Automate Forest trust creation


Just a quick note, in case you were not aware: netdom.exe cannot create a forest trust (inbound or outbound). You can, however, automate it with a little PowerShell on top of the System.DirectoryServices.ActiveDirectory (S.DS) namespace, whose Forest class exposes the trust operations. The account running this needs the rights to create forest trusts, i.e. Enterprise Admins (or Domain Admins of the forest root). Creating just our half of the trust:

$targetForestName = "targetForest.local"
$trustPassword    = "PassWord123!23"   # shared secret of the trust; the other side must be created with the same value
$TrustDirection   = "Outbound"         # Inbound | Outbound | Bidirectional, see http://msdn.microsoft.com/en-us/library/system.directoryservices.activedirectory.trustdirection.aspx

$Forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

# Creates only this forest's trustedDomain object (TDO). The administrator of
# $targetForestName creates the other half with the same password and the
# complementary direction; the trust is not usable until both halves exist.
$Forest.CreateLocalSideOfTrustRelationship($targetForestName, $TrustDirection, $trustPassword)

 

Or, if you also hold credentials in the other forest, both sides in one call:


# Context for the target forest, using an account that may create trusts there.
# The hard-coded password below is for illustration only; in practice take it from
# Get-Credential or a vault so it does not end up in the script file or the history.
$DirectoryContextForTargetForest = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext("Forest", "contoso.local", "contoso\administrator", "Password")

$TargetForest = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($DirectoryContextForTargetForest)
$Forest       = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

# Creates the TDO in both forests in one step, so there is no trust password to hand over.
$Forest.CreateTrustRelationship($TargetForest, "Bidirectional")
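The two flows above, wrapped the way I would actually run them, as an added example that is not part of the original post: the trust password comes from the OS CSPRNG instead of a literal, the credentials for the other forest are prompted for instead of being written into the script, and the new trust is read back from the local TDO instead of being assumed. It assumes you run it as an Enterprise Admin of the local forest and that the target forest name resolves from here; 'targetForest.local' and the function names are placeholders of this example, not anything from the post.

```powershell
# Added example, not from the original post. Assumptions: Enterprise Admin in the
# local forest, target forest name resolvable; 'targetForest.local' is a placeholder.

function New-TrustPassword {
    # 64-symbol alphabet so each random byte maps to one symbol without modulo bias;
    # visually similar characters (I, O, i, l, o, 0, 1) are left out.
    param([int]$Length = 32)
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!#%+-=?@$'
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

function Get-TrustReport {
    # Reads the trust back from our own TDO so the script reports what actually exists.
    param(
        [System.DirectoryServices.ActiveDirectory.Forest]$Forest,
        [string]$TargetForestName
    )
    $trust = $Forest.GetTrustRelationship($TargetForestName)
    [pscustomobject]@{
        Source        = $trust.SourceName
        Target        = $trust.TargetName
        Direction     = $trust.TrustDirection
        Type          = $trust.TrustType
        # Forest trusts are created with SID filtering on; this shows whether it still is.
        SidFiltering  = $Forest.GetSidFilteringStatus($TargetForestName)
        SelectiveAuth = $Forest.GetSelectiveAuthenticationStatus($TargetForestName)
    }
}

function New-ForestTrustLocalSide {
    # Our half only. The other forest's administrator runs the same call with the
    # complementary direction (Inbound there for Outbound here) and the same password.
    param(
        [Parameter(Mandatory)][string]$TargetForestName,
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectory.TrustDirection]$Direction,
        [Parameter(Mandatory)][string]$TrustPassword
    )
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $forest.CreateLocalSideOfTrustRelationship($TargetForestName, $Direction, $TrustPassword)
    Get-TrustReport -Forest $forest -TargetForestName $TargetForestName
}

function New-ForestTrustBothSides {
    # Both halves in one call, with an account that can create trusts in the target forest.
    param(
        [Parameter(Mandatory)][string]$TargetForestName,
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectory.TrustDirection]$Direction,
        [Parameter(Mandatory)][pscredential]$TargetCredential
    )
    # The clear-text password leaves the PSCredential only here, for the DirectoryContext.
    $ctxArgs = @(
        [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Forest,
        $TargetForestName,
        $TargetCredential.UserName,
        $TargetCredential.GetNetworkCredential().Password
    )
    $ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext -ArgumentList $ctxArgs
    $targetForest = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ctx)
    $localForest  = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $localForest.CreateTrustRelationship($targetForest, $Direction)
    Get-TrustReport -Forest $localForest -TargetForestName $TargetForestName
}

# Usage, pick one of the two (they are alternatives for the same target forest):
$password = New-TrustPassword
New-ForestTrustLocalSide -TargetForestName 'targetForest.local' -Direction Outbound -TrustPassword $password
# $password is the inter-realm shared secret: hand it to the other forest's admin out of band.

# New-ForestTrustBothSides -TargetForestName 'targetForest.local' -Direction Bidirectional `
#     -TargetCredential (Get-Credential -Message 'Account in targetForest.local')

# Once both halves exist, prove the secure channel works rather than trusting the TDO:
# [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().VerifyOutboundTrustRelationship('targetForest.local')
```

The read-back matters because CreateLocalSideOfTrustRelationship returns nothing on success: checking the direction and the SID filtering status right after creation catches a wrong enum value or a trust that was created as an external rather than a forest trust before the other side starts relying on it.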

 

Hope it helps someone

spat

Comments (1)

  1. Woody says:

    Here’s one I wrote for our environment. We have a bunch of admin forests we create that need trusts with CORP. I don’t have elevated rights in CORP and the AD team does not have any accounts in our admin forest. We have to create one side of the trust and have the AD team create the second side of the trust. Side note, if a one-way trust exists and I need to turn it into a bidirectional, is my only option to delete the trust and recreate or is there some way I can modify it (perhaps something in UpdateLocalSideOfTrustRelationship)?

    cls

    function GetRandomPassword {
        # Builds a $length-character trust password from an alphabet that leaves out
        # easily confused characters (I, O, l, o, 0, ...).
        param
        (
            $length = 16,
            $characters = 'abcdefghkmnprstuvwxyzABCDEFGHKLMNPRSTUVWXYZ123456789'
        )

        $random = 1..$length | ForEach-Object { Get-Random -Maximum $characters.length }
        $private:ofs = ""                      # join the picked characters without a separator
        [String]$characters[$random]
    }

    $localforest = [System.DirectoryServices.ActiveDirectory.Forest]::getCurrentForest()
    $trustpassword = GetRandomPassword
    $trustingdomain = "contoso.com"            # the CORP forest whose admins create the other half

    if ($localforest)
    {
        Write-Host "Connected to Local forest: $($localforest.Name)"

        try
        {
            # Our half of the trust; the CORP half is created later by the AD team with
            # the script generated below, which carries the same $trustpassword.
            $localforest.CreateLocalSideOfTrustRelationship($trustingdomain, "Inbound", $trustpassword)
            Write-Host "CreateTrustRelationship: Succeeded for domain $trustingdomain"
        }
        catch
        {
            Write-Warning "CreateTrustRelationship: Failed for $trustingdomain`n`tError: $($_.Exception.Message)"
        }
    }

    # Template for the CORP-side script. The single quotes keep the $variables and
    # the |PLACEHOLDERS| literal until they are replaced below.
    $scriptoutput = '
    cls

    $localforest = $null
    $trustedforest = "|REPLACENAME|"

    $localforest = [System.DirectoryServices.ActiveDirectory.Forest]::getCurrentForest()

    if ($localforest)
    {
        Write-Host "Connected to Local forest: $($localforest.Name)"

        try
        {
            $localforest.CreateLocalSideOfTrustRelationship($trustedforest, "Inbound", "|REPLACEPASSWORD|")
            Write-Host "CreateTrustRelationship: Succeeded for domain $trustedforest"
        }
        catch
        {
            Write-Warning "CreateTrustRelationship: Failed for $trustedforest`n`tError: $($_.Exception.Message)"
        }

        try
        {
            # Selective authentication: users of the trusted forest can only reach
            # computers on which they were granted Allowed to Authenticate.
            $localforest.SetSelectiveAuthenticationStatus($trustedforest, $true)
            Write-Host "SetSelectiveAuthenticationStatus: Succeeded for domain $trustedforest"
        }
        catch
        {
            Write-Warning "SetSelectiveAuthenticationStatus: Failed for $trustedforest`n`tError: $($_.Exception.Message)"
        }

        try
        {
            # Turns SID filtering off for this trust; forest trusts have it on by default.
            $localforest.SetSidFilteringStatus($trustedforest, $false)
            Write-Host "SetSidFilteringStatus: Succeeded for domain $trustedforest"
        }
        catch
        {
            Write-Warning "SetSidFilteringStatus: Failed for $trustedforest`n`tError: $($_.Exception.Message)"
        }
    }
    else
    {
        Write-Warning "Failed to connect to local forest."
    }
    '

    # Writes the CORP-side script. The trust password lands in this file in clear
    # text, so pass it on through a secured channel and remove the file afterwards.
    $outputfilename = "Create-$($trustingdomain.Split(".")[0])_SideOfTrust.ps1"
    $content = $scriptoutput.Replace("|REPLACENAME|", $localforest.Name).Replace("|REPLACEPASSWORD|", $trustpassword)
    $content | Out-File $outputfilename -Force
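The generated script in the comment above switches SID filtering off on the CORP side of the trust, which is exactly the kind of setting that should be visible in a review. As an added example that is not part of the post or the comment, the following audits every forest trust of the current forest: direction, SID filtering, selective authentication, the domains the trust routes, and whether the outbound secure channel actually verifies. It assumes the rights to read the TDOs and, for the verify step, network access to the other forest's domain controllers; the exception list and the function name are this example's own.

```powershell
# Added example, not from the post or the comment. Assumes rights to read the TDOs;
# VerifyOutboundTrustRelationship also needs to reach the target forest's DCs.
function Get-ForestTrustAudit {
    param(
        # Targets for which SID filtering is knowingly off (e.g. a running migration);
        # any other trust with it off gets a finding. Illustrative parameter.
        [string[]]$SidFilteringExceptions = @()
    )
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

    foreach ($trust in $forest.GetAllTrustRelationships()) {
        $target   = $trust.TargetName
        $findings = New-Object System.Collections.Generic.List[string]

        $sidFiltering  = $forest.GetSidFilteringStatus($target)
        $selectiveAuth = $forest.GetSelectiveAuthenticationStatus($target)

        if (-not $sidFiltering -and $SidFilteringExceptions -notcontains $target) {
            # With SID filtering off, SIDs carried in sIDHistory by principals of the
            # other forest are honoured here, so whoever controls that forest can
            # present a SID that belongs to this one.
            $findings.Add('SID filtering disabled')
        }
        if (-not $selectiveAuth) {
            # Forest-wide authentication: every user of the other forest becomes
            # Authenticated Users here. Selective authentication limits that to
            # computers that grant Allowed to Authenticate.
            $findings.Add('selective authentication off (forest-wide authentication)')
        }

        # Only the outbound part of a trust can be verified from this side; an
        # inbound-only trust has nothing for us to query in the other forest.
        $verified = 'n/a (inbound only)'
        if ($trust.TrustDirection -ne [System.DirectoryServices.ActiveDirectory.TrustDirection]::Inbound) {
            try {
                $forest.VerifyOutboundTrustRelationship($target)
                $verified = 'ok'
            }
            catch {
                $verified = "FAILED: $($_.Exception.Message)"
                $findings.Add('outbound verification failed')
            }
        }

        [pscustomobject]@{
            Source           = $trust.SourceName
            Target           = $target
            Direction        = $trust.TrustDirection
            Type             = $trust.TrustType
            SidFiltering     = $sidFiltering
            SelectiveAuth    = $selectiveAuth
            OutboundVerified = $verified
            # Domains of the other forest that this trust routes, from the forest trust info.
            TrustedDomains   = ($trust.TrustedDomainInformation | ForEach-Object { $_.DnsName }) -join ', '
            Findings         = $findings -join '; '
        }
    }
}

# Usage: the full table first, then only the trusts with something to look at.
Get-ForestTrustAudit | Format-Table Source, Target, Direction, SidFiltering, SelectiveAuth, OutboundVerified -AutoSize
Get-ForestTrustAudit | Where-Object { $_.Findings } | Format-List Target, Direction, TrustedDomains, Findings
```

Run this from both forests after the second half of a trust has been created, since each side only sees its own TDO. On the question raised in the comment: the same Forest class also exposes UpdateLocalSideOfTrustRelationship(targetForestName, newTrustDirection, newTrustPassword) and, when you hold credentials in both forests, UpdateTrustRelationship(targetForest, newTrustDirection), so an existing one-way trust can be changed to bidirectional without deleting it; with the local-side variant the new password has to be set on the other side as well.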
