Create a Realm Trust
Applies To: Windows Server 2008
You can use Active Directory Domains and Trusts to create realm trusts.
Membership in Domain Admins or Enterprise Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).
Creating a realm trust
Using the Windows interface
Using a command line
To create a realm trust using the Windows interface
Open Active Directory Domains and Trusts. To open Active Directory Domains and Trusts, click Start, click Administrative Tools, and then click Active Directory Domains and Trusts.
In the console tree, right-click the domain that you want to administer, and then click Properties.
On the Trusts tab, click New trust, and then click Next.
On the Trust Name page, type the realm name for the target realm, and then click Next.
On the Trust Type page, select the Realm trust option, and then click Next.
On the Transitivity of Trust page, do one of the following:
To form a trust relationship with the domain and the specified realm, click Nontransitive, and then click Next.
To form a trust relationship with the domain and the specified realm and all trusted realms, click Transitive, and then click Next.
On the Direction of Trust page, do one of the following:
To create a two-way, realm trust, click Two-way.
Users in this domain and users in the specified realm will be able to access resources in either domain or realm.
To create a one-way, incoming realm trust, click One-way:incoming.
Users in the specified realm will not be able to access any resources in this domain.
To create a one-way, outgoing realm trust, click One-way:outgoing.
Users in this domain will not be able to access any resources in the specified realm.
Continue to follow the instructions in the wizard.
Additional considerations
- To perform this procedure, you must be a member of the Domain Admins group or Enterprise Admins group in Active Directory Domain Services (AD DS), or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, search for "using run as" in Help and Support.
Additional references
To create a realm trust using a command line
Open a command prompt. To open a command prompt, click Start, click Run, type cmd, and click OK.
Type the following command, and then press ENTER:
netdom trust <TrustingDomainName> /d:<TrustedDomainName> /add /realm /PasswordT:<NewRealmTrustPassword>
Parameter | Description |
---|---|
netdom trust |
Manages or verifies trust relationships between domains. |
<TrustingDomainName> |
Specifies the Domain Name System (DNS) name of the trusting domain in the new realm trust. |
/d: |
Specifies that the DNS domain name that follows is a trusted domain. |
<TrustedDomainName> |
Specifies the DNS name of the domain that will be trusted in the new realm trust. |
/add |
Specifies that a trust be created. |
/realm |
Indicates that the trust is to be created to a non-Windows Kerberos realm. |
/PasswordT: |
Specifies the new trust password. This parameter is valid only if one of the domains specified is a non-Windows Kerberos realm. |
<NewRealmTrustPassword> |
Specifies the trust password for the new realm trust. This password must match the password that is used in the Kerberos realm. |
To view the complete syntax for this command, and for information about entering user account information, at a command prompt, type the following command, and then press ENTER:
netdom trust | more
Additional considerations
To perform this procedure, you must be a member of the Domain Admins group or Enterprise Admins group in AD DS, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, search for "using run as" in Help and Support. You can verify shortcut trusts, external trusts, and forest trusts but not realm trusts.
You can use other parameters to assign a password or determine the direction of the trust. For example, to make the previous trust a two-way, transitive trust, use the following syntax:
netdom trust <TrustingDomainName> /d:<TrustedDomainName> /add /realm /twoway