Share via


Create a Shortcut Trust

Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012

You can use the Active Directory Domains and Trusts snap-in to create shortcut trusts.

Membership in Domain Admins , or Enterprise Admins , or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at https://go.microsoft.com/fwlink/?LinkId=83477.

Creating a shortcut trust

  • Using the Windows interface

  • Using a command line

To create a shortcut trust using the Windows interface

  1. Open Active Directory Domains and Trusts. To open Active Directory Domains and Trusts, click Start , click Administrative Tools , and then click Active Directory Domains and Trusts .

    To open Active Directory Domains and Trusts in Windows ServerĀ® 2012, click Start , type domain.msc .

  2. In the console tree, right-click the domain node for the domain that you want to establish a shortcut trust with, and then click Properties .

  3. On the Trusts tab, click New Trust , and then click Next .

  4. On the Trust Name page, type the Domain Name System (DNS) name (or NetBIOS name) of the domain, and then click Next .

  5. On the Direction of Trust page, do one of the following:

    • To create a two-way shortcut trust, click Two-way .

      Users in this domain and users in the specified domain will be able to use this trust path.

    • To create a one-way incoming shortcut trust, click One-way:incoming .

      Users in the specified domain will not be able to use this trust path.

    • To create a one-way outgoing shortcut trust, click One-way:outgoing .

      Users in this domain will not be able to use this trust path.

  6. Continue to follow the instructions in the wizard.

Additional considerations

  • To perform this procedure, you must be a member of the Domain Admins group or Enterprise Admins group in Active Directory Domain Services (AD DS), or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, search for "using run as" in Help and Support.

  • If you have the appropriate administrative credentials for each domain, you can create both sides of a shortcut trust at the same time by clicking Both this domain and the specified domain on the Sides of Trust page.

Additional references

To create a shortcut trust using a command line

  1. Open a command prompt. To open a command prompt, click Start , click Run , type cmd , and then click OK .

    To open a command prompt in Windows Server 2012, click Start , type cmd , and then click OK .

  2. Type the following command, and then press ENTER:

    netdom trust <TrustingDomainName> /d:<TrustedDomainName> /add
    
Parameter Description

netdom trust

Manages or verifies the trust relationship between domains.

<TrustingDomainName>

Specifies the DNS name (or NetBIOS name) of the trusting domain in the trust that is being created.

/d:

Specifies that the DNS domain name that follows is a trusted domain.

<TrustedDomainName>

Specifies the DNS name (or NetBIOS name) of the domain that will be trusted in the trust being created.

/add

Specifies that a trust be created.

To view the complete syntax for this command, and for information about entering user account information, at a command prompt, type the following command, and then press ENTER:

netdom trust | more

Additional considerations

  • To perform this procedure, you must be a member of the Domain Admins group or Enterprise Admins group in AD DS, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, search for "using run as" in Help and Support. You can verify shortcut trusts, external trusts, and forest trusts, but not realm trusts.

  • You can use other parameters to assign a password or determine the direction of the trust. For example, to make the trust in this procedure a two-way, transitive trust, use the following syntax:

    netdom trust <TrustingDomainName> /d: <TrustedDomainName> /add /twoway
    

Additional references