Monday, October 12, 2009

Create domain trust

Scenario: You want to be able to use your domainA account to log in to domainB, i.e. you want domainB to trust domainA.

First, open the firewall ports below (both directions on all firewalls between the domains):
Kerberos 88 TCP & UDP
LDAP 389 TCP & UDP
LDAP GC 3268 TCP
LDAP GC SSL 3269 TCP
LDAP SSL 636 TCP
RPC 135 TCP
SMB 445 TCP & UDP
NetBIOS 137-139 TCP & UDP
WINS 1512 TCP & UDP
WINS Replication 42 TCP
 
Make sure DNS on the domain controllers of both domains is set up properly. Each domain's own zone is a primary zone on its DCs, and the other domain's zone is a secondary zone, and vice versa. Same thing for the reverse lookup zones. Also make sure that the DNS zone for domainB has a folder named _msdcs. If not, restart netlogon, and run ipconfig /flushdns and ipconfig /registerdns.
 
Make sure the clocks are in sync, preferably synchronized to the same external time server.
Make sure RPC is working by entering "\\DC1.domainA.com" in explorer on a computer in domainB and vice versa.

Create trust
On a DC in domainA.
Administrative tools --> Active Directory Domains and Trusts --> Right click domainA.com, choose Properties --> Tab Trusts --> Create new Trust --> enter domainB.com -->
--> "External Trust" --> "One way incoming" --> "Both this domain and the specified domain" --> enter credentials for an account with administrator privileges in domainB --> "Domain-wide authentication" --> "Trust creation complete".
Validate Trust
Log on to a DC in domainB
Administrative tools --> Active Directory Domains and Trusts --> Right click domainB.com and choose Properties --> tab Trusts --> mark domainA --> Validate.
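As an added example (not part of the original post), a PowerShell script that checks the prerequisites above from a DC in domainB: the TCP ports from the firewall list, the _msdcs SRV records for domainA, the clock offset, and, once the trust has been created, the same validation the "Validate" button does via netdom. Host and domain names are placeholders; it assumes Windows Server 2008 or later with w32tm, nslookup and netdom available.

```powershell
# Added example, not part of the original post: pre-flight checks for the
# prerequisites listed above, run on a DC in domainB against a DC in domainA.
# Hostnames and domain names are placeholders; replace them with your own.
param(
    [string]$RemoteDc     = 'DC1.domainA.com',   # a DC in the domain to be trusted
    [string]$RemoteDomain = 'domainA.com',
    [switch]$VerifyTrust                          # use only after the trust is created
)

# 1. TCP ports from the firewall list. UDP (88, 389, 137/138, 445, 1512) cannot be
#    checked reliably with a connect test; verify those on the firewall itself.
$tcpPorts = @{ 'Kerberos'=88; 'LDAP'=389; 'LDAP GC'=3268; 'LDAP GC SSL'=3269;
               'LDAP SSL'=636; 'RPC'=135; 'SMB'=445; 'NetBIOS'=139;
               'WINS'=1512; 'WINS repl'=42 }
foreach ($name in $tcpPorts.Keys) {
    $port   = $tcpPorts[$name]
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # 2 second timeout so a dropped packet on the firewall does not hang the script
        $done = $client.BeginConnect($RemoteDc, $port, $null, $null).AsyncWaitHandle.WaitOne(2000)
        if ($done -and $client.Connected) { "OK   $name TCP/$port" } else { "FAIL $name TCP/$port" }
    } catch { "FAIL $name TCP/$port ($($_.Exception.Message))" }
    finally { $client.Close() }
}

# 2. DNS: the SRV records under _msdcs for the other domain must resolve from here
#    (this is what the _msdcs folder mentioned above provides). Windows nslookup
#    prints "svr hostname = ..." for each SRV answer.
$srv = @(nslookup -type=SRV "_ldap._tcp.dc._msdcs.$RemoteDomain" 2>&1)
if ($srv -match 'svr hostname') { "OK   SRV records for _msdcs.$RemoteDomain" } else {
    "FAIL no SRV records for _msdcs.$RemoteDomain (check the secondary zone and netlogon)" }

# 3. Time: Kerberos rejects tickets when clocks differ by more than 5 minutes.
#    w32tm /dataonly prints lines like "12:34:56, +00.0123456s".
$lines = @(w32tm /stripchart /computer:$RemoteDc /samples:1 /dataonly 2>&1) -match '[+-]\d+\.\d+s'
if ($lines -and ($lines[-1] -match '([+-]\d+\.\d+)s')) {
    $skew = [math]::Abs([double]$Matches[1])
    if ($skew -lt 300) { "OK   clock offset ${skew}s" } else { "FAIL clock offset ${skew}s (more than 5 minutes)" }
} else { "FAIL could not measure clock offset against $RemoteDc" }

# 4. After the trust exists, verify it from the trusting domain (domainB, this DC's
#    domain) towards the trusted domain (domainA), as the GUI "Validate" button does.
if ($VerifyTrust) { netdom trust $env:USERDNSDOMAIN /d:$RemoteDomain /verify }
```

The explorer check for "\\DC1.domainA.com" is not scripted here because before the trust exists it needs a domainA account for the prompt; the RPC/135 and SMB/445 results above cover the reachability part of that test.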
Permissions
Permissions are not inherited between domains. This is solved by adding a domainA account to a domainB security group (for example the built-in group "Administrators"). If you want to add a domainA account to a custom group in domainB, the group must be a security group of type "local", not "global".

Local admins
Even if you add a domainA account to the Administrators group in domainB, the account will not be local administrator on the computers in domainB. The only solution I know of is to manually make the domainA account a local administrator on each server/host using a domainB or local account.