Introduction

Cross-forest trusts in Active Directory on Windows Server 2016 allow users in one AD forest to access resources in a completely separate forest, without merging the two forests. This is essential for mergers and acquisitions, partner organisation access, and multi-forest enterprise architectures. A two-way forest trust grants mutual access, while a one-way trust restricts access to one direction only. This guide covers creating, configuring, and maintaining cross-forest trusts with selective authentication.

Cross-Forest Trust vs. External Trust

A forest trust is transitive — it covers all domains in both forests automatically. An external trust is non-transitive and connects individual domains. Forest trusts require that both forests are at Windows Server 2003 forest functional level or higher, and that the forest root domain controllers of both forests can reach each other over the network. External trusts are used when only specific domain pairs need to be connected. For most enterprise scenarios, forest trusts are preferred for their broader scope and Kerberos authentication support.

Prerequisites and DNS Configuration

Before creating the trust, both forests must be able to resolve each other’s DNS names:

# On Forest A DNS server — create a conditional forwarder for Forest B
Add-DnsServerConditionalForwarderZone `
    -Name 'fabrikam.com' `
    -MasterServers @('10.1.0.10','10.1.0.11') `
    -ReplicationScope Forest

# On Forest B DNS server — create a conditional forwarder for Forest A
Add-DnsServerConditionalForwarderZone `
    -Name 'contoso.com' `
    -MasterServers @('10.0.0.10','10.0.0.11') `
    -ReplicationScope Forest

# Test DNS resolution from each forest
Resolve-DnsName 'fabrikam.com' -Server '10.0.0.10'
Resolve-DnsName 'dc01.fabrikam.com'
Resolve-DnsName 'contoso.com' -Server '10.1.0.10'

Verifying Network Connectivity

Forest trusts require multiple ports to be open between the forest root domain controllers:

# Required ports for cross-forest trusts
# TCP/UDP 88  - Kerberos
# TCP/UDP 135 - RPC Endpoint Mapper
# TCP 389/636 - LDAP/LDAPS
# TCP/UDP 445 - SMB (for netlogon)
# TCP 3268/3269 - Global Catalog
# TCP 49152-65535 - RPC Dynamic

# Test connectivity to Forest B DC
Test-NetConnection -ComputerName 'dc01.fabrikam.com' -Port 88
Test-NetConnection -ComputerName 'dc01.fabrikam.com' -Port 389
Test-NetConnection -ComputerName 'dc01.fabrikam.com' -Port 445

# Open required firewall ports if needed
New-NetFirewallRule -DisplayName 'Trust Kerberos' -Direction Inbound -Protocol TCP -LocalPort 88 -Action Allow
New-NetFirewallRule -DisplayName 'Trust LDAP' -Direction Inbound -Protocol TCP -LocalPort 389 -Action Allow
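The DNS and port requirements above can be checked in one pass before the trust is created. This pre-flight function is an added example, not part of the original guide; it assumes it runs on a Contoso domain controller that also hosts DNS (so the DnsServer module is present) and uses the fabrikam.com forest name from the steps above.

```powershell
function Test-TrustPrerequisites {
    param(
        [Parameter(Mandatory)][string]$RemoteForest,
        [int[]]$TcpPorts = @(88, 135, 389, 445, 636, 3268)
    )
    $results = New-Object System.Collections.Generic.List[object]

    # 1. Conditional forwarder for the remote forest on this DNS server
    $fwd = Get-DnsServerZone -Name $RemoteForest -ErrorAction SilentlyContinue
    $fwdOk = ($null -ne $fwd) -and ($fwd.ZoneType -eq 'Forwarder')
    $fwdDetail = if ($fwdOk) { $fwd.MasterServers -join ',' } else { 'no conditional forwarder' }
    $results.Add([pscustomobject]@{ Check = "Forwarder for $RemoteForest"; Passed = $fwdOk; Detail = $fwdDetail })

    # 2. DC locator record: trust setup needs SRV lookups, not just the apex A record
    $srv = @(Resolve-DnsName "_ldap._tcp.dc._msdcs.$RemoteForest" -Type SRV -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'SRV' })
    $dcs = @($srv | ForEach-Object { $_.NameTarget } | Sort-Object -Unique)
    $results.Add([pscustomobject]@{ Check = "SRV _ldap._tcp.dc._msdcs.$RemoteForest"; Passed = ($dcs.Count -gt 0); Detail = ($dcs -join ',') })

    # 3. Required TCP ports reachable on every DC the remote forest advertises
    foreach ($dc in $dcs) {
        foreach ($port in $TcpPorts) {
            $tnc = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
            $results.Add([pscustomobject]@{ Check = "TCP $port -> $dc"; Passed = $tnc.TcpTestSucceeded; Detail = "$($tnc.RemoteAddress)" })
        }
    }
    return $results
}

# Any row with Passed = False must be fixed before the trust is created
Test-TrustPrerequisites -RemoteForest 'fabrikam.com' | Format-Table -AutoSize
```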

Creating the Forest Trust

Create the cross-forest trust from the Active Directory Domains and Trusts MMC snap-in or from the command line:

# Create a two-way trust between contoso.com and fabrikam.com
# Run on a DC in the contoso.com forest root domain as a Contoso Enterprise Admin

# Create the trust using netdom; /passwordd:* prompts for the Fabrikam admin
# password instead of leaving it in the command history
netdom trust contoso.com /domain:fabrikam.com /twoway /add /userd:FABRIKAM\Administrator /passwordd:*

# Alternatively, using the .NET System.DirectoryServices.ActiveDirectory classes.
# ForestTrustRelationshipInformation has no public constructor; it is returned by
# Forest.GetTrustRelationship() once the trust exists. Each forest creates its own
# side of the trust with a shared trust password: run the mirrored call (target
# 'contoso.com', same password) on a fabrikam.com DC to complete it.
$trustPassword = Read-Host -Prompt 'Shared trust password (enter the same value on both forests)'
$localForest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$direction = [System.DirectoryServices.ActiveDirectory.TrustDirection]::Bidirectional
$localForest.CreateLocalSideOfTrustRelationship('fabrikam.com', $direction, $trustPassword)

# Once both sides exist, this returns the ForestTrustRelationshipInformation object
$trust = $localForest.GetTrustRelationship('fabrikam.com')
# The AD Domains and Trusts MMC remains the simplest GUI route to a transitive forest trust

Configuring Selective Authentication

Selective authentication stops users from the trusted forest from authenticating to any computer in the trusting forest by default: you must explicitly grant access to specific groups or users on specific servers:

# Enable selective authentication on the trust (set on the trusting/resource side)
netdom trust contoso.com /domain:fabrikam.com /SelectiveAUTH:Yes

# Grant a Fabrikam group "Allowed to Authenticate" permission on a specific server
# This is done in Active Directory Users and Computers:
# Server computer object > Properties > Security > Add Fabrikam group > Allowed to Authenticate

# Via PowerShell using ACL manipulation (the AD: drive comes from the ActiveDirectory module)
Import-Module ActiveDirectory
$serverDN = (Get-ADComputer 'FILE-SERVER01').DistinguishedName
$acl = Get-Acl "AD:$serverDN"
$fabrikamGroup = New-Object System.Security.Principal.NTAccount('FABRIKAM\IT-Admins')
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $fabrikamGroup,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [GUID]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'  # Allowed-To-Authenticate extended right
)
$acl.AddAccessRule($rule)
Set-Acl "AD:$serverDN" $acl
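Because every Allowed-To-Authenticate grant widens the set of foreign principals that can reach a server, the grants should be reviewed periodically. The following audit function is an added example, not part of the original guide; it assumes the ActiveDirectory module and enumerates the computer objects of the local domain for ACEs carrying the Allowed-To-Authenticate GUID used above.

```powershell
Import-Module ActiveDirectory

# Allowed-To-Authenticate extended right (same GUID as granted above)
$AllowedToAuthenticate = [guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'

function Get-AllowedToAuthenticateGrants {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    $localNetbios = (Get-ADDomain).NetBIOSName

    foreach ($computer in Get-ADComputer -Filter * -SearchBase $SearchBase) {
        $acl = Get-Acl -Path "AD:$($computer.DistinguishedName)"
        foreach ($ace in $acl.Access) {
            $extendedRight = ($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0
            if (-not $extendedRight -or $ace.ObjectType -ne $AllowedToAuthenticate) { continue }

            $trustee = $ace.IdentityReference.Value
            [pscustomobject]@{
                Computer  = $computer.Name
                Trustee   = $trustee
                Type      = $ace.AccessControlType
                Inherited = $ace.IsInherited
                # Anything not prefixed with this domain's NetBIOS name: a principal from the
                # other forest, a built-in identity, or a raw SID left behind by a removed trust
                Foreign   = -not $trustee.StartsWith("$localNetbios\", [System.StringComparison]::OrdinalIgnoreCase)
            }
        }
    }
}

# Only grants to principals outside this domain matter for a selective-authentication review
Get-AllowedToAuthenticateGrants | Where-Object Foreign | Sort-Object Computer | Format-Table -AutoSize
```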

Configuring Name Suffix Routing

Name suffix routing controls which UPN suffixes are routed across the trust:

# List the name suffixes routed over the trust; each suffix is shown with an index and its status
netdom trust contoso.com /domain:fabrikam.com /namesuffixes:fabrikam.com

# Toggle the routing status (enabled <-> disabled) of the suffix at index 1 in that listing
netdom trust contoso.com /domain:fabrikam.com /namesuffixes:fabrikam.com /ToggleSuffix:1

Validating and Monitoring the Trust

# Validate the trust
netdom trust contoso.com /domain:fabrikam.com /verify

# List the trusts known to DC01 and verify the secure channel to fabrikam.com
nltest /server:DC01.contoso.com /domain_trusts /all_trusts
nltest /sc_verify:fabrikam.com

# Check trust health event logs
Get-WinEvent -LogName 'System' -FilterXPath "*[System[Provider[@Name='NETLOGON'] and (EventID=5719 or EventID=5722)]]" -MaxEvents 20
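Beyond verifying that the trust works, a periodic check should confirm it still carries the hardening chosen above (forest-transitive, selective authentication, default SID filtering, no TGT delegation). This function is an added example, not part of the original guide; it assumes the ActiveDirectory module and reads the trustAttributes bit flags documented in MS-ADTS, because those bits are unambiguous where the friendlier Get-ADTrust property names are not.

```powershell
Import-Module ActiveDirectory

# trustAttributes bit flags as defined in MS-ADTS
$FOREST_TRANSITIVE     = 0x0008
$CROSS_ORGANIZATION    = 0x0010   # selective authentication enabled
$TREAT_AS_EXTERNAL     = 0x0040   # SID filtering relaxed to external-trust level (netdom /EnableSIDHistory:Yes)
$ENABLE_TGT_DELEGATION = 0x0800   # unconstrained delegation allowed across the trust

function Test-ForestTrustHardening {
    param([Parameter(Mandatory)][string]$Target)

    # The trustedDomain object's name is the DNS name of the trusted forest
    $t = Get-ADTrust -Filter "Name -eq '$Target'" -Properties TrustAttributes
    if (-not $t) { throw "No trust named '$Target' exists in this domain" }
    $attr = [int]$t.TrustAttributes

    # One row per setting; Expected is the value a hardened forest trust should have
    $rows = @(
        [pscustomobject]@{ Setting  = 'Forest-transitive (forest trust, not external)'
                           Expected = $true;  Actual = (($attr -band $FOREST_TRANSITIVE) -ne 0) }
        [pscustomobject]@{ Setting  = 'Selective authentication enabled'
                           Expected = $true;  Actual = (($attr -band $CROSS_ORGANIZATION) -ne 0) }
        [pscustomobject]@{ Setting  = 'SID filtering relaxed (TREAT_AS_EXTERNAL)'
                           Expected = $false; Actual = (($attr -band $TREAT_AS_EXTERNAL) -ne 0) }
        [pscustomobject]@{ Setting  = 'TGT delegation enabled across the trust'
                           Expected = $false; Actual = (($attr -band $ENABLE_TGT_DELEGATION) -ne 0) }
    )
    Write-Verbose "Trust $($t.Name): Direction=$($t.Direction) TrustType=$($t.TrustType) TrustAttributes=0x$($attr.ToString('X4'))"
    foreach ($r in $rows) {
        $r | Add-Member -NotePropertyName Passed -NotePropertyValue ($r.Expected -eq $r.Actual) -PassThru
    }
}

# Run on a contoso.com DC; a False in the Passed column means the trust has drifted from the intended configuration
Test-ForestTrustHardening -Target 'fabrikam.com' -Verbose | Format-Table -AutoSize
```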

Summary

Cross-forest trusts on Windows Server 2016 enable controlled access between separate Active Directory forests, supporting mergers, acquisitions, and partner access scenarios. With proper DNS forwarders, network connectivity, selective authentication, and name suffix routing, forest trusts provide secure, manageable cross-boundary access while maintaining isolation between the two forests’ administrative domains.