Setting up a Domain Trust to the UW Windows Infrastructure
To complete this process, you'll need to have the following:
- Access to a user account in your local domain/forest that is a member of the Domain Admins or Enterprise Admins group
- A nearby telephone (for security reasons, we won't send the trust relationship passwords through e-mail)
- Approximately 20 minutes of free time
To create a one-way, outgoing, external trust for one side of the trust
- Open the Active Directory Domains and Trusts administrative tool.
- In the console tree, right-click the domain that you want to establish a trust with, and then click Properties.
- On the Trusts tab, click New Trust, and then click Next.
- On the Trust Name page, type the DNS name of the domain, and then click Next. For the UW Windows Infrastructure, you'll enter: netid.washington.edu.
- On the Trust Type page, click External trust, and then click Next.
- On the Direction of Trust page, click One-way: outgoing, and then click Next.
- On the Sides of Trust page, click This domain only, and then click Next.
- On the Outgoing Trust Authentication Level page, choose either Domain-wide authentication or Selective authentication, and then click Next.
- On the Trust Password page, carefully type the trust password twice, and then click Next. (The UW Technology engineer will provide you with this password over the phone.)
- On the Trust Selections Complete page, review the results, and then click Next.
- On the Trust Creation Complete page, review the results, and then click Next.
- On the Confirm Outgoing Trust page, click Yes, confirm the outgoing trust. The new trust will be confirmed and verified. UW Technology cannot verify the trust without a domain admin account and password in your domain.
- On the Completing the New Trust Wizard page, click Finish.
Once you have completed these steps, please inform the UW Technology engineer so we know that the process is complete. After that, your trust relationship should be working. You can now utilize UW Windows user accounts as you would a normal local domain user account.
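The following PowerShell is an added example, not part of this page and not a UW Technology script. It does from a shell what the wizard steps above do by hand (create only the local, outgoing side of an external trust, optionally with selective authentication) and then reads back the trust's type, direction and selective-authentication state and runs an outbound verification, so you can confirm the settings you chose in the wizard. It assumes you run it as a Domain Admin in your own (trusting) domain, that the trust password has been given to you by phone and is typed at the prompt rather than stored anywhere, and that the ActiveDirectory RSAT module is present. The only domain name it uses is netid.washington.edu from the page.

```powershell
# Added example: scripted equivalent of the New Trust wizard steps, plus verification.
# Assumes: Domain Admin in the trusting domain, RSAT ActiveDirectory module installed,
# trust password obtained by phone from the UW Technology engineer and typed at the prompt.
Import-Module ActiveDirectory

$TrustedDomain = 'netid.washington.edu'   # the UW Windows Infrastructure domain named on the page

function New-OutgoingExternalTrust {
    param(
        [Parameter(Mandatory)] [string] $Target,
        [switch] $SelectiveAuthentication     # wizard: "Selective authentication"
    )
    # Wizard step "Trust Password": read it interactively; never put it in a script or e-mail.
    $secure = Read-Host -Prompt "Trust password (given by the UW Technology engineer by phone)" -AsSecureString
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try     { $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

    # Wizard steps "This domain only" + "One-way: outgoing": create only our side, outbound.
    # The .NET API creates an external (non-transitive) trust, matching the "External trust" choice.
    $local = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $local.CreateLocalSideOfTrustRelationship(
        $Target,
        [System.DirectoryServices.ActiveDirectory.TrustDirection]::Outbound,
        $plain)
    Remove-Variable plain   # drop the clear-text copy as soon as it has been used

    if ($SelectiveAuthentication) {
        $local.SetSelectiveAuthenticationStatus($Target, $true)
    }
}

function Test-OutgoingExternalTrust {
    param([Parameter(Mandatory)] [string] $Target)
    $local = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $info  = $local.GetTrustRelationship($Target)
    $result = [ordered]@{
        Source        = $info.SourceName
        Target        = $info.TargetName
        Type          = $info.TrustType        # expect External
        Direction     = $info.TrustDirection   # expect Outbound
        SelectiveAuth = $local.GetSelectiveAuthenticationStatus($Target)
        Verified      = $false
        Error         = $null
    }
    try {
        # Same check the wizard performs on the "Confirm Outgoing Trust" page.
        $local.VerifyOutboundTrustRelationship($Target)
        $result.Verified = $true
    } catch {
        $result.Error = $_.Exception.Message
    }
    [pscustomobject]$result
}

# Usage (run in your own domain):
#   New-OutgoingExternalTrust -Target $TrustedDomain -SelectiveAuthentication
#   Test-OutgoingExternalTrust -Target $TrustedDomain | Format-List
```

Verification fails with a reported error until the other side of the trust exists, which is why the page asks you to inform the UW Technology engineer once your side is done; re-run the test after that. If you chose Domain-wide authentication in the wizard, expect SelectiveAuth to read False.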
Configuration Settings
At this time, you may want to review the group policies of the netid.washington.edu forest to ensure that your local configuration settings are compatible. Pay special attention to the LMCompatibilityLevel (known in group policy as Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network Security\Network Security: LAN Manager authentication level). UWWI policy only allows NTLMv1, NTLMv2, or Kerberos authentication. If your computer(s) don't allow and negotiate these authentication protocols (because they are configured not to, or have support issues that prohibit their use), then you will be unable to successfully authenticate and use the user accounts.
You can read more about this at:
- What should my LmCompatibilityLevel settings be?
- I can log in on some computers but not others. Why is this happening?
- I can log in with my UWWI user account, but I can't access resources on a server even though I've granted that account access. What's wrong?
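The following PowerShell is an added example, not from this page. It inventories the effective LAN Manager authentication level on a set of your computers so you can spot the mismatch the paragraph above warns about. The group-policy setting the page names is stored under the Lsa registry key as the LmCompatibilityLevel value, and the meanings of levels 0 to 5 are Microsoft's documented ones. The script separates what a computer sends as a client (an NTLMv1-capable response at levels 0 to 2, NTLMv2 only at 3 and up) from what it refuses as a server (LM at level 4, LM and NTLM at level 5), because the second half is what usually explains "I can log in but can't reach a server". Computer names and WinRM reachability are assumptions.

```powershell
# Added example: audit LmCompatibilityLevel across domain computers (not a UW Technology script).
# Assumes: PowerShell remoting (WinRM) is enabled on the remote computers and you have admin rights there.

# Documented meanings of the LAN Manager authentication level.
$LevelMeaning = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM; use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only; refuse LM'
    5 = 'Send NTLMv2 response only; refuse LM & NTLM'
}

# Runs on each target; returns the raw value or $null when the policy has never been set
# (the OS default then applies, which differs by Windows version).
$ReadLevel = {
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $item = Get-ItemProperty -Path $key -Name LmCompatibilityLevel -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Level        = if ($null -ne $item) { [int]$item.LmCompatibilityLevel } else { $null }
    }
}

function Get-LmCompatibilityReport {
    param([string[]] $ComputerName = @($env:COMPUTERNAME))   # constructed default: local machine
    foreach ($name in $ComputerName) {
        $raw = if ($name -ieq $env:COMPUTERNAME) { & $ReadLevel }
               else { Invoke-Command -ComputerName $name -ScriptBlock $ReadLevel }
        $lvl = $raw.Level
        [pscustomobject]@{
            ComputerName    = $raw.ComputerName
            Level           = $lvl
            Meaning         = if ($null -eq $lvl) { 'Not set (OS default applies)' } else { $LevelMeaning[$lvl] }
            # As a client: UWWI accepts NTLMv1 and NTLMv2, so every explicit level can authenticate.
            ClientSends     = if ($null -eq $lvl) { 'Unknown' } elseif ($lvl -le 2) { 'NTLMv1-capable' } else { 'NTLMv2 only' }
            # As a server: a level-5 resource server refuses NTLMv1 from level 0-2 clients.
            ServerRefuses   = if ($null -eq $lvl) { 'Unknown' } elseif ($lvl -eq 4) { 'LM' } elseif ($lvl -eq 5) { 'LM, NTLM' } else { 'Nothing' }
        }
    }
}

# Usage: the names below are constructed placeholders.
# Get-LmCompatibilityReport -ComputerName 'LAB-PC01','LAB-PC02','FILESRV01' | Format-Table -AutoSize
```

Rows where Level is empty deserve attention first: the policy is not enforced there, so the behaviour depends on the Windows version rather than on your GPO. A server row with ServerRefuses set to "LM, NTLM" paired with client rows marked NTLMv1-capable is the combination behind the third linked question above.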
About Selective Authentication
By choosing 'selective authentication', users from the trusted domain are not members of the dynamic 'Authenticated Users' group. Administrators must explicitly grant the 'allowed to authenticate' permission on the AD computer object to the users/groups in the trusted domain for each computer object you want to allow those users to log in to. While this can be a great option to limit where UW NetIDs can be used, such as a scenario where a student lab should have UW NetID access (but the rest of the domain shouldn't), it does come with the cost of needing to explicitly allow their use on each individual computer.
The Windows Server TechCenter has a great description of how to do that:
Grant the Allowed to Authenticate permission on computers in the trusting domain or forest.
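The following PowerShell is an added example, not part of this page or of the TechCenter article it links to. It grants the Allowed to Authenticate permission on a computer object to a group from the trusted domain, which is the per-computer step the section above describes, and it also lists which principals already hold that right on each computer in an OU, so you can audit where UW NetIDs are allowed after choosing selective authentication. The extended-right GUID is the schema-defined Allowed-To-Authenticate right; the group name, the NetBIOS prefix NETID and the OU are assumptions for illustration.

```powershell
# Added example: grant and audit "Allowed to Authenticate" on computer objects (not a UW Technology script).
# Assumes: run in the trusting domain with rights to edit computer-object ACLs; RSAT ActiveDirectory module present.
Import-Module ActiveDirectory

# Schema-defined rightsGuid of the Allowed-To-Authenticate extended right.
$AllowedToAuthenticate = [guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'

function Grant-AllowedToAuthenticate {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,   # sAMAccountName without the trailing $
        [Parameter(Mandatory)] [string] $Principal       # e.g. 'NETID\lab-students' (assumed name)
    )
    $computer = Get-ADComputer -Identity $ComputerName
    # Resolve the trusted-domain principal to a SID; a one-way outgoing trust lets us do that.
    $sid = (New-Object System.Security.Principal.NTAccount($Principal)).Translate(
               [System.Security.Principal.SecurityIdentifier])
    $path = "AD:\$($computer.DistinguishedName)"
    $acl  = Get-Acl -Path $path
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $AllowedToAuthenticate)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

function Get-AllowedToAuthenticateGrants {
    # Lists every explicit or inherited Allow ACE for Allowed-To-Authenticate on computers under an OU.
    param([string] $SearchBase = (Get-ADDomain).DistinguishedName)
    foreach ($c in Get-ADComputer -Filter * -SearchBase $SearchBase) {
        $acl = Get-Acl -Path "AD:\$($c.DistinguishedName)"
        foreach ($ace in $acl.Access) {
            if ($ace.ObjectType -eq $AllowedToAuthenticate -and
                $ace.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow) {
                [pscustomobject]@{
                    Computer  = $c.Name
                    Principal = $ace.IdentityReference.Value
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Usage (names are constructed placeholders):
#   Grant-AllowedToAuthenticate -ComputerName 'LAB-PC01' -Principal 'NETID\lab-students'
#   Get-AllowedToAuthenticateGrants -SearchBase 'OU=Student Lab,DC=example,DC=edu' | Format-Table -AutoSize
```

Granting the right on an OU with inheritance to computer objects is a common way to cover a whole lab at once; the audit function reports such entries with Inherited set to True, which is useful when you later need to find out why a UW NetID can log in on a machine you did not configure individually.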