
Setting up a Forest Trust to the UW Windows Infrastructure

Before setting up your forest trust to the UW Windows Infrastructure (UWWI), submit your trust request. When you open the request form you should expect a Windows challenge/response prompt; enter your UW NetID and password at that prompt in the form NETID\username. Once your request is approved, a UW Technology representative will contact you and work with you to get the forest trust relationship established.

To complete this process, you'll need to have the following:

  • Access to a user account in your local domain/forest that is a member of the Domain Admins or Enterprise Admins group
  • A current personal UW NetID that is eligible for basic services (such as a Homer or Dante account)
  • Approximately 15 minutes of free time

How to Set Up a Forest Trust

If you requested a forest trust, the UWWI account corresponding to the UW NetID specified in the trust request will be added to the 'Incoming Forest Trust Builders' group in the UW Windows Infrastructure forest. Membership in that group permits you to create the UWWI side of the trust yourself, without directly involving UW Technology engineering; it grants only the right to create incoming forest trusts, not any other administrative rights in UWWI. A UW Technology representative will contact you once this membership is ready.

To create a one-way, outgoing forest trust (your forest trusts netid.washington.edu, so UWWI accounts can be granted access to your resources while your accounts gain no access to UWWI) and build both sides of the trust in a single pass:

  1. Open Active Directory Domains and Trusts.
  2. In the console tree, right-click the domain that you want to establish a trust with, and then click Properties.
  3. On the Trusts tab, click New Trust, and then click Next.
  4. On the Trust Name page, type the Domain Name System (DNS) name of the domain, and then click Next.
    For the UW Windows Infrastructure, you'll enter: netid.washington.edu
  5. On the Trust Type page, click Forest trust, and then click Next.
  6. On the Direction of Trust page, click One-way: outgoing, and then click Next.
  7. On the Sides of Trust page, click Both this domain and the specified domain, and then click Next.
  8. On the User Name and Password page, use the following credentials:
    User name:  NETID\<the UW NetID used for the trust request>
    Password: <your UW NetID password>
  9. On the Outgoing Trust Authentication Level--Local Forest page, choose either Forest-wide authentication or Selective authentication, and then click Next. Forest-wide authentication lets every UWWI user authenticate to every computer in your forest (and so act as a member of Authenticated Users there); Selective authentication lets them authenticate only to computers where you explicitly grant the 'Allowed to authenticate' permission (see About Selective Authentication below).
  10. On the Trust Selections Complete page, review the results, and then click Next.  Windows will create the trust relationship in both your local forest and in the UW Windows Infrastructure.
  11. On the Trust Creation Complete page, review the results, and then click Next.
  12. On the Confirm Outgoing Trust page, click Yes, confirm the outgoing trust, and then supply the appropriate administrative credentials from the specified domain.
  13. On the Completing the New Trust Wizard page, click Finish.
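The same trust can be created and verified without the wizard. The following PowerShell is an added example, not a script from UW Technology or from this page; it drives the public System.DirectoryServices.ActiveDirectory API from a domain-joined machine in your forest, run elevated as a Domain Admin or Enterprise Admin, and assumes the NetID you type at its prompt is already a member of UWWI's 'Incoming Forest Trust Builders' group. The prompts, variable names and the final Get-ADTrust check (which needs the RSAT ActiveDirectory module) are the example's own.

```powershell
# Added example, not UW Technology's script: create the one-way outgoing forest
# trust to UWWI and verify it, using the public .NET AD API rather than the wizard.
# Assumptions: run elevated as a Domain/Enterprise Admin of your forest; the
# NetID typed at the prompt is already a member of UWWI's 'Incoming Forest Trust
# Builders'; RSAT's ActiveDirectory module is installed for the final Get-ADTrust.
Add-Type -AssemblyName System.DirectoryServices

$uwwiForest = 'netid.washington.edu'
$netid      = Read-Host 'UW NetID named in the trust request (without NETID\)'
$secure     = Read-Host 'UW NetID password' -AsSecureString
# The DirectoryContext constructor needs a plain string; it stays in memory only.
$password   = [System.Net.NetworkCredential]::new('', $secure).Password

# Our forest is the trusting side of a one-way outgoing trust.
$local = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

# Bind to UWWI with the NetID credentials; this is what lets the remote
# (incoming) side of the trust be written without UW Technology engineering.
$ctx = [System.DirectoryServices.ActiveDirectory.DirectoryContext]::new(
    [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Forest,
    $uwwiForest, "NETID\$netid", $password)
$remote = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ctx)

# Outbound here means: we trust UWWI; UWWI does not trust us.
$direction = [System.DirectoryServices.ActiveDirectory.TrustDirection]::Outbound

$existing = $local.GetAllTrustRelationships() | Where-Object { $_.TargetName -eq $uwwiForest }
if (-not $existing) {
    # One call creates both sides with a generated shared trust password,
    # the equivalent of 'Both this domain and the specified domain' in the wizard.
    $local.CreateTrustRelationship($remote, $direction)
}

# Equivalent of the wizard's authentication-level page. $true = selective
# authentication (UWWI users then need 'Allowed to authenticate' per computer);
# $false = forest-wide authentication.
$local.SetSelectiveAuthenticationStatus($uwwiForest, $true)

# Throws if the secure channel or trust password is wrong; this is the
# programmatic counterpart of the wizard's confirmation step.
$local.VerifyTrustRelationship($remote, $direction)

# Review the result. SID filtering is enabled by default on a new forest trust;
# leave it on rather than disabling it to work around group-membership problems.
Import-Module ActiveDirectory
Get-ADTrust -Identity $uwwiForest |
    Format-List Name, Direction, ForestTransitive, SelectiveAuthentication,
                SIDFilteringForestAware, SIDFilteringQuarantined
```

Run it once; the `$existing` check makes a second run skip creation and only re-apply the authentication level and re-verify. Tell the UW Technology engineer when it completes, exactly as you would after the wizard.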

Once you have completed these steps, inform the UW Technology engineer so we know that the process is complete. After that, your trust relationship should be working, and you can grant UW Windows (netid.washington.edu) user accounts access to your resources as you would a normal local domain user account.

Configuration Settings

At this time, you may want to review the group policies of the netid.washington.edu forest to ensure that your local configuration settings are compatible. Pay special attention to LmCompatibilityLevel (known in group policy as Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: LAN Manager authentication level). UWWI policy only allows NTLMv1, NTLMv2, or Kerberos authentication; LM responses are refused. Kerberos is used across the forest trust when a client reaches the target by its DNS name, and NTLM is the fallback, so this setting matters even where Kerberos normally works. If your computers are configured not to negotiate these protocols, or have support issues that prevent their use, you will be unable to authenticate with UWWI user accounts. Of the levels that work, 3 or higher (send NTLMv2 response only) is the sensible floor, since NTLMv1 responses are cryptographically weak.
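To check a machine before testing UWWI logons, the following PowerShell is an added example (not from this page): it reads the local LmCompatibilityLevel value, reports what it means, and raises it to 3 if it is lower. It assumes an elevated session on one of your domain members; where the value is delivered by Group Policy, change the GPO instead, because a local edit is reverted at the next policy refresh.

```powershell
# Added example, not from the UWWI page: audit the LAN Manager authentication
# level on a domain member before testing UWWI logons, and raise it if it is
# below the recommended floor. Assumption: if Group Policy delivers this value,
# change the GPO instead; a local edit is reverted at the next policy refresh.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$name = 'LmCompatibilityLevel'

# What each value of 'Network security: LAN Manager authentication level' means.
$levels = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM, use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only, refuse LM'
    5 = 'Send NTLMv2 response only, refuse LM & NTLM'
}

function Get-LmCompatibilityLevel {
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # No explicit value: the OS default applies, 3 since Windows 7 / Server 2008 R2.
        return 3
    }
    [int]$item.$name
}

function Test-LmLevelAcceptable([int]$Level) {
    # Level 3 and above never emit LM responses (which UWWI refuses) and send
    # NTLMv2 only. Levels 0-2 can still produce NTLMv1, which UWWI accepts but
    # which is weak, so treat 3 as the floor.
    $Level -ge 3
}

$current = Get-LmCompatibilityLevel
"LmCompatibilityLevel = $current : $($levels[$current])"
if (-not (Test-LmLevelAcceptable $current)) {
    "Raising to 3 ($($levels[3])); this needs an elevated session."
    Set-ItemProperty -Path $key -Name $name -Value 3 -Type DWord
    "Re-check after 'gpupdate /force' to confirm policy does not set it back."
}
```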

You can read more about this at:

What should my LmCompatibilityLevel settings be?
I can login on some computers but not others. Why is this happening?
I can login with my UWWI user account, but I can't access resources on a server even though I've granted that account access. What's wrong?

About Selective Authentication

By choosing 'selective authentication', users from the trusted forest are not automatically allowed to authenticate to computers in your forest, so they do not receive the access that the dynamic 'Authenticated Users' group normally conveys there. Administrators must explicitly grant the 'Allowed to authenticate' permission on the AD computer object to the users or groups in the trusted forest, for each computer those users should be able to log on to or access as a server. While this can be a great option to limit where UW NetIDs can be used, such as a scenario where a student lab should have UW NetID access but the rest of the domain shouldn't, it does come with the cost of needing to explicitly allow their use on each individual computer.

The Windows Server TechCenter has a great description of how to do that:
Grant the Allowed to Authenticate permission on computers in the trusting domain or forest.
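Granting that permission from PowerShell, as an added example that is not part of this page or the TechCenter article: it adds an Allow ACE for the Allowed-To-Authenticate extended right on one computer object and then lists who holds that right. The computer name LAB-PC01 and the UWWI group NETID\uw-lab-users are assumed placeholders; substitute your own. It assumes the RSAT ActiveDirectory module (for the AD: drive) and a working trust, since the trusted-forest group name must resolve to a SID.

```powershell
# Added example, not UW Technology's code: grant a UWWI group the
# 'Allowed to authenticate' right on one lab computer object, as selective
# authentication requires, then list who holds that right on the computer.
# Assumed names: computer LAB-PC01 in your domain, group NETID\uw-lab-users in UWWI.
Import-Module ActiveDirectory   # provides the AD: drive used by Get-Acl/Set-Acl

# Allowed-To-Authenticate is an extended right identified in the schema by this GUID.
$allowedToAuthenticate = [Guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'

function Grant-AllowedToAuthenticate {
    param(
        [Parameter(Mandatory)][string]$ComputerName,    # sAMAccountName without the trailing $
        [Parameter(Mandatory)][string]$TrustedPrincipal # e.g. 'NETID\uw-lab-users'
    )
    $computer = Get-ADComputer -Identity $ComputerName
    $path = "AD:\$($computer.DistinguishedName)"

    # Resolve the trusted-forest principal to its SID across the trust.
    $sid = ([System.Security.Principal.NTAccount]$TrustedPrincipal).Translate(
        [System.Security.Principal.SecurityIdentifier])

    $acl = Get-Acl -Path $path
    $already = $acl.Access | Where-Object {
        $_.IdentityReference.Value -in @($TrustedPrincipal, $sid.Value) -and
        $_.ObjectType -eq $allowedToAuthenticate -and
        $_.AccessControlType -eq 'Allow'
    }
    if ($already) { return $false }   # right is already granted; nothing to do

    $ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $allowedToAuthenticate)
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
    return $true
}

function Get-AllowedToAuthenticate([string]$ComputerName) {
    # Who may authenticate to this computer under selective authentication,
    # including rights inherited from an OU.
    $computer = Get-ADComputer -Identity $ComputerName
    (Get-Acl -Path "AD:\$($computer.DistinguishedName)").Access |
        Where-Object { $_.ObjectType -eq $allowedToAuthenticate } |
        Select-Object IdentityReference, AccessControlType, IsInherited
}

Grant-AllowedToAuthenticate -ComputerName 'LAB-PC01' -TrustedPrincipal 'NETID\uw-lab-users'
Get-AllowedToAuthenticate  -ComputerName 'LAB-PC01'
```

For a whole lab, grant the right once on the lab's OU with inheritance to descendant computer objects instead of on each computer; Get-AllowedToAuthenticate then shows IsInherited = True on each machine, which is the check to run after moving a computer into or out of that OU.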