You can use the Active Directory Domains and Trusts snap-in to create external trusts.
Membership in Domain Admins, or Enterprise Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
Creating an external trust
To create an external trust using the Windows interface |
-
Open Active Directory Domains and Trusts. To open Active Directory Domains and Trusts, click Start, click Administrative Tools, and then click Active Directory Domains and Trusts.
-
In the console tree, right-click the domain node for the domain that you want to establish a trust with, and then click Properties.
-
On the Trusts tab, click the New Trust, and then click Next.
-
On the Trust Name page, type the Domain Name System (DNS) name (or NetBIOS name) of the domain, and then click Next.
-
On the Trust Type page, click External trust, and then click Next.
-
On the Direction of trust page, do one of the following:
- To create a two-way, external trust, click
Two-way.
Users in this domain and users in the specified domain will be able to access resources in either domain.
- To create a one-way, incoming external trust,
click One-way:incoming.
Users in the specified domain will not be able to access any resources in this domain.
- To create a one-way, outgoing external trust,
click One-way:outgoing.
Users in this domain will not be able to access any resources in the specified domain.
- To create a two-way, external trust, click
Two-way.
-
Continue to follow the instructions in the wizard.
Additional considerations
- To perform this procedure, you must be a
member of the Domain Admins group or the Enterprise Admins group in
Active Directory Domain Services (AD DS), or you must
have been delegated the appropriate authority. As a security best
practice, consider using Run as to perform this procedure.
For more information, search for "using run as" in Help and
Support.
- If you have the appropriate administrative
credentials for each domain, you can create both sides of an
external trust at the same time by clicking Both this domain and
the specified domain on the Sides of Trust page.
- If you want to allow users from the specified
domain to obtain access to all the resources in this domain, click
Allow authentication for all resources on the Outgoing
Trust Properties page. Use this option when both domains belong
to the same organization.
- If you want to restrict users in the
specified domain from obtaining access to any of the resources in
this domain, click Allow authentication only for selected
resources in the local domain on the Outgoing Trust
Properties page. Use this option when each domain belongs to a
separate organization.
Additional references
To create an external trust using a command line |
-
Open a command prompt. To open a command prompt, click Start, click Run, type cmd, and then click OK.
-
Type the following command, and then press ENTER:
netdom trust <TrustingDomainName> /d:<TrustedDomainName> /add
Parameter | Description |
---|---|
netdom trust |
Manages or verifies the trust relationship between domains. |
<TrustingDomainName> |
Specifies the DNS name (or NetBIOS name) of the trusting domain in the trust that is being created. |
/d: |
Specifies that the DNS domain name that follows is a trusted domain. |
<TrustedDomainName> |
Specifies the DNS name (or NetBIOS name) of the domain that will be trusted in the trust that is being created. |
/add |
Specifies that a trust be created. |
To view the complete syntax for this command, and for information about entering user account information, at a command prompt, type the following command, and then press ENTER:
netdom trust | more
Additional considerations
- To perform this procedure, you must be a
member of the Domain Admins group or the Enterprise Admins group in
AD DS, or you must have been delegated the appropriate
authority. As a security best practice, consider using Run
as to perform this procedure. For more information, search for
"using run as" in Help and Support. You can verify trusts for
shortcut, external, and forest trusts but not realm trusts.
- You can use other parameters to assign a
password or determine the direction of the trust. For example, to
make a two-way, transitive trust, use the following syntax:
netdom trust <TrustingDomainName> /d:<TrustedDomainName> /add /twoway