8 Dec

Active Directory – Creating One Way Domain Trusts

Thought I might do a quick blog about creating a one-way trust, as I found there to be little text on the following scenario: the primary domain has access to the other domain, but the secondary domain only has access to itself.

Ok so if you have the same requirement, the first thing is don’t bother creating a child domain within the same forest as the current domain; you can’t seem to create a one-way trust that way, as by default Microsoft will create a two-way trust. So that means you must create the domain in a separate forest. Whilst there is a bit more involved in setting up a forest, in terms of allowing domain admins rights to manage the other domain etc, it will be well worth it in the long run from a security perspective.

Anyway, do your DC promo, create a new forest and follow the prompts. There are stacks of text on this so I am not going to ramble on about this one.

Once the new domain is created, open ‘Active Directory Domains and Trusts’ on the primary domain, find the domain, right click, Properties, and go to the ‘Trusts’ tab.

(Before you do this setup you will most likely have DNS issues. I would spend a bit of time sorting that out first, otherwise the next steps will not work.)

Now you should have nothing there at present.

Here you will have to enter the other forest’s domain, choose ‘Trust with a Windows domain’, then Next.

Make sure you choose ‘One-way: incoming’.

[screenshot]

THIS is really important: if you don’t choose ‘This domain only’ it will NOT create a one-way trust in the way that we want.

[screenshot]

Enter a password for the trust.

[screenshot]

Here say No, because at this point you only have this one side of the trust, so there is nothing to confirm the trust against yet.

[screenshot]

Now go back and do the same on the other domain. The only difference is that you are looking for the primary domain as the trust, and you will need to specify an outgoing trust:

“Outgoing: Users in the specified domain can authenticate in the local domain, but users in the local domain cannot authenticate in the specified domain.”

Once you have done this, go to the Properties and you will see a Validate button. Click on this, put in your administrator credentials for each domain, and on completion it should give you the below message:

[screenshot]

That’s it, you have a one-way trust!
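If you would rather script the two wizard runs above than click through them, here is an added example (my own, not from the original post or from Microsoft) that does the same thing with the .NET System.DirectoryServices.ActiveDirectory API. It is run once on a DC in each forest: the primary side creates its ‘One-way: incoming’ half with ‘This domain only’ semantics, the secondary side creates its ‘outgoing’ half, and the -Validate switch is the equivalent of the Validate button. The domain names primary.example and secondary.example are placeholders, and you need Domain Admin rights in whichever forest you run it in.

```powershell
<#
  Added example, not part of the original post: builds the one-way trust from
  PowerShell instead of the 'Domains and Trusts' wizard. Run once per forest.
  Domain names are placeholders; the trust password is prompted for.
#>
param(
    [Parameter(Mandatory)][ValidateSet('Primary', 'Secondary')]
    [string] $Side,
    [string] $PrimaryDomain   = 'primary.example',    # placeholder: forest whose users get access
    [string] $SecondaryDomain = 'secondary.example',  # placeholder: forest that stays isolated
    [switch] $Validate                                # only succeeds once BOTH sides exist
)

Add-Type -AssemblyName System.DirectoryServices
$ns = 'System.DirectoryServices.ActiveDirectory'

# Same advice as the post: sort DNS out first, or nothing below will work.
foreach ($name in @($PrimaryDomain, $SecondaryDomain)) {
    if (-not (Resolve-DnsName -Name $name -Type A -ErrorAction SilentlyContinue)) {
        throw "Cannot resolve '$name'. Fix DNS (conditional forwarders) before creating the trust."
    }
}

# Work out which half of the trust this DC is responsible for.
if ($Side -eq 'Primary') {
    $expectedLocal = $PrimaryDomain
    $target        = $SecondaryDomain
    # 'One-way: incoming' on the primary: users in THIS domain can authenticate in the secondary.
    $direction     = [System.DirectoryServices.ActiveDirectory.TrustDirection]::Inbound
} else {
    $expectedLocal = $SecondaryDomain
    $target        = $PrimaryDomain
    # 'One-way: outgoing' on the secondary: users in the primary can authenticate here, not vice versa.
    $direction     = [System.DirectoryServices.ActiveDirectory.TrustDirection]::Outbound
}

$local = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
if ($local.Name -ne $expectedLocal) {
    throw "Run the '$Side' side on a DC in $expectedLocal (this DC is in $($local.Name))."
}

# CreateLocalSideOfTrustRelationship only touches this forest, which is exactly
# what 'This domain only' does in the wizard. The other half is created on the other DC.
$trustPassword = Read-Host -Prompt 'Trust password (use the same value on both sides)'
$local.CreateLocalSideOfTrustRelationship($target, $direction, $trustPassword)

# Read the trusted-domain object back and make sure it is one-way in the direction we asked for.
$info = $local.GetTrustRelationship($target)
if ($info.TrustDirection -ne $direction) {
    throw "Trust to $target was created as '$($info.TrustDirection)', expected '$direction'."
}
Write-Host "Created local side of trust: $($info.SourceName) -> $($info.TargetName) [$($info.TrustDirection)]"

if ($Validate) {
    # Equivalent of the Validate button: bind to the other forest with ITS admin
    # credentials and check the secure channel. Fails (as the post notes) until both sides exist.
    $cred = Get-Credential -Message "Administrator credentials for $target"
    $ctx  = New-Object -TypeName "$ns.DirectoryContext" -ArgumentList @(
        'Domain', $target, $cred.UserName, $cred.GetNetworkCredential().Password)
    $remote = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx)
    try {
        $local.VerifyTrustRelationship($remote, $direction)
        Write-Host "Trust with $target validated OK."
    } catch {
        Write-Warning "Validation failed: $($_.Exception.Message)"
    }
}
```

Run it as `.\New-OneWayTrust.ps1 -Side Primary` on the primary forest first, then `.\New-OneWayTrust.ps1 -Side Secondary -Validate` on the secondary, which mirrors saying No to the confirmation on the first side and validating only once both halves exist. The direction check after creation is the scripted version of the ‘This domain only’ warning above: if it comes back Bidirectional, the secondary forest has just been given access it should not have. On Server 2012 and later, `Get-ADTrust -Filter *` from the ActiveDirectory module will also list the resulting trust objects with their direction.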

For more reading on this have a look at: http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/deploy/dgbe_sec_ztsn.mspx?mfr=true