Enable forest-wide authentication over a forest trust
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
The forest-wide authentication setting permits unrestricted access by any users in the trusted forest to all available shared resources in any of the domains in the trusting forest. This is the default authentication setting for forest trusts, and it is representative of the way authentications were routed — without restriction — over Windows 2000 Server trusts. For more information about the forest-wide authentication setting, see "Security Considerations for Trusts" in the Windows Server 2003 Technical Reference on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=35413).
You can enable forest-wide authentication over a forest trust by using the New Trust Wizard in Active Directory Domains and Trusts or by using the Netdom command-line tool. For more information about how to use the Netdom command-line tool to configure selective authentication settings, see "Netdom.exe: Windows Domain Manager" in the Windows Server 2003 Technical Reference on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=41700).
To complete this procedure, you must be a member of the Domain Admins group or the Enterprise Admins group in Active Directory.
To enable forest-wide authentication over a forest trust
Using the Windows interface
Open Active Directory Domains and Trusts.
In the console tree, right-click the forest root domain, and then click Properties.
On the Trusts tab, under Domains trusted by this domain (outgoing trusts), click the forest trust that you want to administer, and then click Properties.
On the Authentication tab, click Forest-wide authentication, and then click OK.
Only the authentication settings for the outgoing trust are displayed when you click Properties and then click the Authentication tab in Active Directory Domains and Trusts. To view the correct authentication settings for the incoming side of a two-way, forest trust, connect to a domain controller in the trusted domain (the forest root domain in the other forest), and then use Active Directory Domains and Trusts to view the authentication settings for the outgoing side of the same trust.