How to establish trust between two AD domain which are on azure VM – Test lab senario

How to establish trust between two AD domain which are on azure VM?

you are here that means i am sure you must be looking solution to setup trust between two domain which are set up on azure for testing purpose.  i am going to explain step by step process to enable the trust between two ad domain.

Before you start – Considerations

1> you have two azure VM in same Vnet, no matter if they are in different resource group.

2> you must have 2 AD domain setup on azure VM (or may be on premises is also fine as far as you just want to setup trust). you must have domain admin credentials for both domains.

3> Ad domain  name can be .local

My LAb detail –  

1> i have 1 azure subscription with one Vnet and two resource group (2008AD and 2012AD), each VM is created in different resource group as below

VM name

Domain Vnet Resource group


AD2012.local AD


AD2008 AD2008.local AD


Lets get started – 

Step 1 – login to AD2008 and AD2012 VM’s and Make sure you have DNs conditional forwards set on both domain DNS to resolve each others record

Check if the target domain name getting resolved

Step 2 – Lets login to AD2008 and open active directory domain and trust” ->  right click on domain name and go to properties

step 3- Go to Trusts tab -> click on “New Trust”

step 4 – Enter the target domain name (FQDN)

step 5 – Select “trust type” base on your requirement , in our setup i am selecting forest trust..  please have look at – Windows Active directory Trust type and difference.

step 6 – Select trust direction , in our case we are selecting two way

Two-Way -> both domain/forest allow to access resources from each other

One-Way incoming ->user from this domain can access resources of target domain

One-Way Outgoing->user from target domain can access resources of this domain

step 7 – Select Sides of trust, if you select Both side then the trust will get created in both forest/domain but in that case you must have credentials of target domain/forest as well.

Step 8 – if you have selected both side then you must have to enter target AD credentials and then click on Next – >  then select authentication level for local forest

Forest-wide -> authentication all user for all resources over the trust

Selective – authentication selective users for any resources you you have to grant individual access to each domain and server after completion of this wizard

step 9 – select authentication level for target forest -> review all input and Finish.

Your lab is ready to do further testing like  How to sync on-premises Active Directory to Azure Active Directory with Azure AD Connect?


(Visited 1,295 times, 1 visits today)
One Comment

Add a Comment