Trust utilities allow an administrator to create and validate external trusts on NTLM blocked domains
Updated: May 10, 2010
Applies To: Windows Server 2008 R2
The Active Directory Domains and Trusts snap-in (DOMAIN.MSC) and the NETDOM.EXE utility allow an administrator to create an external trust between domains even when NTLM blocking has been configured through security policy. NTLM blocking was introduced in Windows Server® 2008 R2 and Windows® 7 to prevent the use of NTLM for authentication on a network and ensure the Kerberos protocol is used for security purposes. Both creation and validation of the trust will appear to work without errors. However, NTLM will still be blocked and the trust will not operate correctly.
DOMAIN.MSC and NETDOM.EXE do not use NTLM credentials when creating and validating trusts. They instead authenticate with the user's Kerberos credentials.
Do not create external trusts when using NTLM blocking security policy settings. Alternatively, do not enable NTLM blocking settings in an environment that uses or plans to use external trusts.
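Because the trust tools report success either way, the conflict has to be checked for directly. The following PowerShell sketch is an added example, not part of the original article: it reads the registry values written by the "Network security: Restrict NTLM" policies and lists the current domain's external trusts. The function names are hypothetical, and it assumes it runs on a domain-joined machine whose local registry reflects the policy in effect.

```powershell
# Added example (not from the original article). PowerShell 2.0 compatible.
# Registry values set by the "Network security: Restrict NTLM" policies.
# BlockFrom is the lowest value that denies (rather than audits) NTLM.
$ntlmPolicies = @(
    @{ Name = 'RestrictNTLMInDomain'; BlockFrom = 1
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' },
    @{ Name = 'RestrictSendingNTLMTraffic'; BlockFrom = 2   # 1 is audit only
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' },
    @{ Name = 'RestrictReceivingNTLMTraffic'; BlockFrom = 1
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' }
)

# Hypothetical helper: returns one object per NTLM blocking setting in force.
function Get-NtlmBlockingSetting {
    foreach ($p in $ntlmPolicies) {
        $name = $p.Name
        $item = Get-ItemProperty -Path $p.Path -Name $name -ErrorAction SilentlyContinue
        if ($item -and $item.$name -ge $p.BlockFrom) {
            New-Object PSObject -Property @{ Setting = $name; Value = $item.$name }
        }
    }
}

# Hypothetical helper: returns the external trusts of the current domain.
function Get-ExternalTrust {
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $domain.GetAllTrustRelationships() |
        Where-Object { $_.TrustType -eq 'External' }
}

$blocking = @(Get-NtlmBlockingSetting)
$external = @(Get-ExternalTrust)

if ($blocking.Count -gt 0 -and $external.Count -gt 0) {
    # The combination the article describes: the trust validates but will not work.
    Write-Warning 'NTLM blocking is configured and external trusts exist.'
    $blocking | Format-Table Setting, Value -AutoSize
    $external | Format-Table SourceName, TargetName, TrustDirection -AutoSize
} elseif ($blocking.Count -gt 0) {
    Write-Output 'NTLM blocking is configured; do not create external trusts.'
} elseif ($external.Count -gt 0) {
    Write-Output 'External trusts exist; do not enable NTLM blocking settings.'
} else {
    Write-Output 'No NTLM blocking settings and no external trusts found.'
}
```

The check reads only the local machine's registry, so run it on each domain controller that takes part in the trust.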