Create an Active Directory Trust

Introduction

In my previous blogpost I described how to configure a Site-to-site Virtual Private Network (VPN) connection in Microsoft Azure. In this blogpost I will explain how to create an Active Directory (AD) trust. This particular trust will create the possibility for users in the external domain (on-premises) to authenticate in the Azure domain. This means an External One-way: outgoing trust should be created.

Step 1. Create a conditional forwarder.

A conditional forwarder is a setting on a DNS server in the network that will forward data traffic to other DNS servers outside their own network. The current example described the authentication of users from a local AD in Azure AD. For more information about forwarders, please visit https://technet.microsoft.com/en-us/library/cc730756(v=ws.11).aspx

To create a conditional forwarder first open the DNS Manager on a Windows Server Domain Controller and right-click on the Conditional Forwarders container and select “New Conditional Forwarder” as shown in Figure 1.

dns-manager

 

 

 

 

 

 

 

Figure 1. DNS Manager.

In the “New Conditional Forwarder” window enter the DNS name of the server to which the traffic has to be forward.

Next, add the IP addresses of all servers which can resolve queries for this domain.

Optionally, it is possible to check the “Store this conditional forwarder in Active Directory, and replicate it as follows”. This will store the conditional forward configuration in AD and replicates it to all the Domain Controllers that have the DNS server role installed, please see Figure 2.

new-conditional-forwarder

 

 

 

 

 

 

 

 

 

 

Figure 2. New Conditional Forwarder configuration.

Now click “OK” and the forwarder is saved (Figure 3).

conditional-forwader-saved

 

 

 

 

 

 

Figure 3. New Conditional Forwarder.

Step 2. Flush DNS cache.

In order to resolve the new DNS domain, the cache needs to be cleared. Open a “command prompt” with administrator privileges and type “ipconfig /flushdns” as presented in Figure 4.

flush-dns

 

 

 

 

 

 

Figure 4. Flush DNS command in an elevated command prompt.

Once the DNS cache has been cleared the domain can be resolved.

Step 2. Create the AD trust.

Open “Active Directory Domain and Trusts” and right-click on the domain in order to open the properties. Next, select the tab “Trusts” and click “New Trust…” (Figure 5).

domain-properties

 

 

 

 

 

 

 

 

 

 

Figure 5. Domain properties.

The New Trust Wizard will open (Figure 6) and click “Next”.

new-trust-wizard

 

 

 

 

 

 

 

 

 

Figure 6. Start window with the New Trust Wizard.

Subsequently, type the name of the domain and click “Next” (Figure 7). Note that this name should refer to the trust at which it has to be establish.

trust-name

 

 

 

 

 

 

 

 

 

 

Figure 7. Type in the Trust Name.

In the next step the trust type of interest should be selected. In the current example the trust has to be established from the local domain to the Azure domain, so therefore an “Forest trust” was used as shown in Figure 8. To complete the selection of the trust type, click “Next

trust-type

 

 

 

 

 

 

 

 

 

Figure 8. Select the trust type.

After selecting the trust type, select the direction of the trust type. In the current example the “Two-way” trust is the best suitable selection for the goal (authenticate in the Azure domain). Please see Figure 9 for details. To finish selecting the direction for the trust and click “Next”.

direction-of-trust

 

 

 

 

 

 

 

 

 

Figure 9. Select the direction of trust.

The trust can be created for “This domain only” which is relevant for the current example since it is not necessary to have privileges in both domains (see Figure 10). Select the preferred option and click “Next”.

sides-of-trust

 

 

 

 

 

 

 

 

 

Figure 10. Select the side of trust.

The outgoing trust level will be set to “Forest-wide authentication”. This ensures that users automatically authenticate from the specified domain in the local domain (Figure 11). After the level of authentication is selected click “Next”.

outgoing-trust-authentication-level

 

 

 

 

 

 

 

 

Figure 11. Define the trust authentication level.

Once the outgoing trust level is set, type in the trust password (Figure 12). Make sure it is secure enough and it meets the domain security policy. A combination of symbols, numbers, and uppercase and lowercase letters are allowed. Confirm the password and click “Next”.

trust-password

 

 

 

 

 

 

 

 

 

Figure 12. Trust password window.

Figure 13 provides a summary of the settings for the trust. To create the trust, click “Next” to continue.

trust-selections-complete

 

 

 

 

 

 

 

 

Figure 13. Summary of the trust wizard settings.

If everything went well the trust relationship has been created (Figure 14). Click “Next”.

trust-creation-complete

 

 

 

 

 

 

 

 

Figure 14. Status of the created trust.

In the “confirm outgoing trust” window it is possible to confirm the outgoing trust. To do so select “Yes, confirm the outgoing trust” and click “Next”. Please see Figure 15 for details. Be sure to confirm the trust only if the trust on the other domain is already created.

confirm-outgoing-trust

 

 

 

 

 

 

 

 

 

Figure 15. Option to confirm the outgoing trust.

In the “confirm Incoming trust” window it is possible to confirm the incoming trust. Select “No, do not confirm the incoming trust” and click “Next” (Figure 16).

confirm-incoming-trust

 

 

 

 

 

 

 

 

Figure 16. Option to confirm the incoming trust.

The final step in the wizard shows that the trust relationship was successfully created and confirmed as shown in Figure 17. Click “Finish” to end the configuration.

completing-the-new-trust-wizard

 

 

 

 

 

 

 

 

 

Figure 17. Complete new trust wizard.

The bridge has been built, now it’s time to let cars drive over it!

Advertisements

One thought on “Create an Active Directory Trust

  1. Excellent piece ! I loved the points ! Does anyone know where my assistant could get access to a fillable NY DTF DTF-5 document to fill in ?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s