Creating a Two Way Forest Trust Demo
Start course

Windows Active Directory Domain Services (AD DS) is a leading identity management solution for organizations of all sizes. An AD DS deployment can be as simple as a single domain controller or as complex as a multi-domain forest spread across the globe. Managing sites, domains, and forests in an AD DS environment is critical to a healthy and reliable Active Directory infrastructure. This course is intended to provide the information needed to successfully manage Windows AD sites, domains, forests, trust relationships, and replication.

In this course, we start by reviewing AD DS forest and domain trusts. Then we examine forest design considerations to create a scalable environment that can meet future demands. Next, we investigate Active Directory sites, site links, and how they relate to the organization's network configuration.  Finally, we evaluate AD DS replication and how site links can optimize replication in an AD DS environment.

Learning Objectives

  • Windows AD domains, forests, and trust relationships
  • Windows AD forests and domain design considerations
  • Creating a two-way forest trust
  • Active Directory sites and site topology
  • Creating an Active Directory site
  • Windows AD sites and replication
  • Creating Active Directory site links

Intended Audience 

  • System administrators with responsibilities for managing hybrid identities
  • Subject matter experts in configuring and managing Active Directory workload on-premises and in Azure
  • Anyone preparing for the Azure AZ-800: Administering Windows Server Hybrid Core Infrastructure exam



In the demo coming up, we'll create a Two-Way Forest Trust. Before we start, let's review the current configuration and requirements. There are two domain controllers in this environment: DomainABC on DomainA, and DomainBDC on domain B. These are stand-alone domain controllers each in their own forest root domain. In order to establish a trust relationship, we need to have network connectivity between the two domains. This could be by a VPN or some other private network. 

For this example, they're connected on a local network. We also need to configure DNS on both domains. In order to look up and use resources over a forest trust, members of one domain need to be able to locate resources in the other domain. We'll use conditional forwarders to forward lookups for the and domain to the correct DNS server. To follow along, you'll need a domain controller in separate domains, and they need to be in the root forest domain. As stated already, network connectivity between the domain controllers must be in place to establish a trust relationship. Also, creating a forest trust requires Domain or Enterprise administrator rights on both domains. 

Let's go to our first domain controller to configure the conditional forwarder lookup zones and then enable the trust. We'll start by configuring DNS. Each domain controller is in a root forest domain and has authority over the DNS domain. For example, from domain A, NS lookup will return the IP address for domainADC.domainacom. Let's open the command prompt and take a look. That's the correct IP address for domaiadc.domainacom. Let's take a look at what happens if we do an NS lookup on We get a time out. We can't resolve that host because the server does not know anything about domain B. This works in the other direction as well. 

We would get similar results from the same set of commands on the domain B domain controller. Let's fix that with a conditional forwarder. A conditional forwarder will tell our DNS servers that if a request comes in from a specified domain, the domain we're trying to create a trust with in this case, send that look up request to another server. The domain controller on the domain we're creating the trust with. From the first Domain Controller, go to DNS under Windows Administrative tools. Expand the domain controller and we'll see conditional forwarders. Right click on conditional forwarders and select new conditional forwarder. For for this DNS server, add the domain of the trusted domain. We're on domain A, so add the domain name for domain B Next, add the IP address of the DNS server for that domain or other domain controller in this example. 

It's not uncommon to see an error because reverse lookup isn't working. That won't prevent DNS lookups. Check the box to store the conditional forwarder with Active Directory. This will replicate the settings to all DNS servers in the forest. Click 'OK.' Let's go back to the command prompt. Let's run the last NS look up command again, the one that looks up Now we get the correct response. That sets up our DNS on domain A to forward all requests for domain B to domain B's DNS server. Follow these same steps on the other domain controller to add a conditional forwarder to forward requests to the trusted domain before moving to the next step. Now that DNS is in place, we can create the forest trust. 

From the domain controller, Domain ABC for this example, open Active Directory Domains and Trusts under Windows Administrative tools. Right click on the forest root domain and click 'Properties'. Go to the Trust tab and click 'New Trust'. Click 'Next' at the welcome screen. Enter the DNS name of the domain we are creating the trust relationship with. for this example. Click 'Next'. At Trust Type, select forest trust. Click 'Next'. The next screen gives the option for a two-way, one-way incoming or one-way outgoing trust. Select two-way trust for this example. At the sides of trust screen, we have to select if we're creating a trust for this domain only or both this and the other domain. We'll select both this domain and the specified domain for this example. 

It is possible that both forest root domains will have different administrators, and those administrators don't have access to the other forest. In that case, each side of the trust will go through the wizard and add their side of the trust with this domain only option. We're already logged into the domain A domain controller, now we have to enter a username and password with an account that has rights to create a forest trust in the other domain. Next, we can set the trust authentication level. Leave it as forced-wide authentication and click 'Next'. Leave it as forced-wide authentication at the next screen. This is the same setting only for the other forest. Click 'Next' and click 'Next' again to create the trust. Once the trust is finished, select 'Yes' to confirm the outgoing trust. Also select 'Yes' to confirm the incoming trust. Once done, click 'Finish'. Now, we can see the outgoing and incoming transitive force trust between the domain A domain and the domain B domain. 

Let's view the setting on the other domain controller in domain B. Here we are on domain BDC. Let's go to Active Directory Domains and Trusts. Right click on the domain and go to Properties. Go to the Trust tab. It lists the transitive force trust with domain A. That shows we now have a two-way transitive trust between domain A and domain B. Let's add a user from domain A to a domain local group in domain B. We can close Active Directory Domains and Trusts and open up Active Directory Users and Computers. 

Under Users, create a new group called TrustGroup. Change the type to domain local and click 'OK'. Now let's open that group. Go to Members, 'Add', click on 'Locations', and select the domain. Search for user and the other domain. This example will use domainauser1. Click 'Apply'. Now we can grant users in domain A access to resources in a different forest. That is how to configure DNS and add a forest trust with Windows Active Directory.


About the Author

Travis Roberts is a Cloud Infrastructure Architect at a Minneapolis consulting firm, a Microsoft MVP, MCT, and author. Travis has 20 years of IT experience in the legal, pharmaceutical, and marketing industries and has worked with IT hardware manufacturers and managed service providers. In addition, Travis has held numerous technical certifications throughout his career from Microsoft, VMware, Citrix, and Cisco.