Walkthroughs

Applies To: Windows Server 2003 with SP1

The following sections provide the detailed implementation steps that you can use to set up federated forests.

Walkthrough Setup

The structure of the forests that are described in this walkthrough is detailed in the following figure.


Figure 9: Walkthrough Infrastructure

Each domain has one domain controller and the names of the domain controllers are CORP-DC-01, NW-DC-01, and MARKETING-DC-01. Both the CORP-DC-01 and NW-DC-01 domain controllers host the Active Directory-integrated DNS server for their respective forests.

Creating a Forest Trust

Before you begin this process, ensure that all of the domain controllers are running Windows Server 2003. To create a forest trust, use the methods in this section to perform the following tasks:

  • Prepare both forests for the trust

    • Configure DNS

    • Raise the forest and all of the domains to the Windows Server 2003 functional level

  • Create the forest trust on contoso.com

  • Create the forest trust on nwtraders.com

Configure DNS

This section provides the steps that you can use to configure DNS for a forest trust.

Scenario

The administrators for both the Northwind Traders and Contoso corporations want to establish network connectivity between the two forests by configuring DNS. The Active Directory-integrated DNS zones for each forest are located in the respective root domains.

To configure DNS:

  1. Log on to the corp.contoso.com domain with administrative privileges.

  2. Configure DNS:

    • Click Start, point to All Programs, point to Administrative Tools, and then click DNS.

    • Right-click CORP-DC-01 and then click Properties.

    • Click New on the Forwarders tab, type nwtraders.com, and then click OK.

    • Type the IP address of the Northwind Traders DNS server (for example, type 10.1.1.2), and then click Add.

  3. Verify connectivity:

    • Click Start, click Run, type cmd in the Open box, and then press ENTER.

    • Type ping nwtraders.com at a command prompt, and then press ENTER.

    • You should receive a reply.
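A scripted version of the DNS check above, added here as an example and not part of the original walkthrough. It assumes a management host with the DnsServer and DnsClient PowerShell modules (RSAT) and uses the page's server and forest names; the walkthrough's own hosts run Windows Server 2003, which has no PowerShell.

```powershell
# Added example: verify the DNS prerequisites for the forest trust. Assumes the
# DnsServer (RSAT) and DnsClient modules; server and forest names are the page's.
$LocalDnsServer = 'CORP-DC-01'
$PartnerForest  = 'nwtraders.com'

function Test-PartnerForestDns {
    param(
        [string]$DnsServer = $LocalDnsServer,
        [string]$Forest    = $PartnerForest
    )

    # 1. Adding nwtraders.com on the Forwarders tab creates a conditional
    #    forwarder. It is stored as a zone of type Forwarder whose MasterServers
    #    must be the partner DNS server (10.1.1.2 in the page's sample).
    $fwd = Get-DnsServerZone -ComputerName $DnsServer |
        Where-Object { $_.ZoneType -eq 'Forwarder' -and $_.ZoneName -eq $Forest }
    if (-not $fwd) {
        Write-Warning "No conditional forwarder for $Forest on $DnsServer"
    } else {
        Write-Host "Forwarder for $Forest -> $($fwd.MasterServers -join ', ')"
    }

    # 2. A ping proves only IP reachability. The trust wizard and later logons
    #    use the DC locator, so the partner forest's _msdcs SRV records must
    #    resolve through this server.
    $srvNames = @(
        "_ldap._tcp.dc._msdcs.$Forest",     # domain controllers of the forest root
        "_kerberos._tcp.dc._msdcs.$Forest", # KDCs for cross-realm referrals
        "_ldap._tcp.gc._msdcs.$Forest"      # global catalogs (UPN/name routing)
    )
    $results = foreach ($name in $srvNames) {
        $srv = Resolve-DnsName -Name $name -Type SRV -Server $DnsServer -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'SRV' }
        [pscustomobject]@{
            Record   = $name
            Resolved = [bool]$srv
            Targets  = ($srv | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', '
        }
    }
    $results | Format-Table -AutoSize | Out-Host

    # 3. Every SRV target also needs an A record, or the locator still fails.
    $targets = $results.Targets -split ', ' |
        Where-Object { $_ } |
        ForEach-Object { ($_ -split ':')[0] } |
        Sort-Object -Unique
    foreach ($t in $targets) {
        $a = Resolve-DnsName -Name $t -Type A -Server $DnsServer -ErrorAction SilentlyContinue
        if (-not $a) { Write-Warning "SRV target $t has no A record" }
    }

    # Overall result: forwarder present and every SRV record resolved.
    return ([bool]$fwd) -and -not ($results | Where-Object { -not $_.Resolved })
}

Test-PartnerForestDns
```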

Raise All of the Domains and Forests to the Windows Server 2003 Functional Level

This section describes how to raise the forest functional level to Windows Server 2003, which is required before a forest trust can be established. To do this, you must first raise the domain functional level of every domain in the forest to Windows Server 2003. After all of the domains in the forest are at the Windows Server 2003 domain functional level, you can raise the forest functional level to Windows Server 2003.

Scenario

The administrators for the Northwind Traders and Contoso corporations want to raise their forests to the Windows Server 2003 functional level to establish a forest trust.

To raise all of the domains and the forest to the Windows Server 2003 functional level:

On the domain controller in the corp.contoso.com domain:

  1. Set the corp.contoso.com domain functional level to Windows Server 2003 by using the Active Directory Domains and Trusts MMC Snap-in:

    • Log on to the corp.contoso.com domain with administrative privileges.

    • Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Domains and Trusts.

    • Right-click corp.contoso.com and then click Raise Domain Functional Level.

    • In the Select an available domain functionality list, click Windows Server 2003, click Raise, click OK, and then click OK.

  2. Set the marketing.contoso.com domain functional level to Windows Server 2003 by using the Active Directory Domains and Trusts MMC Snap-in:

    • Log on to the corp.contoso.com domain with administrative privileges.

    • Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Domains and Trusts.

    • Right-click marketing.contoso.com.

    • Click Raise Domain Functional Level.

    • In the Select an available domain functionality list, click Windows Server 2003, click Raise, click OK, and then click OK.

  3. Set the forest functional level to Windows Server 2003 by using the Active Directory Domains and Trusts MMC Snap-in:

    • Log on to the corp.contoso.com domain with administrative privileges.

    • Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Domains and Trusts.

    • Right-click Active Directory Domains and Trusts and then click Raise Forest Functional Level.

    • In the Select an available forest functionality list, click Windows Server 2003, click Raise, click OK, and then click OK.

On a domain controller in the nwtraders.com domain:

  1. Set the nwtraders.com domain functional level to Windows Server 2003 by using the Active Directory Domains and Trusts MMC Snap-in:

    • Log on to the nwtraders.com domain with administrative privileges.

    • Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Domains and Trusts.

    • Right-click Nwtraders.com and then click Raise Domain Functional Level.

    • In the Select an available domain functionality list, click Windows Server 2003, click Raise, click OK, and then click OK.

  2. Set the forest functional level to Windows Server 2003 by using the Active Directory Domains and Trusts MMC Snap-in:

    • Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Domains and Trusts.

    • Right-click Active Directory Domains and Trusts and then click Raise Forest Functional Level.

    • In the Select an available forest functionality list, click Windows Server 2003, click Raise, click OK, and then click OK.

Implementing Trusts Across Forests

This section describes how to implement forest trusts.

Enabling Authentication and Authorization Across the Forest

The administrators for both the Northwind Traders and Contoso corporations want to enable authentication and authorization across both forests. Both companies want users in their forest to be able to seamlessly gain access to resources in the other forest, without having to type a new user name and password. Because of this, the companies must establish a two-way forest trust between the two forests.

To enable authentication and authorization across the forest:

  • Verify connectivity to the Nwtraders.com domain:

    • Log on to the corp.contoso.com domain.

    • Click Start, click Run, type cmd in the Open box, and then press ENTER.

    • Type ping nwtraders.com at a command prompt, and then press ENTER.

    • You receive a reply.

  • Create the forest trust:

    • Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Domains and Trusts.

    • Right-click corp.contoso.com and then click Properties.

    • Click the Trusts tab, click New Trust, and then click Next in the Trust Creation Wizard.

    • In the Name box, type the name of the forest to which you want to configure the trust (in this sample scenario, type nwtraders.com), and then click Next.

    • Click Forest Trust, and then click Next. If Forest Trust is not an option, verify that you raised the forest functional level to Windows Server 2003 by reviewing the steps in the previous section.

    • Click Two Way, and then click Next.

    • Click Both this domain and the specified domain, and then click Next.

    • In the credentials dialog box for the nwtraders.com domain, type both the user name (administrator) and password (nwtraders), and then click Next.

      Note that you must have trust-creation privileges in the domain to create the trust.

    • Click Allow authentication for all resources in the local forest, and then click Next.

    • Click Allow authentication for all resources in the Nwtraders.com forest, and then click Next.

      Note that the Selective Authentication option for both sides of the trust is disabled when you do this. You will enable the Selective Authentication option in the next section.

    • Review the changes that are listed, and then click Next to approve the changes.

    • Click Yes, confirm outgoing trust, and then click Next.

    • Click Yes, confirm incoming trust, and then click Next.

    • When the dialog box that lists the name suffixes that you want to route is displayed, do not make any changes. Click Next, click Finish, and then click OK.

  • Create a file share in the Marketing.contoso.com domain, and then assign permissions to the share:

    • On the MARKETING-DC-01 server, create a folder named C:\Marketingshare, create a Sampletext.txt file that contains some text by using a text editor (such as Notepad), and then save the Sampletext.txt file in the C:\Marketingshare folder.

    • Right-click the Marketingshare folder and then click Sharing and Security.

    • Click Share this folder, and then click Permissions.

    • Click Add in the Group or user names box, type administrator@nwtraders.com, and then click OK.

    • Click administrator@nwtraders.com in the Group or user names box, and then click to select all of the check boxes in both the Change and Read boxes.

    • Click Everyone in the Group or user names box, and then click Remove.

      Note that adding a user from the other forest directly to the DACL of the file share, as this procedure does, is not the recommended approach; instead, you can create a domain local group, grant that group permission to the share, and add the remote forest groups to the domain local group. For simplicity, this section adds the user directly to the DACL. More information about group membership rules is provided in the following section.

  • Verify that you can gain access to the share on the MARKETING-DC-01 server and to the Sampletext.txt file that you created:

    • Log on to the NW-DC-01 server with administrative privileges.

    • Click Start, click Run, type \\Marketing-DC-01\Marketingshare in the Open box, and then press ENTER.

    • Double-click the Sampletext.txt file to confirm that you can open and read the file. If you cannot open the file, verify that the permissions are properly assigned.

    • Create a Sampletext2.txt file in a text editor, such as Notepad, and then save the file to the \\Marketing-DC-01\Marketingshare folder to verify that you can save a file to the share.
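The two prerequisites above (functional levels, then the trust itself) can be audited from the command line. This is an added example, not part of the original walkthrough; it assumes the ActiveDirectory RSAT module and netdom.exe on a management host, an account with read access in both forests, and the page's domain names (corp.contoso.com as the Contoso forest root).

```powershell
# Added example: report functional levels and the trust attributes the
# walkthrough configures. Assumes the ActiveDirectory RSAT module and netdom.exe.
Import-Module ActiveDirectory

function Get-FunctionalLevelReport {
    param([string]$ForestRoot = 'corp.contoso.com')
    $forest = Get-ADForest -Identity $ForestRoot
    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName
        # Every DC in a domain must run Windows Server 2003 or later before the
        # domain level can be raised, so list the operating systems present.
        $dcOs = Get-ADDomainController -Filter * -Server $domainName |
            Select-Object -ExpandProperty OperatingSystem |
            Sort-Object -Unique
        [pscustomobject]@{
            Domain     = $domainName
            DomainMode = $domain.DomainMode   # must be at least Windows2003Domain
            ForestMode = $forest.ForestMode   # must be at least Windows2003Forest
            DcOs       = $dcOs -join ', '
        }
    }
}

function Get-ForestTrustReport {
    param([string]$ForestRoot = 'corp.contoso.com')
    # Forest trusts are stored on the forest root domain. Direction is reported
    # from the perspective of the domain queried. SelectiveAuthentication is
    # False right after the wizard steps above (forest-wide authentication);
    # the SID filtering values are included so they can be reviewed as well.
    Get-ADTrust -Filter * -Server $ForestRoot |
        Select-Object Name, TrustType, Direction, ForestTransitive,
                      SelectiveAuthentication, SIDFilteringQuarantined,
                      SIDFilteringForestAware, TGTDelegation
}

# Contoso side; run again with -ForestRoot nwtraders.com for the other forest.
Get-FunctionalLevelReport | Format-Table -AutoSize
Get-ForestTrustReport     | Format-List

# The same check the Validate button on the Trusts tab performs.
netdom trust corp.contoso.com /Domain:nwtraders.com /Verify /TwoWay
```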

Adding an Alternate Name Suffix

The administrators for the contoso.com forest want to add an alternate name suffix that corresponds to the users' e-mail names. This allows the users to log on to the network with their e-mail names, such as user@e-mail.contoso.com. The suffix must be recognized in the other forest for the users to be able to use it there.

Use the following steps to add an alternate name suffix, to add the name suffix to a user's UPN, and then to enable routing to the alternate name suffix:

  • Add an alternate name suffix to the corp.contoso.com domain:

    • Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Domains and Trusts.

    • Right-click Active Directory Domains and Trusts in the left pane, and then click Properties.

    • Type e-mail.contoso.com in the Alternative UPN suffixes box, and then click Add.

  • Add the alternate name suffix to a user's UPN in the corp.contoso.com domain:

    • Create a user with the user logon name testuser in the corp.contoso.com domain. For more information about how to do this, see the Windows 2000 Server home page (https://go.microsoft.com/fwlink/?LinkId=145492).

    • In the Active Directory Users and Computers tool, right-click testuser, and then click Properties.

    • Click the Account tab, type testuser in User logon name box, and then click e-mail.contoso.com in the Domain box.

  • Enable routing to the alternate name suffix in the nwtraders.com domain:

    • Log on to the nwtraders.com domain with administrative privileges.

    • Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Domains and Trusts.

    • Right-click nwtraders.com in the left pane, and then click Properties.

    • Click the Trusts tab, click corp.contoso.com in the Domains trusted by this domain (outgoing trusts) box, and then click Properties.

    • Click the Name Suffix Routing tab, and then click *.e-mail.contoso.com in the Name suffixes in the corp.contoso.com forest box.

    • Click Enable, click OK, and then click OK.

Excluding a Domain from a Trust Relationship

The administrators for the nwtraders.com forest no longer want a trust relationship with the marketing.contoso.com subdomain, so the administrators want to exclude that domain from the trust relationship.

To exclude a domain from a trust relationship:

  • Create a file share in the nwtraders.com domain:

    • Log on to the nwtraders.com domain with administrative privileges.

    • Click Start, point to All Programs, point to Accessories, and then click Windows Explorer.

    • Click the %SystemRoot% folder (the folder where Windows is installed) in the left pane, right-click an empty space in the right pane, point to New, click Folder, and then type Nwshare for the folder name.

    • Right-click the Nwshare folder that you created in the right pane, and then click Sharing and Security.

    • Click Share this folder, click Permissions, and then click Add.

    • Type administrator@marketing.contoso.com in the Enter the object names to select box, and then click OK.

    • Click Administrator@marketing.contoso.com in the Group or user names box, select the Change and Read check boxes in the Allow column of the Permissions for Administrator@marketing.contoso.com box, and then click OK.

    • Click Everyone in the Group or user names box, click Remove, and then click OK.

    • Confirm that you can gain access to the Nwshare folder from the marketing.contoso.com domain while you are logged on to the computer with administrative privileges. To do this, click Start, click Run, type \\NW-DC-01\Nwshare in the Open box, and then press ENTER.

  • Disable the DomainInfo record for marketing.contoso.com in the nwtraders.com domain:

    • Log on to the nwtraders.com domain with administrative privileges.

    • Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Domains and Trusts.

    • Right-click nwtraders.com in the left pane, and then click Properties.

    • Click the Trusts tab, click corp.contoso.com in the Domains trusted by this domain (outgoing trusts) box, and then click Properties.

    • Click the Name Suffix Routing tab, click marketing.contoso.com, and then click Disable.

Setting Up a TopLevelName Exclusion Record

The administrators for the contoso.com forest want to set up a trust relationship with the nwtraders.com forest for all of the namespaces that are in nwtraders.com, except for plant.nwtraders.com. Note that plant.nwtraders.com is a hypothetical namespace in the nwtraders.com forest that is not used elsewhere in this sample scenario; it is excluded because it is in a different location and because the administrators for the contoso.com forest do not want to set up a trust relationship with it.

To set up a TopLevelName exclusion record:

  • Log on to the corp.contoso.com domain controller with administrative privileges.

  • Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Domains and Trusts.

  • Right-click corp.contoso.com in the left pane, and then click Properties.

  • Click the Trusts tab, click Nwtraders.com in the Domains trusted by this domain (outgoing trusts) box, and then click Properties.

  • Click the Name Suffix Routing tab, click *.nwtraders.com, click Edit, and then, in the Name suffixes to exclude from routing to nwtraders.com box, click Add, type *.plant.nwtraders.com, click OK, and then click OK.
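The three name-suffix sections above (adding and routing an alternate UPN suffix, disabling routing for marketing.contoso.com, and excluding *.plant.nwtraders.com) all end up as entries in the trust's name suffix routing table, which can be inspected with netdom. This is an added example, not part of the original walkthrough; it assumes the ActiveDirectory RSAT module and netdom.exe, Enterprise Admins rights in each forest, the page's names, and that the testuser account already exists.

```powershell
# Added example: script the UPN-suffix steps and list name suffix routing.
# Assumes the ActiveDirectory RSAT module and netdom.exe; names are the page's.
Import-Module ActiveDirectory

$ContosoRoot   = 'corp.contoso.com'
$NwtradersRoot = 'nwtraders.com'
$AltSuffix     = 'e-mail.contoso.com'

# 1. Register the alternate UPN suffix at forest level (the Active Directory
#    Domains and Trusts Properties step above).
$forest = Get-ADForest -Identity $ContosoRoot
if ($forest.UPNSuffixes -notcontains $AltSuffix) {
    Set-ADForest -Identity $ContosoRoot -UPNSuffixes @{ Add = $AltSuffix }
}

# 2. Give the walkthrough's test user the new suffix (the Account tab step).
Set-ADUser -Identity testuser -Server $ContosoRoot -UserPrincipalName "testuser@$AltSuffix"
Get-ADUser -Identity testuser -Server $ContosoRoot -Properties UserPrincipalName |
    Select-Object SamAccountName, UserPrincipalName

# 3. Routing is decided by the trusting forest. netdom lists every suffix of
#    the trusted forest with its routing status (enabled, disabled, or
#    excluded), which is where the page enables *.e-mail.contoso.com and
#    disables marketing.contoso.com on the nwtraders.com side, and excludes
#    *.plant.nwtraders.com on the Contoso side. Review the numbered output and
#    flip a single entry with /ToggleSuffix:<number> only if its status does
#    not match what the walkthrough requires.
function Get-NameSuffixRouting {
    param(
        [string]$TrustingForest = $NwtradersRoot,
        [string]$TrustedForest  = $ContosoRoot
    )
    netdom trust $TrustingForest "/Domain:$TrustedForest" "/NameSuffixes:$TrustedForest"
}

# How nwtraders.com routes Contoso suffixes, then the reverse direction.
Get-NameSuffixRouting
Get-NameSuffixRouting -TrustingForest $ContosoRoot -TrustedForest $NwtradersRoot
```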

The Selective Authentication Option

The administrators for the Contoso company have decided that they cannot allow every user in the Northwind Traders forest to authenticate in their forest because of security constraints. The Contoso company administrators want to allow only members of the Enterprise Admins group from the other forest to be able to authenticate, but only to the marketing.contoso.com domain.

To enable the Selective Authentication option:

  • Turn on the Selective Authentication option in corp.contoso.com to enable only selective authentication from nwtraders.com:

    • Confirm that you are logged on to the corp.contoso.com domain with administrative privileges.

    • Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Domains and Trusts.

    • Right-click corp.contoso.com in the left pane, and then click Properties.

    • Click the Trusts tab, right-click Nwtraders.com in the Domains trusted by this domain (outgoing trusts) box, and then click Properties.

    • Click the Authentication tab, click Allow authentication only to selected resources in the local forest, click OK, and then click OK.

  • Create a file share in the marketing.contoso.com domain, and then assign permissions to the share:

    • On the Marketing-DC-01 computer, click Start, point to All Programs, point to Accessories, and then click Windows Explorer.

    • Click Local Disk (C:) in the left pane, right-click a blank area in the right pane, point to New, click Folder, and then type Testfolder for the name of the new folder.

    • Double-click the new Testfolder folder in the right pane to open the folder, right-click a blank area, point to New, click Text Document, and then type Testdoc.txt for the name of the document.

    • Right-click the Testfolder folder in the left pane, and then click Sharing and Security.

    • Click Share this folder, click Permissions, click Add, and then type administrator@nwtraders.com.

    • Click Administrator@nwtraders.com in the Group or user names box, select the Change and Read check boxes in the Allow column of the Permissions for Administrator@nwtraders.com box, and then click OK.

    • Click Everyone in the Group or user names box, and then click Remove.

  • Verify that you cannot gain access to Marketing.contoso.com from Nwtraders.com:

    • Log on to the NW-DC-01 computer with administrative privileges.

    • Click Start, click Run, type \\marketing-dc-01\marketingshare in the Open box, and then press ENTER.

      You should not be able to gain access to the share because you enabled the Selective Authentication option. If you can gain access to the share, verify that the permissions are properly configured.

  • Enable the Selective Authentication for Marketing-DC-01:

    • Log on to the MARKETING-DC-01 computer in the marketing.contoso.com domain with administrative privileges.

    • Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Users and Computers.

    • Click Advanced Features on the View menu, and then click Domain Controllers in the left pane.

    • Right-click MARKETING-DC-01 in the right pane, and then click Properties.

    • Click the Security tab, click Add, type administrator@nwtraders.com, and then click OK.

    • Click Administrator@nwtraders.com in the Group or user names box, and then click to select the Allowed to Authenticate check box in the Allow column that is in the Permissions for Administrator@nwtraders.com box.

      After you do this, the administrator@nwtraders.com user can authenticate to the MARKETING-DC-01 computer.

  • Verify that you can gain access to marketing.contoso.com from nwtraders.com:

    • Log on to the NW-DC-01 computer with administrative privileges.

    • Click Start, click Run, type \\marketing-dc-01\marketingshare in the Open box, and then press ENTER.

      You can now gain access to the share.
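Selective authentication is only as strong as two settings: the trust attribute itself, and the Allowed to Authenticate grants on the resource computers. The following audit, added here as an example and not part of the original walkthrough, reports both for the scenario above. It assumes the ActiveDirectory RSAT module, read access to both domains, and the page's names; the GUID is the well-known Allowed-To-Authenticate control access right.

```powershell
# Added example: audit the selective-authentication configuration built above.
# Assumes the ActiveDirectory RSAT module; names are the page's.
Import-Module ActiveDirectory

# Control access right GUID for "Allowed to Authenticate".
$AllowedToAuthenticate = [guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'

function Get-TrustAuthenticationMode {
    param([string]$ForestRoot = 'corp.contoso.com', [string]$PartnerForest = 'nwtraders.com')
    $trust = Get-ADTrust -Identity $PartnerForest -Server $ForestRoot
    # SelectiveAuthentication = True is the "Allow authentication only for
    # selected resources in the local forest" setting. False means forest-wide
    # authentication: every nwtraders.com user is treated as a member of
    # Authenticated Users on every Contoso resource.
    [pscustomobject]@{
        Trust                   = $trust.Name
        Direction               = $trust.Direction
        SelectiveAuthentication = $trust.SelectiveAuthentication
    }
}

function Get-AllowedToAuthenticateGrants {
    param([string]$ComputerName = 'MARKETING-DC-01', [string]$Domain = 'marketing.contoso.com')
    $computer = Get-ADComputer -Identity $ComputerName -Server $Domain

    # The default AD: drive is bound to the logon domain, so bind a drive to the
    # domain that holds the computer object before reading its security descriptor.
    if (-not (Get-PSDrive -Name AUDIT -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name AUDIT -PSProvider ActiveDirectory -Root '' -Server $Domain | Out-Null
    }
    $acl = Get-Acl -Path "AUDIT:\$($computer.DistinguishedName)"
    $extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

    $grants = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $extended) -and
        (
            # the explicit Allowed to Authenticate check box ...
            $_.ObjectType -eq $AllowedToAuthenticate -or
            # ... or an ACE granting all extended rights (Full Control includes it)
            $_.ObjectType -eq [guid]::Empty
        )
    }
    # IdentityReference shows as a raw SID when the cross-forest name cannot be
    # resolved from this host; inherited ACEs come from the Domain Controllers OU.
    $props = @{ n = 'Computer'; e = { $ComputerName } }, 'IdentityReference', 'IsInherited'
    $grants | Select-Object -Property $props
}

Get-TrustAuthenticationMode     | Format-List
Get-AllowedToAuthenticateGrants | Format-Table -AutoSize
```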

Configuring ISA Server 2000 to Enable Forest Trust Across Firewalls

This section describes how to configure Microsoft Internet Security and Acceleration (ISA) Server 2000 to enable trust and authentication across the firewall.

Setting Up the Trust

It is recommended that you set up the trust for both forests from the internal computer, because this method requires connections only from the internal network of the firewall to the outside while the trust is set up. To do this, configure ISA Server to allow traffic from the internal domain controller to the external domain controller on the LDAP (389 UDP and TCP) and Microsoft-DS SMB (445 TCP) ports. You need this only to set up the forest trust, so you can disable the rule after the trust relationship is established. You also need to add another rule to allow Kerberos (88 UDP) traffic; you must keep this rule so that authentication requests can pass through the firewall. To use this procedure on ISA Server SP1:

  1. Click Start, point to All Programs, point to Microsoft ISA Server, and then click ISA Management.

  2. In the console pane, click to expand Servers and Arrays, click to expand your server, click to expand Access Policy, click Protocol Rules, and then, in the results pane, click Create a Protocol Rule.

  3. Type a name for the rule, such as allow xforest setup, and then click Next.

  4. Click Allow, and then click Next.

  5. In the Apply this rule to list box, click Selected protocols, click to clear the Show only selected protocols check box, click to select the Kerberos-Sec(UDP) and LDAP check boxes, and then click Next.

  6. In the Use this schedule box, click Always, and then click Next.

  7. In the Apply this rule to requests from box, click Any request, click Next, and then click Finish.

  8. Create a protocol definition for LDAP UDP (neither LDAP UDP nor Microsoft-DS is defined by default):

    • After you create the new rule in step 1 through step 7, double-click the rule in the results pane, click the Protocol tab, and then click New.

    • In the Properties dialog box for the rule, type a name for the protocol definition, such as LDAP UDP.

    • In the Port number box, type 389.

    • In the Protocol type box, click UDP.

    • In the Direction box, click Receive Send, and then click OK.

  9. Add a protocol definition for Microsoft-DS:

    • In the results pane, double-click the rule that you created in step 1 through step 7, click the Protocol tab, and then click New.

    • Type a name for the protocol definition, such as microsoft-ds outbound.

    • In the Port number box, type 445.

    • In the Protocol type box, click TCP.

    • In the Direction box, click Outbound, click OK, and then click OK.

  10. After you create the rule, restart the firewall service to start the rule:

    • In the ISA Management Console, click to expand Servers and Arrays, click your server, and then click Monitoring, and then click Services.

    • In the results pane, click the Firewall service, click Stop a Service, and then click Yes.

    • In the results pane, click the Firewall service, click Start a Service, and then click Yes.

  11. Set up the trust across the forest from the internal computer by following the steps that are in the "Implementing Trusts Across Forests" section earlier in this document.

  12. Remove the trust setup rule, because you no longer need it:

    • In the console tree, click to expand Servers and Arrays, click your server, click Access policy, and then click Protocol rules.

    • Double-click Allow xforest setup, and then click to clear the Enable check box.

    • Use the procedure in step 10 to restart the firewall service so that the rule is removed.

Trust Validation and Network Logons

If you want trust validation and network logons to shares on the external computer, you must open certain ports. In protocol rules, you must open the LDAP UDP, Kerberos-Sec UDP, Any RPC server, DCE endpoint resolution outbound, and Microsoft-DS outbound ports. In addition, you must publish both the LDAP UDP and Any RPC server ports on the internal forest domain controller. To do this:

  1. Click Start, point to All Programs, point to Microsoft ISA Server, and then click ISA Management.

  2. In the console tree, click to expand Servers and Arrays, click to expand your server, click to expand Access policy, and then click Protocol rules.

  3. Click Create a Protocol Rule.

  4. Type a name for the rule (such as allow xforest validation), click Next, click Allow, and then click Next.

  5. In the Apply this rule to list, click Selected protocols, and then click to clear the Show only selected protocols check box.

  6. Click to select all of the following check boxes:

    • Any RPC server

    • Kerberos-Sec(UDP)

    • LDAP UDP

    • MS-DS outbound

  7. Confirm that the check boxes for the four protocol definitions that you create in step 10 (DCE Endpoint resolution, LDAP TCP inbound, LDAP UDP inbound, and Kerberos UDP inbound) are selected, confirm that the remaining check boxes are cleared, and then click Next.

  8. Choose a schedule for your rule, and then click Next.

  9. Choose to either make this rule applicable to only a specific client set or applicable to all of the clients, click Next, and then click Finish.

  10. The protocol definitions for DCE endpoint resolution, LDAP TCP inbound, LDAP UDP inbound, and Kerberos UDP inbound are not available by default, so you must create them. Note that both LDAP UDP inbound and Kerberos UDP inbound are used only in the next section. To create the protocol definitions:

    • Add a protocol definition for DCE Endpoint resolution:

      In the results pane, double-click the rule, click the Protocol tab, and then click New.

      Type a name for the protocol definition, such as dce endpoint resolution outbound.

      In the Port number box, type 135.

      In the Protocol type box, click TCP.

      In the Direction box, click Outbound, and then click OK.

    • Add a protocol definition for LDAP TCP inbound:

      In the results pane, double-click the rule, click the Protocol tab, and then click New.

      Type a name for the protocol definition, such as LDAP TCP inbound.

      In the Port number box, type 389.

      In the Protocol type box, click TCP.

      In the Direction box, click Inbound, and then click OK.

    • Add a protocol definition for LDAP UDP inbound:

      In the results pane, double-click the rule, click the Protocol tab, and then click New.

      Type a name for the protocol definition, such as LDAP UDP inbound.

      In the Port number box, type 389.

      In the Protocol type box, click UDP.

      In the Direction box, click Receive Send, and then click OK.

    • Add a protocol definition for Kerberos UDP inbound:

      In the results pane, double-click the rule, click the Protocol tab, and then click New.

      Type a name for the protocol definition, such as kerberos UDP inbound.

      In the Port number box, type 88.

      In the Protocol type box, click UDP.

      In the Direction box, click Receive Send, and then click OK.

  11. Publish the ports for the inbound connection:

    • In the console tree, click to expand Publishing, and then click Server Publishing Rules.

    • Click Publish a Server, type a name for the server (such as LDAP UDP), and then click Next.

    • Type the IP address for the server that you want to publish, type the IP address for the external interface through which the external server will contact the internal server, and then click Next.

    • Click the appropriate protocol (such as LDAP UDP inbound), and then click Next.

    • Click Specific computers, and then click Next.

    • Click Add, add a client set for the IP address for the external server, and then click OK.

    • Click the client set, click OK, click Next, and then click Finish.

      Repeat the above steps to publish the server for the Any RPC server protocol.

Object Picker: Allowing a Service Administrator to Set Up DACLs

For Object Picker to work, you must publish Any RPC server, LDAP UDP inbound, LDAP TCP inbound, and Kerberos UDP inbound. When you do this, you can look up and add objects in the internal forest to DACLs that are in the external forest.

Separately Setting Up the Trust in the Forests

This method is not recommended; use it only if you cannot create the trust for both forests from the internal server. It involves publishing ports on the internal domain controller so that the external forest can make connections to it. You can create the trust on the forest that is on the internal side of the firewall by using the procedures in the previous section (setting up the trust for both forests). To create the trust on the forest on the external side of the firewall, publish the following ports on the internal domain controllers:

  • Microsoft-DS (port 445)

  • LDAP TCP (port 389)

  • LDAP UDP (port 389)

  • Kerberos-sec UDP (port 88)

You can publish a server for each of these ports by using the steps that are in the previous section.

Note that because the local Direct Host SMB service uses port 445 on the firewall by default, you must disable that service first. To do this, set (or create) the SMBDeviceEnabled DWORD value to zero (0) under the following registry key, and then restart the computer:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\SMBDeviceEnabled

After you do this, the ISA Server firewall client can bind to port 445 and forward packets to the internal server.

Error Messages

You may receive the following error messages when you try to set up trusts across firewalls:

  • Specified domain is not a Windows domain name.

    You may receive this error message if one domain controller cannot locate the other domain controller because DNS is not properly set up.

  • Parameter is invalid.

    The LDAP UDP port is not open.

  • Access Denied.

    The Kerberos port is not open, or the remote password is incorrect.

  • RPC server unavailable.

    The Microsoft-DS port is not open.

  • Cannot query the forest functionality level. The forest is not operational.

    The LDAP TCP port is not open.

  • The Endpointmapper does not have any more end points.

    Either the NTDS or Netlogon port is not open.

    The Kerberos port is not open or the remote password is incorrect.

  • Unspecified error.

    Verify that the Endpointmapper port is open.
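The firewall rules in the ISA Server sections above and the error list here describe the same thing from two sides: which port is closed. The following probe, added as an example and not part of the original document, tests the TCP ports from the internal network and labels a closed port with the error message the page associates with it. It assumes a modern Windows host with Test-NetConnection and nltest.exe on the internal side of the firewall; NW-DC-01.nwtraders.com is the page's external domain controller.

```powershell
# Added example: probe the ports the ISA Server rules must pass and map a
# closed port to the error message listed above. Assumes Test-NetConnection
# (NetTCPIP module) and nltest.exe; the host name is the page's.
function Test-ForestTrustPorts {
    param([string]$RemoteDc = 'NW-DC-01.nwtraders.com')

    # TCP ports from the protocol rules, with the symptom the page gives for
    # each one being blocked.
    $checks = @(
        @{ Port = 88;  Service = 'Kerberos';                  Symptom = 'Access Denied' }
        @{ Port = 135; Service = 'DCE endpoint mapper (RPC)'; Symptom = 'Unspecified error' }
        @{ Port = 389; Service = 'LDAP';                      Symptom = 'Cannot query the forest functionality level' }
        @{ Port = 445; Service = 'Microsoft-DS (SMB)';        Symptom = 'RPC server unavailable' }
    )
    foreach ($c in $checks) {
        $r = Test-NetConnection -ComputerName $RemoteDc -Port $c.Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Port      = $c.Port
            Service   = $c.Service
            TcpOpen   = $r.TcpTestSucceeded
            IfBlocked = if ($r.TcpTestSucceeded) { '' } else { $c.Symptom }
        }
    }
}

# UDP (LDAP 389 and Kerberos 88) and the dynamic "Any RPC server" range cannot
# be verified with a TCP connect. The built-in tools below exercise those paths
# end to end: the DC locator sends an LDAP ping over UDP 389, and the secure
# channel check goes through the endpoint mapper to a dynamic RPC port.
function Test-TrustUdpAndRpcPaths {
    param([string]$PartnerForest = 'nwtraders.com')
    # Forces a fresh DC locator lookup (DNS SRV query plus LDAP UDP ping).
    nltest "/dsgetdc:$PartnerForest" /force
    # Verifies the trust secure channel from this DC to the partner forest.
    nltest "/sc_verify:$PartnerForest"
}

Test-ForestTrustPorts | Format-Table -AutoSize
Test-TrustUdpAndRpcPaths
```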

Removing the Forest Trust

The administrators for the Contoso company no longer need the trust across the forest.

In this scenario, you will remove the forest trusts. To remove the forest trusts:

  1. Log on to the corp.contoso.com domain with administrative privileges.

  2. Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Domains and Trusts.

  3. Right-click corp.contoso.com in the left pane, and then click Properties.

  4. Click the Trusts tab, right-click nwtraders.com in the Domains trusted by this domain (outgoing trusts) box, and then click Remove.

  5. Click Yes, remove the trust from the local domain and the other domain.

  6. Type Administrator in the User name box, and then type the password in the Password box.

  7. Click Yes, and then choose the option to remove the trust.

Repeat step 4 through step 7 to remove the incoming trust in the Domains that trust this domain (incoming trusts) box.