Two Way Active Directory Cross Domain Trust How-To

I’ve been doing this on more and more servers, so I thought it would be best to document the process.

DNS Setup

  1. Open the DNS manager on the first server
  2. Expand the Forward Lookup Zones, right click on the primary zone (e.g. domain1.local) and click properties.
  3. Go to the Zone Transfers tab and allow zone transfers either to any server (unsecure) or, preferably, only to the IP of the second server.
  4. Expand the Reverse Lookup Zones, right click on the primary zone (e.g. 10.10.10.in-addr.arpa) and click properties.
  5. Go to the Zone Transfers tab and allow zone transfers either to any server (unsecure) or, preferably, only to the IP of the second server.
  6. Open the DNS manager on the second server.
  7. Expand the Forward Lookup Zones, right click on the primary zone (e.g. domain2.local) and click properties.
  8. Go to the Zone Transfers tab and allow zone transfers either to any server (unsecure) or, preferably, only to the IP of the second server.
  9. Expand the Reverse Lookup Zones, right click on the primary zone (e.g. 11.11.11.in-addr.arpa) and click properties.
  10. Go to the Zone Transfers tab and allow zone transfers either to any server (unsecure) or, preferably, only to the IP of the second server.
  11. On the first server, create a secondary zone in the Forward Lookup Zones naming it after the domain on the second server (e.g. domain2.local).
  12. When asked, set the master server as the IP of the second server.
  13. In the Reverse Lookup Zone, create a secondary zone named after the primary zone of the second server (e.g. 11.11.11.in-addr.arpa).
  14. When asked, set the master server as the IP of the second server.
  15. On the second server, create a secondary zone in the Forward Lookup Zones naming it after the domain on the first server (e.g. domain1.local).
  16. When asked, set the master server as the IP of the first server.
  17. In the Reverse Lookup Zone, create a secondary zone named after the primary zone of the first server (e.g. 10.10.10.in-addr.arpa).
  18. When asked, set the master server as the IP of the first server.
  19. DNS should now be replicated across both domains. You can test it by pinging a computer by its FQDN (e.g. ping server.domain1.local). If you receive a response then it’s working correctly.
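The DNS steps above, as an added PowerShell example (not from the original post) using the built-in DnsServer module. One function is run on each DC with the roles swapped; all IP addresses and zone names are assumptions matching the examples in the post.

```powershell
# Added example: run in an elevated PowerShell on the domain controller.
# Assumed, constructed values: first DC = 10.10.10.5, second DC = 11.11.11.5.
Import-Module DnsServer

function Set-PartnerZoneReplication {
    param(
        [string[]]$LocalZones,    # primary zones held on this DC
        [string[]]$PartnerZones,  # primary zones held on the other DC
        [string]$PartnerDc        # the other DC's IP address
    )
    # Steps 2-5 / 7-10: allow transfers of the local primaries only to the partner DC
    # (the secure choice rather than "any server") and notify it of changes.
    foreach ($zone in $LocalZones) {
        Set-DnsServerPrimaryZone -Name $zone `
            -SecureSecondaries TransferToSecureServers -SecondaryServers $PartnerDc `
            -Notify NotifyServers -NotifyServers $PartnerDc
    }
    # Steps 11-14 / 15-18: host the partner's zones as secondaries, partner DC as master.
    foreach ($zone in $PartnerZones) {
        if (-not (Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue)) {
            Add-DnsServerSecondaryZone -Name $zone -ZoneFile "$zone.dns" -MasterServers $PartnerDc
        }
    }
}

# On the first server (domain1.local, reverse zone 10.10.10.in-addr.arpa):
Set-PartnerZoneReplication -LocalZones 'domain1.local', '10.10.10.in-addr.arpa' `
    -PartnerZones 'domain2.local', '11.11.11.in-addr.arpa' -PartnerDc '11.11.11.5'

# On the second server, swap the roles:
# Set-PartnerZoneReplication -LocalZones 'domain2.local', '11.11.11.in-addr.arpa' `
#     -PartnerZones 'domain1.local', '10.10.10.in-addr.arpa' -PartnerDc '10.10.10.5'

# Step 19: confirm the secondary zone loaded and that a name in it resolves
# through the local server (an alternative to the ping test).
Get-DnsServerZone -Name 'domain2.local' | Select-Object ZoneName, ZoneType, MasterServers
Resolve-DnsName -Name 'server.domain2.local' -Type A -Server localhost
```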

Two Way Trust Set Up

  1. On the first server, open Active Directory Domains and Trusts from the Administrative Tools area in Control Panel.
  2. Right click on the domain name and click Properties.
  3. Navigate to the Trusts tab and click New Trust at the bottom.
  4. The Trust wizard will appear. Press Next, type in the FQDN of the second server (e.g. server.domain2.local) and press Next.
  5. Choose Realm Trust and press Next.
  6. For Trust Transitivity choose Nontransitive.
  7. For the direction choose Two-way and press Next.
  8. Type a password for the trust twice and press Next and Next again on the next tab.
  9. Press Finish.
  10. On the second server, open Active Directory Domains and Trusts from the Administrative Tools area in Control Panel.
  11. Right click on the domain name and click Properties.
  12. Navigate to the Trusts tab and click New Trust at the bottom.
  13. The Trust wizard will appear. Press Next, type in the FQDN of the first server (e.g. server.domain1.local) and press Next.
  14. Choose Realm Trust and press Next.
  15. For Trust Transitivity choose Nontransitive.
  16. For the direction choose Two-way and press Next.
  17. Type a password for the trust twice (not sure if this needs to be the same as the password on the other server, I usually set it the same) and press Next and Next again on the next tab.
  18. Press Finish.
  19. All done, you now have a two way trust set up!
  20. Enjoy
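Once both wizards have finished, the trust can be checked from PowerShell rather than taken on faith. This is an added example, not part of the original post; the domain names follow the post's examples and the NetBIOS name and user are placeholders.

```powershell
# Added example: run on either DC in an elevated PowerShell.
Import-Module ActiveDirectory

$Partner = 'domain2.local'   # assumption: the other domain's DNS name

# The trust object as AD stores it. For the wizard choices above expect
# Direction = BiDirectional and DisallowTransivity = True (Nontransitive);
# the SID filtering state is worth recording alongside it.
Get-ADTrust -Filter "Target -eq '$Partner'" |
    Select-Object Name, Direction, TrustType, DisallowTransivity,
                  SelectiveAuthentication, SIDFilteringQuarantined

# Exercise the secure channel in both directions instead of relying on "Finish".
netdom trust (Get-ADDomain).DNSRoot /domain:$Partner /verify /twoway
nltest /domain_trusts

# A user from the other domain should now translate to a SID across the trust;
# if this fails, the "username or password is incorrect" logons reported in the
# comments are the likely symptom. 'DOMAIN2' and 'someuser' are placeholders.
$account = New-Object System.Security.Principal.NTAccount('DOMAIN2', 'someuser')
try {
    $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
} catch {
    Write-Warning "Could not resolve $account over the trust: $($_.Exception.Message)"
}
```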

16 Comments

    • You’ll need to create a Primary Reverse Lookup Zone. You can create one by right clicking on the Reverse Lookup Zone and pressing New Zone. Press Next, choose Primary Zone, press Next, choose how you want it replicated; I’ve set mine to all servers in the Forest, the top option. Press Next, choose IPv4, press Next, type in the first three octets of the IP address range you’re using; e.g. 10.4.211.1-254 would be 10.4.211, if your subnet is more than 254 addresses then just type in the first 2 octets of the IP range; e.g. 10.4.211-214.1-254 would be 10.4. Press Next, choose allow secure dynamic updates, the top option and press Next, press Finish, done.

      Hope that helps.
      Ed

  • Great tutorial, thanks a bunch!

    Only one correction: on step 10 of “Two Way Trust Set Up” I think it should be changed to “On the second server”, as the job is already done on the first server regarding those steps.

      • No, when I am trying to log in with a user from the other domain it says the username or password is incorrect.

        • Hmm, the only time I’ve seen that happen is when the username or password is actually wrong. Are you 100% certain it is correct?

          • Yes, it is correct.
            Can you help with where the trust passwords we set during the configuration are used?

          • Did you set the same password for each side or a different one? I’d maybe try and start the process again to see if that helps.

  • Hi Ed

    Thank you for your time spent in writing this “How-To”.
    I am very new to AD domain and trusts functionality so my question is:
    If I follow your guide and create a cross domain trust between 2 domains, say AD1 and AD2, would I be able to see both domains on a client PC?
    In other words when a user wants to log into a windows 7 machine will he/she be able to see and login to both domains?

    Many thanks

    • Hi Yanni,

      As far as I know you’d only be able to log in to one domain due to the fact you can only register to one domain on a Windows client. Although that shouldn’t matter once you’ve joined, as you’ll be able to use security permissions for the other domain to connect to trusted domain clients and open files and folders.

      Hope that helps,
      Ed

  • This is really good and clear. One question… I had to tear down a long-running 2-way trust when an entity of ours changed / upgraded DCs. I am rebuilding, but before they were using stub zones as we don’t really want the entire zone replicated to us. I can get this working on 1 of the 2 DCs we have. Any ideas or suggestions? Should I start from scratch and use secondary zones? Also we’re using 2008 R2 and the other end is 2012 R2.
