How to convert an External (one way) Trust to a Transitive (two way) trust?

bswhipp

 


Converting an external one-way trust directly into a transitive (i.e., two-way) trust isn’t something you can simply “flip” with a setting change. Instead, you need to essentially re-create the trust relationship with the desired properties. Here’s what you typically need to do:
  • Understand Trust Types:
    External trusts are non-transitive by design and usually connect a domain in one forest to a domain in a different forest (or workgroup) in a one-way fashion. In contrast, transitive trusts (such as forest trusts or inter-domain trusts within the same forest) allow a trust relationship to extend to other trusted domains automatically.
  • Review Your Environment:
    Determine if both domains (or forests) meet the requirements. For forest trusts, both forests must be operating at the Windows 2000 native functional level (or later) and DNS must be properly configured. For domain trusts within the same forest, note that trusts are transitive by default, so you might be working with the wrong type of trust if you’re setting up an external trust between domains that are expected to be two-way.
  • Plan the Conversion:
    Since there’s no “conversion” button, plan to:
      • Document existing trust settings.
      • Remove the current external (one-way) trust on both sides.
      • Configure a new trust with the appropriate transitivity and direction (two-way).
  • Re-create the Trust:
    Use the Active Directory Domains and Trusts snap-in (or PowerShell) on each domain controller to set up the new trust:
      • Right-click your domain, select “Properties,” then go to the “Trusts” tab.
      • Click “New Trust” and follow the wizard to configure a two-way trust.
  • Validate and Test:
    Once the new trust is established, use the “Validate” option in the trust properties to ensure that the relationship is functioning as expected. Also, verify that network connectivity and DNS lookups between the domains are working properly.
  • Post-Conversion Checks:
    Review permissions, SID filtering settings, and any group policies that might be affected by the change in trust.
In summary, you can’t convert an external trust to a transitive trust on the fly — you must remove the existing trust and then set up a new, appropriately-configured trust relationship. If you have further details about your environment (e.g., domain or forest configurations) or run into specific issues during setup, feel free to ask for more targeted guidance.
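As an added example that is not part of the thread or of the reply above, the document / remove / re-create / validate sequence as a PowerShell runbook. It assumes constructed names (local forest root corp.local, partner forest root remote.domain.com, a placeholder partner admin account trustadmin) and the RSAT ActiveDirectory module plus netdom.exe on the DC where it runs.

```powershell
# Added example, not from the thread. Constructed values: local forest root corp.local,
# partner forest root remote.domain.com, placeholder partner admin account trustadmin.
# Requires the RSAT ActiveDirectory module and netdom.exe; run as an Enterprise Admin
# on a DC in the local forest root domain.
$Local   = 'corp.local'
$Partner = 'remote.domain.com'

function Get-TrustSummary([string]$Target) {
    # Project the properties that define the trust type: an external one-way trust
    # shows ForestTransitive=False with Direction Inbound or Outbound; a two-way
    # forest trust shows ForestTransitive=True with Direction BiDirectional.
    Get-ADTrust -Filter "Name -eq '$Target'" -Properties * |
        Select-Object Name, Direction, TrustType, IntraForest, ForestTransitive,
                      SIDFilteringQuarantined, SIDFilteringForestAware, SelectiveAuthentication
}

# 1. Document the existing external trust before removing anything.
$before = Get-TrustSummary $Partner
if (-not $before) { throw "No trust object for $Partner found in $Local" }
$before | Export-Csv -Path ".\trust-$Partner-before.csv" -NoTypeInformation
$before | Format-List

# 2. Remove the external trust. Without /oneside, netdom removes both ends, which is
#    why partner credentials are supplied (/pd:* prompts for the password).
netdom trust $Local "/d:$Partner" /remove "/ud:trustadmin@$Partner" /pd:*

# 3. Create the replacement two-way forest trust with the Active Directory Domains
#    and Trusts wizard on the forest root, then continue here.
Read-Host "Create the two-way forest trust to $Partner in the wizard, then press Enter"

# 4. Prove the new object is a forest trust, not a re-created external one.
$after = Get-TrustSummary $Partner
if ($after.Direction -ne 'BiDirectional' -or -not $after.ForestTransitive) {
    throw "Trust to $Partner is Direction=$($after.Direction), ForestTransitive=$($after.ForestTransitive); not a two-way forest trust"
}

# 5. Validate the secure channel in both directions (the Trusts tab's Validate button, scripted).
netdom trust $Local "/d:$Partner" /verify /twoway

# 6. Post-conversion check: record the SID filtering and selective authentication flags next
#    to the saved baseline. These should only ever change through a deliberate
#    netdom /quarantine or /enablesidhistory decision, so a surprise here is worth chasing now.
$after | Export-Csv -Path ".\trust-$Partner-after.csv" -NoTypeInformation
$after | Select-Object SIDFilteringQuarantined, SIDFilteringForestAware, SelectiveAuthentication | Format-List
```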
 


I cannot locate (ping) the domain they have a trust with. All trusts are transitive. Do I need to add a conditional Forwarder?
 


Hi bswhipp,

In a nutshell, if you can’t resolve (or ping) the domain you’re trying to establish a trust with, DNS is likely the culprit. Let’s break it down:

• External Trusts vs. Forest Trusts
  External trusts are by design one-way and non-transitive. Even though you might think “all trusts are transitive” in some contexts, a forest trust (which is transitive) isn’t just a configuration change on an external trust—you’d have to tear down the external trust and establish a new forest trust. Note that forest trusts require both domains to be running at least Windows Server 2003 and properly configured as distinct forests.

• DNS Resolution is Critical
  If you can’t ping the partner domain, it probably means that the domain name isn’t resolving. Trust relationships (whether external or forest) heavily depend on DNS. Without proper name resolution between partner domains, even if you were to recreate the trust as a forest trust, you’d face connectivity issues.

• Do You Need a Conditional Forwarder?
  Yes, if your DNS isn’t aware of the partner domain. A conditional forwarder directs queries for a specific domain (e.g. remote.domain.com) to the appropriate DNS server(s) in the trusted environment.
  Steps:
  1. Open your DNS Manager on the Domain Controller.
  2. Right-click on “Conditional Forwarders” and choose “New Conditional Forwarder.”
  3. Enter the FQDN of the partner domain and specify the IP address(es) of their DNS server(s).
  4. Test name resolution again (e.g. using nslookup).

Once DNS is sorted, if your goal is indeed a transitive (forest) trust, you’ll have to remove the current external trust and re-create it as a forest trust on both sides. This is because you can’t simply toggle an external trust into a transitive one.

Hope this clears things up. Feel free to ask if you have any more questions or need further guidance!

Cheers,
ChatGPT
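As an added example (not part of either reply), the conditional forwarder step scripted and then checked the way trust creation will actually exercise it. It assumes constructed values for the partner zone (remote.domain.com, the name used in the reply above) and its DNS servers (10.10.0.10 and 10.10.0.11), and the DnsServer module on a local DC that also runs DNS.

```powershell
# Added example, not from the thread. Constructed values: partner zone remote.domain.com,
# partner DNS servers 10.10.0.10 and 10.10.0.11. Requires the DnsServer module; run on a
# DC that also runs DNS in your own forest.
$PartnerZone = 'remote.domain.com'
$PartnerDns  = @('10.10.0.10', '10.10.0.11')

function Test-PartnerDcLocator([string]$Zone) {
    # Trust creation and cross-forest logons do not query the zone apex; they ask for the
    # DC locator SRV records. Returns the partner DC host names found, or an empty array.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Zone" -Type SRV -DnsOnly -ErrorAction SilentlyContinue
    @($srv | Where-Object Type -eq 'SRV' | Select-Object -ExpandProperty NameTarget)
}

# 1. Baseline: with no forwarder, the partner's DC locator records should be absent.
if ((Test-PartnerDcLocator $PartnerZone).Count -eq 0) {
    Write-Host "No DC locator records for $PartnerZone yet; adding a conditional forwarder."
}

# 2. Check that each partner DNS server really answers for the zone before pointing a
#    forwarder at it; a forwarder aimed at a dead or filtered server only hides the fault.
foreach ($srv in $PartnerDns) {
    $soa = Resolve-DnsName -Name $PartnerZone -Type SOA -Server $srv -DnsOnly -ErrorAction SilentlyContinue
    if (-not $soa) { throw "$srv returned no SOA for $PartnerZone (check reachability and TCP/UDP 53)" }
}

# 3. Create the forwarder as an AD-integrated zone so every DC/DNS server in the forest
#    replicates it instead of each one being configured by hand.
if (-not (Get-DnsServerZone -Name $PartnerZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $PartnerZone -MasterServers $PartnerDns -ReplicationScope 'Forest'
}

# 4. Re-test through the local resolver (no -Server) so the check exercises the forwarder path.
Clear-DnsClientCache
$dcs = Test-PartnerDcLocator $PartnerZone
if ($dcs.Count -eq 0) { throw "Forwarder exists but DC locator records for $PartnerZone still do not resolve" }
"Partner DCs advertised: $($dcs -join ', ')"

# 5. Final check with the DC locator itself, which is what the New Trust wizard and logons use.
nltest "/dsgetdc:$PartnerZone"
```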
 


Solution
Hi there, bswhipp,
Your summary is right on target. To expand a bit:
DNS Resolution is the Foundation
If you can’t even ping or perform an nslookup on the partner domain, that’s your first red flag. Trusts—whether external or forest—rely entirely on proper DNS name resolution. Even if you have everything else set up correctly, connectivity will fail if the domain names aren’t resolving properly.
External vs. Forest Trusts
External trusts are inherently one-way and non-transitive. On the other hand, forest trusts are designed to be two-way (transitive) but aren’t just a configuration tweak—you’ll need to tear down the current external trust and re-establish it as a forest trust. Keep in mind that both domains must be running Windows Server 2003 or later and be structured as separate forests with appropriate domain functional levels.
Setting up Conditional Forwarders
If DNS isn’t resolving the partner domain's queries, a conditional forwarder is often the fix:
  • Open DNS Manager on your Domain Controller.
  • Right-click on Conditional Forwarders and select New Conditional Forwarder.
  • Enter the FQDN of the partner domain and add the IP address of their DNS server(s).
  • Verify with nslookup to ensure proper name resolution.
The Transition Process
Once you’ve confirmed that DNS is working correctly between the domains, follow these steps:
  • Remove the Existing External Trust: Since you can’t simply “switch” the trust type, you’ll need to delete the current external trust on both sides.
  • Create a New Forest Trust: Using the Active Directory Domains and Trusts snap-in, set up a forest trust. Ensure you use credentials with the right permissions on both ends.
  • Validate the Trust: After establishing the forest trust, test the connection to confirm that both domains can authenticate resources seamlessly.
Ultimately, the key here is that the trust’s transitivity isn’t a property you can toggle—it’s defined by the trust type. So if a two-way trust is your goal, re-establishing it as a forest trust is the necessary path forward.
Hope this helps clear things up. Let me know if you run into any snags or have more questions!
Cheers,
ChatGPT
 


You're welcome, bswhipp! Glad to hear that everything is all set with your trust conversion. If you run into any more questions in the future, don't hesitate to ask. Happy configuring!
 

