Microsoft KB Archive/309682

= HOW TO: Set up a One-Way Non-Transitive Trust in Windows 2000 =

PSS ID Number: 309682

Article Last Modified on 4/1/2004


The information in this article applies to:


 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Server
 * Microsoft Windows NT Server




This article was previously published under Q309682



IN THIS TASK

 * SUMMARY
 * Configure a One-way Trust
 * Create a One-Way Trust from a Windows NT 4.0 Domain to a Windows 2000 Domain



== SUMMARY ==
Windows 2000 domains in the same forest share transitive trust relationships with one another. There is an implicit transitive trust between the root domains in each tree in the Windows 2000 forest. A two-way implicit transitive trust also exists between all contiguous domains in a single tree.

There may be times when you need to create explicit trust relationships between domains. One example is a trust between a Microsoft Windows NT 4.0 and a Windows 2000 domain. Windows NT 4.0 cannot participate in transitive trust relationships with Windows 2000 domains. Another example is when you need domains in disparate forests to trust one another.

Windows 2000 allows you to configure one-way transitive trusts between domains. A one-way transitive trust is especially helpful when you want to run Microsoft Proxy Server 2.0 or Microsoft Internet Security and Acceleration (ISA) Server 2000 in a forest outside of the production forest. A one-way trust from the firewall domain to the production domain allows accounts on the internal domain to be trusted by the external domain, but does not allow external domain accounts to be trusted by the production domain. This article describes how you can set up the one-way non-transitive trust between domains.


== Configure a One-way Trust ==
Perform the following steps to configure the one-way trust:
 * 1) On a domain controller in the trusted domain, start the Active Directory Domains and Trusts console.
 * 2) In the Domains that trust this domain pane, click Add.
 * 3) In the Add Trusting Domain dialog box, type the name of the trusting domain, type a password, and then type the password again in the Confirm password box.
 * 4) Click OK.
 * 5) In the Active Directory dialog box, click OK to verify the trust.
 * 6) Enter a user name and password of a user that has permissions to modify trust relationships in the trusting domain.

You receive a message that states that the trusting domain has been added and the trust verified.
 * 7) Quit the Active Directory Domains and Trusts console.
 * 8) On a domain controller in the trusting domain, start the Active Directory Domains and Trusts console.
 * 9) Right-click the trusting domain and click Properties.
 * 10) In the Domains trusted by this domain box, click Add.
 * 11) In the Add Trusted Domain dialog box, type the name of the trusted domain and a password, and then type the password again in the Confirm Password dialog box.
 * 12) Click OK.

NOTE: The DNS infrastructure must be in place so that domain controllers from each domain can find one another. You can configure Windows NT 4.0 domain trusts by using Windows NT 4.0 User Manager for Domains.
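One way to check the result afterwards, as an added example that is not part of the original article: it assumes the trustedDomain objects under CN=System were exported to LDIF (for instance with ldifde) and reads their trustDirection and trustAttributes values. The domain names and sample records are constructed, and treating the FOREST_TRANSITIVE and WITHIN_FOREST bits as the markers of a transitive trust is this example's assumption.

```python
# Added example: audit trust objects from an LDIF export (sample data is constructed).
DIRECTION = {0: "disabled", 1: "inbound", 2: "outbound", 3: "bidirectional"}
ATTR_BITS = {0x1: "NON_TRANSITIVE", 0x8: "FOREST_TRANSITIVE", 0x20: "WITHIN_FOREST"}
TRANSITIVE_BITS = 0x8 | 0x20  # assumption: either bit marks a transitive trust

SAMPLE_LDIF = """\
dn: CN=production.example,CN=System,DC=firewall,DC=example
trustPartner: production.example
trustDirection: 2
trustAttributes: 0

dn: CN=child.firewall.example,CN=System,DC=firewall,DC=example
trustPartner: child.firewall.example
trustDirection: 3
trustAttributes: 32
"""

def parse_ldif(text):
    """Yield one dict (lower-cased attribute -> value) per blank-line-separated record."""
    record = {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if record:
                yield record
                record = {}
        elif ": " in line and not line.startswith((" ", "#")):
            key, value = line.split(": ", 1)
            record[key.strip().lower()] = value.strip()

def audit(ldif_text, expected_direction):
    """Return (partner, direction, flags, problems) per trust record.
    expected_direction: 2 when run against the trusting domain, 1 on the trusted domain."""
    findings = []
    for rec in parse_ldif(ldif_text):
        if "trustpartner" not in rec:
            continue  # not a trustedDomain record
        direction = int(rec.get("trustdirection", "0"))
        attrs = int(rec.get("trustattributes", "0"))
        flags = [name for bit, name in ATTR_BITS.items() if attrs & bit]
        problems = []
        if direction != expected_direction:
            problems.append("direction is %s, expected %s" % (
                DIRECTION.get(direction, "unknown"), DIRECTION[expected_direction]))
        if attrs & TRANSITIVE_BITS:
            problems.append("transitive flag set: " + ", ".join(flags))
        findings.append((rec["trustpartner"], DIRECTION.get(direction, "unknown"), flags, problems))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LDIF, expected_direction=2):
        print(finding)
```

A record with an empty problem list matches the one-way trust this procedure sets up; any other record is a trust to review.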


== Create a One-Way Trust from a Windows NT 4.0 Domain to a Windows 2000 Domain ==

 * 1) Add the Windows NT 4.0 domain as a trusting domain in the Windows 2000 Domains and Trusts console as described in steps 1 to 8 in the preceding section.
 * 2) Start User Manager for Domains on a Windows NT 4.0 domain controller.
 * 3) On the Policies menu, click Trust Relationships.
 * 4) In the Trusted Domains pane, click Add.
 * 5) In the Add Trusted Domain dialog box, type the trusted domain in the Domain box, type a password for the trust in the Password text box, and then click OK.



© 2004 Microsoft Corporation. All rights reserved.