Creating a Forest Trust
A forest trust is a trust between two forest root domains, created to allow all authentication requests made from one forest to reach another. The procedure for creating a forest trust is similar to the one used for creating an external trust. However, before you can create a forest trust, you must complete the following preliminary tasks.
Configure a DNS root server that is authoritative over both of the forest DNS servers that you want to form a trust with, or configure a DNS forwarder on both of the DNS servers that are authoritative for the trusting forests.
Ensure that the forest functional level for both forests is Windows Server 2003.
To configure a DNS forwarder, complete the following steps:
1. Click Start, point to Administrative Tools, and then click DNS.
2. In the console tree, right-click the DNS server you want to configure, and then click Properties.
3. In the Properties dialog box for the DNS server, click the Forwarders tab.
4. In the Forwarders tab, specify the DNS domain names whose queries are to be forwarded (conditional forwarding) in the Domain box by clicking New and typing the domain name. Type the IP address(es) of the server(s) to which the queries are forwarded in the Selected Domain’s IP Address List, and then click Add.
5. Click OK in the Forwarders tab.
Note You can raise the functional level of a forest to Windows Server 2003 only if all domain controllers in the forest are running Windows Server 2003 and all domain functional levels in the forest have been raised to Windows Server 2003. To change the forest functional level to Windows Server 2003, refer to Chapter 3, “Administering Active Directory.”
To create a forest trust, complete the following steps:
1. Click Start, point to Administrative Tools, and then click Active Directory Domains And Trusts.
2. In the console tree, right-click the domain node for the domain in the first forest for which you want to create a forest trust, and then click Properties.
3. In the Properties dialog box, click the Trusts tab.
4. In the Trusts tab, shown previously in Figure 4-17, click New Trust.
5. On the Welcome To The New Trust Wizard page, click Next.
6. On the Trust Name page, shown previously in Figure 4-18, type the DNS name of the target domain in the second forest with which you want to establish a trust in the Name box, and then click Next.
7. On the Trust Type page, shown previously in Figure 4-29, select the Forest Trust option, and then click Next.
Note If the Forest Trust option does not appear, you must confirm that you have completed the preliminary tasks for creating a forest trust.
8. On the Direction Of Trust page, shown previously in Figure 4-19, select one of the following choices:
If you want all users in both forests to be able to access resources anywhere in either forest, click Two-Way, and then click Next.
If you want only users in this forest to be able to access resources anywhere in the second forest, click One-Way: Incoming, and then click Next.
If you want only users in the second forest to be able to access resources anywhere in this forest, click One-Way: Outgoing, and then click Next.
Note By selecting the One-Way: Incoming option, users in the second forest will not be able to access any resources in this forest. By selecting the One-Way: Outgoing option, users in this forest will not be able to access any resources in the second forest.
9. On the Sides Of Trust page, shown previously in Figure 4-20, select one of the following choices:
Select This Domain Only to create the trust relationship in the local forest. Click Next.
Select Both This Domain And The Specified Domain to create a trust relationship in the local forest and a trust relationship in the specified forest. If you select this option, you must have trust creation privileges in the specified forest. Click Next.
10. Select one of the following paths, depending on your choices in steps 8 and 9:
If you selected Two-Way or One-Way: Outgoing in step 8, and This Domain Only in step 9, the Outgoing Trust Authentication Level page, shown previously in Figure 4-21, appears. Select Domain Wide Authentication to have all users in the specified forest authenticated automatically for all resources in the local forest. Select Selective Authentication if you do not want all users in the specified forest to be authenticated automatically for all resources in the local forest. Click Next. On the Trust Password page, shown previously in Figure 4-22, type a password for the trust in the Trust Password and Confirm Trust Password boxes.
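The two preliminary tasks (forest functional level and DNS conditional forwarding) and a review of the trust the wizard creates, as an added PowerShell example that is not part of the original chapter. It assumes it runs on a domain controller that also hosts the DNS server with the ActiveDirectory and DnsServer modules installed; the forest name partner.example and the 10.0.0.x addresses are placeholders.

```powershell
# Added example: check the forest-trust prerequisites described in this
# chapter, then inspect the resulting trust. Placeholder values below.
$RemoteForest     = 'partner.example'             # DNS name of the second forest root (placeholder)
$RemoteDnsServers = @('10.0.0.10', '10.0.0.11')   # its authoritative DNS servers (placeholder)

Import-Module ActiveDirectory
Import-Module DnsServer

# Prerequisite 1: the local forest functional level must be at least
# Windows Server 2003, or the Forest Trust option will not appear in the wizard.
$forest  = Get-ADForest
$minimum = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2003Forest
if ($forest.ForestMode -lt $minimum) {
    throw "Forest $($forest.Name) is at $($forest.ForestMode); raise it to Windows Server 2003 first."
}

# Prerequisite 2: conditional forwarding for the second forest's namespace.
# This is the command-line equivalent of the Forwarders tab steps above.
if (-not (Get-DnsServerZone -Name $RemoteForest -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $RemoteForest -MasterServers $RemoteDnsServers
}

# Confirm the forwarder actually resolves the remote forest root; the New Trust
# Wizard cannot locate the target domain until this succeeds.
Resolve-DnsName -Name $RemoteForest -Type A -ErrorAction Stop | Out-Null

# After the wizard has run, review what was created. Direction, forest
# transitivity and the authentication level (SelectiveAuthentication = $true
# means Selective Authentication was chosen) decide how far the trust reaches.
Get-ADTrust -Filter "Target -eq '$RemoteForest'" |
    Select-Object Target, Direction, ForestTransitive, SelectiveAuthentication
```

Run the first part before starting the wizard and the final Get-ADTrust query after it completes; an empty result means no trust object exists yet in this forest.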