How to create a two-way Active Directory Trust

In this guide, we shall discuss how to create a two-way Active Directory trust between two domains, contoso.local and fabrikam.local. A two-way trust means that users in each domain can authenticate in the other, so the two domains can share their resources with each other.
Active Directory Trust Port Prerequisites
Network connectivity must be ensured between the domain controllers of all involved domains. In addition, servers and other resources in the Resource domain must be able to communicate with the domain controllers in the Accounts domain.
DNS name resolution must be configured so that domain controllers in each domain can resolve DNS records for the other domain’s Active Directory environment.
- An account that is a member of the Domain Admins group is required in each domain to create and complete a two-way trust.
- Alternatively, an account that is a member of Enterprise Admins (if the domains are in the same forest) has the necessary privileges across all domains in the forest.
- If the domains belong to different forests, credentials with Domain Admin privileges are still required in both forests to create and confirm the trust on each side.

Relevant operational notes:
- A two-way trust requires the creation and confirmation of the trust on both domains.
- Standard user accounts (Domain Users) are not sufficient.
- Custom delegation is theoretically possible, but it is not recommended and is rarely used in production environments because of the added complexity and operational risk.
In conclusion, the minimum and recommended requirement is Domain Admin privileges on both domains (or Enterprise Admin where applicable).

| | contoso.local | fabrikam.local |
|---|---|---|
| AD server name | fab-dc01 – fab-dc02 | fab-dc01 – fab-dc02 |
| AD server NetBIOS name | contoso | fabrikam |
| IP address | 10.0.0.1 – 10.0.0.2 | 10.223.10.14 – 10.223.10.15 |
| O.S. | Windows Server 2019 | Windows Server 2019 |
| DNS server | cont-dc01 – cont-dc02 | fab-dc01 – fab-dc02 |
| DNS IP | 10.223.0.1 – 10.223.0.2 | 10.223.10.14 – 10.223.10.15 |
To begin, we should configure the DNS to allow each respective domain to resolve the other.
Create DNS Conditional forwarders
To do this, we need to create a DNS conditional forwarder on each side so that contoso.local can resolve fabrikam.local and vice versa. We start with contoso.local and then repeat the configuration on fabrikam.local.
Create DNS Conditional forwarder on contoso.local Domain

Verify DNS connectivity

Check DNS resolution

Perform the same configuration on the fabrikam.local domain by creating the DNS conditional forwarder for the contoso.local domain.
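The forwarder and resolution steps above, done from PowerShell instead of DNS Manager. This is an added example, not code from the original guide; it assumes the DnsServer module (DNS Server role or RSAT) on the DNS servers and uses the names and addresses from the table above.

```powershell
# Added example (not from the original guide): conditional forwarders on both sides,
# then a resolution check. IP addresses and names are the ones in the guide's table.
# Requires the DnsServer module and an account that can manage the DNS zones.

# --- On a contoso.local DNS server: forward fabrikam.local to the fabrikam DCs ---
Add-DnsServerConditionalForwarderZone -Name 'fabrikam.local' `
    -MasterServers 10.223.10.14, 10.223.10.15 `
    -ReplicationScope 'Forest'     # store in AD and replicate to every DNS server in the forest

# --- On a fabrikam.local DNS server: forward contoso.local to the contoso DNS servers ---
# (addresses from the guide's "DNS IP" row for contoso.local)
Add-DnsServerConditionalForwarderZone -Name 'contoso.local' `
    -MasterServers 10.223.0.1, 10.223.0.2 `
    -ReplicationScope 'Forest'

# --- Verification, run on each side against the *other* domain ---
# The trust wizard does more than look up the domain name: it locates domain
# controllers through the SRV records under _msdcs, so check those explicitly.
$remote = 'fabrikam.local'    # use 'contoso.local' when running on the fabrikam side
Resolve-DnsName -Name $remote -Type A
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$remote"     -Type SRV
Resolve-DnsName -Name "_kerberos._tcp.dc._msdcs.$remote" -Type SRV

# List the forwarder zones so a mistyped domain name is caught now rather than
# when the trust wizard later reports that the specified domain cannot be contacted.
Get-DnsServerZone | Where-Object { $_.ZoneType -eq 'Forwarder' } |
    Select-Object ZoneName, MasterServers, ReplicationScope
```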
Two-way trust creation
Please, follow the steps below to create a two-way trust:
- Select “Forest trust”.
- Select “Two-way”.
- Select “Both this domain and the specified domain”.
- Use a dedicated domain account for both forests.
- Select “Forest-wide authentication”.
- The trust selections are now complete.


- This domain: contoso.local
- Specified domain: fabrikam.local
- Direction: two-way. Users in the local domain can authenticate in the specified domain, and users in the specified domain can authenticate in the local domain.
- Trust type: forest trust
- Transitive: yes
- Outgoing trust authentication level: forest-wide authentication in the local and specified forests.
- Sides of trust: create the trust for both this domain and the specified domain.
If the trust wizard fails, the DNS conditional forwarder for the source domain (contoso.local) has probably not been created in the target domain (fabrikam.local).

Once the wizard has been successfully completed, you can perform a check.
Validate domains trusted by this domain (outgoing trusts):
- Click Validate.
- Click Yes.
Validate domains that trust this domain (incoming trusts):
- Click Validate.
- Click Yes to proceed.
Recap of the trust

Trust verification via ADUC from both forests
- Change domain.
- Select contoso.local.
If you can access the forest browser, the trust is working correctly.
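The trust creation, validation and recap above, and the verification from both forests, done from PowerShell on a contoso.local domain controller. This is an added example, not code from the original guide; it assumes Domain Admin rights in both forests (the prerequisites above), the RSAT ActiveDirectory module, working conditional forwarders, and a hypothetical fabrikam.local account FABRIKAM\trustadmin.

```powershell
# Added example (not part of the original guide): two-way forest trust created and
# checked from PowerShell. FABRIKAM\trustadmin is a hypothetical account name.

# Credentials for the remote forest; the password is never placed on the command line.
$remoteCred = Get-Credential -Message 'Domain Admin in fabrikam.local (e.g. FABRIKAM\trustadmin)'
$ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext(
    'Forest', 'fabrikam.local',
    $remoteCred.UserName, $remoteCred.GetNetworkCredential().Password)

$localForest  = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()  # contoso.local
$remoteForest = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ctx)     # fabrikam.local

# "Two-way" plus "both this domain and the specified domain": one call creates the
# trust object on both sides, because the remote credentials allow writing fabrikam's.
$dir = [System.DirectoryServices.ActiveDirectory.TrustDirection]::Bidirectional
$localForest.CreateTrustRelationship($remoteForest, $dir)

# Equivalent of the Validate / Yes clicks: verifies the trust secret in both directions
# and throws if either side cannot be contacted or the secrets do not match.
$localForest.VerifyTrustRelationship($remoteForest, $dir)

# Recap of the trust as seen from contoso.local. Beyond Direction and ForestTransitive,
# read the last three properties: the guide chose forest-wide authentication, so
# SelectiveAuthentication is False; SIDFilteringForestAware True means SID history
# from fabrikam.local is filtered by default, which is the expected, safer setting.
Get-ADTrust -Identity 'fabrikam.local' |
    Select-Object Name, Direction, TrustType, ForestTransitive,
                  SelectiveAuthentication, SIDFilteringQuarantined, SIDFilteringForestAware

# The same check from the fabrikam.local side (fab-dc01 is the DC named in the table),
# which is the scripted equivalent of opening ADUC in the other forest.
Get-ADTrust -Identity 'contoso.local' -Server 'fab-dc01.fabrikam.local' -Credential $remoteCred |
    Select-Object Name, Direction, TrustType, ForestTransitive, SelectiveAuthentication

# Secure-channel check to the trusted forest from this DC (returns NERR_Success when fine)
nltest /sc_verify:fabrikam.local
```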

I hope you found this guide on how to create a two-way Active Directory Trust very useful. Please, feel free to leave a comment below.