setup of trust relationship between 2 domains

  • Question

  • Hello, we have 2 domains each in their own location. There is a VPN connecting between both sites each domain with their own firewall, DNS and DHCP services. We would like to create a one-way trust relationship from Site A to Site B. After some research there are discrepancies in the steps required to create a trust relationship that we found. Does anyone have the correct steps required to create a trust relationship? Thank you 
    Friday, July 24, 2020 5:59 PM

All replies

  • As you did not say what you had tried, it is pretty hard to give a specific answer.  But using your favorite search engine to search for 'create one-way trust between domains' will give you many articles on how to accomplish it.  Read a couple to find ones that agree and follow those steps.

    Here are a couple of TechNet articles

    http://technet.microsoft.com/en-us/library/cc780479(WS.10).aspx

    http://technet.microsoft.com/en-us/library/cc740018(WS.10).aspx


    tim

    Saturday, July 25, 2020 1:31 PM
  • Hello,
    Thank you for posting here.

    Before establishing forest/domain trust, we need to set up conditional forwarders OR secondary zone.

    We recommend that the domain controller is also a DNS server.
    We can set up conditional forwarders or secondary zone on the primary domain controller (DNS server) in both domains.

    For example, in my lab environment:

    Forest one: primary domain controller and DNS server, domain controller name: 2012R2, IP address 192.168.2.50, domain name: fabrikam.com.

    Forest two: primary domain controller and DNS server, domain controller name: 2019standard, IP address 192.168.3.50, domain name: a.com.

    Prerequisite:
    The domain name, FQDN and IP address can be pinged mutually.



    Create secondary zone:


    1. On the PDC of fabrikam.com, open the DNS server, right-click "Fabrikam.com" -> select "Properties" -> Zone Transfer -> Allow zone transfer to any server.

    2. By right-clicking on DNS-> "Forward Lookup Zone" -> Select "New Zone"-Secondary Zone -> a.com and IP address, the results are as follows:

    3. On the PDC of the a.com domain, right-click "a.com" -> select "Properties" -> Zone Transfer -> Allow zone transfer to any server.

    4. By right-clicking on "Forward Lookup Zone" in DNS->Select "New Zone"-Secondary Zone->fabrikam.com, the result is as follows:



    Set up conditional forwarders

    1. Open the DNS manager on the PDC of fabrikam.com, right-click "Conditional Forwarders"> "New Conditional Forwarders"> enter the other party's domain name and IP address.

    2. Open the DNS manager on the PDC of a.com, right-click "Conditional Forwarders"> "New Conditional Forwarders"> enter the other party's domain name and IP address.


    After setting up the conditional forwarder or secondary zone, we can refer to the links Tim provided to create the forest/domain trust.


    This "Windows Server General Forum" Forum will be migrating to a new home on Microsoft Q&A, please refer to this sticky post for more details. 


    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Monday, July 27, 2020 5:47 AM
    Moderator
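    The same DNS prerequisites, written as an added PowerShell example rather than anything from the thread or from Microsoft's documentation. It reuses the lab names and addresses from the reply above (fabrikam.com / 192.168.2.50 and a.com / 192.168.3.50) and assumes the DnsServer module (DNS Server role or RSAT) is present on the DC it runs on; the function name `Test-RemoteDomainDns` is mine. It also guards against the "zone already exists" error that comes up later in the thread, and it shows the secondary-zone variant with zone transfers limited to the partner server instead of "any server".

```powershell
# Added example (not part of the original thread). Run elevated on the DC/DNS server
# of the local domain; swap the two hashtables around when running on the other side.
$local  = @{ Name = 'fabrikam.com'; Dns = '192.168.2.50' }   # this DC (lab values from the thread)
$remote = @{ Name = 'a.com';        Dns = '192.168.3.50' }   # the other domain's DC

# 1. Prerequisite check: the other domain name, its DC locator record and TCP/53
#    must all be reachable through the VPN before any forwarder or zone is added.
function Test-RemoteDomainDns {
    param([string]$Domain, [string]$DnsServer)
    $a   = Resolve-DnsName -Name $Domain -Server $DnsServer -Type A -ErrorAction SilentlyContinue
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Server $DnsServer -Type SRV -ErrorAction SilentlyContinue
    $tcp = Test-NetConnection -ComputerName $DnsServer -Port 53 -WarningAction SilentlyContinue
    [pscustomobject]@{
        Domain      = $Domain
        ARecord     = [bool]$a          # domain name resolves
        DcSrvRecord = [bool]$srv        # DC locator record resolves (needed by the trust wizard)
        Dns53Open   = $tcp.TcpTestSucceeded
    }
}
Test-RemoteDomainDns -Domain $remote.Name -DnsServer $remote.Dns

# 2a. Option A: conditional forwarder for the other domain.
#     Adding one fails with "The zone already exists" when a forward lookup zone of the
#     same name (for example a secondary zone) is already present, so check first.
$existing = Get-DnsServerZone -Name $remote.Name -ErrorAction SilentlyContinue
if ($null -eq $existing) {
    Add-DnsServerConditionalForwarderZone -Name $remote.Name `
        -MasterServers $remote.Dns -ReplicationScope 'Forest'
} else {
    Write-Warning "Zone '$($remote.Name)' already exists (type: $($existing.ZoneType)); use it or delete it before adding a conditional forwarder."
}

# 2b. Option B (instead of 2a): secondary zone.
#     First, on the REMOTE primary DNS server, allow transfers only to this server rather
#     than to any server, so the zone contents are not exposed to arbitrary hosts:
#       Set-DnsServerPrimaryZone -Name 'a.com' -SecureSecondaries TransferToSecureServers -SecondaryServers '192.168.2.50'
#     Then, on this server, pull the zone:
#       Add-DnsServerSecondaryZone -Name $remote.Name -ZoneFile "$($remote.Name).dns" -MasterServers $remote.Dns
```

    Pick one of the two options per domain, exactly as the reply says; the `Get-DnsServerZone` check is what tells you which one is already in place when the wizard complains that the zone exists.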
  • Hi daisy, thank you for all this detail. This is terrific. I can only ping IP address and not hostname or FQDN. Do I need to setup the forwarders or secondary zone to make this work?

    Thank you

    Tuesday, July 28, 2020 5:02 PM
  • Hi,

    Thank you for your update.

    Maybe we cannot setup the forwarders or secondary zone if we cannot ping domain name and FQDN. But we can try to setup the forwarders or secondary zone to see if it helps. 

    If we cannot setup the forwarders or secondary zone without ping domain name and FQDN, then we should fix the problem (ping domain name and FQDN) so that we can setup the forwarders or secondary zone.



    Best Regards,
    Daisy Zhou





    Wednesday, July 29, 2020 7:08 AM
    Moderator
  • Hi
    How are things going on your end? Please keep me posted on this issue. 
    If you have any further questions or concerns about this question, please let us know.
    I appreciate your time and efforts.

    Best Regards,
    Daisy Zhou



    Friday, July 31, 2020 1:10 AM
    Moderator
  • Hi, I cannot ping the FQDN. I am in discussions with my firewall support and have yet to resolve this. They think I should be configuring the DNS server. I started the process you provided but still cannot resolve. I did get an error on each server at the part to setup New Conditional Forwarders. I get a message: "A problem occurred while trying to add the conditional forwarder. The zone already exists."

    Still waiting on reply from firewall support.

    Thank you

    Saturday, August 1, 2020 6:49 PM
  • Hi,

    Are your DCs also DNS servers?

    If you have a domain name (such as a.com) under "Forward Lookup Zones", you cannot add the same name a.com under "Conditional Forwarders".

    We only need to set up "Forward Lookup Zones" OR "Conditional Forwarder".

    If you want to set up "Conditional Forwarder" with the same name under "Forward Lookup Zones", please delete it under "Forward Lookup Zones".



    Best Regards,
    Daisy Zhou





    Monday, August 3, 2020 2:21 AM
    Moderator
  • Ok, I enabled DNS forwarding in my firewall and now can ping FQDN. I will proceed with configuring the trust relationship.
    Tuesday, August 4, 2020 3:27 PM
  • I completed creating the trusts. What would be the best way to test the configuration?
    Tuesday, August 4, 2020 3:53 PM
  • Hi,
    Would you please tell us what configuration you want to test?


    Best Regards,
    Daisy Zhou



    1 hour 51 minutes ago
    Moderator
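The thread ends without an answer to "what would be the best way to test the configuration?". The following is an added PowerShell example of my own, not something posted in the thread, covering the checks a practitioner would run after creating the one-way trust described above. It assumes you run it elevated on a domain controller of the trusting domain (fabrikam.com in the lab used earlier) with the ActiveDirectory module installed; `netdom` and `nltest` ship with Windows Server. The `$trusted` value is the other domain from the lab and should be replaced with your own.

```powershell
# Added example (not part of the original thread): post-creation checks for a domain trust.
$trusted = 'a.com'   # the trusted domain from the thread's lab; replace with yours

# 1. The trust object exists in AD with the direction and hardening you expect.
#    For a one-way trust, Direction reads Inbound or Outbound rather than BiDirectional.
#    SIDFilteringQuarantined should be True on an external trust so SIDs from the other
#    domain cannot be injected via SID history; SelectiveAuthentication limits which
#    resources the other domain's users may even authenticate to.
Get-ADTrust -Filter "Name -eq '$trusted'" |
    Select-Object Name, Direction, TrustType, ForestTransitive,
                  SIDFilteringQuarantined, SelectiveAuthentication

# 2. Verify the trust's secure channel (the authoritative "does it work" test).
#    Syntax: netdom trust <TrustingDomain> /d:<TrustedDomain> /verify
netdom trust $env:USERDNSDOMAIN /d:$trusted /verify

# 3. Confirm Netlogon enumerates the trust and can reach a DC of the trusted domain.
nltest /domain_trusts /v
nltest /dsgetdc:$trusted

# 4. Confirm the DC locator records of the trusted domain resolve from this side,
#    which is what the DNS forwarder/secondary zone set up earlier is for.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$trusted" -Type SRV
```

If step 2 or 3 fails while step 4 succeeds, the problem is usually firewall rules between the sites (Kerberos, LDAP, SMB and RPC) rather than DNS, which matches the firewall-side fix that resolved the FQDN ping issue earlier in this thread.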