Share via


Create a one-way, incoming, forest trust for one side of the trust

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

This procedure creates one side of a one-way, incoming, forest trust. Although one side of a trust will be created successfully, the new trust will not function until the administrator for the reciprocal forest uses his or her credentials to create the second side of the trust. If you have administrative credentials for both forests that are involved in the trust, you can use the procedure Create a one-way, incoming, forest trust for both sides of the trust to create both sides of the trust in one simultaneous operation.

A one-way, incoming, forest trust allows users in your Windows Server 2003 forest (the forest that you are logged on to at the time that you run the New Trust Wizard) to access resources in another Windows Server 2003 forest. For example, if you are the administrator of the wingtiptoys.com forest and users in that forest need to access resources in the tailspintoys.com forest, you can use this procedure to establish one side of the relationship so that users in your forest can access resources in any of the domains that make up the tailspintoys.com forest.

You can create this forest trust by using the New Trust Wizard in Active Directory Domains and Trusts or by using the Netdom command-line tool. For more information about how to use the Netdom command-line tool to create a forest trust, see "Netdom.exe: Windows Domain Manager" in the Windows Server 2003 Technical Reference on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=41700).

Administrative credentials

To perform this procedure, you must be a member of the Domain Admins group (in the forest root domain) or the Enterprise Admins group in Active Directory. If you are a member of the Incoming Forest Trust Builders group, you can create one-way, incoming, forest trusts to your forest. For more information about the Incoming Forest Trust Builders group, see "How Domain and Forest Trusts Work" in the Windows Server 2003 Technical Reference on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=35356).

To create a one-way, incoming, forest trust for one side of the trust

  1. Open Active Directory Domains and Trusts.

  2. In the console tree, right-click the domain node for the domain that you want to establish a trust with, and then click Properties.

  3. On the Trusts tab, click New Trust, and then click Next.

  4. On the Trust Name page, type the Domain Name System (DNS) name (or network basic input/output system (NetBIOS) name) of the domain, and then click Next.

  5. On the Trust Type page, click Forest trust, and then click Next.

  6. On the Direction of Trust page, click One-way: incoming, and then click Next.

    For more information about the selections that are available on the Direction of Trust page, see the section "Direction of Trust" in Appendix: New Trust Wizard Pages.

  7. On the Sides of Trust page, click This domain only, and then click Next.

    For more information about the selections that are available on the Sides of Trust page, see the section "Sides of Trust" in Appendix: New Trust Wizard Pages.

  8. On the Trust Password page, type the trust password twice, and then click Next.

  9. On the Trust Selections Complete page, review the results, and then click Next.

  10. On the Trust Creation Complete page, review the results, and then click Next.

  11. On the Confirm Incoming Trust page, do one of the following:

    • If you do not want to confirm this trust, click No, do not confirm the incoming trust.

    • If you want to confirm this trust, click Yes, confirm the incoming trust, and then supply the appropriate administrative credentials from the specified domain.

  12. On the Completing the New Trust Wizard page, click Finish.

Note

For this trust to function, the domain administrator for the specified domain (the forest root domain in the specified forest) must complete the procedure Create a one-way, outgoing, forest trust for one side of the trust, using their administrative credentials and the exact same trust passwordthat was used during this procedure.