Before we can start setting up selective authentication permissions, we first need a one-way trust in place so that target domain accounts can be cached on source workstations prior to cutover via Offline Domain Join. Below is a step-by-step process for establishing a one-way trust between two organizations, with selective authentication used to limit access to the target forest.
This guide assumes you have already met all DNS, firewall and network connectivity requirements for establishing a trust, since most of these would already be in place in order to perform a successful Active Directory migration:
| Item | Description |
| --- | --- |
| Network Connectivity | Ensure there is network connectivity established between Forest A and Forest B. |
| Firewall Ports | Ensure these ports are unblocked between the two forests at the network level: 53 TCP/UDP (DNS), 88 TCP/UDP (Kerberos), 389 TCP/UDP (LDAP), 636 TCP (LDAP over SSL), 445 TCP (SMB), 135 TCP (RPC Endpoint Mapper), 1024-65535 TCP (RPC for LSA, SAM, Netlogon) (*) |
| Name Resolution | Name resolution should work between Forest A and Forest B. Use a conditional forwarder or a stub zone for this. |
| Access | Membership of the Enterprise Admins group is required. Alternatively, a Domain Admin of the forest root domain (or equivalent access through delegation) can create the trust. |
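The following PowerShell snippet is an added prerequisite check and is not part of the original guide. Run from a source forest domain controller, it confirms that the target forest root and its DC locator record resolve (the name resolution row) and that the TCP ports from the table are reachable on a target domain controller. `target.example` and `dc01.target.example` are placeholder names; the UDP ports in the table and the dynamic RPC range are not covered by `Test-NetConnection`, so they still need a firewall rule review.

```powershell
# Added prerequisite check for the trust requirements table (not the original guide's code).
# Placeholders: replace with the real target forest root and one of its domain controllers.
$TargetDomain = 'target.example'
$TargetDc     = 'dc01.target.example'

# Name resolution: the conditional forwarder / stub zone must resolve the target forest root
# and the DC locator SRV record that Netlogon and the trust wizard rely on.
Resolve-DnsName -Name $TargetDomain -Type A -ErrorAction Stop | Out-Null
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$TargetDomain" -Type SRV -ErrorAction Stop |
    Select-Object Name, NameTarget, Port

# Firewall: TCP ports listed in the table. Test-NetConnection only tests TCP, so
# 53/88/389 UDP and the 1024-65535 dynamic RPC range must be checked on the firewall itself.
$Ports = [ordered]@{
    53  = 'DNS'
    88  = 'Kerberos'
    135 = 'RPC Endpoint Mapper'
    389 = 'LDAP'
    445 = 'SMB'
    636 = 'LDAP over SSL'
}

$Results = foreach ($Port in $Ports.Keys) {
    $Test = Test-NetConnection -ComputerName $TargetDc -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Port    = $Port
        Service = $Ports[$Port]
        Open    = $Test.TcpTestSucceeded
    }
}

$Results | Format-Table -AutoSize

# Any port reported as Open = False needs to be fixed before the trust wizard will succeed.
$Results | Where-Object { -not $_.Open } | ForEach-Object {
    Write-Warning "TCP $($_.Port) ($($_.Service)) to $TargetDc is blocked"
}
```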
1. From a Source Forest domain controller, launch Server Manager and, from the Tools drop-down menu, select Active Directory Domains and Trusts.
2. In Active Directory Domains and Trusts, right-click the domain and choose Properties.
3. On the domain properties sheet, click the Trusts tab.
4. Click New Trust, and on the Welcome to the New Trust Wizard page click Next.
5. On the Trust Name page, enter the name of the forest you want to establish the trust with, then click Next.
6. On the Trust Type page, select External trust and click Next.
7. On the Direction of Trust page, choose One-way: outgoing and click Next.
8. On the Sides of Trust page, in order to set the trust up for both domains you will need administrative privileges, or the administrator account and password, for both domains. In this example I will choose This domain only, then click Next.
9. On the Outgoing Trust Authentication Level page, choose Selective authentication and click Next.
10. On the Trust Password page, enter the password that the administrators from both forests have agreed upon as the trust password, then click Next.
11. On the Trust Selections Complete page click Next.
12. On the Trust Creation Complete page click Next.
13. On the Confirm Outgoing Trust page and the Confirm Incoming Trust page click Next. You will not be able to confirm the trust until the target side has been completed, unless you are creating both sides of the relationship at the same time.
14. On the Completing the New Trust Wizard page click Finish.
15. On the domain Properties page, click Apply.
Once the trust has been created on the source side, an administrator of the Target Forest must complete the same process, but for a One-way: incoming trust, using the password agreed upon when the source side of the relationship was set up.
Once both sides have been set up, you can Validate the relationship for the outgoing trust from the Source Forest Active Directory Domains and Trusts Properties view.
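The same source-side and target-side steps, followed by the validation step, as an added command-line equivalent of the wizard (this is not the guide's own code). It uses `netdom trust`, which is available on domain controllers with the AD DS tools, and `Get-ADTrust` from the ActiveDirectory module. `source.example` (the trusting domain, where the workstations live) and `target.example` (the trusted domain, whose accounts will be cached) are placeholder names; `/oneside:trusting` corresponds to the wizard's This domain only choice and `/SelectiveAUTH:yes` to the Selective authentication choice.

```powershell
# Added command-line equivalent of the wizard steps above (not the original guide's code).
# Run on a Source Forest DC as an Enterprise Admin or forest-root Domain Admin.
$SourceDomain = 'source.example'   # placeholder: trusting domain (outgoing side)
$TargetDomain = 'target.example'   # placeholder: trusted domain (incoming side)

# Trust password agreed with the target forest administrators; never hard-code it in the script.
$Secure = Read-Host -AsSecureString -Prompt 'Trust password agreed with the target forest admins'
$TrustPassword = [System.Net.NetworkCredential]::new('', $Secure).Password

# Source side only: external, one-way outgoing, selective authentication.
# netdom's first argument is the trusting domain, /d: is the trusted domain.
netdom trust $SourceDomain "/d:$TargetDomain" /add /oneside:trusting "/PasswordT:$TrustPassword" /SelectiveAUTH:yes

# The target forest administrator then creates the matching incoming side on a target DC
# with the same trust password (shown here as a comment, since it runs in the other forest):
#   netdom trust source.example /d:target.example /add /oneside:trusted /PasswordT:<agreed password>

# Once both sides exist, validate the trust (same as the Validate button on the Trusts tab).
netdom trust $SourceDomain "/d:$TargetDomain" /verify

# Confirm the attributes the wizard was supposed to set. On the source side you expect
# Direction = Outbound, TrustType = External, SelectiveAuthentication = True, ForestTransitive = False.
Get-ADTrust -Filter "Target -eq '$TargetDomain'" |
    Select-Object Name, Direction, TrustType, SelectiveAuthentication, ForestTransitive

# Clear the plaintext copy of the trust password from the session.
Remove-Variable TrustPassword
```

If `Get-ADTrust` shows `SelectiveAuthentication` as `False`, the trust was created with domain-wide authentication and every target forest user would be able to authenticate to source resources; re-run the wizard or `netdom trust ... /SelectiveAUTH:yes` without `/add` to switch the existing trust to selective authentication before granting any Allowed to Authenticate permissions.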
With our Active Directory Trust configured and validated we can now move to setting up selective permissions for Cache Credentials to work with Offline Domain Join.