Creating a shortcut trust relationship between two separate Windows Domains
Overview
A requirement may arise where two separate domains in separate forests need a trust set up for cross-domain authentication.
A shortcut trust can be used to achieve this; however, it requires a few more steps than simply creating the trust in Active Directory Domains and Trusts.
I have prepared a quick guide on how to achieve this. In the example we are going to use two servers which are domain controllers on two separate domains: MELSRV with the IP 192.168.0.10 on the Southtransport.local domain, and SYDSRV with the IP 192.168.20.10 on the Easttransport.local domain.
DNS Zones, Forwarding and Networking
For Southtransport domain controllers to resolve the network of Easttransport (and vice versa), local DNS needs to resolve the other domain correctly. It is recommended that Southtransport.local and Easttransport.local are on different subnets with all the required firewall rules in place for communication between them. In this example Easttransport.local, located in Sydney, is on the 192.168.20.x subnet and Southtransport.local, located in Melbourne, is on the 192.168.0.x subnet.
For the DNS setup, it is best to use a secondary zone instead of a forwarder or conditional forwarder. Forwarders don't seem to work too well with this type of trust.
In this example we have chosen to add Easttransport.local as a secondary zone on the DNS server of Southtransport.local, and vice versa. Note that you will have to enable Zone Transfers on the source zone for the other server to pull down a secondary zone.
Creating Trusts
On the Easttransport.local domain, open Active Directory Domains and Trusts. Ensure you have domain admin credentials for Southtransport.local handy.
- Select Easttransport.local, go to Properties and then go to the Trusts tab.
- Select New Trust. Enter the FQDN of Southtransport.local.
- Click Next, select External trust, then click Next. Select Two-way for the direction of trust.
- Click Next and select This domain only.
- Click Next and enter a common password to be used for the trust. Click Next and click Yes to confirm the trust.
- Enter the domain admin credentials for Southtransport.local and click Next through the prompts. You should get a message stating that the trust relationship was successfully created and confirmed.
- If you get an error stating that the trust could not be created, repeat the same steps on Southtransport.local, adding the trust for Easttransport.local with the same password. Then go back to Easttransport.local, open Properties, select the Trusts tab, and you should be able to validate the trust.
Allowing Users to Log In from the other domain
We have a user from South Transport named James Khan who needs to log in to a machine at East Transport but is unable to.
Users may still not be able to log in, because they also need to be added to the 'Allow log on locally' user rights assignment in policy.
On the Easttransport.local domain, we can add SOUTHTRANSPORT\Domain Users to that setting so they can log in. It is best practice to create a separate group for them, e.g. SOUTHTRANSPORT\Allowed Easttransport Users, and put it in a separate workstation GPO. In this example we will create a new GPO with domain users from Southtransport and Easttransport.
When this is done, restart the workstations and James Khan from Southtransport.local should be able to log in to an Easttransport.local computer.
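As an added example (not part of the original guide), here is a PowerShell check you can run on MELSRV after completing the steps above to confirm the DNS zone, network path and trust object are in the state the guide expects. It assumes the RSAT ActiveDirectory and DnsServer modules are installed on the domain controller and that the session runs as a Southtransport.local domain admin; the hostnames, IPs and domain names are the ones used in this guide.

```powershell
# Added example: post-setup trust verification run on MELSRV (Southtransport.local)
# against the Easttransport.local side. Assumes RSAT ActiveDirectory + DnsServer modules.
Import-Module ActiveDirectory
Import-Module DnsServer

$localDomain  = 'Southtransport.local'
$remoteDomain = 'Easttransport.local'
$remoteDc     = '192.168.20.10'   # SYDSRV, as named in the guide

# 1. The other domain must be present as a secondary zone (the guide's recommendation).
$zone = Get-DnsServerZone -Name $remoteDomain -ErrorAction SilentlyContinue
if (-not $zone -or $zone.ZoneType -ne 'Secondary') {
    Write-Warning "$remoteDomain is not configured as a secondary zone on this DNS server."
}

# 2. The remote domain's DC locator records must resolve through local DNS.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$remoteDomain" -Type SRV -ErrorAction SilentlyContinue
if (-not $srv) { Write-Warning "Cannot resolve DC SRV records for $remoteDomain." }

# 3. Firewall path to the remote DC: Kerberos (88), LDAP (389), SMB (445).
foreach ($port in 88, 389, 445) {
    $t = Test-NetConnection -ComputerName $remoteDc -Port $port -WarningAction SilentlyContinue
    if (-not $t.TcpTestSucceeded) { Write-Warning "TCP $port to $remoteDc is blocked." }
}

# 4. The trust object: direction, type and SID filtering (quarantine) on this external trust.
$trust = Get-ADTrust -Identity $remoteDomain -ErrorAction SilentlyContinue
if (-not $trust) {
    Write-Warning "No trust object for $remoteDomain found in $localDomain."
} else {
    "{0}: Direction={1} TrustType={2} SIDFilteringQuarantined={3}" -f `
        $trust.Name, $trust.Direction, $trust.TrustType, $trust.SIDFilteringQuarantined
    if ($trust.Direction -ne 'BiDirectional') {
        Write-Warning 'Trust is not two-way; check the direction chosen in the wizard.'
    }
    if (-not $trust.SIDFilteringQuarantined) {
        Write-Warning 'SID filtering is disabled on this external trust; keep it enabled so only SIDs from the trusted domain are honoured.'
    }
}

# 5. Validate the trust secure channel, as the Validate button in the GUI does.
netdom trust $localDomain /domain:$remoteDomain /verify
```

Run the same script on SYDSRV with the domain and IP variables swapped to check the other direction.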