On Demand Migration Current - Active Directory Offline Domain Join Credential Cache Quick Start Guide

Configuring an Active Directory Trust

Before selective authentication permissions can be set up, a one-way trust must exist so that target domain accounts can be cached on source workstations before cutover via Offline Domain Join. The procedure below establishes a one-way trust between two organizations, with selective authentication used to limit access to the target forest.

DNS and Firewall Port Requirements

This guide assumes you have already met all DNS, firewall and network connectivity requirements for establishing a trust; most of these will already be in place, since they are also needed for a successful Active Directory migration:

Item                  Description

Network Connectivity  Ensure there is network connectivity between Forest A and Forest B.

Firewall Ports        Ensure these ports are unblocked between the two forests at the network level:

                        53          TCP/UDP  DNS
                        88          TCP/UDP  Kerberos
                        389         TCP/UDP  LDAP
                        636         TCP      LDAP (SSL)
                        445         TCP      SMB
                        135         TCP      RPC Endpoint Mapper
                        1024-65535  TCP      RPC for LSA, SAM, Netlogon (*)

Name Resolution       Name resolution must work between Forest A and Forest B; use a conditional forwarder or a stub zone for this.

Access                Membership of the Enterprise Admins group is required. Alternatively, a Domain Admin of the forest root domain (or an account with equivalent access through delegation) can create the forest trust.
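The prerequisites in the table above can be checked from a Forest A domain controller before the New Trust Wizard is run. The following PowerShell script is an added example, not part of the Quest guide: it resolves Forest B's domain controller SRV records through the conditional forwarder or stub zone and probes the TCP ports from the table. The forest and domain controller names are placeholders. Test-NetConnection only tests TCP, so the UDP side of DNS, Kerberos and LDAP, and the dynamic RPC range, still have to be confirmed against the firewall rules themselves.

```powershell
# Added example (not from the Quest guide): check trust prerequisites from Forest A.
$TargetForest = 'forestb.example'        # placeholder: Forest B FQDN
$TargetDC     = 'dc01.forestb.example'   # placeholder: a Forest B domain controller

# 1. Name resolution: the _msdcs SRV records must be reachable through the
#    conditional forwarder or stub zone configured for Forest B.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$TargetForest" -Type SRV -ErrorAction SilentlyContinue
if (-not $srv) {
    Write-Warning "No SRV records for $TargetForest; check the conditional forwarder or stub zone."
} else {
    $srv | Where-Object { $_.Type -eq 'SRV' } |
        ForEach-Object { Write-Host ("Forest B DC via SRV: {0}:{1}" -f $_.NameTarget, $_.Port) }
}

# 2. Fixed TCP ports from the table. UDP 53/88/389 and the 1024-65535 RPC range
#    are not probed here (Test-NetConnection is TCP-only); verify those at the firewall.
$tcpPorts = [ordered]@{
    53  = 'DNS'
    88  = 'Kerberos'
    135 = 'RPC Endpoint Mapper'
    389 = 'LDAP'
    445 = 'SMB'
    636 = 'LDAP (SSL)'
}
$results = foreach ($port in $tcpPorts.Keys) {
    $t = Test-NetConnection -ComputerName $TargetDC -Port $port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Port    = $port
        Service = $tcpPorts[$port]
        Open    = $t.TcpTestSucceeded
    }
}
$results | Format-Table -AutoSize

# 3. Locator check: nltest asks the DC locator to find a Forest B domain controller,
#    which exercises DNS and the LDAP ping path end to end.
nltest /dsgetdc:$TargetForest /force

$blocked = $results | Where-Object { -not $_.Open }
if ($blocked) {
    Write-Warning ("Blocked TCP ports to {0}: {1}" -f $TargetDC, ($blocked.Port -join ', '))
}
```

Run it as a domain administrator on a Forest A domain controller; any port reported as not open should be resolved with the network team before proceeding to Trust Creation.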

Trust Creation

  1. From a source forest domain controller, launch Server Manager and, from the Tools drop-down menu, select Active Directory Domains and Trusts.

[Screenshot: Active Directory Domains and Trusts, forest-level trust in Windows Server]

  2. In Active Directory Domains and Trusts, right-click the domain and choose Properties.

  3. On the domain properties sheet, click the Trusts tab.

  4. Click New Trust. On the Welcome to the New Trust Wizard page, click Next.

  5. On the Trust Name page, enter the name of the forest you want to establish the trust with, then click Next.

  6. On the Trust Type page, select External trust and click Next.

  7. On the Direction of Trust page, choose One-way: outgoing and click Next.

  8. On the Sides of Trust page, to set the trust up for both domains at once you need administrative privileges (or the administrator account and password) for both domains. In this example, choose This domain only and click Next.

[Screenshot: This domain only, forest-level trust in Windows Server]

  9. On the Outgoing Trust Authentication Level page, choose Selective authentication and click Next.

  10. On the Trust Password page, enter the password that the administrators of both forests have agreed on as the trust password, then click Next.

[Screenshot: Trust password, forest-level trust in Windows Server]

  11. On the Trust Selections Complete page, click Next.

  12. On the Trust Creation Complete page, click Next.

  13. On the Confirm Outgoing Trust page and the Confirm Incoming Trust page, click Next. You cannot confirm the trust until the target side has been completed, unless you are creating both sides of the relationship at the same time.

  14. On the Completing the New Trust Wizard page, click Finish.

  15. On the domain properties page, click Apply.

  16. Once the forest trust has been created, an administrator of the target forest must complete the same process for a One-way: incoming trust, using the password agreed on when setting up the source side of the trust relationship.

  17. Once both sides have been set up, you can validate the relationship for the outgoing trust from the source forest's Active Directory Domains and Trusts Properties view.
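The validation in the last step can also be done from PowerShell on a Forest A domain controller, which makes it easy to confirm that the trust really was created as one-way outgoing with selective authentication rather than with domain-wide authentication. The script below is an added example, not part of the Quest guide; it uses the ActiveDirectory module's Get-ADTrust cmdlet and the built-in netdom tool, and the forest name is a placeholder.

```powershell
# Added example (not from the Quest guide): verify the outgoing trust from Forest A.
Import-Module ActiveDirectory
$TargetForest = 'forestb.example'   # placeholder: Forest B FQDN (the trusted forest)

# The trust object lives in the System container of the trusting domain.
$trust = Get-ADTrust -Filter "Target -eq '$TargetForest'"
if (-not $trust) {
    throw "No trust object found for $TargetForest in $env:USERDNSDOMAIN"
}

# What the wizard should have produced: one-way outgoing, selective authentication.
# A Bidirectional direction or SelectiveAuthentication = False means the trust was
# created more permissively than this guide intends.
$checks = [ordered]@{
    'Direction is Outbound (One-way: outgoing)' = ($trust.Direction -eq 'Outbound')
    'Selective authentication enabled'          = ($trust.SelectiveAuthentication -eq $true)
    'Trust is not forest-transitive'            = ($trust.ForestTransitive -eq $false)
}

$allOk = $true
foreach ($check in $checks.GetEnumerator()) {
    $status = if ($check.Value) { 'OK  ' } else { 'FAIL'; $allOk = $false }
    Write-Host ("[{0}] {1}" -f $status, $check.Key)
}

Write-Host ("TrustType={0} Source={1} Target={2}" -f $trust.TrustType, $trust.Source, $trust.Target)

# Secure-channel verification, the command-line counterpart of the Validate button.
# This only succeeds once the Forest B administrator has completed the incoming side.
netdom trust $env:USERDNSDOMAIN /d:$TargetForest /verify

if (-not $allOk) { Write-Warning 'Trust attributes do not match the expected configuration.' }
```

The forest-transitive check is included because the wizard steps above select an External trust; if your organization instead created a forest trust, drop that line and keep the other two.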

Configuring Authentication Permissions

With the Active Directory trust configured and validated, the next step is to set up the selective authentication permissions that the Credential Cache needs in order to work with Offline Domain Join.
