2.16 Creating a Transitive Trust Between Two AD Forests
You want to create a transitive trust between two AD forests. This causes the domains in both forests to trust each other without the need for additional trusts.
2.16.2.1 Using a graphical user interface
2.16.2.2 Using a command-line interface

> netdom trust <Forest1DNSName> /Domain:<Forest2DNSName> /Twoway /Transitive /ADD [/UserD:<Forest2AdminUser> /PasswordD:*] [/UserO:<Forest1AdminUser> /PasswordO:*]
For example, to create a two-way forest trust from the AD forest rallencorp.com to the AD forest othercorp.com, use the following command:

> netdom trust rallencorp.com /Domain:othercorp.com /Twoway /Transitive /ADD /UserD:email@example.com /PasswordD:* /UserO:firstname.lastname@example.org /PasswordO:*
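As an added check that is not part of the cookbook: once the netdom command above has run, the following PowerShell snippet verifies the trust and reads back the attributes that decide how far the other forest is trusted. It assumes the ActiveDirectory module from RSAT, an Enterprise Admins account, and the two forest names used in the example.

```powershell
# Added example (not the cookbook's own code). Assumes the ActiveDirectory
# module (RSAT) is installed and that this runs on a machine joined to
# rallencorp.com with Enterprise Admins credentials.
$localForest  = 'rallencorp.com'   # forest the trust was created from (/UserO side)
$remoteForest = 'othercorp.com'    # forest named with /Domain: (/UserD side)

# 1. Ask netdom to check the secure channel behind the trust from this side.
#    Run the same command from othercorp.com to check the other direction.
netdom trust $localForest "/Domain:$remoteForest" /Verify

# 2. Read the trustedDomain object for the remote forest from the local forest root.
$trust = Get-ADTrust -Identity $remoteForest -Server $localForest

# 3. Show the properties that define the trust's scope. For the forest trust
#    created above, Direction should be BiDirectional and ForestTransitive True.
[PSCustomObject]@{
    Source                  = $trust.Source
    Target                  = $trust.Target
    Direction               = $trust.Direction
    ForestTransitive        = $trust.ForestTransitive
    IntraForest             = $trust.IntraForest
    # SID filtering flags: they control whether SIDs from the other forest's
    # sIDHistory are honoured; review them against your policy before relaxing.
    SIDFilteringForestAware = $trust.SIDFilteringForestAware
    SIDFilteringQuarantined = $trust.SIDFilteringQuarantined
    # True means only accounts explicitly granted "Allowed to Authenticate"
    # can use resources across the trust.
    SelectiveAuthentication = $trust.SelectiveAuthentication
    TrustAttributes         = $trust.TrustAttributes   # raw bitmask the flags above are derived from
} | Format-List

# 4. Warn if the object does not look like the two-way forest trust we intended.
if (-not $trust.ForestTransitive) {
    Write-Warning "$remoteForest is an external or non-transitive trust, not a forest trust"
}
if ($trust.Direction -ne 'BiDirectional') {
    Write-Warning "Trust with $remoteForest is one-way ($($trust.Direction)); /Twoway was expected"
}
```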
A new type of trust called a forest trust was introduced in Windows Server 2003. Under Windows 2000, if you wanted to create a fully trusted environment between two forests, you had to set up individual external two-way trusts between every domain in both forests. If you have two forests with three domains each and want to set up a fully trusted model, you need nine individual trusts. Figure 2-4 illustrates how this would look.
Figure 2-4. Trusts necessary for two Windows 2000 forests to trust each other
With a forest trust, you can define a single one-way or two-way transitive trust relationship that extends to all the domains in both forests. You may want to implement a forest trust if you merge or acquire a company and you want all of the new company's Active Directory resources to be accessible for users in your Active Directory environment and vice versa. Figure 2-5 shows a forest trust scenario. To create a forest trust, you need to use accounts from the Enterprise Admins group in each forest.
Figure 2-5. Trust necessary for two Windows Server 2003 forests to trust each other