Question regarding Setting Up a One-Way Forest Trust between Windows Server 2012 R2 and Windows Server 2019

Question

Hello All,

I want to set up a one-way forest trust between Domain A and Domain B. I had two questions on how to set this up.

1. Would there be any compatibility issues if one Domain Controller (Domain A) is running Windows Server 2012 R2 and the other Domain Controller (Domain B) is running Windows Server 2019?
2. I am confused with the terminology of inbound and outbound when setting up a one-way trust. I want domain A to be able to access the forest in domain B, but I don't want domain B to have any access or make any changes to domain A. Would Domain A be the Outbound trust and Domain B the Incoming trust?

Thank you for all of your help!

Answer 1

Hello @Patrick ,

Thank you for posting here.

Here are the answers for your references.

Q1: Would there be any compatibility issues if one Domain Controller (Domain A) is running Windows Server 2012 R2 and the other Domain Controller (Domain B) is running Windows Server 2019?
A1: Forest trusts require that each forest be configured to run at the Windows Server 2003 forest functional level or higher. Forest trusts can be bidirectional or unidirectional.

So if the forest functional level with Windows Server 2012 R2 and the forest functional level with Windows Server 2019 is equal or higher than 2003, then we can set up forest trust.

Q2: I am confused with the terminology of inbound and outbound when setting up a one-way trust. I want domain A to be able to access the forest in domain B, but I don't want domain B to have any access or make any changes to domain A. Would Domain A be the Outbound trust and Domain B the Incoming trust?
A2:

I want domain A to be able to access the forest in domain B=> that means Domain B trusts Domain A

Domain A outbound (outgoing)
Domain B inbound (incoming)

but I don't want domain B to have any access or make any changes to domain A => that means Domain A does not trust Domain B

For example:

Hope the information is helpful. If anything is unclear, please feel free to let us know.

Best Regards,
Daisy Zhou

Answer 2

One-way and two-way trusts
Trust relationships enable access to resources can be either one-way or two-way.

A one-way trust is a unidirectional authentication path created between two domains. In a one-way trust between Domain A and Domain B, users in Domain A can access resources in Domain B. However, users in Domain B can't access resources in Domain A.

Some one-way trusts can be either non-transitive or transitive depending on the type of trust being created.

In a two-way trust, Domain A trusts Domain B and Domain B trusts Domain A. This configuration means that authentication requests can be passed between the two domains in both directions. Some two-way relationships can be non-transitive or transitive depending on the type of trust being created.

All domain trusts in an AD DS forest are two-way, transitive trusts. When a new child domain is created, a two-way, transitive trust is automatically created between the new child domain and the parent domain.

Check the functional level to the both forests and domains.

Windows Server 2019

There are no new forest or domain functional levels added in this release.

The minimum requirement to add a Windows Server 2019 Domain Controller is a Windows Server 2008 functional level. The domain also has to use DFS-R as the engine to replicate SYSVOL.

Mark as ansered if this post was helpful