Enable Domain-Wide Authentication over an External Trust

Updated: January 9, 2009

Applies To: Windows Server 2008, Windows Server 2008 R2

The domain-wide authentication setting permits unrestricted access by any users in the trusted domain to all available shared resources in the trusting domain. This is the default authentication setting for external trusts, and it is representative of the way authentications were routed—without restriction—over Windows 2000 Server trusts. For more information about the domain-wide authentication setting, see Security Considerations for Trusts (http://go.microsoft.com/fwlink/?LinkID=111846).

You can use this procedure to enable domain-wide authentication over an external trust.

Membership in Domain Admins or Enterprise Admins in Active Directory Domain Services (AD DS), or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

  1. Open Active Directory Domains and Trusts.

  2. In the console tree, right-click the domain that you want to administer, and then click Properties.

  3. On the Trusts tab, under either Domains trusted by this domain (outgoing trusts) or Domains that trust this domain (incoming trusts), click the external trust that you want to administer, and then click Properties.

  4. On the Authentication tab, click Domain-wide authentication, and then click OK.

Only the authentication settings for the outgoing trust appear when you click Properties and then click the Authentication tab in Active Directory Domains and Trusts. To view the correct authentication settings for the incoming side of a two-way, external trust, connect to a domain controller in the trusted domain and then use Active Directory Domains and Trusts to view the authentication settings for the outgoing side of the same trust.
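The following PowerShell sketch is an added example, not part of the original article or Microsoft's own tooling. It audits which trusts currently allow domain-wide authentication by decoding the trustDirection and trustAttributes values of the trustedDomain objects in the trusting domain. The function names and sample domain names are hypothetical; the flag values are the trustAttributes bits defined in [MS-ADTS].

```powershell
# Added example, not Microsoft's code. trustAttributes bits per [MS-ADTS].
$QUARANTINED        = 0x04  # SID filtering (quarantine) enabled
$FOREST_TRANSITIVE  = 0x08  # forest trust
$CROSS_ORGANIZATION = 0x10  # selective authentication enabled
$WITHIN_FOREST      = 0x20  # trust between domains of the same forest

function Get-TrustAuthScope {   # hypothetical helper name
    param([string]$Name, [int]$TrustDirection, [int]$TrustAttributes)

    if     ($TrustAttributes -band $WITHIN_FOREST)     { $kind = 'Intra-forest' }
    elseif ($TrustAttributes -band $FOREST_TRANSITIVE) { $kind = 'Forest' }
    else                                               { $kind = 'External' }

    # trustDirection: 1 = incoming, 2 = outgoing, 3 = two-way.
    # The authentication scope is stored on the outgoing (trusting) side only,
    # so the incoming side must be read from the other domain's object.
    if (-not ($TrustDirection -band 2))                 { $auth = 'n/a (incoming only)' }
    elseif ($TrustAttributes -band $CROSS_ORGANIZATION) { $auth = 'Selective' }
    else                                                { $auth = 'Domain-wide' }

    New-Object PSObject -Property @{
        Name = $Name; Kind = $kind; OutgoingAuth = $auth
        SidFiltering = [bool]($TrustAttributes -band $QUARANTINED)
    }
}

# Live use on a domain-joined host: read the attributes over LDAP.
function Get-DomainTrustAuthScope {   # hypothetical helper name
    $dn = ([ADSI]'LDAP://RootDSE').defaultNamingContext
    $s  = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://CN=System,$dn")
    $s.Filter = '(objectClass=trustedDomain)'
    foreach ($r in $s.FindAll()) {
        Get-TrustAuthScope -Name $r.Properties['name'][0] `
            -TrustDirection  $r.Properties['trustdirection'][0] `
            -TrustAttributes $r.Properties['trustattributes'][0]
    }
}

# Constructed sample values (hypothetical domains) so the logic runs offline.
$sample = @(
    @{ Name = 'partner.example'; TrustDirection = 3; TrustAttributes = 0x04 },
    @{ Name = 'vendor.example';  TrustDirection = 2; TrustAttributes = 0x14 },
    @{ Name = 'legacy.example';  TrustDirection = 1; TrustAttributes = 0x00 }
)
$rows = foreach ($t in $sample) { Get-TrustAuthScope @t }
$rows | Format-Table Name, Kind, OutgoingAuth, SidFiltering -AutoSize
```

In the sample data, partner.example is reported as Domain-wide and vendor.example as Selective; on a live domain, run Get-DomainTrustAuthScope in each domain of a two-way trust to see both sides.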
