you can modify existing trusts by clicking the Trusts tab.
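
The direction and authentication scope chosen in the wizard can be reviewed afterward from PowerShell. The following is an added example, not part of the original procedure: Get-ForestTrustReview is a hypothetical helper name, the input is assumed to have the shape of Get-ADTrust output from the ActiveDirectory module (Windows Server 2012 or later), and the sample forests are constructed.

```powershell
# Added example, not from the original page. Get-ForestTrustReview is a
# hypothetical helper; input objects are assumed to look like Get-ADTrust output.
function Get-ForestTrustReview {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Trust   # needs Name, Direction, ForestTransitive, SelectiveAuthentication
    )
    process {
        # Only forest trusts are in scope; skip external and intra-forest trusts.
        if (-not $Trust.ForestTransitive) { return }

        $direction = "$($Trust.Direction)"
        # Outbound or BiDirectional: this forest is the trusting side, so accounts
        # from the specified forest can be authenticated to resources here.
        $outgoing = $direction -in 'Outbound', 'BiDirectional'

        $scope = if (-not $outgoing) {
            'Not applicable (incoming only)'
        } elseif ($Trust.SelectiveAuthentication) {
            'Selective authentication'
        } else {
            'Forest-wide authentication'
        }

        [pscustomobject]@{
            Forest      = $Trust.Name
            Direction   = $direction
            AuthScope   = $scope
            # Forest-wide scope is the preferred option only when both forests
            # belong to the same organization, so flag it for confirmation.
            NeedsReview = $outgoing -and -not $Trust.SelectiveAuthentication
        }
    }
}

# Constructed sample trusts (hypothetical names) so the function runs offline.
$sample = @(
    [pscustomobject]@{ Name = 'partner.example';  Direction = 'Outbound';      ForestTransitive = $true;  SelectiveAuthentication = $false }
    [pscustomobject]@{ Name = 'vendor.example';   Direction = 'BiDirectional'; ForestTransitive = $true;  SelectiveAuthentication = $true }
    [pscustomobject]@{ Name = 'branch.example';   Direction = 'Inbound';       ForestTransitive = $true;  SelectiveAuthentication = $false }
    [pscustomobject]@{ Name = 'legacy.example';   Direction = 'Outbound';      ForestTransitive = $false; SelectiveAuthentication = $false }
)
$sample | Get-ForestTrustReview | Format-Table -AutoSize

# Against a live forest (assumes the ActiveDirectory module is installed):
# Get-ADTrust -Filter * | Get-ForestTrustReview | Format-Table -AutoSize
```

With the constructed input, only partner.example is returned with NeedsReview set to True, and legacy.example is omitted because it is not a forest trust.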

Additional references