How to Establish a Trust Relationship Between Active Directory Forests

In enterprise environments, it’s often necessary for users in one Active Directory (AD) forest to access resources in another. This is where trust relationships come into play. These trusts are commonly used during mergers, acquisitions, or cross-organization integrations.

This guide walks you through setting up a two-way trust relationship between two separate forests—contoso.loc and test.loc.

What Is a Trust Relationship?

A trust allows authentication across AD domains. With it, users from one forest can securely access resources in another. However, these trusts must be configured between the root domains of each forest.

Prerequisites

Before configuring a trust, ensure the domain controllers from both forests can communicate with each other and resolve DNS names correctly. This is achieved by configuring DNS Conditional Forwarders.

Set Up Conditional Forwarding:

1. Open DNS Manager (dnsmgmt.msc) on the contoso.loc domain controller.
2. Navigate to Conditional Forwarders.
3. Create a new forwarder for test.loc:
   • Enter the domain name (test.loc)
   • Add the IP address of the domain controller from test.loc
   • Enable “Store this conditional forwarder in Active Directory”
   • Replicate to All DNS servers in this domain
4. Repeat the same on the test.loc domain controller for contoso.loc.

Configure the Trust Relationship

After DNS is correctly set up, follow these steps:

1. Launch Active Directory Domains and Trusts (domain.msc) on contoso.loc.
2. Right-click your domain, go to Properties, and open the Trusts tab.
3. Click New Trust and launch the wizard.
4. Enter the name of the other domain (test.loc).
5. Choose the trust type:
   • External Trust: A one-to-one trust between root domains (non-transitive).
   • Forest Trust: Transitive trust across all child domains within each forest.
6. Choose the trust direction:
   • Two-way: Both domains trust each other.
   • One-way incoming: Only your domain accepts users from the other.
   • One-way outgoing: Your users can access the other domain’s resources.
7. Decide where to create the trust:
   • This domain only
   • Both this domain and the specified domain
8. Enter credentials of a user in test.loc with Enterprise Admin rights.
9. Choose authentication scope for users from test.loc:
   • Domain-wide authentication: Full access within your domain.
   • Selective authentication: Only specific resources can be accessed.
10. Configure outbound authentication rules for your own users.
11. Proceed through the wizard and verify that the trust was successfully established.

SID Filtering Warning

Once the trust is active, you may see a security warning about SID filtering. By default, AD filters out Security Identifiers (SIDs) from trusted domains to protect against token spoofing.

If you are migrating users and need SID History, you can temporarily disable filtering using this command:

netdom trust contoso.loc /domain:test.loc /quarantine:No

🔒 Be cautious—only disable SID filtering during controlled migrations.

Conclusion

Establishing trust relationships between AD forests is essential for enabling cross-domain authentication and collaboration. By configuring DNS properly and using the Trust Wizard, you can securely connect environments and streamline resource sharing.