How to Setup a Domain Trust [Forest Trust] - Between Two Domains on Windows Server

Video Statistics and Information

Video
Captions Word Cloud
Reddit Comments
Captions
hey how are you my name is emilio thank you so much for spending the time and joining me on this video today we are looking at active directory domain trusts so you got two domains that you want to connect together to share resources to share permissions whatever that may be we're going to be talking about that today please do subscribe click on that button on the bell so you don't miss out on [Applause] anything so let's talk about domain truss what they are and how to actually set one up now before we do get into the video you're probably an i.t tech you're probably an id professional of some sort check out my description below because i've got a number of different training courses big length training courses available around all things technology some of these may be very very helpful to you and help you in your it career so do check those out if you do want to learn more but back onto domain trusts we're going to be doing this demo on two different domains we've got a windows server 2019 domain and we've also got an older windows server 2008 r2 domain and we're going to connect both of these domain controllers essentially the two domains that we've got running on these two together and form a domain trust so we're now going to log in to my computers into my servers themselves and set this up okay so we've logged into a domain controller now at the moment i've got two domain controllers i've got one at the ip address of 172 16 1.145 this particular domain controller is running windows server 2019 and you'll see that it is a data center evaluation copy of course you want to be doing this in a valid uh licensed copy our other domain controller is this one right here and this is at 17216 1.30 and this is a separate domain now this is under the redghost.com domain right dc server one is the name of the actual domain controller under this ip and that is the domain itself redghost.com while the other one is homedemo.com now of course what we want to do is when we are setting what's called a trust is we are establishing a connection between one domain and then the other domain you're actually essentially connecting the two domains together so they can interact with each other and you can actually share resources share security groups share users all of that sort of stuff one common reason that you may want to set up a domain trust is in the event for example one company that you work at for example purchases another company this other company has their own domain and now all of a sudden you've got two domains that are being managed independent of each other well you can either do two things you either move and migrate everything from this other domain over to this new domain or you actually get them connected together so that you can use the things together and then you can actually migrate things directly from one domain to another using a tool uh for migration a d the my the adm mt id migration tool which we're going to look at at a separate in another video but uh you essentially would transfer those services over or you could remain using the two domains just in this domain trust and the great thing about having these two domains is that it just lets you easily be able to use all the resources between the two domains as if they can talk to each other so for example john smith who may be a user within home demo he's a marketing user and for example he's now working with another marketing user that's now part of this other domain redghost.com because remember these are two companies that are now going to use the services together at one there's now two marketing people and what if marketing person one wants to use some files that are on the marketing server or the marketing file server on the other domain well he doesn't have to create you don't have to go and create a separate account on this other domain you could actually still log in with the same username and password the same credentials that were set up in perhaps in the other domain under redghost.com and you'll actually be able to authenticate and then log in to homedemo.com domain because there's the trust established between those two domains so it's a great feature and look it's not very common that you need to go and establish a domain trust but once you do know how to do it in the event that you do have to do it in future it makes the process very very easy and it saves iot administrators a lot of headaches especially when you're looking at company mergers takeovers and all that sort of stuff as well so let's look at doing this right now so we've got ourselves our homedemo.com and our redghost.com now of course let's just assume that we've got a company in one state and another company is in a different state perhaps in the same country the first thing is that those two networks those two companies they need to be able to communicate with each other over a network all right so now this is the job and the responsibility of a network team to establish connections between these two sites so you could they could have dedicated connections they could have a mpls set up they could have a vpn tunnel something that at least establishes some physical connection from point a to point b both ways right so company a needs to be able to access the network in company b and vice versa so all of the networking stuff needs to be set up first in the back end to be able to get this connection even working in the first place because if the two computers or if the two networks cannot even communicate with each other then you're not going to be able to set up the trust between these two companies at all okay so that's not part of this video not part of this video itself so that's something for a network person to go and set up and establish make sure that a router can talk to another router that a firewall can talk to another firewall that switches can talk to each other between these two networks once all of that does all that stuff happens it's now the role of the systems administrator the systems engineer to now establish the trust itself now what you need to do first is i would almost elementary the first thing that i would do is see whether they can ping each other now in my case both of my um domain controllers are part of the same subnet so i've just set this up very very easily because it's part of a demo but i know that the ip address of this particular domain controller under homedemo.com is 145 while the ip of this one is 30 as you can see right there so the first thing that i'm going to try to do is actually try to go and ping i'm going to try and ping the ip address of the other domain controller okay 1.30 now in my case i'm getting a reply that is good let's try the exact opposite over here where i'm going to now try to ping the domain controller of my other domain all right and i can ping it that's great now if that isn't working talk to your network guys get that working you need to be able to do that first the next step is now let's see if i can ping the actual domain itself so can i ping homedemo.com no i can't well it's giving me something funky but i think it's actually going out to the internet so i'm going to actually cancel that but it's actually having some form of issues okay it's not actually doing what it needs to be doing and if i can do the same thing over here let's say if i try to ping redghost.com it's actually not going to be able to work either all right so what i need to do is now i need to go into my dns and establish some stuff in there to actually make sure that it can communicate with each other so the first thing that i'm going to go do is actually set up what's called a almost like a connection between my two dns's right so i need i need my dns to be established my actual dns forward and look up zones and secondary zones and all that conditional forwarders all configured so that the two dns's can see each other first so that's almost the first step before we go and get these two truss working all right so what i'm going to do is i'm going to go into one of my dns managers right in here so we're assuming here of course that your domain controller is your dns server as well okay so we're going with that assumption if it's not you'll have to look at an alternate way but there are ways to do it either way but we're assuming that we've got dns manager we've got dns running on our domain controller now what i'm going to go do is i've got my primary domain right here called home demo i'm going to right click on this and i'm going to say properties and i'm going to say zone transfer so a zone transfer sends a copy of the zone to the servers that request a copy so i'm going to allow right here a zone transfer i'm also going to do that on my other domain forward look up properties okay zone transfer i'm going to allow zone transfer and apply okay now the next step is now to actually do what's called if i right click on here i'm going to say new zone next and i'm going to create a secondary zone so create a copy of a zone that exists on another server this option helps balance the processing load of primary servers and provides a fault tolerance of course this is really helpful if you have multiple dns servers now in our case because we've allowed this particular setup first we actually are allowing it under the the zone transfer to any server theoretically now i should be able to go into secondary zone and say next all right so remember i'm under the red ghost.com and my other domain is under homedemo.com so what i'm going to go do is i'm actually typing here homedemo.com all right and say next and i'm going to type in here the ip address of my domain controller okay great hey that's good it's actually seen it so you see it's got a nice big tick and it's actually found the actual server name the domain controller name is wind server dc01 so it's found it's validated that's looking good if you're getting some issues here go back and just double check some stuff you may need to make sure that the obviously the network team have done what they need to do to establish the connection between those two first all right so once that's done click on next completing the new zone you've successfully completed the new zone wizard all right for home demo forward homedemo.com dns all right of course we're doing this from redghost.com and we can click on finish and now look at this right in here i've now got my homedemo.com listed under a forward lookup zone all right let's just go into here now we're going to do the same thing over here we're going to go we're going to say new zone next secondary zone next we're going to call it redghost.com going to give it the ip address of my other domain controller of course this could be a fully qualified name as well great let's pick that up there you go nice tick dc servo 1 next finish and it's now got it right there and there is all my stuff right so that is the first step done so now dns is looking good we are very very happy with how that is looking so then really the next thing that you should then really need to be able to do is let's see if i can now ping this and look at that it's now pinging from homedemo.com it can actually now resolve against my redghost.com all right so we're looking good now you can sometimes now need to go do some conditional forwarders if you so choose to you could also do a new conditional forward and point it this way sometimes it's not needed but we're not going to do it in this case but just be aware that you may need to do conditional forwarders pointing one domain to the other but in my case i'm actually quite happy with how all of this works the next step is now to let's go into the domain and trust area within your domain controller okay so we're going to close out of our dns we're confident that everything is now working and that i've got connection between these two so here is my 145 my homedemo.com domain let's go into the other domain controller we're going to close out of dns manager and we're going to close out of command prompt and what we've got open right here is active directory domains and trusts okay so i've got it open on both here's my other domain controller you can also find this by actually going into here it's part of your windows admin list of tools it's there right there active directory domains and trust and this is the area where we're now going to establish the trust between these two domains okay so what we're going to do is uh well you don't have to do it from here but i'd like to do it from here anyway so we're going to right click on home demo right here i'm going to click on properties and bring it a bit of a general overview so this is the home demo uh domain name the description is currently empty it's going to give you an overview around the domain functional level as well as the forest functional level okay managed by who's the manager if there's anything in here and then trust so domain trust by this domain outgoing and domain trust this domain incoming so trusts go both ways they can go either outgoing only or incoming so for example anything from home demo can be outgoing to redghost.com and essentially it's just a one way trust so you could use security and permissions and users only from one domain to the other but not the other way around or you can set it up both ways in our case we're going to set it up both ways because we want both homedemo.com and redghost.com to take advantage of the security and the groups and everything between these two different domains so if you're happy with that we're gonna select new trust right here welcome to the new trust wizard so it's gonna help you to create a trust between the domain and of any of the following here's some examples a trusted is a relationship that enables users in one domain forest or realm to be authenticated in a specific domain forest or realm next here is the netbios name or the dns name so i'm going to put in the dns name so i'm going to just type in right here redghost.com remember i'm doing this from homedemo.com over to the domain redghost.com if we're happy with that we click on next so now we've got two options you've got an external trust or a forest trust now an external trust essentially is a domain to a domain trust a forest trust is a forest to a forest remember the scenario of two different companies we want to take advantage of a full connection between these two companies let's say there is a company that has multiple domains a forest that has multiple domains within it and then the other company has a forest with maybe one domain in it well you want to maybe take advantage of all of the domains that sit within the forest you essentially are creating a forest trust at the top level okay so i do have other videos that talk about the differences between a forest and a domain so you can check those out or you can check out online read some stuff around the differences between the two but we're going to actually do this at a forest level so forest to forest okay so it's a transit of trust between two forests that allow users in any of the domains in one forest to be authenticated in any of the domains in the other forest and next now do you want this to be two-way one-way incoming one-way outgoing so users if we're looking at incoming users in the domain can be authenticated in a specific domain realm or forest incoming way and then outgoing is the opposite two-way it goes both ways so we're going to select two-way right there all right create the trust for the following well the domain only the option creates the trust relationship in the local domain or both this domain and the specified domain so this option creates the trash relationship in both the local and the specified domain so for example i'm here on 145 let's go back in here and i'm going into here and if i go into my into here under trust you'll see that it's blank so you can either do two things you can go and create it in just this domain next next next and establish the trust then you'll need to go back into the other domain and do it and do it again in here a scenario where that could be useful is in the event where you've got two different companies two different ads two different domain administrators let's say you've got one domain admin on one company one domain name on the other one you don't want one domain name to have now full access to the other domain controller and do whatever they want so you're going to be working together and you both create the relationship on each of the two sides okay so that's essentially the differences now in my case i'm going to do it on both okay i've got the okay from the domain controller admin on the other side we can go ahead we're both on the phone we're communicating let's go ahead and do this both ways because it just makes it you do it once rather than doing it twice and next now we're going to specify the domain red ghost administrator passwords so this is the username and password for an account that has admin privileges domain admin or enterprise admin privileges to that specific domain all right so if somebody has full rights into the redghost.com domain okay so you're going to add those in there all right if that has gone through great if it hasn't go check out what's going on and try to re-fix that select the scope of authentication for users at redghost.com so it's a forest-wide authentication so windows will automatically authenticate users from the specific specified domain forest sorry for all resources in the local forest or selective authentication it's not across everything you can actually select specific uh forest specific resources within the forest or the domain we're going to say it enterprise wide okay forest wide so we're going to select that top option say next forest wide authentication yes we also want to do that as well but of course you can select selective if you want to go and be more specific around that okay so you've selected the following here's what's going to happen so you've got this domain home demo against this domain red ghost it's a two-way and all the information that is needed in there and if we're happy we can now click on next summary what's going on do you want to confirm the outgoing trust no do not confirm the outgoing trust well yes we want to confirm it we'll let's double check let's make sure everything's working right and yes we do want to confirm it as well here we go you successfully completed the trust the trust relationship was successfully created and confirmed route these names red ghost route these names local home demo finish there it is okay let's just go back in so if i now right click and go back into here under trust there we go i've got my home demo.com and i've now got a trust for redghost.com it's a forest level and for the uh this is the outgoing and here it is for the incoming okay now if everything has worked correctly i should be able to go back into here right click on here and there is the opposite because now it's established we did that two-way thing we trusted both sides so now homedemo.com is now visible on the other side so from redghost.com i can now see homedemo.com all right so now the trust is created that's really all there is to it to make sure that this is all okay what you can actually now do is you could actually open up active directory um here is our standard ad users and computers and of course i've got here my redghost.com domain i can go into here and i can say change domain home demo dot com okay and look at that i've now connected to the other domain from within my users and computers right click change domain go back to my original redghost.com and i'm back to that and i've got now a trust established so i theoretically now can actually log in to a computer on the redghost.com using credentials from my home demo.com domain and there you have it that's how to create a trust from start to finish between two domain controllers and between two different domains so the trust is now set up now it's your turn to go and get all this working for you please do like comment subscribe clicking on that bell on the button so you don't miss out on anything thanks for watching we'll see you next time
Info
Channel: Emilio Aguero
Views: 1,029
Rating: 5 out of 5
Keywords: windows server 2019, How to Set Up a Windows Server 2019 Domain Controller, create Two-Way Forest Trust in Active Directory Forest, Trust Relationship Between Two Forest, how to create trust between two forest step by step, two way forest trust active directory, managing active directory trusts in windows server 2019, active directory forest trust, active directory trust relationship between two domains, conditional forwarder in dns, emilio aguero
Id: t6VI6Xe3lck
Channel Id: undefined
Length: 20min 15sec (1215 seconds)
Published: Sun May 16 2021
Related Videos
Active Directory Configuration on VM in Hyper-V Windows Server 2019
JackedProgrammer
1K
Trust relationship between two domains
Sergio Morales
21K
ADMT (Active Directory Migration Tool) - ADMT 3.2 Step by Step Installation and Migration Full
Labs Hands On
91K
DON’T buy a new PC for Windows 11! - How to install
Linus Tech Tips
2.3M
Adding Windows Computers to a Windows Server 2012 Domain
Eli the Computer Guy
653K
WORLD'S BEST TREE FELLING TUTORIAL! Way more information than you ever wanted on how to fell a tree!
Guilty of Treeson @ Eastside Tree Works
4.9M
Setting up AD Trusts
Ed Goad
42
Understanding Windows Server Editions
Eli the Computer Guy
139K
70-410 Objective 5.3 - Group Scope and Nesting Groups on Windows Server 2012 R2
NetworkedMinds
20K
Understanding Mesh Networking (feat. MikroTik Audience)
Gary Explains
20K
Note
Please note that this website is currently a work in progress! Lots of interesting data and statistics to come.