How to Set Up Windows Server 2016 Forest Trust

A forest trust is a trust relationship in Windows Server 2016 between two complete Active Directory forests. Unlike an external trust, which connects two individual domains, a forest trust is created once between the two forest root domains and is transitive across both forests: a user from any domain in the trusted forest can authenticate to, and, subject to access control permissions, use resources in, any domain of the trusting forest. The transitivity stops at the forest boundary; a forest trust to a third forest is not implied.

Forest trusts require both forests to be at the Windows Server 2003 or higher forest functional level and are commonly used in mergers and acquisitions, partner organization collaboration, and multi-forest enterprise architectures.

Step 1: Verify Forest Functional Levels

Forest trusts require both forests to be running at Windows Server 2003 or higher functional level. Check the forest functional levels:

Get-ADForest | Select-Object ForestMode, Name, RootDomain

Run this command in both forests. If either forest reports a mode below Windows2003Forest, raise it (Set-ADForestMode) before proceeding. Raising the level requires every domain controller in the forest to be running Windows Server 2003 or later, and it is not easily reversed, so confirm the DC inventory first.

Step 2: Configure DNS Resolution Between Forests

Before creating a forest trust, the DNS servers in each forest must be able to resolve names in the other forest, including the _msdcs SRV records that locate domain controllers. The usual approach is a conditional forwarder in each forest's AD-integrated DNS pointing at DNS servers (normally domain controllers) in the remote forest. In forest1.com, create a forwarder for forest2.com:

Add-DnsServerConditionalForwarderZone -Name "forest2.com" `
    -MasterServers 192.168.20.10, 192.168.20.11 `
    -ReplicationScope Forest

In forest2.com, create forwarders for forest1.com:

Add-DnsServerConditionalForwarderZone -Name "forest1.com" `
    -MasterServers 192.168.10.10, 192.168.10.11 `
    -ReplicationScope Forest

Verify DNS resolution from both forest root domain controllers:

Resolve-DnsName -Name "forest2.com" -Type SOA
Resolve-DnsName -Name "dc01.forest2.com"

Step 3: Verify Network Connectivity Between Forest Root DCs

Confirm that the ports a trust needs are open from the forest root domain controllers of one forest to those of the other, in both directions. Test-NetConnection probes TCP only; DNS (53) and Kerberos (88 and 464) also use UDP, and a connection to the RPC Endpoint Mapper on 135 is followed by a connection to a dynamic port in the 49152-65535 range, so allow that range on firewalls as well:

Test-NetConnection -ComputerName dc01.forest2.com -Port 53    # DNS
Test-NetConnection -ComputerName dc01.forest2.com -Port 88    # Kerberos
Test-NetConnection -ComputerName dc01.forest2.com -Port 135   # RPC Endpoint Mapper
Test-NetConnection -ComputerName dc01.forest2.com -Port 389   # LDAP
Test-NetConnection -ComputerName dc01.forest2.com -Port 445   # SMB/Netlogon
Test-NetConnection -ComputerName dc01.forest2.com -Port 464   # Kerberos password change
Test-NetConnection -ComputerName dc01.forest2.com -Port 3268  # Global Catalog
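The following script is an added example, not part of the original article: it combines the DNS and connectivity checks of Steps 2 and 3 into one pre-flight run from a forest1.com root DC. Instead of testing a single hand-typed DC name, it discovers every forest2.com domain controller through the _ldap._tcp.dc._msdcs SRV records (which proves the conditional forwarder works) and then tests each trust port against each DC. The forest name and the port list are assumptions for this example; adjust them to your environment.

```powershell
# Added example (not from the original article): trust pre-flight check.
# Discovers the partner forest's DCs via SRV, then tests the trust ports on each.
function Test-TrustPrerequisites {
    param(
        [Parameter(Mandatory)][string]$RemoteForest,
        # Assumed port list: DNS, Kerberos, RPC EPM, LDAP, SMB, kpasswd, LDAPS, GC, GC-SSL
        [int[]]$Ports = @(53, 88, 135, 389, 445, 464, 636, 3268, 3269)
    )

    # 1. DC discovery through the _msdcs SRV records. A failure here is a DNS problem
    #    (forwarder missing or wrong), not a network problem.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$RemoteForest" -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' }
    if (-not $srv) {
        throw "No DC SRV records for $RemoteForest; check the conditional forwarder."
    }
    $dcs = $srv.NameTarget | Sort-Object -Unique

    # 2. Port matrix. Test-NetConnection only probes TCP; 53, 88 and 464 also use UDP,
    #    and RPC needs the dynamic range 49152-65535 in addition to 135.
    foreach ($dc in $dcs) {
        foreach ($port in $Ports) {
            $r = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
            [pscustomobject]@{
                DomainController = $dc
                Port             = $port
                RemoteAddress    = $r.RemoteAddress
                TcpOpen          = $r.TcpTestSucceeded
            }
        }
    }
}

# Show only what is blocked; drop the Where-Object to see the full matrix.
Test-TrustPrerequisites -RemoteForest 'forest2.com' |
    Where-Object { -not $_.TcpOpen } |
    Format-Table -AutoSize
```

Run it once from each forest (swapping the forest name) so that both directions are covered before the trust wizard reports an opaque RPC or "domain not found" error.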

Step 4: Create the Forest Trust Using Active Directory Domains and Trusts

On a domain controller in the forest root domain of forest1.com, open Active Directory Domains and Trusts. Right-click the root domain (forest1.com) and select Properties. Click the Trusts tab, then New Trust. The values below create both sides of a two-way forest trust in one pass:

Trust Name: forest2.com
Trust Type: Forest trust
Direction: Two-way
Sides of Trust: Both this domain and the specified domain
Credentials: an account that is a Domain Admin in the forest2.com root domain or an Enterprise Admin in forest2.com (the wizard uses it to create the forest2.com side; no trust password is used in this mode)
Outgoing Trust Authentication Level: Selective authentication (recommended) or Forest-wide authentication
Incoming Trust Authentication Level: the same choice, asked a second time for the forest2.com side
Confirm outgoing trust: Yes
Confirm incoming trust: Yes

If you choose "This domain only" instead, the wizard asks for a trust password; give the same strong password to the forest2.com administrator, who creates the matching side of the trust with it. Forest-wide authentication makes every user in the trusted forest a member of Authenticated Users on every computer in the trusting forest. Selective authentication denies that by default and requires you to grant "Allowed to Authenticate" on the computer objects (or OUs) that the partner's users should reach, which is the safer setting for partner and acquisition scenarios.

Step 5: Create the Forest Trust Using netdom

For scripted or automated deployments, use netdom from an elevated PowerShell prompt on the forest root domain controller (the backtick line continuations below are PowerShell syntax; in cmd.exe put each command on one line). /add creates the trust between the two root domains; /foresttransitive:yes then marks it as a forest trust rather than an external trust and is valid only on forest root domains. Give each account with its domain so that the right forest authenticates it:

netdom trust forest1.com /domain:forest2.com `
    /add /twoway `
    /userD:forest2\forest2admin /passwordD:* `
    /userO:forest1\forest1admin /passwordO:*

netdom trust forest1.com /domain:forest2.com /foresttransitive:yes `
    /userD:forest2\forest2admin /passwordD:* `
    /userO:forest1\forest1admin /passwordO:*

Add /selectiveauth:yes to the second command to use selective authentication instead of forest-wide authentication.
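As an added example (not from the original article), the same two-way forest trust can be created without netdom from PowerShell, using the System.DirectoryServices.ActiveDirectory classes that Active Directory Domains and Trusts itself relies on. Run it on a forest1.com root DC as an Enterprise Admin; the credential prompt is for an Enterprise Admin in forest2.com. The forest names are the article's; the hardening calls after creation (selective authentication on, SID filtering confirmed on) are this example's choices.

```powershell
# Added example (not from the original article): scripted forest trust creation
# via System.DirectoryServices.ActiveDirectory instead of netdom.
Add-Type -AssemblyName System.DirectoryServices

$remoteForestName = 'forest2.com'                      # partner forest (article's name)
$remoteCred = Get-Credential -Message "Enterprise Admin in $remoteForestName"

$localForest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

# Bind to the partner forest with the partner's credentials.
$ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext(
    [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Forest,
    $remoteForestName,
    $remoteCred.UserName,
    $remoteCred.GetNetworkCredential().Password)
$remoteForest = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ctx)

# Creates both sides at once (outgoing in forest1, incoming in forest2), the
# equivalent of the wizard's "Both this domain and the specified domain".
$localForest.CreateTrustRelationship($remoteForest,
    [System.DirectoryServices.ActiveDirectory.TrustDirection]::Bidirectional)

# Hardening (this example's choice): selective authentication on the outgoing
# side, and SID filtering confirmed on rather than relaxed.
$localForest.SetSelectiveAuthenticationStatus($remoteForestName, $true)
if (-not $localForest.GetSidFilteringStatus($remoteForestName)) {
    $localForest.SetSidFilteringStatus($remoteForestName, $true)
}

# End-to-end check of both directions; throws if either side is broken.
$localForest.VerifyTrustRelationship($remoteForest,
    [System.DirectoryServices.ActiveDirectory.TrustDirection]::Bidirectional)

$localForest.GetTrustRelationship($remoteForestName) |
    Select-Object SourceName, TargetName, TrustDirection, TrustType
```

Selective authentication here only sets the trust attribute; the partner's users still get nothing until you grant "Allowed to Authenticate" on the specific forest1.com computer objects they need.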

Step 6: Verify the Forest Trust

After creating the trust, verify it from both forests: from forest1.com check the trust to forest2.com, and from forest2.com check the reverse. /kerberos additionally confirms that the logged-on user can obtain a Kerberos ticket across the trust:

netdom trust forest1.com /domain:forest2.com /verify /kerberos
netdom trust forest2.com /domain:forest1.com /verify /kerberos

Use PowerShell to query the trust properties and confirm that the trust is forest-transitive, two-way, and filtered as intended (run it in both forests, or add -Server forest2.com to query the other side):

Get-ADTrust -Filter {Name -eq "forest2.com"} |
Select-Object Name, Direction, TrustType, ForestTransitive, SelectiveAuthentication,
    SIDFilteringQuarantined, TGTDelegation, TrustAttributes | Format-List

Step 7: Configure SID Filtering

SID filtering is what stops a principal in the trusted forest from carrying SIDs that belong to the trusting forest. Without it, an administrator in forest2.com could write the SID of forest1.com's Domain Admins group into a user's SIDHistory attribute, and that user would be treated as a forest1.com Domain Admin as soon as they authenticated across the trust. SID filtering is enabled by default on external trusts and, more stringently, on forest trusts: on a forest trust only SIDs belonging to domains of the partner forest are accepted and everything else in the PAC is dropped. Do not relax it. The netdom switch that relaxes it is /enablesidhistory:yes (it makes the forest trust behave like an external trust for filtering purposes so that SIDHistory values pass), so the setting to confirm is:

netdom trust forest1.com /domain:forest2.com /enablesidhistory:no

The /quarantine switch is a separate, stricter control. On a forest trust, /quarantine:yes accepts only SIDs from the partner's forest root domain, so users from child domains of forest2.com lose access:

netdom trust forest1.com /domain:forest2.com /quarantine:yes

Note: Use /quarantine:yes on a forest trust only when the partner forest is a single domain or you deliberately want to limit the trust to its root domain. Either setting prevents SIDHistory from working across the trust, which breaks migrations that rely on it; for a migration, relax filtering only for the cutover window and re-enable it as soon as the migration completes.
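The check below is an added example, not part of the original article; it serves both the verification in Step 6 and the SID filtering review in Step 7. Rather than eyeballing Get-ADTrust output, it decodes the trustAttributes bit flags (values as defined for the trustAttributes attribute in MS-ADTS) from both forests and reports anything that deviates from the posture described above: forest-transitive, two-way, SID filtering not relaxed, no quarantine surprise, and no TGT delegation. Treating selective authentication as required is this example's assumption and can be switched off with a parameter.

```powershell
# Added example (not from the original article): trust posture audit.
# trustAttributes bit flags from MS-ADTS; only the ones this check uses.
$TA = @{
    QuarantinedDomain   = 0x4     # treated like an external trust: only root-domain SIDs pass
    ForestTransitive    = 0x8     # set on a forest trust
    CrossOrganization   = 0x10    # selective authentication
    TreatAsExternal     = 0x40    # relaxed SID filtering (netdom /enablesidhistory:yes)
    EnableTgtDelegation = 0x800   # unconstrained delegation allowed across the trust
}

function Test-ForestTrustPosture {
    param(
        [Parameter(Mandatory)][string]$LocalForest,   # forest whose DC is queried
        [Parameter(Mandatory)][string]$RemoteForest,  # trust partner (the trust's Name)
        [bool]$RequireSelectiveAuth = $true           # this example's policy assumption
    )
    $t = Get-ADTrust -Filter "Name -eq '$RemoteForest'" -Server $LocalForest -ErrorAction Stop
    if (-not $t) { throw "No trust named $RemoteForest found in $LocalForest" }

    $attr = [int]$t.TrustAttributes
    $findings = @()
    if (-not ($attr -band $TA.ForestTransitive)) {
        $findings += 'not a forest trust (ForestTransitive bit clear)'
    }
    if ($t.Direction -ne 'BiDirectional') {
        $findings += "direction is $($t.Direction), expected BiDirectional"
    }
    if ($attr -band $TA.TreatAsExternal) {
        $findings += 'SID filtering relaxed (TreatAsExternal: SIDHistory passes)'
    }
    if ($attr -band $TA.QuarantinedDomain) {
        $findings += 'quarantined: SIDs from child domains of the partner are dropped'
    }
    if ($attr -band $TA.EnableTgtDelegation) {
        $findings += 'TGT delegation enabled across the trust'
    }
    if ($RequireSelectiveAuth -and -not ($attr -band $TA.CrossOrganization)) {
        $findings += 'forest-wide authentication (selective authentication off)'
    }

    [pscustomobject]@{
        QueriedFrom     = $LocalForest
        Trust           = $t.Name
        TrustAttributes = ('0x{0:X}' -f $attr)
        Findings        = if ($findings) { $findings -join '; ' } else { 'OK' }
    }
}

# Both sides of the trust are separate objects and must agree; a mismatch usually
# means one side was created or edited on its own.
Test-ForestTrustPosture -LocalForest 'forest1.com' -RemoteForest 'forest2.com'
Test-ForestTrustPosture -LocalForest 'forest2.com' -RemoteForest 'forest1.com'
```

Querying the second forest with -Server requires that your account can authenticate to its DCs across the trust; with selective authentication on the partner side, pass -Credential to Get-ADTrust with an account from that forest instead.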

Step 8: Configure Name Suffix Routing

Forest trusts carry name suffix routing, which controls which UPN suffixes, DNS names, and SPN suffixes of the partner forest are routed across the trust. Suffixes that exist in the partner forest when the trust is created are enabled automatically; a suffix added later (a new UPN suffix or a new domain tree) only appears after a refresh and stays disabled until you enable it, so logons using it will not route across the trust until then. A suffix that collides with one in the local forest is disabled and cannot be enabled. View and change the routing in Active Directory Domains and Trusts by opening the trust's properties and clicking the Name Suffix Routing tab, or use netdom.

List the routed suffixes for the trust; each entry is printed with a number:

netdom trust forest1.com /domain:forest2.com /namesuffixes:forest2.com

Then toggle a suffix by the number shown in that listing (entry 2 here, as an illustration):

netdom trust forest1.com /domain:forest2.com /namesuffixes:forest2.com /togglesuffix:2

Step 9: Test Cross-Forest Access

Verify that users from forest2.com can reach resources in forest1.com as expected. From a forest1.com member, start a shell that carries a forest2.com user's network credentials (the domain and user name are separated by a backslash), then access a forest1.com resource from it. With selective authentication this only succeeds on computers whose objects grant that user "Allowed to Authenticate":

runas /netonly /user:forest2.com\testuser cmd.exe
dir \\dc01.forest1.com\netlogon

The second command is typed in the cmd.exe window that runas opens.
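The following script is an added example, not part of the original article. Where the runas test above gives a single pass or fail, this one checks the layers separately so a failure points at the right component: LSA name-to-SID translation across the trust, an LDAP lookup in forest2.com as the partner user, and an SMB connection from that user to a forest1.com share. Run it on a forest1.com member; the test user, the file server fs01.forest1.com and the share name are assumptions.

```powershell
# Added example (not from the original article): layered cross-forest access test.
function Test-CrossForestAccess {
    param(
        [string]$RemoteForest = 'forest2.com',            # partner forest (article's name)
        [string]$SharePath    = '\\fs01.forest1.com\share' # assumed forest1 share
    )
    # Enter the account as DOMAIN\user (e.g. FOREST2\testuser) so the trust handles the logon.
    $cred = Get-Credential -Message "Test user in $RemoteForest (DOMAIN\user)"
    $sam  = $cred.UserName.Split('\')[-1]
    $r    = [ordered]@{ User = $cred.UserName }

    # 1. Name -> SID translation through LSA. forest1 must resolve forest2 principals
    #    before they can be placed on ACLs; fails if DNS, RPC or the trust is broken.
    try {
        $sid = ([System.Security.Principal.NTAccount]$cred.UserName).Translate(
                   [System.Security.Principal.SecurityIdentifier]).Value
        $r.SidLookup = "OK ($sid)"
    } catch { $r.SidLookup = "FAIL: $($_.Exception.Message)" }

    # 2. LDAP query against the partner forest, authenticating as the partner user.
    try {
        $u = Get-ADUser -Identity $sam -Server $RemoteForest -Credential $cred -ErrorAction Stop
        $r.LdapLookup = "OK ($($u.UserPrincipalName))"
    } catch { $r.LdapLookup = "FAIL: $($_.Exception.Message)" }

    # 3. SMB to a forest1 share as the partner user. With selective authentication this
    #    succeeds only if the file server's computer object grants "Allowed to Authenticate".
    try {
        New-PSDrive -Name XFT -PSProvider FileSystem -Root $SharePath -Credential $cred -ErrorAction Stop | Out-Null
        $count = (Get-ChildItem -Path 'XFT:\' -ErrorAction Stop | Measure-Object).Count
        Remove-PSDrive -Name XFT
        $r.ShareAccess = "OK ($count items)"
    } catch { $r.ShareAccess = "FAIL: $($_.Exception.Message)" }

    [pscustomobject]$r
}

Test-CrossForestAccess | Format-List
```

If SidLookup passes but ShareAccess fails with an access-denied error on a selective-authentication trust, the trust itself is fine and the missing piece is the "Allowed to Authenticate" grant on the file server's computer object.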

Forest trusts provide the most comprehensive inter-forest connectivity in Windows Server 2016. Combined with proper DNS configuration, SID filtering, and selective authentication, a well-configured forest trust enables secure collaboration between separate organizational forests while maintaining appropriate access control boundaries.