18.2 Cross-Forest Trust Relationships

Administrators must configure trust relationships manually to access resources in a different forest. Every trust relationship between domains in different forests must be explicitly configured.

18.2.1 Creating a Cross-forest Trust between Active Directory and Domain Services for Windows Forests

This section describes how to create a cross-forest trust between Active Directory and DSfW.

In this example, win2003ad.com is the domain name of the Active Directory forest and dsfw.com is the domain name of the DSfW forest.

Configuring the DNS Forwarders on the Domain Services for Windows Server

You need to configure a DNS forwarder on the DSfW DNS server to forward any DNS queries for the Active Directory domain to the Active Directory domain's DNS server.

  • Active Directory domain name: win2003ad.com

  • DSfW domain name: dsfw.com

  1. In the DNS Service window of the DNS/DHCP Java-based Management Console utility, click Create on the tool bar.

  2. Select Zone from the Create New DNS Object dialog box, then click OK.

  3. Select Create New Zone and specify the DNS configuration parameters as follows:

    • Specify the eDirectory context for the zone or browse to select it; that is, the container containing the DNS related objects.

    • Specify a name for the zone; that is, the domain name of the Active Directory forest.

    • Select the Zone Type as Forward.

    • Select a DNS server from the Assign Authoritative DNS Server drop-down list. This is the name of the DNS server object.

    • Click Create. A message indicates that the new forward zone has been created.

  4. Select the zone that is created.

  5. Click the Forwarding List tab. This tab displays a list of all forwarding IP addresses. To add an address to the list, click Add, select the Forwarder Address option and specify the IP address of the Active Directory forest's DNS server. Click OK.

  6. Restart DNS by using the rcnovell-named start command.

  7. To save the changes to NDS (eDirectory), click the Save button.

Configuring the Reverse Lookup Zone Forwarder

You need to configure a DNS reverse lookup zone on the DSfW DNS server for the Active Directory domain.

  1. In the DNS Service window of the DNS/DHCP Java-based Management Console utility, select All Zones, then click Create.

  2. Select Zone from the Create New DNS Object dialog box, then click OK.

  3. Specify the DNS configuration parameters:

    • Select Create IN-ADDR.ARPA.

    • Specify the network address. This is the IP address of the Active Directory forest's DNS server.

    • Select Forward as the Zone Type.

    • Select a DNS server from the Assign Authoritative DNS Server drop-down list. This is the name of the DNS server object.

    • Click Create. A message indicates that the zone has been created.

  4. Select the zone that is created.

  5. Click the Forwarding List tab. This tab displays a list of all forwarding IP addresses. To add an address to the list, click Add, select the Forwarder Address option and specify the IP address of the Active Directory forest's DNS server. Click OK.

  6. To save the changes to NDS (eDirectory), click the Save button.

  7. Verify the DNS configuration by trying to resolve the Active Directory domain and its DNS SRV records using nslookup, as follows:

    nslookup -query=any _ldap._tcp.dc._msdcs.<AD domain name>

    For example:

    # nslookup -query=any _ldap._tcp.dc._msdcs.win2003ad.com
    Server: 192.168.1.10
    Address: 192.168.1.10#53
    Non-authoritative answer:
    _ldap._tcp.dc._msdcs.win2003ad.com service = 0 100 389 osg-dt-srv22.win2003ad.com.
    Authoritative answers can be found from:
    osg-dt-srv22.win2003ad.com internet address = 192.168.1.20

Configuring the DNS Forward Lookup Zone on the Active Directory Server

To resolve the DSfW forest from the Active Directory forest, you must either create a forward lookup stub zone or a forwarder on the Active Directory forest's DNS server.

  1. At your Windows management workstation, click Start>Run, enter mmc in the text field and click OK.

    1. Click File>Add/Remove snap-in, click Add and select DNS snap-in, then click Add. Click Close to close the window and then click OK.

    2. Select the Forwarders tab, then click New and add a new forwarder for the DSfW domain. Specify the DSfW domain name and click OK.

    3. Select the new forwarder, specify the IP address of the DNS server of the DSfW domain, then click Add.

    4. Verify the DNS configuration by using nslookup to resolve the DSfW domain and its DNS SRV records, as follows:

      nslookup -query=any _ldap._tcp.dc._msdcs.<DSfW domain name>

  2. Right-click Reverse Lookup Zones, then select New Zone.

    1. Select Primary Zone. Deselect the Store the zone in Active Directory option.

    2. Specify the Network IP and click Finish. The zone is now created.

    3. Right-click the newly created zone to create a PTR record and enter the required details.

  3. If the Active Directory domain's Domain Functional Level is not Windows Server 2003, do the following to raise it:

    1. Open Active Directory Domains and Trusts snap-in from the MMC.

    2. Right-click the icon representing the Active Directory domain, select Raise Domain Functional Level from the menu, then set it to Windows Server 2003.

  4. If the Active Directory forest's Forest Functional Level is not Windows Server 2003, do the following to raise it:

    1. Right-click the Active Directory Domains and Trusts snap-in from MMC.

    2. Select Raise Forest Functional Level from the menu and set it to Windows Server 2003.

Creating the Trust

  1. At your Windows management workstation, click Start>Run, enter mmc in the text field and click OK.

  2. Click File>Add/Remove snap-in, click Add and select Active Directory Domains and Trusts snap-in, then click Add.

  3. Click Close, then click OK.

  4. Right-click the DSfW domain, then select Properties.

  5. Select New Trust from the Trusts tab, then click OK.

  6. Click Next to start creating a new trust.

  7. Specify the DNS name (or NetBIOS name) of the Active Directory forest, then click Next.

  8. Select Forest trust, then click Next.

  9. To select the direction of trust, do one of the following:

    • Click Two-way to create a two-way forest trust.

    • Click One-way:incoming to create a one-way incoming forest trust.

    • Click One-way:outgoing to create a one-way outgoing forest trust.

  10. Click Next.

  11. Select Both this domain and the specified domain and click Next.

  12. Specify the user name and password of the Active Directory domain administrator, then click Next.

  13. Select Forest-wide authentication to authorize users to use resources in the local forest or those identified by the administrator, then click Next.

  14. Select Forest-wide authentication to authenticate Active Directory forest users to use resources in the dsfw.com forest or those identified by the administrator, then click Next.

  15. Review the trust settings and complete the creation of trust by clicking Next.

  16. Click any option depending on your choice, then click Next.

  17. Click any option depending on your choice, then click Next.

    NOTE: In Step 16 and Step 17, if you select the Yes option to confirm the trust, ensure that you validate the trust later by selecting Properties>Validate.

  18. Complete the trust creation by clicking Finish.

  19. The new domain summary appears in the Trusts page.

Verifying the Trust

To verify that the DNS configuration is correct:

  1. Verify that the Log on to drop-down list in the Login window of a Windows XP machine that is joined to the Domain Services for Windows domain has an entry for the Active Directory domain. For later versions of Windows, such as Windows 7 and Windows 8, follow Step 2.

  2. Try to log on to the Windows machine that is joined to the Domain Services for Windows domain with an Active Directory domain user principal name.

  3. Verify that the Log on to field in the Login window of a Windows XP machine that is joined to the Active Directory domain has an entry for the Domain Services for Windows domain. For later versions of Windows, such as Windows 7 and Windows 8, follow Step 4.

  4. Try to log on to the Windows machine that is joined to the Active Directory domain with a Domain Services for Windows domain user principal name.

18.2.2 Creating a Cross-forest Trust between two Domain Services for Windows Forests

This section describes how to create a cross-forest trust between two DSfW forests.

In this example, there are two DSfW forests: dsfw1.com and dsfw2.com.

Configuring the DNS Forwarders on the Domain Services for Windows Server

You need to configure a DNS forwarder on the first DSfW DNS server (dsfw1.com) to forward any DNS queries for the second DSfW domain (dsfw2.com). The queries are forwarded to the DNS server of the second domain.

  1. In the DNS Service window of the DNS/DHCP Java-based Management Console utility, click Create on the tool bar.

  2. Select Zone from the Create New DNS Object dialog box, then click OK.

  3. Select Create New Zone and specify the DNS configuration parameters as follows:

    • Specify the eDirectory context for the zone or browse to select it; that is, the container containing the DNS related objects.

    • Specify a name for the zone; that is, the DSfW domain name with which you want to create trust (second domain).

    • Select the Zone Type as Forward.

    • Select a DNS server from the Assign Authoritative DNS Server drop-down list. This is the name of the DNS server object.

    • Click Create. A message indicates that the new forward zone has been created.

  4. Select the zone that is created.

  5. Click the Forwarding List tab. This tab displays a list of all forwarding IP addresses. To add an address to the list, click Add, select the Forwarder Address option and specify the IP address of the DNS server of the DSfW domain with which you want to create trust (second domain). Click OK.

  6. Restart DNS by using the rcnovell-named start command.

  7. To save the changes to NDS (eDirectory), click the Save button.

Repeat Step 1 to Step 7 to create a forwarder for the first DSfW domain (dsfw1.com) on the DNS server of the second DSfW domain (dsfw2.com).

Configuring the Reverse Lookup Zone Forwarder

You need to configure a reverse lookup zone for the second DSfW domain on the DNS server of the first DSfW domain.

  1. In the DNS Service window of the DNS/DHCP Java-based Management Console utility, select All Zones, then click Create.

  2. Select Zone from the Create New DNS Object dialog box, then click OK.

  3. Specify the DNS configuration parameters:

    • Select Create IN-ADDR.ARPA.

    • Specify the network address. This is the IP address of the DNS server of the DSfW domain with which you want to create a trust.

    • Select Forward as the Zone Type.

    • Select a DNS server from the Assign Authoritative DNS Server drop-down list. This is the name of the DNS server object.

    • Click Create. A message indicates that the zone has been created.

  4. Select the zone that is created.

  5. Click the Forwarding List tab. This tab displays a list of all forwarding IP addresses. To add an address to the list, click Add, select the Forwarder Address option and specify the IP address of the DNS server of the DSfW domain with which you want to create a trust (second domain). Click OK.

  6. To save the changes to NDS (eDirectory), click the Save button.

  7. Verify the DNS configuration by trying to resolve the DSfW domain with which you want to create a trust and its DNS SRV records using nslookup, as follows:

    nslookup -query=any _ldap._tcp.dc._msdcs.<DSfW domain name>

    For example:

    # nslookup -query=any _ldap._tcp.dc._msdcs.dsfw2.com
    Server: 192.168.1.10
    Address: 192.168.1.10#53
    Non-authoritative answer:
    _ldap._tcp.dc._msdcs.dsfw2.com service = 0 100 389 osg-dt-srv22.dsfw2.com.
    Authoritative answers can be found from:
    osg-dt-srv22.dsfw2.com internet address = 192.168.1.20

Repeat Step 1 to Step 7 to create a forwarder for the reverse lookup zone of the first DSfW domain (dsfw1.com) on the DNS server of the second DSfW domain (dsfw2.com).
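The nslookup check in Step 7 of both reverse lookup procedures above (against the Active Directory forest and against the second DSfW forest) can be scripted so that it is repeatable from the DSfW server's shell. The following is an added example, not part of the DSfW documentation: it resolves a forest's domain controller SRV records through the configured forwarder, confirms each target host lies inside that forest, and reverse-resolves each controller through the reverse lookup zone. The nslookup output layout it parses is assumed to match the sample shown in the guide, and the host names and addresses in the test data are taken from that sample.

```shell
#!/bin/sh
# Added example, not part of the DSfW guide: checks from the DSfW server's shell
# that a forest's DC SRV records and reverse lookups resolve through the
# forwarders configured above. Assumes the nslookup output format in the guide.

# Print "priority weight port target" for each SRV line of nslookup output
# read on stdin (trailing dot on the target removed).
parse_dc_srv() {
    awk '/service = / { sub(/\.$/, "", $NF); print $(NF-3), $(NF-2), $(NF-1), $NF }'
}

# Succeed only if at least one DC record advertises LDAP on port 389 and its
# target host lies inside the forest's DNS namespace ($1); a target outside it
# means the forward zone is being answered by the wrong server.
verify_dc_srv() {
    parse_dc_srv | awk -v dom="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        $3 == 389 && substr(tolower($4), length($4) - length(dom)) == "." dom { ok = 1 }
        END { if (!ok) exit 1 }'
}

# Succeed if a PTR answer on stdin names a host inside the forest ($1), which
# is what the reverse lookup zone forwarder must provide.
verify_ptr() {
    awk -v dom="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /name = / { t = tolower($NF); sub(/\.$/, "", t)
                    if (substr(t, length(t) - length(dom)) == "." dom) ok = 1 }
        END { if (!ok) exit 1 }'
}

# Live check against the local resolver for one forest domain, e.g.
# "check_forest_dns win2003ad.com" on the dsfw.com server (and the reverse).
check_forest_dns() {
    dom=$1
    if ! nslookup -query=srv "_ldap._tcp.dc._msdcs.$dom" | verify_dc_srv "$dom"; then
        echo "FAIL: no usable DC SRV record for $dom; check the forward zone and forwarder" >&2
        return 1
    fi
    # Reverse-resolve every domain controller the SRV answer pointed at.
    for host in $(nslookup -query=srv "_ldap._tcp.dc._msdcs.$dom" | parse_dc_srv | awk '{ print $4 }'); do
        ip=$(nslookup -query=a "$host" | awk '/^Address: / && !/#/ { print $2 }' | head -n 1)
        if [ -z "$ip" ] || ! nslookup -query=ptr "$ip" | verify_ptr "$dom"; then
            echo "FAIL: $host ($ip) has no PTR record inside $dom; check the reverse lookup zone" >&2
            return 1
        fi
    done
    echo "OK: domain controllers of $dom resolve forward and reverse"
}

# Usage: sh check_forest_dns.sh win2003ad.com
for d in "$@"; do check_forest_dns "$d" || exit 1; done
```

Run it on each DSfW server with the other forest's domain name as the argument; a FAIL on the SRV check points at the forward zone or forwarder, a FAIL on the PTR check at the reverse lookup zone.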

Creating the Trust

  1. At your Windows management workstation, which is joined to the first DSfW domain, click Start>Run, enter mmc in the text field and click OK.

  2. Click File>Add/Remove snap-in, click Add and select Active Directory Domains and Trusts snap-in, then click Add.

  3. Click Close, then click OK.

  4. Right-click the first DSfW domain (dsfw1.com), then select Properties.

  5. Select New Trust from the Trusts tab, then click OK.

  6. Click Next to start creating a new trust.

  7. Specify the DNS domain name (or NetBIOS name) of the second DSfW forest (dsfw2.com), then click Next.

  8. Select Forest trust, then click Next.

  9. To select the direction of trust, do one of the following:

    • Click Two-way to create a two-way forest trust.

    • Click One-way:incoming to create a one-way incoming forest trust.

    • Click One-way:outgoing to create a one-way outgoing forest trust.

  10. Click Next.

  11. Select Both this domain and the specified domain and click Next.

  12. Specify the user name and password of the second DSfW domain administrator, then click Next.

  13. Select Forest-wide authentication to authorize users to use resources in the local forest or those identified by the administrator, then click Next.

  14. Select Forest-wide authentication to authenticate the second DSfW forest users to use resources in the first DSfW forest or those identified by the administrator, then click Next.

  15. Review the trust settings and complete the creation of trust by clicking Next.

  16. Click any option depending on your choice, then click Next.

  17. Click any option depending on your choice, then click Next.

    NOTE: In Step 16 and Step 17, if you select the Yes option to confirm the trust, ensure that you validate the trust later by selecting Properties>Validate.

  18. Complete the trust creation by clicking Finish.

  19. The new domain summary appears in the Trusts page.

Verifying the Trust

To verify that the trust creation is correct:

  1. Verify that the Log on to drop-down list in the Login window of a Windows machine that is joined to the first DSfW domain has an entry for the second DSfW domain.

  2. Try to log on to the Windows machine that is joined to the first DSfW domain with the second DSfW domain’s user principal name.

  3. Verify that the Log on to field in the Login window of a Windows machine that is joined to the second DSfW domain has an entry for the first DSfW domain.

  4. Try to log on to the Windows machine that is joined to the second DSfW domain with the first DSfW domain’s user principal name.

18.2.3 Shortcut Trusts

DSfW supports shortcut trusts within a tree. The procedure to create and use a shortcut trust is similar to how shortcut trusts are created and used in Microsoft Active Directory.