Penn State Information Technology Services
Independent Active Directory forest trust to the Access Account Kerberos realm

How To: Set Up a Direct Trust


Prerequisites

  1. A functioning Active Directory forest.
  2. An account that is a member of Enterprise Admins.
  3. A domain controller in the forest root domain.
  4. An approved application for a direct trust, and the trust password that Penn State supplies with it. Treat that password as the inter-realm Kerberos key: anyone who holds it can mint cross-realm tickets that your forest will accept for any mapped dce.psu.edu principal, so store it as you would a domain administrator's credential.
  5. Windows Support Tools installed (located on the Windows Server installation CD).

Step 1: Create the Trust

  1. Log on to the domain controller with your Enterprise Admins account.
  2. Click Start -> Run and enter the domain.msc command.
  3. Click <OK>.
     [Screenshot: Active Directory Domains and Trusts window]
  4. Right-click the name of your root domain.
  5. Choose Properties.
  6. Click the Trusts tab.
     [Screenshot: Trust Properties window]
  7. Click <New Trust>.
  8. Click <Next>.
  9. Enter dce.psu.edu in the Name: field.
     [Screenshot: New Trust Wizard - New Trust Name screen]
  10. Click <Next>.
  11. Click the Realm trust radio button. A realm trust is the trust type for a non-Windows Kerberos realm such as dce.psu.edu.
     [Screenshot: New Trust Wizard - Trust Type screen]
  12. Click <Next>.
  13. Click either the Nontransitive or the Transitive radio button. Nontransitive confines the trust to the root domain; click Transitive only if child domains in your forest must also authenticate realm users.
     [Screenshot: New Trust Wizard - Transitivity of Trust screen]
  14. Click <Next>.
  15. Click the One-way: outgoing radio button. Your forest will trust users from dce.psu.edu; the realm does not trust your forest.
     [Screenshot: New Trust Wizard - Direction of Trust screen]
  16. Click <Next>.
  17. Enter the trust password supplied to you. It must match exactly the password Penn State configured on the realm side.
     [Screenshot: New Trust Wizard - Trust Password screen]
  18. Click <Next>.
  19. Click <Next>.
  20. Review the information.
  21. Click <Finish>.
  22. Click <OK>.

Step 2: Setting the KDC Registry entries

  1. Run the Registry file, per the instructions noted in the Setting Up the Registry Entries for the K5 KDCs section of this site. The file records which hosts are the KDCs for the dce.psu.edu realm (the KdcNames value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\dce.psu.edu). Windows has no other way to locate a non-Windows realm's KDC, so until this is done on the domain controllers, and on any other computer that section directs, the trust cannot be used for logons.
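Steps 1 and 2 from the command line, as an added PowerShell example that is not part of the original Penn State page. It assumes an elevated PowerShell prompt on a domain controller in the forest root (the assumed root name corp.example.edu is a placeholder), that netdom.exe and ksetup.exe are available (Support Tools on Windows Server 2003, built in on later versions), that the KDC host name is a placeholder to be replaced with the names from the K5 KDC registry section, and, for the final check, the ActiveDirectory module (Windows Server 2008 R2 or later).

```powershell
# Added example, not from the original page. Run in an elevated PowerShell on a
# domain controller in the forest root domain.
$RootDomain = 'corp.example.edu'        # assumed forest root; replace
$Realm      = 'dce.psu.edu'             # Access Account Kerberos realm (from the page)
$KdcHosts   = @('kdc.realm.invalid')    # placeholder: use the hosts named in the K5 KDC section

# Step 1: one-way outgoing realm trust. /realm creates the trust object only on
# this side (the realm's KDC needs no change); the /d: name is the trusted side.
# /transitive:no keeps child domains out of the trust unless you need them in.
# netdom accepts the password only on its command line, so run this from a
# console rather than a saved script and clear the variable afterwards.
$TrustPassword = Read-Host 'Trust password supplied with your direct-trust approval'
netdom trust $RootDomain /d:$Realm /add /realm /passwordt:$TrustPassword /transitive:no
if ($LASTEXITCODE -ne 0) { throw "netdom failed with exit code $LASTEXITCODE" }
Remove-Variable TrustPassword

# Step 2: register the realm's KDCs. ksetup writes the KdcNames value under
# HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\<realm>, the same
# key the page's registry file populates.
foreach ($kdc in $KdcHosts) { ksetup /addkdc $Realm $kdc }

# Check what was actually written rather than trusting the wizard's summary.
$kerbKey  = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\$Realm"
$kdcNames = (Get-ItemProperty -Path $kerbKey -Name KdcNames).KdcNames
"KDCs registered for ${Realm}: $($kdcNames -join ', ')"

# The trust itself is a trustedDomain object in CN=System of the root domain.
# trustType 3 = MIT (non-Windows Kerberos), trustDirection 2 = outbound,
# trustAttributes bit 0x1 = non-transitive.
Import-Module ActiveDirectory
$sysContainer = "CN=System,$((Get-ADDomain -Identity $RootDomain).DistinguishedName)"
$tdo = Get-ADObject -LDAPFilter "(&(objectClass=trustedDomain)(trustPartner=$Realm))" `
                    -SearchBase $sysContainer `
                    -Properties trustPartner, trustType, trustDirection, trustAttributes
if (-not $tdo) { throw "No trustedDomain object for $Realm; the trust was not created." }
[pscustomobject]@{
    Partner       = $tdo.trustPartner
    IsRealmTrust  = ($tdo.trustType -eq 3)
    IsOutgoing    = ($tdo.trustDirection -eq 2)
    NonTransitive = (($tdo.trustAttributes -band 0x1) -ne 0)
}
```

The three flags in the final object correspond to the Realm trust, One-way: outgoing and Nontransitive choices in the wizard; if any of them is False, the trust was created with a different setting than intended and should be removed (netdom trust ... /remove /realm) and recreated rather than patched by hand.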

Step 3: Creating the Appropriate Skeleton Accounts

NOTE: Your organization must create and maintain a skeleton (or real) account in your forest for every realm user who needs to log in. The name mapping gives the realm principal whatever rights the mapped forest account has, so give skeleton accounts only the group memberships and permissions their owners need.

  1. Log in as a user with privileges to create user accounts.
  2. Click Start -> Run and enter the dsa.msc command.
  3. Click <OK>.
  4. Choose Users.
     [Screenshot: Active Directory Users and Computers window]
  5. Select View -> Advanced Features. The Name Mappings menu item is only shown when Advanced Features is on.
     [Screenshot: Active Directory Users and Computers - Advanced Features window]
  6. Right-click Users.
  7. Choose New -> User.
  8. Fill in the appropriate data and complete the wizard.
  9. After the user is created, right-click the user's name in the right-hand pane.
  10. Choose Name Mappings.
  11. Click the Kerberos Names tab.
     [Screenshot: Name Mappings window]
  12. Click <Add>.
  13. Enter the realm principal as username@dce.psu.edu (for example, xyz123@dce.psu.edu). The dialog stores it on the account's altSecurityIdentities attribute as Kerberos:xyz123@dce.psu.edu; map each principal to only one account.
     [Screenshot: Security Identity Mapping window]
  14. Click <OK>.
  15. Click <OK>.

Test the Configuration

  1. To test the configuration, log on to a computer joined to the forest with the mapped realm principal as the user name (per the above; for example, xyz123@dce.psu.edu) and the Penn State Access Account password. Windows sends the request to the dce.psu.edu KDC, which checks the password; your domain controller then maps the returned principal to the skeleton account.
  2. If you are able to log on successfully, or you receive the message "Local policy of this system does not permit you to log on interactively", then the trust works. That message means authentication at the realm and the name mapping both succeeded and only the local "Allow log on locally" right is missing, which is expected when you test on a domain controller. A "user name or password is incorrect" error, or a complaint that no KDC could be contacted, points at the trust password, the KDC registry entries, or the name mapping instead.
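Step 3 and a check on the result, as an added PowerShell example that is not part of the original Penn State page. It creates the skeleton account and writes the same altSecurityIdentities mapping the Name Mappings dialog writes, refuses to create a duplicate mapping, and lists every realm-mapped account with a flag for membership in a protected admin group. It assumes the ActiveDirectory module (Windows Server 2008 R2 or later); the OU path and the forest name corp.example.edu are placeholders, and xyz123 is the page's example Access Account.

```powershell
# Added example, not from the original page. Run as a user who may create
# accounts in the target OU.
Import-Module ActiveDirectory

$Realm     = 'dce.psu.edu'                                     # from the page
$AccessId  = 'xyz123'                                          # the page's example Access Account
$Principal = "$AccessId@$Realm"
$Mapping   = "Kerberos:$Principal"                             # format the Name Mappings dialog writes
$OU        = 'OU=Penn State Users,DC=corp,DC=example,DC=edu'   # assumed OU; replace

# A realm principal must resolve to exactly one forest account. Refuse to
# create a second mapping for the same principal.
$existing = Get-ADUser -LDAPFilter "(altSecurityIdentities=$Mapping)"
if ($existing) { throw "$Mapping is already mapped to $($existing.SamAccountName)" }

# Skeleton account: the realm KDC checks the Access Account password, so the
# forest password is never typed by the user. Set it to a random value nobody
# knows and do not let the user change it.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$randomPwd = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

New-ADUser -Name $AccessId -SamAccountName $AccessId `
           -UserPrincipalName "$AccessId@corp.example.edu" `
           -Path $OU -AccountPassword $randomPwd -Enabled $true `
           -CannotChangePassword $true -PasswordNeverExpires $true `
           -OtherAttributes @{ altSecurityIdentities = $Mapping }

# Review: every account mapped to the realm, and whether any of them sits in a
# protected (admin) group. The mapping hands the realm user everything the
# forest account can do, so Privileged should normally be False for all rows.
Get-ADUser -LDAPFilter "(altSecurityIdentities=Kerberos:*@$Realm)" `
           -Properties altSecurityIdentities, adminCount |
    Select-Object SamAccountName,
                  @{ n = 'RealmPrincipal'; e = { $_.altSecurityIdentities -match "@$Realm$" } },
                  @{ n = 'Privileged';     e = { $_.adminCount -eq 1 } }
```

After a successful test logon, klist on that workstation should show the ticket-granting ticket issued by the realm to xyz123@DCE.PSU.EDU together with a cross-realm ticket named krbtgt/CORP.EXAMPLE.EDU@DCE.PSU.EDU (with your own forest name in place of the placeholder); that second ticket is the one encrypted under the trust password, and its presence confirms the password on both sides matches.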

The Pennsylvania State University ©2006. All rights reserved.
This site maintained by Academic Services and Emerging Technologies, a unit of Information Technology Services.

Comments and suggestions may be directed to asetcomm@psu.edu.

Last revised: Friday, May 19, 2006.