Active Directory – Creating One Way Domain Trusts
I thought I might do a quick blog post about creating a one-way trust, as I found there to be little text on the following scenario: the primary domain has access to the other domain, but the secondary domain only has access to itself.
OK, so if you have the same requirement, the first thing is: don't bother creating a child domain within the same forest as the current domain. You can't seem to create a one-way trust there; by default Microsoft will create a two-way trust. That means you must create a domain in a separate forest. Whilst there is a bit more involved in setting up the forest, in terms of allowing domain admins rights to manage the other domain etc., it will be well worth it in the long run from a security perspective.
Anyway, run dcpromo and create a new forest, following the prompts. There is stacks of text on this, so I am not going to ramble on about this one.
Once the new domain is created, open 'Active Directory Domains and Trusts' on the primary domain, find the domain, right-click it and choose Properties, then go to the 'Trusts' tab.
(Before you do this setup you will most likely have DNS issues. I would spend a bit of time sorting those out first, otherwise the next steps will not work.)
You should have nothing there at present.
Here you will have to enter the other forest's domain, choose a trust with a Windows domain, then click Next.
Make sure you choose 'One-way: incoming'.
THIS is really important: if you don't choose 'This domain only', it will NOT create a one-way trust in the way that we want.
Enter a password for the trust.
Here say No, because at this point you only have the one trust, so you have nothing to confirm the trust with.
Now go back and do the same on the other domain. The only difference is that you're looking for the primary domain as the trust, and you will need to specify an outgoing trust:
“Outgoing: Users in the specified domain can authenticate in the local domain, but users in the local domain cannot authenticate in the specified domain.”
Once you have done this, go to the trust's properties, where you will see a Validate option. Click it and enter your administrator credentials for each domain. On completion it should give you the below message:
That's it, you have a one-way trust!
For more reading on this, have a look at: http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/deploy/dgbe_sec_ztsn.mspx?mfr=true
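To check the result from PowerShell rather than the GUI, the following added example (not part of the original post) asks each domain for its side of the trust and compares the reported direction with the wizard choices above. It assumes the ActiveDirectory module (RSAT) is installed and an account that can read both domains; the function name and the domain names are placeholders.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Test-OneWayTrust {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $PrimaryDomain,   # its users get access to the other domain
        [Parameter(Mandatory)] [string] $SecondaryDomain  # only has access to itself
    )

    # Direction each side should report, matching the wizard choices in the post.
    $sides = @(
        @{ Local = $PrimaryDomain;   Partner = $SecondaryDomain; Expected = 'Inbound'  },
        @{ Local = $SecondaryDomain; Partner = $PrimaryDomain;   Expected = 'Outbound' }
    )

    foreach ($side in $sides) {
        # DNS prerequisite: the partner's DC locator record must resolve
        # (checked with the resolver of the machine running this script).
        $dnsOk = $true
        try {
            Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$($side.Partner)" -Type SRV -ErrorAction Stop | Out-Null
        } catch { $dnsOk = $false }

        # Ask a DC of the local side for its trust object pointing at the partner.
        $trust = $null
        try {
            $trust = Get-ADTrust -Filter "Target -eq '$($side.Partner)'" -Server $side.Local -ErrorAction Stop
        } catch { Write-Warning "Could not query $($side.Local): $($_.Exception.Message)" }

        $actual = if ($trust) { [string]$trust.Direction } else { 'NotFound' }
        [pscustomobject]@{
            Domain       = $side.Local
            Partner      = $side.Partner
            PartnerDnsOk = $dnsOk
            Expected     = $side.Expected
            Actual       = $actual
            IntraForest  = if ($trust) { $trust.IntraForest } else { $null }
            # Pass only for a trust between separate forests with the expected direction.
            Pass         = ($actual -eq $side.Expected) -and ($trust.IntraForest -eq $false)
        }
    }
}

# Placeholder domain names; replace with your own.
Test-OneWayTrust -PrimaryDomain 'primary.example' -SecondaryDomain 'secondary.example' | Format-Table -AutoSize
```

A row with Actual set to BiDirectional, or with IntraForest set to True, means the trust is not the one-way, separate-forest setup the post describes.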
January 20th, 2009 at 8:42 am
[...] - MOVED Posted by bradmarsh under Microsoft, Software, Techie This Post has moved: http://bradmarsh.net/index.php/2008/08/04/active-directory-creating-one-way-domain-trusts/ [...]
December 23rd, 2009 at 7:31 am
With amazing grace! Just gratifying! Your writing style is delightful and the way you dealt the subject with grace is deserving. Since I am intrigued, I make bold you are an expert on this topic. I am subscribing to your incoming updates from now on.
September 17th, 2010 at 4:12 pm
Your blog provided us with valuable information to work on.