Just a quick note: In case you were not aware – netdom.exe cannot create a Forest trust (inbound or outbound). But you can leverage the S.DS namespace to automate this with a little powershell:
$targetForestName = "targetForest.local"
$trustPassword = "PassWord123!23"
$TrustDirection = "Outbound" # see http://msdn.microsoft.com/en-us/library/system.directoryservices.activedirectory.trustdirection.aspx
$Forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$Forest.CreateLocalSideOfTrustRelationship($targetForestName,$TrustDirection,$trustPassword)
or both sides:
$DirectoryContextForTargetForest = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext("Forest","contoso.local","contoso\administrator","Password")
$TargetForest = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($DirectoryContextForTargetForest)
$Forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$Forest.CreateTrustRelationship($TargetForest,"Bidirectional")
Hope it helps someone
spat
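Once one or both sides have been created, the same Forest class can confirm that the trust object exists and that the outbound leg actually works. The following is an added example, not code from the post above; it assumes a trust to "targetForest.local" (a placeholder, as in the post) has already been created from this side:

```powershell
# Added example, not part of the original post. Assumes a trust to the forest
# named in $targetForestName has already been created from this side
# ("targetForest.local" is a placeholder, as in the post).
$targetForestName = "targetForest.local"
$Forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

# GetTrustRelationship throws ActiveDirectoryObjectNotFoundException when no
# trust object for that forest exists on the local side.
try {
    $trust = $Forest.GetTrustRelationship($targetForestName)
    "Trust {0} -> {1}: Type={2}, Direction={3}" -f $trust.SourceName, $trust.TargetName, $trust.TrustType, $trust.TrustDirection
}
catch [System.DirectoryServices.ActiveDirectory.ActiveDirectoryObjectNotFoundException] {
    Write-Warning "No trust with $targetForestName exists on $($Forest.Name)"
    return
}

# VerifyOutboundTrustRelationship only applies when the local side is outbound
# (or bidirectional); an inbound-only trust has nothing to verify from here.
if ($trust.TrustDirection -eq 'Inbound') {
    Write-Host "Trust with $targetForestName is inbound only; verify it from the other forest."
    return
}

# The check exercises the secure channel and the trust password. It throws while
# only one side of the trust exists, or when the two sides were created with
# different passwords, which is the usual failure after running
# CreateLocalSideOfTrustRelationship on one side only.
try {
    $Forest.VerifyOutboundTrustRelationship($targetForestName)
    Write-Host "Outbound trust to $targetForestName verified OK"
}
catch {
    Write-Warning "Outbound trust to $targetForestName failed verification: $($_.Exception.Message)"
}
```

Run it in the forest whose side you created; until the partner forest has created its side with the same password, the verification step is expected to fail, so a warning there is not by itself a configuration error.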
Here’s one I wrote for our environment. We have a bunch of admin forests we create that need trusts with CORP. I don’t have elevated rights in CORP and the AD team does not have any accounts in our admin forest. We have to create one side of the trust and have the AD team create the second side of the trust. Side note, if a one-way trust exists and I need to turn it into a bidirectional, is my only option to delete the trust and recreate or is there some way I can modify it (perhaps something in UpdateLocalSideOfTrustRelationship)?
cls
function GetRandomPassword {
    param
    (
        $length = 16,
        $characters = 'abcdefghkmnprstuvwxyzABCDEFGHKLMNPRSTUVWXYZ123456789'
    )
    # pick $length random indexes into $characters and join the chars with an empty separator
    $random = 1..$length | ForEach-Object { Get-Random -Maximum $characters.length }
    $private:ofs=""
    [String]$characters[$random]
}

$localforest=[System.DirectoryServices.ActiveDirectory.Forest]::getCurrentForest()
$trustpassword = GetRandomPassword
$trustingdomain = "contoso.com"

# create our side of the trust (inbound from CORP)
if ($localforest)
{
    Write-Host "Connected to Local forest: $($localforest.Name)"
    try
    {
        $localforest.CreateLocalSideOfTrustRelationship($trustingdomain,"Inbound",$trustpassword)
        Write-Host "CreateTrustRelationship: Succeeded for domain $trustingdomain"
    }
    catch
    {
        Write-Warning "CreateTrustRelationship: Failed for $trustingdomain`n`tError: $($($_.Exception).Message)"
    }
}

# template for the script the AD team runs on their side; single-quoted so the
# $ variables are not expanded here, the placeholders are filled in below
$scriptoutput = @('
cls
$localforest = $null
$trustedforest = "|REPLACENAME|"
$localforest=[System.DirectoryServices.ActiveDirectory.Forest]::getCurrentForest()
if ($localforest)
{
    Write-Host "Connected to Local forest: $($localforest.Name)"
    try
    {
        $localforest.CreateLocalSideOfTrustRelationship($trustedforest,"Inbound","|REPLACEPASSWORD|")
        Write-Host "CreateTrustRelationship: Succeeded for domain $trustedforest"
    }
    catch
    {
        Write-Warning "CreateTrustRelationship: Failed for $trustedforest`n`tError: $($($_.Exception).Message)"
    }
    try
    {
        $localforest.SetSelectiveAuthenticationStatus($trustedforest,$true)
        Write-Host "SetSelectiveAuthenticationStatus: Succeeded for domain $trustedforest"
    }
    catch
    {
        Write-Warning "SetSelectiveAuthenticationStatus: Failed for $trustedforest`n`tError: $($($_.Exception).Message)"
    }
    try
    {
        $localforest.SetSidFilteringStatus($trustedforest,$false)
        Write-Host "SetSidFilteringStatus: Succeeded for domain $trustedforest"
    }
    catch
    {
        Write-Warning "SetSidFilteringStatus: Failed for $trustedforest`n`tError: $($($_.Exception).Message)"
    }
}
else
{
    Write-Warning "Failed to connect to local forest.`n`tError: $($($_.Exception).Message)"
}
')

$outputfilename = "Create-$($trustingdomain.Split(".")[0])_SideOfTrust.ps1"
$content = $scriptoutput.Replace("|REPLACENAME|",$localforest.Name).replace("|REPLACEPASSWORD|",$trustpassword)
$content | Out-File $outputfilename -Force
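The generated script above turns selective authentication on and SID filtering off for the new trust. Both are settings an auditor later wants to be able to see across every trust of a forest, since SID filtering disabled means SID history from the other forest is honoured and selective authentication disabled means any authenticated user of the other forest can authenticate to resources here. The following is an added example, not the commenter's script, that reads those settings for all trusts of the current forest through the same Forest class; it assumes only that it runs with an account able to read trust information in the local forest:

```powershell
# Added example, not the commenter's script. Lists every trust of the current
# forest with the two settings the generated script changes: SID filtering and
# selective authentication. Assumes an account that can read local trust info.
$Forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

$report = foreach ($trust in $Forest.GetAllTrustRelationships()) {
    $target = $trust.TargetName

    # The status calls throw if the trust object cannot be read; record $null
    # rather than abort so the rest of the report is still produced.
    try   { $sidFiltering = $Forest.GetSidFilteringStatus($target) }
    catch { $sidFiltering = $null }
    try   { $selectiveAuth = $Forest.GetSelectiveAuthenticationStatus($target) }
    catch { $selectiveAuth = $null }

    [pscustomobject]@{
        TargetForest            = $target
        TrustType               = $trust.TrustType
        Direction               = $trust.TrustDirection
        SidFilteringEnabled     = $sidFiltering
        SelectiveAuthentication = $selectiveAuth
    }
}

$report | Format-Table -AutoSize

# Warn on the combinations worth reviewing: SID filtering off, or selective
# authentication off (a trust whose status could not be read is left as $null
# and reported separately so it is not mistaken for a safe setting).
foreach ($row in $report) {
    if ($null -eq $row.SidFilteringEnabled -or $null -eq $row.SelectiveAuthentication) {
        Write-Warning "Could not read trust settings for $($row.TargetForest); check manually."
    }
    elseif (-not $row.SidFilteringEnabled -or -not $row.SelectiveAuthentication) {
        Write-Warning "Review trust with $($row.TargetForest): SidFiltering=$($row.SidFilteringEnabled) SelectiveAuth=$($row.SelectiveAuthentication)"
    }
}
```

On the direction question raised in the comment: the same Forest class exposes UpdateLocalSideOfTrustRelationship(targetForestName, newTrustDirection, newTrustPassword) and UpdateTrustRelationship(targetForest, newTrustDirection), which change the direction of an existing trust without deleting it; the first is the one-sided counterpart of CreateLocalSideOfTrustRelationship and needs the partner forest to make the matching change with the same password.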