Create a Forest Trust

Applies To: Windows Server 2008

You can use Active Directory Domains and Trusts to create trust relationships between domains.

Membership in Domain Admins or Enterprise Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To create a forest trust

  1. Open Active Directory Domains and Trusts. To open Active Directory Domains and Trusts, click Start, click Administrative Tools, and then click Active Directory Domains and Trusts.

  2. In the console tree, right-click the domain that you want to administer, and then click Properties.

  3. On the Trusts tab, click New trust, and then click Next.

  4. On the Trust Name page, type the Domain Name System (DNS) name (or NetBIOS name) of the domain, and then click Next.

  5. On the Trust Type page, click Forest trust, and then click Next.

  6. On the Direction of Trust page, do one of the following:

    • To create a two-way forest trust, click Two-way.

      Users in this forest and users in the specified forest will be able to access resources in either forest.

    • To create a one-way, incoming forest trust, click One-way: incoming.

      Users in the specified forest will not be able to access any resources in this forest.

    • To create a one-way, outgoing forest trust, click One-way: outgoing.

      Users in this forest will not be able to access any resources in the specified forest.

  7. Continue to follow the instructions in the wizard.

Additional considerations

  • To perform this procedure, you must be a member of the Domain Admins group or Enterprise Admins group in Active Directory Domain Services (AD DS), or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, search for "using run as" in Help and Support.

  • If you have the appropriate administrative credentials for each forest, you can create both sides of a forest trust at the same time by clicking Both this domain and the specified domain on the Sides of Trust page.

  • If you want users from the specified forest to have access to all computers in the local forest, on the Outgoing Trust Properties page, click Forest-wide authentication. This option is preferred when both forests belong to the same organization.

  • If you want to selectively limit authentication to particular users and groups from the specified forest, on the Outgoing Trust Properties page, click Selective authentication. This option is preferred if the specified forest belongs to a separate organization.

  • In addition to creating new trusts, you can modify existing trusts by clicking the Trusts tab.
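
To check the outcome of the wizard, the following PowerShell script lists each forest trust of the current forest with its direction and, for trusts that have an outgoing side, whether Forest-wide authentication or Selective authentication is in effect. It is an added example, not part of the original procedure; it uses the .NET System.DirectoryServices.ActiveDirectory classes, and the variable and column names are this example's own.

```powershell
# Added example: report direction and authentication scope of forest trusts.
# Assumes a domain-joined computer and an account allowed to read trust objects.
# Written to run on PowerShell 2.0 (no [pscustomobject]).

$forest   = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$outbound = [int][System.DirectoryServices.ActiveDirectory.TrustDirection]::Outbound

$report = foreach ($trust in $forest.GetAllTrustRelationships()) {

    # Authentication scope is set on the Outgoing Trust Properties page,
    # so it is only queried for trusts that have an outgoing side.
    $scope = 'n/a (incoming only)'
    if (([int]$trust.TrustDirection -band $outbound) -eq $outbound) {
        try {
            if ($forest.GetSelectiveAuthenticationStatus($trust.TargetName)) {
                $scope = 'Selective authentication'
            } else {
                $scope = 'Forest-wide authentication'
            }
        } catch {
            # Keep going if one trust cannot be queried (for example, no DC reachable).
            $scope = 'unknown: ' + $_.Exception.Message
        }
    }

    New-Object PSObject -Property @{
        LocalForest     = $trust.SourceName
        SpecifiedForest = $trust.TargetName
        TrustType       = $trust.TrustType
        Direction       = $trust.TrustDirection   # Inbound, Outbound or Bidirectional
        Authentication  = $scope
    }
}

$report |
    Select-Object LocalForest, SpecifiedForest, TrustType, Direction, Authentication |
    Format-Table -AutoSize
```

An outgoing or two-way trust to a forest in a separate organization that reports Forest-wide authentication is worth comparing against the guidance above.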