Configuring Forest Trusts
Configuring a forest trust is similar to creating a shortcut trust. The main consideration before
you begin is making sure DNS is configured correctly in both forest root domains. The following
are the three most common ways to configure DNS for a forest trust:
Conditional forwarders — As you learned in Chapter 9, a conditional forwarder forwards
all DNS requests for a domain to a DNS server specified in the conditional forwarder
record. Setting up a conditional forwarder is easy, but if the IP address on the DNS server
in the target domain changes, forwarding no longer works. With this method, you create
a conditional forwarder in the forest root domain pointing to a DNS server in the other
forest root domain. Do this in both forests involved in the trust.
Stub zones — Stub zones are much like conditional forwarders, except they're updated
dynamically if DNS servers' addresses change. The only real downside of stub zones is the
additional traffic created by replicating zone information, which is minimal. To use this
method, create a stub zone in the forest root domain of both forests pointing to the forest
root domain of the other forest.
Secondary zones — Creating a secondary zone for the purpose of configuring forest trusts is
probably overkill. With secondary zones, you need to configure zone transfers, which
causes more network traffic than with stub zones, especially if the primary zone's forest
root domain contains a lot of records. However, you might want to use secondary zones as
fault tolerance for the primary zone and to facilitate local hosts' name resolution for hosts
in the primary domain.
You can also configure a DNS server to act as the root server for the DNS namespaces of
both forests. On the root server, you must delegate the namespaces for each forest, and then
configure root hints on DNS servers in the two forests to point to the root server.
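The following PowerShell script is an added example, not from the textbook, showing the DNS preparation described above in script form: it creates the zone for the other forest's root domain using whichever of the three methods you choose (stub zone by default), and then checks that the domain controller locator records of the other forest root resolve before you open the New Trust Wizard. The forest name 'partner.example', the server address 192.0.2.10, and the function names Add-ForestTrustDnsZone and Test-ForestRootResolution are placeholders and assumptions for this example; the DnsServer module cmdlets and the _msdcs SRV record names are the standard ones. Run it on a DNS server in each forest root domain, swapping the placeholder values for the other side.

```powershell
# Added example (not textbook code). Run on a DNS server in the forest root domain.
# Placeholder values: replace with the other forest's root domain and a DNS server in it.
$RemoteForest    = 'partner.example'   # forest root domain of the other forest (placeholder)
$RemoteDnsServer = '192.0.2.10'        # DNS server in that forest root domain (placeholder address)

function Add-ForestTrustDnsZone {
    param(
        [Parameter(Mandatory)][string]$ZoneName,
        [Parameter(Mandatory)][ipaddress[]]$MasterServers,
        [ValidateSet('ConditionalForwarder', 'Stub', 'Secondary')][string]$Method = 'Stub'
    )
    if (Get-DnsServerZone -Name $ZoneName -ErrorAction SilentlyContinue) {
        Write-Host "Zone $ZoneName already exists on this server; skipping."
        return
    }
    switch ($Method) {
        'ConditionalForwarder' {
            # Forwards every query for the zone to the listed servers. If their addresses
            # change, forwarding silently stops working, so re-check after any DNS server move.
            Add-DnsServerConditionalForwarderZone -Name $ZoneName -MasterServers $MasterServers -ReplicationScope Forest
        }
        'Stub' {
            # Holds only SOA, NS and glue records and refreshes them from the master servers,
            # so it follows address changes in the other forest automatically.
            Add-DnsServerStubZone -Name $ZoneName -MasterServers $MasterServers -ReplicationScope Forest
        }
        'Secondary' {
            # Full read-only copy of the zone; the primary must permit zone transfers to this
            # server, and the transfer traffic grows with the size of the zone.
            Add-DnsServerSecondaryZone -Name $ZoneName -ZoneFile "$ZoneName.dns" -MasterServers $MasterServers
        }
    }
}

function Test-ForestRootResolution {
    param([Parameter(Mandatory)][string]$ForestRoot)
    # The trust wizard locates domain controllers and global catalogs of the other forest
    # root through these standard Active Directory SRV records.
    $names = @("_ldap._tcp.dc._msdcs.$ForestRoot", "_ldap._tcp.gc._msdcs.$ForestRoot")
    $ok = $true
    foreach ($name in $names) {
        try {
            $records = Resolve-DnsName -Name $name -Type SRV -DnsOnly -ErrorAction Stop
            $targets = ($records | Where-Object { $_.Type -eq 'SRV' } | ForEach-Object { $_.NameTarget }) -join ', '
            Write-Host "OK   $name -> $targets"
        } catch {
            Write-Warning "FAIL $name : $($_.Exception.Message)"
            $ok = $false
        }
    }
    return $ok
}

Add-ForestTrustDnsZone -ZoneName $RemoteForest -MasterServers $RemoteDnsServer -Method Stub
if (-not (Test-ForestRootResolution -ForestRoot $RemoteForest)) {
    throw "DNS for $RemoteForest is not resolving; fix it before starting the New Trust Wizard."
}
```

The -ReplicationScope Forest setting stores the conditional forwarder or stub zone in Active Directory so every DNS server in the forest receives it, which is why the textbook tells you to do this once per forest rather than per server. The resolution check is the practical form of the condition stated in the textbook that the forest root domain of each forest must be resolvable from the other before you create the trust; if either SRV lookup fails, the wizard will fail to contact the target forest regardless of which DNS method you chose.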
After DNS is configured and you can resolve the forest root domain of both forests from
both forests, you're ready to create the trust. The procedure is essentially the same as creating a
shortcut trust, but there are a few important differences. You must initiate the forest trust in
Active Directory Domains and Trusts from the forest root domain. After the New Trust Wizard
starts, follow these steps:
1. Specify the forest root domain of the target forest.
2. In the Trust Type window, Windows recognizes that the specified domain is a forest root domain
and gives you the option of creating an external trust or a forest trust (see Figure 10-12). Click
the Forest trust option button, and then click Next.
Figure 10-12
Creating a forest trust