Trust utilities allow an administrator to create and validate external trusts on NTLM blocked domains

Applies To: Windows Server 2008 R2

Symptoms

The Active Directory Domains and Trusts snap-ins DOMAIN.MSC and the NETDOM.EXE utility allow an administrator to create an external trust between domains even when NTLM blocking has been configured through security policy. NTLM blocking was introduced in Windows Server® 2008 R2 and Windows® 7to prevent the use of NTLM for authentication on a network and ensure the Kerberos protocol is used for security purposes. While both creation and validation of the trust will appear to work without errors. Both creation and validation of the trust will appear to work without errors. However, NTLM will still be blocked and the trust will not operate correctly.

Cause

DOMAIN.MSC and NETDOM.EXE do not use NTLM credentials when creating and validating trusts. They instead authenticate with the user's Kerberos credentials.

Resolution

Do not create external trusts when using NTLM blocking security policy settings. Alternatively, do not enable NTLM blocking settings in an environment that uses or plans to use external trusts.