You can use the Active Directory Domains and Trusts snap-in to create external trusts.

Membership in Domain Admins, or Enterprise Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

Creating an external trust

To create an external trust using the Windows interface
  1. Open Active Directory Domains and Trusts. To open Active Directory Domains and Trusts, click Start, click Administrative Tools, and then click Active Directory Domains and Trusts.

  2. In the console tree, right-click the domain node for the domain that you want to establish a trust with, and then click Properties.

  3. On the Trusts tab, click the New Trust, and then click Next.

  4. On the Trust Name page, type the Domain Name System (DNS) name (or NetBIOS name) of the domain, and then click Next.

  5. On the Trust Type page, click External trust, and then click Next.

  6. On the Direction of trust page, do one of the following:

    • To create a two-way, external trust, click Two-way.

      Users in this domain and users in the specified domain will be able to access resources in either domain.

    • To create a one-way, incoming external trust, click One-way:incoming.

      Users in the specified domain will not be able to access any resources in this domain.

    • To create a one-way, outgoing external trust, click One-way:outgoing.

      Users in this domain will not be able to access any resources in the specified domain.

  7. Continue to follow the instructions in the wizard.

Additional considerations

  • To perform this procedure, you must be a member of the Domain Admins group or the Enterprise Admins group in Active Directory Domain Services (AD DS), or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, search for "using run as" in Help and Support.

  • If you have the appropriate administrative credentials for each domain, you can create both sides of an external trust at the same time by clicking Both this domain and the specified domain on the Sides of Trust page.

  • If you want to allow users from the specified domain to obtain access to all the resources in this domain, click Allow authentication for all resources on the Outgoing Trust Properties page. Use this option when both domains belong to the same organization.

  • If you want to restrict users in the specified domain from obtaining access to any of the resources in this domain, click Allow authentication only for selected resources in the local domain on the Outgoing Trust Properties page. Use this option when each domain belongs to a separate organization.

Additional references

To create an external trust using a command line
  1. Open a command prompt. To open a command prompt, click Start, click Run, type cmd, and then click OK.

  2. Type the following command, and then press ENTER:

    netdom trust <TrustingDomainName> /d:<TrustedDomainName> /add
    

Parameter Description

netdom trust

Manages or verifies the trust relationship between domains.

<TrustingDomainName>

Specifies the DNS name (or NetBIOS name) of the trusting domain in the trust that is being created.

/d:

Specifies that the DNS domain name that follows is a trusted domain.

<TrustedDomainName>

Specifies the DNS name (or NetBIOS name) of the domain that will be trusted in the trust that is being created.

/add

Specifies that a trust be created.

To view the complete syntax for this command, and for information about entering user account information, at a command prompt, type the following command, and then press ENTER:

netdom trust | more 

Additional considerations

  • To perform this procedure, you must be a member of the Domain Admins group or the Enterprise Admins group in AD DS, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, search for "using run as" in Help and Support. You can verify trusts for shortcut, external, and forest trusts but not realm trusts.

  • You can use other parameters to assign a password or determine the direction of the trust. For example, to make a two-way, transitive trust, use the following syntax:

    netdom trust <TrustingDomainName> /d:<TrustedDomainName> /add /twoway 
    

Additional references