
Establish a Two-way Trust in Active Directory

In this lab, participants will learn how to establish a two-way trust relationship in Active Directory, enabling secure resource sharing and collaboration between two distinct domains. Through hands-on exercises, users will gain practical experience in configuring trust settings and managing permissions effectively.

Session duration: 60 minutes

Difficulty: Beginner

Lab VMs: 2 (2 Windows)

XP Reward: 300 XP (awarded on completion)
Virtual machines

SADC01 (Windows)
  • Username / Password: user / password123
  • Connection type: In-browser RDP / RDP

CODC01 (Windows)
  • Username / Password: user / password123
  • Connection type: In-browser RDP / RDP

Lab instructions

Follow the steps below to complete the lab.

Step 1: Create a DNS stub zone on SADC01

Before a trust can be established between the two domains, each domain controller needs to be able to resolve the other domain's DNS records. In this step you'll create a DNS stub zone on SADC01 that points to CODC01.

Before You Begin

  • You are logged into SADC01.ad.serveracademy.com as a Domain Admin
  • You have the IP address of CODC01.co.serveracademy.com

Steps

  1. Open DNS Manager by clicking the Start menu and searching for DNS.

  2. In the left pane, expand your server and right-click Forward Lookup Zones, then select New Zone.

  3. Work through the New Zone Wizard selecting the following options:

    • Zone type: Stub Zone
    • Replication scope: replicate to all DNS servers in the forest
    • Zone name: co.serveracademy.com
    • Master DNS server: enter the IP address of CODC01.co.serveracademy.com

  4. Complete the wizard and confirm the new stub zone for co.serveracademy.com appears under Forward Lookup Zones.

  5. Open PowerShell ISE as Administrator and verify that SADC01 can resolve the other domain using Resolve-DnsName targeting co.serveracademy.com. Confirm you receive a valid response before moving on.

Expected Result

SADC01 should now be able to resolve DNS records for co.serveracademy.com. The stub zone should be visible under Forward Lookup Zones in DNS Manager.

Tip: If DNS resolution fails, double check that the IP address entered for the master DNS server is correct and that the firewall is not blocking port 53 between the two domain controllers.


Step 2: Create a DNS stub zone on CODC01

In this step you'll create a DNS stub zone on CODC01 that points back to SADC01, completing the DNS resolution in both directions.

Before You Begin

  • You are logged into CODC01.co.serveracademy.com as a Domain Admin
  • You have the IP address of SADC01.ad.serveracademy.com

Steps

  1. Open DNS Manager by clicking the Start menu and searching for DNS.

  2. In the left pane, expand your server and right-click Forward Lookup Zones, then select New Zone.

  3. Work through the New Zone Wizard selecting the following options:

    • Zone type: Stub Zone
    • Replication scope: replicate to all DNS servers in the forest
    • Zone name: ad.serveracademy.com
    • Master DNS server: enter the IP address of SADC01.ad.serveracademy.com

  4. Complete the wizard and confirm the new stub zone for ad.serveracademy.com appears under Forward Lookup Zones.

  5. Open PowerShell ISE as Administrator and verify that CODC01 can resolve the other domain using Resolve-DnsName targeting ad.serveracademy.com. Confirm you receive a valid response before moving on.

Expected Result

CODC01 should now be able to resolve DNS records for ad.serveracademy.com. With both stub zones in place, DNS resolution is working in both directions and you are ready to proceed to creating the trust in the next step.

Tip: If DNS resolution fails, double check that the IP address entered for the master DNS server is correct and that the firewall is not blocking port 53 between the two domain controllers.
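Both stub-zone steps (the SADC01 step above and this CODC01 step) can be scripted and checked from the PowerShell ISE session the lab has you open. The following is an added example, not part of the lab's own material: it uses the DnsServer module's Add-DnsServerStubZone with the same options as the wizard, and the master IP address is a placeholder you replace with the value from the lab.

```powershell
# Added example (not the lab's own code). Run on SADC01 as
#   New-LabStubZone -ZoneName co.serveracademy.com -MasterIp <IP of CODC01>
# and on CODC01 as
#   New-LabStubZone -ZoneName ad.serveracademy.com -MasterIp <IP of SADC01>
# The IP addresses are placeholders; use the ones provided in the lab.
function New-LabStubZone {
    param(
        [Parameter(Mandatory)] [string]    $ZoneName,
        [Parameter(Mandatory)] [ipaddress] $MasterIp
    )

    # Same choices as the New Zone Wizard: Stub Zone, replicated to all DNS
    # servers in the forest. Skip creation if the zone is already present.
    if (-not (Get-DnsServerZone -Name $ZoneName -ErrorAction SilentlyContinue)) {
        Add-DnsServerStubZone -Name $ZoneName -MasterServers $MasterIp -ReplicationScope Forest
    }

    # Confirm the zone exists and really is a stub zone (not an accidental primary).
    $zone = Get-DnsServerZone -Name $ZoneName
    if ($zone.ZoneType -ne 'Stub') {
        throw "$ZoneName exists but is a $($zone.ZoneType) zone, not a Stub zone"
    }

    # The lab's troubleshooting tip: is port 53 on the master reachable?
    # Test-NetConnection only tests TCP; DNS also uses UDP 53, so a TCP failure
    # is a strong hint of a firewall problem rather than proof.
    $tcp = Test-NetConnection -ComputerName $MasterIp -Port 53 -WarningAction SilentlyContinue
    if (-not $tcp.TcpTestSucceeded) {
        Write-Warning "TCP port 53 on $MasterIp is not reachable; check the firewall between the DCs"
    }

    # Resolve the remote zone's SOA through this DC's own DNS service. A valid
    # answer here is the "valid response" the lab asks you to confirm.
    $soa = Resolve-DnsName -Name $ZoneName -Type SOA -DnsOnly -ErrorAction Stop
    $soa | Select-Object Name, Type, PrimaryServer, TTL
}
```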


Step 3: Create the two-way forest trust from SADC01

With DNS resolution confirmed in both directions, you can now create the forest trust. In this step you'll initiate the trust from SADC01 using the Active Directory Domains and Trusts console.

Before You Begin

  • You are logged into SADC01.ad.serveracademy.com

Steps

  1. Open Active Directory Domains and Trusts by clicking the Start menu and searching for Active Directory Domains and Trusts.

  2. In the left pane, right-click ad.serveracademy.com and select Properties.

  3. Click the Trusts tab, then click New Trust.

  4. Work through the New Trust Wizard selecting the following options:

    • Trust name: co.serveracademy.com
    • Trust type: Forest Trust
    • Direction of trust: Two-way
    • Sides of trust: Both this domain and the specified domain
    • When prompted for credentials, enter the credentials of a Domain Admin on CODC01.co.serveracademy.com
    • Outgoing trust authentication level: Forest-wide authentication
    • Incoming trust authentication level: Forest-wide authentication

  5. Complete the wizard and confirm both the incoming and outgoing trusts are created successfully.

  6. When prompted to confirm the outgoing and incoming trusts, click Yes, confirm the outgoing trust and Yes, confirm the incoming trust.

Expected Result

A two-way forest trust should now exist between ad.serveracademy.com and co.serveracademy.com. Both an incoming and outgoing trust should be visible under the Trusts tab in the properties of ad.serveracademy.com in Active Directory Domains and Trusts.

Tip: Having the credentials for a Domain Admin on CODC01 ready before starting the wizard will allow you to create and confirm both sides of the trust in a single pass without needing to switch between domain controllers.
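Once the wizard finishes, the trust can be verified from PowerShell on SADC01 rather than only by eye in the Trusts tab. This is an added example, not part of the lab; it assumes the ActiveDirectory module (installed with the AD DS role) is available on the DC and uses the lab's two domain names.

```powershell
# Added example (not the lab's own code): inspect and verify the forest trust
# created in this step, run on SADC01 as a Domain Admin.
Import-Module ActiveDirectory

$local  = 'ad.serveracademy.com'   # trusting side you ran the wizard on
$remote = 'co.serveracademy.com'   # trusted forest named in the wizard

# The trust object is stored in the local domain's System container; -Identity
# accepts the target domain name.
$trust = Get-ADTrust -Identity $remote -ErrorAction Stop
$trust | Select-Object Name, Direction, TrustType, ForestTransitive,
    SelectiveAuthentication, SIDFilteringForestAware, SIDFilteringQuarantined |
    Format-List

# What the lab's wizard choices should look like on the object:
#   Direction               : BiDirectional  (Two-way)
#   ForestTransitive        : True           (Forest Trust, not an external trust)
#   SelectiveAuthentication : False          (Forest-wide authentication)
if ($trust.Direction -ne 'BiDirectional') {
    Write-Warning "Trust direction is $($trust.Direction), not two-way"
}
if (-not $trust.ForestTransitive) {
    Write-Warning "This is not a forest trust; check the Trust type chosen in the wizard"
}
if (-not $trust.SelectiveAuthentication) {
    # Forest-wide authentication: every user in the other forest can authenticate
    # to every computer in this forest and becomes a member of Authenticated Users
    # there, so access is governed only by the ACLs on each resource.
    Write-Host "Forest-wide authentication is in effect for users from $remote"
}

# Secure-channel verification of both directions, the same check the wizard's
# confirm step performs.
netdom trust $local /d:$remote /verify /twoway

# Cross-check the trust list as the Netlogon service sees it.
nltest /domain_trusts /all_trusts
```

If a later lab moves to Selective authentication, the same Get-ADTrust call shows SelectiveAuthentication flip to True.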
