Trust between two forests (Using DNS stub zone)
注意
Please note that these steps were tried between two forests with root domain in Windows 2012R2 DC and the Forest functional level used is 2012.
For reference, the forests are named as Forest A and Forest B.
Configure the source DNS server to allow for zone transfers
These steps will be accomplished on both DNS Servers.
To forward lookup zone properties,
Launch the DNS console.
Click on the Forward Look Zone that you desire so configure.
Click on Properties.
Select the Zone Transfers tab.
Select Only to the following servers.
Click on Automatically notify and add the IP of the Forest B. Make sure the IP is resolved and the green check mark appears.
Click OK.
Configure a Stub Zone
These steps will be accomplished in both DNS servers.
To create a new forward lookup zone for Forest B in Forest A,
Launch the DNS Console.
Click on Forward Lookup Zone and choose New Zone.
In the Welcome to the New Zone Wizard, click Next.
Click on Next and select the Zone type.
In the next step, select To all DNS servers running on domain controller in this forest.
On the Zone Name page, enter the desired zone to transfer from, click Next.
Add the IP of Forest B DC and hit Enter. Make sure the IP is resolved.
Click Finish and perform the same steps in Forest B DNS for Forest A.
注意
nslookup should work from Forest A to Forest B and vice-versa without adding IPs of the domain in Host file.
Create a cross-forest trust
For Active directory domains and trust,
Go to property of root domain in Forest A. Navigate to Trusts tab and add a new trust.
Enter NetBIOS name of Forest B, on the next screen and enter the admin credentials for Forest B.
Select the Forest trust for trust type.
Select the Two-way direction for this trust.
For Outgoing Trust Authentication Level, select Domain-wide authentication.
Provide a trust password. This is required for creating the trust in Forest B.
Proceed with the wizard and complete it.