Active Directory Trusts and Relationships

    Question

  • Hi,

    I have some questions regarding AD trusts and need your expert advice.

    Let's say I want to create a trust between Domain A and Domain B. Now while creating a trust on Domain A with Domain B, we need to enter a trust password on Domain A, and the same password is shared with the administrator of Domain B, which he enters while creating the trust at the other end of the trust, i.e. on Domain B. Once the trust is established, the DCs will share the password with each other periodically. Now when we try to validate the trust, it asks for a user name and password. So let's say I am on Domain A and trying to validate the trust with Domain B: I would need a Domain Admin user name and password for Domain B, and only then will I be able to validate the trust. My questions are:

    1. If I reset the password for that account, will the trust be impacted?

    2. Do I need to validate the trust from both the domains, i.e. log in to Domain A and present Domain B's credentials --> validate, and then log in to Domain B, present the credentials for Domain A and validate, or can I validate the trust from both Domain A and Domain B while logged in on Domain A? If so, then will it be done from the incoming and outgoing trust or any other way?

    3. If the trust is not working, can I reset that trust password? If yes, then how can I reset that password and from where?

    Please answer the questions. Many thanks in advance.


    Regards Puneet Pandey MCITP

    Monday, March 6, 2017 9:28 PM

All replies

  • Hi Puneet

    1. No

    2. You can perform the validation for both incoming and outgoing trust - in this case you will need to provide admin credentials for the remote domain - details at https://technet.microsoft.com/en-us/library/cc816894(v=ws.10).aspx

    3. You can use the AD Domains and Trusts console for this purpose. Once the validation fails, you will be given the option to reset the password. Another option is to use netdom (details at https://technet.microsoft.com/en-us/library/cc835085%28v=ws.11%29.aspx )

    hth
    Marcin

    • Marked as answer by Puneet Pandey Tuesday, March 7, 2017 6:33 AM
    Tuesday, March 7, 2017 3:37 AM
  • Hi,

    1. If I reset the password for that account, will the trust be impacted?

    >>>The account is used to create the trust relationship. As mentioned above, changing the password of the account will not impact the trust relationship.

    There is a trust relationship password; it is stored in the TDO object in Active Directory. (Each domain or forest trust within an organization is represented by a Trusted Domain Object (TDO) stored in the System container within its domain.) Domains in a trust relationship share the trust relationship password, and every thirty days the trusting domain controller changes the password stored in the TDO.

    Here is an article below for your reference.

    How Domain and Forest Trusts Work

    https://technet.microsoft.com/en-us/library/cc773178%28v=ws.10%29.aspx

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Tuesday, March 7, 2017 8:57 AM
    Moderator
  • Hey Jay

    Your reply has confused me now, as it is different from what Marcin mentioned.

    When we create a trust we never mention an account; we always use a trust password, which is shared with the other party as well.

    So once again, I think resetting the password of an account which I am using to validate the trust should not break the trust.

    Kindly confirm if that was a typo or you don't agree and have some proof for it.


    Regards Puneet Pandey MCITP

    Tuesday, March 7, 2017 11:41 AM
  • Hi,

    Sorry, I missed "NOT".

    I agree with Marcin.

    Best Regards,

    Jay



    • Marked as answer by Puneet Pandey Tuesday, March 7, 2017 12:24 PM
    Tuesday, March 7, 2017 12:06 PM
    Moderator
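
The replies above describe a trust password that lives in the Trusted Domain Object (TDO) under the System container and is changed every thirty days. The following PowerShell is an added example, not part of the original thread: it lists each TDO with the time since it was last modified, as a read-only way to pick out trusts worth validating. The function name `Get-TrustObjectAge`, the choice to query the PDC emulator, and the use of `whenChanged` as a stand-in for the last password change are assumptions of this example.

```powershell
# Added example (not from the thread): report the age of each Trusted Domain Object.
# Requires the ActiveDirectory module (RSAT). Reads the directory only; changes nothing.
Import-Module ActiveDirectory

function Get-TrustObjectAge {
    param(
        # Assumption: query the PDC emulator of the current domain.
        [string]$Server = (Get-ADDomain).PDCEmulator,
        # Thirty days is the rotation interval stated in the thread.
        [int]$MaxAgeDays = 30
    )

    $domainDn = (Get-ADDomain -Server $Server).DistinguishedName

    # Values of the trustDirection attribute on a trustedDomain object.
    $directionNames = @{ 0 = 'Disabled'; 1 = 'Inbound'; 2 = 'Outbound'; 3 = 'Bidirectional' }

    # TDOs are stored directly under CN=System in the domain partition.
    Get-ADObject -Server $Server -SearchBase "CN=System,$domainDn" -SearchScope OneLevel `
        -LDAPFilter '(objectClass=trustedDomain)' `
        -Properties trustPartner, trustDirection, whenChanged |
    ForEach-Object {
        # whenChanged is updated by ANY change to the TDO, so a recent value proves
        # nothing; an old value does show the object (and the password stored in it)
        # has not been touched on this DC since that time.
        $ageDays = [int][math]::Floor(((Get-Date) - $_.whenChanged).TotalDays)

        [pscustomobject]@{
            TrustPartner = $_.trustPartner
            Direction    = $directionNames[[int]$_.trustDirection]
            LastChanged  = $_.whenChanged
            AgeDays      = $ageDays
            Stale        = $ageDays -gt $MaxAgeDays
        }
    }
}

Get-TrustObjectAge | Sort-Object AgeDays -Descending | Format-Table -AutoSize
```

A row marked `Stale` is only a prompt to validate that trust from the AD Domains and Trusts console or with netdom, as described in the replies; it is not by itself evidence that the trust is broken.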