How to Configure Windows Server 2016 Domain Trust Relationships
Domain trust relationships in Windows Server 2016 enable users in one domain to access resources in another domain without requiring separate accounts in each domain. Trusts define the authentication relationships between domains and forests, determining how Kerberos and NTLM authentication flows across domain boundaries. Properly configuring and securing trust relationships is fundamental to multi-domain and multi-forest enterprise environments.
Windows Server 2016 supports several types of trust relationships: parent-child trusts (created automatically within a domain tree), tree-root trusts (between tree roots in a forest), shortcut trusts (to optimize authentication paths), external trusts (between domains in different forests), forest trusts (between entire AD forests), and realm trusts (between AD and non-Windows Kerberos realms).
Step 1: Understand Trust Direction and Transitivity
Every trust has a direction and a transitivity setting. A one-way trust allows users in the trusted domain to access resources in the trusting domain. A two-way trust allows access in both directions. Transitive trusts extend authentication across the trust chain, while non-transitive trusts limit access to the two directly connected domains.
Domain A trusts Domain B (one-way):
  Users in B can access resources in A
  Users in A cannot access resources in B
Domain A <-> Domain B (two-way, transitive):
  All users can access resources in either domain
  If Domain B also trusts Domain C, Domain A users can reach Domain C
Step 2: Verify DNS Resolution Between Domains
DNS must be configured to resolve names in both domains before creating a trust. Configure conditional forwarders in each domain’s DNS to resolve the other domain:
# Run on a DNS server in the local domain; replace the zone name and the remote domain's DNS server addresses.
Add-DnsServerConditionalForwarderZone -Name "remotedomain.com" `
    -MasterServers 10.20.0.10, 10.20.0.11 `
    -ReplicationScope Domain
# Repeat on the remote side with this domain's name and DNS servers so resolution works in both directions.
Test resolution from both sides before proceeding:
Resolve-DnsName -Name "remotedomain.com" -Type SOA
Resolve-DnsName -Name "dc01.remotedomain.com"
Step 3: Verify Network Connectivity
Domain trusts require several ports to be open between the domain controllers of both domains. Verify connectivity before creating the trust:
Test-NetConnection -ComputerName dc01.remotedomain.com -Port 88 # Kerberos
Test-NetConnection -ComputerName dc01.remotedomain.com -Port 135 # RPC Endpoint Mapper
Test-NetConnection -ComputerName dc01.remotedomain.com -Port 389 # LDAP
Test-NetConnection -ComputerName dc01.remotedomain.com -Port 445 # SMB
Test-NetConnection -ComputerName dc01.remotedomain.com -Port 464 # Kerberos password change
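The DNS and port checks from Steps 2 and 3 can be run together as one pre-flight script that fails loudly before any trust is created. This is an added example and not code from the original article; the domain name remotedomain.com, the host dc01.remotedomain.com, and the port list (the article's five ports plus DNS, LDAPS and Global Catalog) are assumptions for illustration. When no domain controller is named, it discovers them from the remote domain's _ldap._tcp.dc._msdcs SRV record.

```powershell
function Test-TrustPrerequisites {
    # Checks DNS resolution and TCP reachability to a remote domain's DCs
    # and returns one result object per check (Passed = $true/$false).
    param(
        [Parameter(Mandatory)][string]$RemoteDomain,
        [string[]]$DomainControllers
    )
    $results = [System.Collections.Generic.List[object]]::new()

    # 1. DNS: the remote zone's SOA must resolve through the conditional forwarder
    try {
        $soa = Resolve-DnsName -Name $RemoteDomain -Type SOA -ErrorAction Stop
        $primary = ($soa | Where-Object { $_.Type -eq 'SOA' } | Select-Object -First 1).PrimaryServer
        $results.Add([pscustomobject]@{ Check = 'DNS SOA'; Target = $RemoteDomain; Passed = $true;  Detail = $primary })
    } catch {
        $results.Add([pscustomobject]@{ Check = 'DNS SOA'; Target = $RemoteDomain; Passed = $false; Detail = $_.Exception.Message })
    }

    # 2. DC discovery via the SRV record if the caller did not name any DCs
    if (-not $DomainControllers) {
        try {
            $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$RemoteDomain" -Type SRV -ErrorAction Stop
            $DomainControllers = $srv | Where-Object { $_.Type -eq 'SRV' } |
                Select-Object -ExpandProperty NameTarget -Unique
            $results.Add([pscustomobject]@{ Check = 'DC SRV lookup'; Target = $RemoteDomain; Passed = $true;  Detail = ($DomainControllers -join ', ') })
        } catch {
            $results.Add([pscustomobject]@{ Check = 'DC SRV lookup'; Target = $RemoteDomain; Passed = $false; Detail = $_.Exception.Message })
        }
    }

    # 3. Ports used during trust creation and cross-domain authentication.
    #    RPC also needs the dynamic range (49152-65535) to the remote DCs; that is
    #    not testable with a single fixed port and must be checked on the firewall.
    $ports = [ordered]@{
        53   = 'DNS'
        88   = 'Kerberos'
        135  = 'RPC Endpoint Mapper'
        389  = 'LDAP'
        445  = 'SMB'
        464  = 'Kerberos password change'
        636  = 'LDAPS'
        3268 = 'Global Catalog'
    }
    foreach ($dc in $DomainControllers) {
        foreach ($port in $ports.Keys) {
            $tnc = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
            $results.Add([pscustomobject]@{
                Check  = "TCP $port ($($ports[$port]))"
                Target = $dc
                Passed = $tnc.TcpTestSucceeded
                Detail = $tnc.RemoteAddress
            })
        }
    }
    return $results
}

# Usage: names are constructed for this example
$report = Test-TrustPrerequisites -RemoteDomain 'remotedomain.com' -DomainControllers 'dc01.remotedomain.com'
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Passed }) {
    Write-Warning 'One or more prerequisite checks failed; fix them before running netdom trust /add.'
}
```

Run it from a domain controller in the local domain (Resolve-DnsName and Test-NetConnection ship with Windows Server 2016), and run the mirror image from the remote side, since a trust needs resolution and reachability in both directions.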
Step 4: Create an External Trust Using the GUI
To create a trust using the Active Directory Domains and Trusts console, open it on a domain controller in the local domain. Right-click the domain name and select Properties, then click the Trusts tab. Click New Trust and follow the wizard:
Trust Name: remotedomain.com
Trust Type: External
Direction: Two-way (or one-way as required)
Sides of Trust: Both this domain and the specified domain
Outgoing Trust Authentication Level: Selective Authentication (recommended)
Trust Password: (enter a strong shared password)
Step 5: Create a Trust Using PowerShell
For scripted deployments, create domain trusts with the netdom command-line tool. The commands below are run from a PowerShell prompt, where the backtick continues a line:
# Run elevated as a domain administrator. /userD and /passwordD authenticate to the specified
# (remote) domain, /userO and /passwordO to the local domain; * prompts for each password.
netdom trust yourdomain.com /domain:remotedomain.com `
    /add /twoway `
    /userD:Administrator /passwordD:* `
    /userO:Administrator /passwordO:*
To create a one-way trust where your domain trusts the remote domain:
netdom trust yourdomain.com /domain:remotedomain.com /add
Step 6: Verify the Trust
After creating the trust, verify it is functioning correctly using the Active Directory Domains and Trusts console or PowerShell:
netdom trust yourdomain.com /domain:remotedomain.com /verify
Using PowerShell to query trust properties:
Get-ADTrust -Filter * | Select-Object Name, Direction, TrustType, DisallowTransivity | Format-Table -AutoSize
Step 7: Configure Selective Authentication
For external trusts, use Selective Authentication instead of domain-wide authentication (forest-wide authentication on forest trusts) to limit which users from the trusted domain can access resources. With Selective Authentication, a user from the trusted domain can only authenticate to a server whose computer object grants them the Allowed to Authenticate permission, so administrators must grant that permission explicitly on each resource:
Import-Module ActiveDirectory

# Computer object of the resource server that trusted-domain users may authenticate to
$server = Get-ADComputer -Identity "fileserver01"
$acl = Get-Acl -Path "AD:\$($server.DistinguishedName)"

# Principal from the trusted domain (NetBIOS domain name, backslash, group name)
$trustUser = New-Object System.Security.Principal.NTAccount("REMOTEDOMAIN\Domain Users")

# Allowed-To-Authenticate is a control access right identified by this well-known GUID
$allowedToAuthenticate = [System.Guid]"68b1d179-0d15-4d4f-ab71-46152e79a7bc"
$ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $trustUser.Translate([System.Security.Principal.SecurityIdentifier]),
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $allowedToAuthenticate
)
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$($server.DistinguishedName)" -AclObject $acl
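Steps 6 and 7 are only as good as the follow-up: a trust created with the defaults, or one whose Allowed to Authenticate grants have drifted, is easy to miss in the console. The script below is an added example, not code from the original article or from Microsoft: it reports every trust visible from the local domain with the settings a reviewer cares about (Selective Authentication, SID filtering, TGT delegation) and lists who holds Allowed to Authenticate on a given computer object. The computer name fileserver01 is an assumption; the property names are those returned by Get-ADTrust, and Direction is read from the local domain's perspective, so Outbound and BiDirectional are the trusts that let the remote side's accounts authenticate here.

```powershell
Import-Module ActiveDirectory

# Control access right GUID for Allowed-To-Authenticate (the same value used in Step 7)
$AllowedToAuthenticateGuid = [System.Guid]"68b1d179-0d15-4d4f-ab71-46152e79a7bc"

function Get-TrustSecurityReport {
    # One row per trust, with a Findings column listing settings that widen the impact
    # of a compromised trusted domain and that an administrator should justify or fix.
    Get-ADTrust -Filter * | ForEach-Object {
        $trust = $_
        $findings = @()

        # Outbound: this domain trusts the target. BiDirectional: both ways.
        # Only these directions let the target's accounts authenticate to resources here.
        $acceptsForeignLogons = $trust.Direction -in 'Outbound', 'BiDirectional'

        if ($acceptsForeignLogons -and -not $trust.SelectiveAuthentication) {
            $findings += 'domain-wide authentication (Selective Authentication off)'
        }
        # SID filtering discards SIDs that do not belong to the trusted domain (SID history
        # abuse); external trusts use the Quarantined flag, forest trusts the ForestAware flag.
        if (-not $trust.IntraForest -and
            -not ($trust.SIDFilteringQuarantined -or $trust.SIDFilteringForestAware)) {
            $findings += 'SID filtering disabled'
        }
        if ($trust.TGTDelegation) {
            $findings += 'TGT delegation allowed across the trust'
        }

        [pscustomobject]@{
            Name                    = $trust.Name
            Direction               = $trust.Direction
            TrustType               = $trust.TrustType
            ForestTransitive        = $trust.ForestTransitive
            SelectiveAuthentication = $trust.SelectiveAuthentication
            SIDFilteringQuarantined = $trust.SIDFilteringQuarantined
            SIDFilteringForestAware = $trust.SIDFilteringForestAware
            TGTDelegation           = $trust.TGTDelegation
            Findings                = ($findings -join '; ')
        }
    }
}

function Get-AllowedToAuthenticateGrants {
    # Lists the ACEs that grant Allowed-To-Authenticate on a computer object; under
    # Selective Authentication these are exactly what opens the server to trusted-domain users.
    param([Parameter(Mandatory)][string]$ComputerName)

    $computer = Get-ADComputer -Identity $ComputerName
    $acl = Get-Acl -Path "AD:\$($computer.DistinguishedName)"
    $acl.Access |
        Where-Object {
            $_.ObjectType -eq $AllowedToAuthenticateGuid -and
            ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
        } |
        Select-Object @{ n = 'Computer'; e = { $computer.Name } },
                      IdentityReference, AccessControlType, IsInherited
}

# Usage (computer name is constructed for this example)
Get-TrustSecurityReport | Format-Table -AutoSize
Get-AllowedToAuthenticateGrants -ComputerName 'fileserver01' | Format-Table -AutoSize
```

An empty Findings column for an external trust means Selective Authentication is on, SID filtering is on and TGT delegation is off, which is the baseline this article recommends; run the report after each trust change and alongside the netdom /verify check in Step 6.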
Step 8: Remove a Trust
To remove a trust relationship when it is no longer needed:
netdom trust yourdomain.com /domain:remotedomain.com /remove /force
Domain trust relationships provide the foundation for cross-domain resource access in Windows Server 2016 environments. By combining proper DNS configuration, network connectivity, selective authentication, and regular trust verification, you can maintain secure and reliable access across domain and forest boundaries.