To create a forest trust
- Open Active Directory Domains and Trusts.
- In the console tree, right-click the domain node for the forest root domain, and then click Properties.
- On the Trust tab, click New Trust, and then click Next.
- On the Trust Name page, type the DNS name (or NetBIOS name) of another forest, and then click Next.
- On the Trust Type page, click Forest trust, and then click Next.
- On the Direction of Trust page, do one of the following:
  - To create a two-way forest trust, click Two-way.
    Users in this forest and users in the specified forest can access resources in either forest.
  - To create a one-way, incoming forest trust, click One-way:incoming.
    Users in the specified forest will not be able to access any resources in this forest.
  - To create a one-way, outgoing forest trust, click One-way:outgoing.
    Users in this forest will not be able to access any resources in the specified forest.
- Continue to follow the wizard.
* Reference: http://technet.microsoft.com/en-us/library/cc780479(WS.10).aspx
Useful Troubleshooting Commands
When a cross-forest trust fails, verify the secure channel first to confirm that a foreign DC can be identified and contacted. This post covers troubleshooting techniques for that scenario, and is really only the first step in troubleshooting: establishing that there are no DC locator issues in determining what should be a valid DC across the trust.
The following commands are useful for troubleshooting secure channel issues, specifically name resolution, DC locator and connectivity:
- nltest /domain_trusts /v
- nltest /sc_query:%trusted_domain%
- nltest /sc_reset:%trusted_domain%[\%DCname%]
- nslookup -debug -type=srv _ldap._tcp.dc._msdcs.%domainFQDN%
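The same three checks (name resolution, connectivity, secure channel) can be run in order as one read-only pass. This script is an added example, not part of the original post; it assumes a host with the `Resolve-DnsName` and `Test-NetConnection` cmdlets (Windows Server 2012 or later) and `nltest` available, and `corp.example.com` is a placeholder domain name. It does not run `nltest /sc_reset`, which changes state.

```powershell
# Added example: read-only trust health checks for one trusted domain.
# 'corp.example.com' is a placeholder; pass the real trusted domain FQDN.
param(
    [string]$TrustedDomain = 'corp.example.com'
)

# 1. Name resolution: the SRV records DC locator uses to find DCs across the trust.
$srvName = "_ldap._tcp.dc._msdcs.$TrustedDomain"
try {
    $srv = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' }
} catch {
    Write-Warning "SRV lookup failed for ${srvName}: $($_.Exception.Message)"
    Write-Warning 'Fix DNS for the trusted forest before testing the secure channel.'
    return
}

# 2. Connectivity: try each advertised DC on the port published in its SRV record.
$reach = foreach ($rec in $srv) {
    $tcp = Test-NetConnection -ComputerName $rec.NameTarget -Port $rec.Port `
        -WarningAction SilentlyContinue
    [pscustomobject]@{
        DC        = $rec.NameTarget
        Port      = $rec.Port
        Priority  = $rec.Priority
        Reachable = $tcp.TcpTestSucceeded
    }
}
$reach | Sort-Object Priority | Format-Table -AutoSize
if (-not ($reach | Where-Object Reachable)) {
    Write-Warning "DNS returned DCs for $TrustedDomain but none accepted a connection."
}

# 3. Trust list and secure channel state as nltest reports them.
nltest /domain_trusts /v
$sc = nltest "/sc_query:$TrustedDomain" 2>&1 | Out-String
$sc

# nltest prints NERR_Success in the connection status line for a healthy channel.
if ($sc -match 'NERR_Success') {
    Write-Output "Secure channel to $TrustedDomain is healthy."
} else {
    Write-Warning "Secure channel to $TrustedDomain is not healthy; review the status above."
}
```

Run it from a domain controller in the trusting domain, since `nltest /sc_query` reports the secure channel of the machine it runs on.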