Microsoft Document is suck...
This is another better testing procedure I found on the web.
1. On all DC's failure auditing must be enabled:
--> Policy -> Computer configuration -> windows settings -> security policy -> local policy -> auditing policy -> Audit Accountmanagement (failure and success)
2. On the destination and the source DC the following group policy should be configured simmilar:
--> Policy -> Computer configuration -> windows settings -> security policy -> local policy -> security options -> Network Security: LAN Manager Authentication
3. Both Domain Admins should be member of the BuiltIn Group Administrators in the other domain
4. Set the registry key hkey_local_machine\system\currnetcontrolset\control\lsa\tcpipclientsupport to 1 on the source dc
5. Disable SID Filtering with netdom.exe and commandline
-->On target dc:
netdom trust {FQDN of target domain} /domain:{FQDN of source domain} /enablesidhistory:yes
netdom trust {FQDN of target domain} /domain:{FQDN of source domain} /quarantine:no
-->On source dc:
netdom trust {FQDN of source domain} /domain:{FQDN of target domain} /enablesidhistory:yes
netdom trust {FQDN of source domain} /domain:{FQDN of target domain} /quarantine:no
6. On the source DC create a local security group in the domain
--> Name: NetBiosNameoftheDomain$$$$ for examble: subdomain$$$
7. gpupdate /force on both domains
8. Add the Domain Admins global group from the target domain to the Administrators local group in the source domain.
9. Test the trust in AD Domains and Trusts
No comments:
Post a Comment