15.2 Cross-Forest Trust Relationships

Administrators must manually configure trust relationships to access resources in different forests. Every trust relationship between domains in different forests must be explicitly configured.

15.2.1 Creating a Cross-forest Trust between Active Directory and Domain Services for Windows Forests

This section describes how to create a cross-forest trust between Active Directory and DSfW.

In this example, win2003ad.com is the domain name of the Active Directory forest and dsfw.com is the domain name of the DSfW forest.

Configuring the DNS Forwarders on the Domain Services for Windows Server

You need to configure a DNS forwarder on the DSfW DNS server to forward any DNS queries for the Active Directory domain to the Active Directory domain's DNS server.

  • Active Directory domain name: win2003ad.com

  • DSfW domain name: dsfw.com

  1. Open the Novell iManager DNS plug-in.

    1. Click DNS > Zone Management to open the Zone Management window in the main panel.

  2. From the drop-down list select Create Zone, then click OK to open the Create DNS Zone window.

  3. Select Create New Zone and specify the DNS configuration parameters as follows:

    1. Specify the eDirectory context for the zone or browse to select it; that is, the container containing the DNS related objects (in this example, it is OESSystemObjects.dsfw).

    2. Specify a name for the zone; that is, the domain name of the Active Directory forest (in this example, it is win2003ad.com).

    3. Select the Zone Type as Forward.

    4. Select a DNS server from the Assigned Authoritative DNS Server drop-down list. This is the name of the DNS server object. In this example, it is DNS_oes-dc-1.OESSystemObjects.dsfw. This parameter is optional.

    5. Click Create. A message indicates that the new forward zone has been created.

  4. Select Zone Management from the iManager DNS plug-in, then select View/Modify Zone from the drop-down list and click OK.

  5. Select the Active Directory forest's domain zone from the drop-down list, then click OK.

  6. Click Next.

  7. Click Add.

  8. Select the Forward option, then specify the IP address of the Active Directory forest's DNS server (in this example, it is 192.168.1.20). Click Add.

  9. Click Done.

  10. A message indicates that the new secondary zone has been created. Click OK.

  11. Restart DNS by using the rcnovell-named start command.

Configuring the Reverse Lookup Zone Forwarder

You need to configure a DNS reverse lookup zone on the DSfW DNS server for the Active Directory domain.

  1. After selecting Zone Management from the iManager DNS plug-in, select the Create Zone option from the drop-down list. Click OK to open the Create DNS Zone window.

  2. Specify the DNS configuration parameters as follows:

    1. Select the Create IN-ADDR ARPA option as the Zone Type.

    2. Specify the network address. This is the IP address of the Active Directory forest's DNS server (in this example, it is 192.168.1.20).

    3. Select Forward as the Zone Type.

    4. Select a DNS server from the Assigned Authoritative DNS Server drop-down list. This is the name of the DNS server object (in this example, it is DNS_oes-dc-1.OESSystemObjects.dsfw).

    5. Click Create. A message indicates that the zone has been created.

  3. Select Zone Management from the iManager DNS plug-in, then select the View/Modify Zone option from the drop-down list and click OK.

  4. Select the Active Directory forest's reverse lookup zone from the drop-down list, then click OK.

  5. Click Next.

  6. Click Add to add this DNS server object.

  7. Select the Forward option and specify the IP address of the Active Directory forest's DNS server (192.168.1.20 in this example). Click Add, then click Done.

  8. Select Forward List and click Add.

  9. A message indicates that a zone has been created. Click OK.

  10. Verify the DNS configuration by trying to resolve the Active Directory domain and its DNS SRV records using nslookup, as follows:

    nslookup -query=any _ldap._tcp.dc._msdcs.<AD domain name>

    For example:

    # nslookup -query=any _ldap._tcp.dc._msdcs.win2003ad.com
    Server:         192.168.1.10
    Address:        192.168.1.10#53

    Non-authoritative answer:
    _ldap._tcp.dc._msdcs.win2003ad.com service = 0 100 389 osg-dtsrv22.win2003ad.com.

    Authoritative answers can be found from:
    osg-dt-srv22.win2003ad.com internet address = 192.168.1.20
    

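The nslookup check in step 10 can be scripted so that it is repeatable after every DNS change. The following POSIX shell script is an added example and is not part of the OES documentation; it assumes dig(1) from the BIND utilities is present on the DSfW server, uses the chapter's example domain and address, and goes one step further than the manual check by comparing the local answer with what the Active Directory DNS server returns directly.

```shell
#!/bin/sh
# check_ad_dns.sh (added example, not from the OES documentation): confirm
# that the DSfW DNS server resolves the AD forest through the forwarder
# configured above. Assumes dig(1) from BIND utilities is installed.

# is_ipv4 ADDR: succeed if ADDR is a single dotted-quad IPv4 address.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# verify_ad_dns AD_DOMAIN AD_DNS_IP: ask the local resolver (the DSfW DNS
# server) for the DC locator SRV record, resolve each DC it names, and
# compare the answer with what AD_DNS_IP returns directly. An empty SRV
# answer means the forward zone/forwarder is missing or novell-named was
# not restarted; a mismatch means a stale local copy is answering instead
# of the forwarder. Returns 0 only when every check passes.
verify_ad_dns() {
    ad_domain=$1
    ad_dns_ip=$2
    srv="_ldap._tcp.dc._msdcs.${ad_domain}"
    status=0
    srv_answer=$(dig +short -t SRV "$srv")
    if [ -z "$srv_answer" ]; then
        echo "FAIL: no SRV answer for $srv from the local DNS server"
        return 1
    fi
    # dig +short prints each SRV record as: priority weight port target
    for target in $(echo "$srv_answer" | awk '{ print $4 }'); do
        local_ip=$(dig +short -t A "$target")
        remote_ip=$(dig +short -t A "$target" "@${ad_dns_ip}")
        if ! is_ipv4 "$local_ip"; then
            echo "FAIL: $target has no A record via the local DNS server"
            status=1
        elif [ "$local_ip" != "$remote_ip" ]; then
            echo "FAIL: $target is $local_ip locally but $remote_ip on $ad_dns_ip"
            status=1
        else
            echo "OK: $target -> $local_ip (forwarder and $ad_dns_ip agree)"
        fi
    done
    return $status
}

# Usage: sh check_ad_dns.sh win2003ad.com 192.168.1.20
if [ $# -eq 2 ]; then
    verify_ad_dns "$1" "$2"
    exit $?
fi
```

Run it on the DSfW server after the rcnovell-named restart; a FAIL on the SRV lookup points at the forward zone, a FAIL on the address comparison points at stale zone data on the local server.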
Configuring the DNS Forward Lookup Zone on the Active Directory Server

To resolve the DSfW forest from the Active Directory forest, you must either create a forward lookup stub zone or a forwarder on the Active Directory forest's DNS server.

  1. At your Windows management workstation, click Start>Run, enter mmc in the text field and click OK.

    1. Click File>Add/Remove snap-in, click Add and select DNS snap-in, then click Add. Click Close to close the window and then click OK.

    2. Select the Forwarders tab, then click New and add a new forwarder for the DSfW domain. Specify the DSfW domain name and click OK.

    3. Select the new forwarder, specify the IP address of the DNS server of the DSfW domain, then click Add.

    4. Verify the DNS configuration by using nslookup to resolve the DSfW domain and its DNS SRV records, as follows:

      nslookup -query=any _ldap._tcp.dc._msdcs.<DSfW domain name>

  2. Right-click Reverse Lookup Zones, select New Zone.

    1. Select Primary Zone. Deselect the Store the zone in Active Directory option.

    2. Specify the Network IP and click Finish. The zone is now created.

    3. Right-click the newly created zone to create a PTR record and enter the required details.

  3. If the Active Directory domain's Domain Functional Level is not Windows Server 2003, do the following to raise it:

    1. Open Active Directory Domains and Trusts snap-in from the MMC.

    2. Right-click the icon representing the Active Directory domain, select Raise Domain Functional Level from the menu, then set it to Windows Server 2003.

  4. If the Active Directory forest's Forest Functional Level is not Windows Server 2003, do the following to raise it:

    1. Right-click the Active Directory Domains and Trusts snap-in from MMC.

    2. Select Raise Domain Functional Level from the menu and set it to Windows Server 2003.

Creating the Trust

  1. At your Windows management workstation, click Start>Run, enter mmc in the text field and click OK.

  2. Click File>Add/Remove snap-in, click Add and select Active Directory Domains and Trusts snap-in, then click Add.

  3. Click Close, then click OK.

  4. Right-click the DSfW domain, then select Properties.

  5. Select New Trust from the Trusts tab, then click OK.

  6. Click Next to start creating a new trust.

  7. Specify the DNS name (or NetBIOS name) of the Active Directory forest, then click Next.

  8. Select Forest trust, then click Next.

  9. To select the direction of trust, do one of the following:

    • Click Two-way to create a two-way forest trust.

    • Click One-way:incoming to create a one-way incoming forest trust.

    • Click One-way:outgoing to create a one-way outgoing forest trust.

  10. Click Next.

  11. Select Both this domain and the specified domain and click Next.

  12. Specify the user name and password of the Active Directory domain administrator, then click Next.

  13. Select Forest-wide authentication to authorize users to use resources in the local forest or those identified by the administrator, then click Next.

  14. Select Forest-wide authentication to authenticate Active Directory forest users to use resources in the dsfw.com forest or those identified by the administrator, then click Next.

  15. Review the trust settings and complete the creation of trust by clicking Next.

  16. Select Yes or No, depending on whether you want to confirm the outgoing trust now, then click Next.

  17. Select Yes or No, depending on whether you want to confirm the incoming trust now, then click Next.

    NOTE: In Step 16 and Step 17, if you select the Yes option to confirm the trust, ensure that you validate the trust later by selecting the Properties>Validate option.

  18. Complete the trust creation by clicking Finish.

  19. The new domain summary appears in the Trusts page.

Verifying the Trust

To verify that the DNS configuration is correct:

  1. Verify that the Log on to drop-down list in the Login window of a Windows machine that is joined to the Domain Services for Windows domain has an entry for the Active Directory domain.

  2. Try to log on to the Windows machine that is joined to the Domain Services for Windows domain with an Active Directory domain user principal name.

  3. Verify that the Log on to field in the Login window of a Windows machine that is joined to the Active Directory domain has an entry for the Domain Services for Windows domain.

  4. Try to log on to the Windows machine that is joined to the Active Directory domain with a Domain Services for Windows domain user principal name.

For more information, refer to the Microsoft Active Directory documentation.

15.2.2 Shortcut Trusts

DSfW supports shortcut trusts within a tree. The procedure to create and use a shortcut trust is similar to how shortcut trusts are created and used in Microsoft Active Directory. For more information on creating shortcut trusts, refer to the Administering Active Directory Operations Guide.