Now let's take a look at trust relationships. We're on my Windows 11 workstation. I showed you how we can install the Remote Server Administration Tools from the optional features setting. Now that I've done that on this machine and I'm signed in with an enterprise admin credential, let me open up domain.msc. This is a shortcut to the Active Directory Domains and Trusts console. Because I'm signed into this workstation as an enterprise admin, I have full privileges to create trusts and full visibility across my environment here. You can see that my current context is rootdc2.timw.info, and I'm looking at my parent/child relationship here between timw.info and child.timw.info. We can inspect the trust relationships that were built for us by Azure by right-clicking either of those domains, inspecting Properties, and navigating to the Trusts page. We can see domains trusted by this domain are outgoing trusts. We have our built-in child transitive trust, and note that you can view the properties. And if you have connectivity problems or permissions problems within a domain or across a trust, perhaps you can reset the trust relationship by looking at the properties of the trust and clicking Validate, as you can see here.

Same thing applies for domains that trust this domain. We've got a transitive child trust coming from the child domain. This is how it works by default. We can do the same inspection at the child domain level if we wanted to; it's just that these would be reversed. Now in terms of creating your own trusts, we can do that. Let's create a forest trust here between the timw.info forest root domain and my acq forest that I created a bit earlier today. Let's go to New Trust, and this kicks off the New Trust Wizard. Again, this dialog is really, really old. It asks us for the name of the domain, forest, or realm. Now I've also configured DNS resolution, so let's see if it's actually working. The name of the remote forest is acq.com. Let's click Next. Is it going to be a realm trust with a non-Active Directory Directory Services realm, in other words, a Kerberos V5 realm? Or are we trusting with the Windows domain, which is acq.com? That's what I want. We'll select Forest trust and click Next. Oh, it just occurred to me here. The reason I'm able to connect across the two forests is that I've configured conditional DNS, so let me quickly show you that before I forget. Let me open up dnsmgmt.msc.

As you can see, I really like to use the shorthand for the Microsoft Management Console. I'm going to specify the name of rootdc1.timw.info. And let me just show you in my forest root domain, I have a conditional forwarder defined that any requests to acq.com will go to 192.168.010. I've also configured a conditional forwarder in the acq.com forest that any requests to timw.info will go to rootdc1. So that allows that. I'm going to do two-way, but you notice that we can do one-way: incoming or one-way: outgoing. And it tells us here, are we going to do just the one side of the trust, or are we going to attempt to create a connection and trust relationship on the other forest from here? But we'll have to authenticate as an enterprise administrator on the remote side of the trust. It shouldn't be a problem, so let me select that. And now for that remote domain, I'm going to authenticate as an enterprise administrator. Let me carefully type my password here, and this is where we can choose forest-wide authentication versus selective. I'm going to go with Forest-wide.

But the idea is, if you do selective authentication, you're then going to have to go to each domain controller and specifically grant individual access within the domain controllers of each domain. Let me quickly show you that. Let me open up dsa.msc. That's the Active Directory Users and Computers console, and we'll want to go to View and make sure that Advanced Features is enabled. And let's say we wanted to allow selective authentication only in the root domain to rootdc2, so we would go to Properties, go to Security, and we would browse across the forest trust to the remote forest, pick out a group, and make sure that we grant them the Allowed to authenticate permission. That is what's required when you enable selective authentication across your forest trust. It's going to be quite a bit more work for you to do. I'm going to go with Forest-wide here, and we're going to do that for both directions of the trust. We can modify these trust properties later, of course. And then once we're ready, we can proceed. Do we want to confirm? Yes, I do. Let's click Next. I want to confirm actually both sides. We'll click Next, and then we click Finish, and we're good to go.

We can review the trust relationship here, both directions. We can remove any of these trusts. We can look at the properties to reconfigure them. We can always come back and override the forest-wide authentication if we want to or if we need to.
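The checks the walkthrough performs by hand in dnsmgmt.msc and on the Trusts page, as an added PowerShell example that is not from the video: it verifies the conditional forwarder, resolves the remote forest's DC locator record through it, lists each trust with its direction, authentication mode (forest-wide versus selective) and SID filtering settings, and runs the command-line equivalent of Validate. The DC names are taken from the narration; the forwarder IP is an assumption, and the DnsServer and ActiveDirectory RSAT modules plus netdom are assumed to be available.

```powershell
# Added example, not from the video. Assumes RSAT DnsServer + ActiveDirectory modules
# and enterprise admin rights in timw.info. Names/IP below are assumptions from the narration.
Import-Module DnsServer, ActiveDirectory

$LocalForest  = 'timw.info'
$RemoteForest = 'acq.com'
$LocalDns     = 'rootdc1.timw.info'
$RemoteDnsIp  = '192.168.0.10'   # assumed forwarder target; adjust to your environment

# 1. Conditional forwarder on the local side: acq.com queries must go to the remote DC.
$fwd = Get-DnsServerZone -ComputerName $LocalDns -Name $RemoteForest -ErrorAction SilentlyContinue
if (-not $fwd -or $fwd.ZoneType -ne 'Forwarder') {
    Write-Warning "No conditional forwarder for $RemoteForest on $LocalDns"
    # To create it: Add-DnsServerConditionalForwarderZone -ComputerName $LocalDns -Name $RemoteForest -MasterServers $RemoteDnsIp
} else {
    'Forwarder for {0} -> {1}' -f $RemoteForest, ($fwd.MasterServers -join ', ')
}

# 2. Resolution across the forwarder: the DC locator SRV record the trust wizard relies on.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$RemoteForest" -Type SRV -Server $LocalDns -ErrorAction SilentlyContinue
if ($srv) { 'Remote DCs: ' + (($srv | Where-Object Type -eq 'SRV').NameTarget -join ', ') }
else      { Write-Warning "Cannot resolve DC locator record for $RemoteForest via $LocalDns" }

# 3. Trusts as the Trusts page shows them, with the settings that govern cross-forest exposure:
#    Auth = Forest-wide means any authenticated user of the other forest can reach resources here;
#    SID filtering (quarantine / forest-aware) controls whether foreign SIDs in a ticket are honoured.
Get-ADTrust -Filter * -Server $LocalForest |
    Select-Object Name, Direction, ForestTransitive, IntraForest,
        @{ n = 'Auth'; e = { if ($_.SelectiveAuthentication) { 'Selective' } else { 'Forest-wide' } } },
        SIDFilteringForestAware, SIDFilteringQuarantined, TGTDelegation |
    Format-Table -AutoSize

# 4. Command-line equivalent of clicking Validate on the trust's properties page.
netdom trust $LocalForest /domain:$RemoteForest /verify
```

Any trust reported as Forest-wide with SIDFilteringQuarantined false is the configuration to revisit first when tightening what the other forest's accounts can reach.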