Create a two-way forest trust in the on-premises domain
| Product family | Microsoft Entra |
|---|---|
| Document source | Entra Identity Domain Services |
| Guide type | Configuration Guide |
| Skill level | Intermediate to advanced |
| Time | 15 - 60 minutes depending on environment |
This guide covers Create a two-way forest trust in the on-premises domain on Microsoft Entra end to end. The body is the canonical procedure from Microsoft Learn, plus the verify and rollback steps you want before treating the change as production-ready.
What this actually means in practice
I have spent more late nights than I care to admit working through entra identity domain services create a two way forest trust in the on premises domain on real customer tenants, and the honest take is this. The Microsoft Learn page is correct. It is also written like a reference manual, not like a runbook. Short version. This is about Create a two-way forest trust in the on-premises domain, and the underlying plumbing is On-prem AD forest trust setup matching the AADDS side. The first real engagement I had on this exact topic was for a Pune customer who was three days away from a sign-in incident and could not explain why their users were getting prompted twice. The lessons from that week still shape how I read every on-prem side of a two-way forest trust page Microsoft ships.
I will walk through this the way I would on a 1:1 with a junior identity engineer or an EUC admin who has been told to take the lead. First the why. Then the exact commands I keep in my notes. Then the gotchas that have cost me sleep. By the end you should be able to walk into your own tenant, run the same checks, and not be guessing.
Why I keep coming back to this topic
Honestly, the first few times I touched on-prem side of a two-way forest trust I underestimated this exact layer. I thought it was a setup-once-walk-away kind of feature. It is not. It is where most of the silent failures live. For a mid-sized team paying around Rs 31,000 per month (roughly US$373) on the Entra ID P1 (about Rs 540 per user per month) or P2 (about Rs 810 per user per month) licensing that backs this, a quiet break here can cascade into a Conditional Access lockout, a helpdesk surge, and a long Sunday for the on-call engineer.
Here is what I have seen go wrong when teams skim the Microsoft Learn page. A Pune-based team I worked with last quarter set up on-prem side of a two-way forest trust once, never re-ran the verification commands, and woke up six months later to a sign-in regression that took 38 hours of cross-team work to unpick. The fix itself was 12 minutes. The diagnosis was the long pole. They burned roughly Rs 14,800 in extra support and shifted three engineers off their sprint for a week. None of it had to happen.
My step-by-step walkthrough
I work the Microsoft Entra admin centre and the command line side by side. Portal first, when I am orienting in a tenant I am new to. CLI when I am scripting the same check across 200 devices because my fingers stop trusting GUIs after the third repetition. Here is the order I actually run.
- I confirm I am pointing at the correct tenant. Sounds basic. I have pulled evidence from the wrong tenant exactly once and never want to do it again.
az account showfirst, every single time. - I run the baseline inventory so I know the starting state.
netdom trust onprem.contoso.com /Domain:aaddsforest.com /add /TwoWay /UserO:onprem\admin /PasswordO:* /UserD:aaddsforest\admin /PasswordD:*gives me a clean JSON or table I can paste into my notes. - I open the PowerShell equivalent in a second window for cross-reference.
Get-ADTrust -Filter * -Server onprem-dc01.onprem.contoso.com | Format-Table Name, Direction, TrustTypeis the snippet I keep pinned because it surfaces the identity-side picture the portal sometimes hides. - I read the relevant Microsoft Learn section end to end. Yes, the whole thing. Yes, including the small print near the bottom that nobody reads.
- I capture the matching evidence from netdom trust verify output plus Get-ADTrust on both sides. Save it with the date in the filename. Future-me thanks present-me for that habit.
- I write a one-paragraph note in the team wiki - date, tenant ID, exact command, and the user-facing outcome it supports. This is the muscle memory that pays off the next time a similar ticket lands.
- I schedule a 90-day review on my calendar. On-prem side of a two-way forest trust is not a set-and-forget feature. Microsoft updates its position on these surfaces frequently.
The exact commands and queries I use
These live in a private Gist I keep updated. Copy them. Read them first - some of these flags will rewrite live state, so do not run them blind.
# Sanity check the active subscription / tenant context
az account show --query "{name:name, id:id, tenantId:tenantId}" -o table
# Baseline inventory for the in-scope surface
netdom trust onprem.contoso.com /Domain:aaddsforest.com /add /TwoWay /UserO:onprem\admin /PasswordO:* /UserD:aaddsforest\admin /PasswordD:*
# PowerShell variant - identity-side view
Get-ADTrust -Filter * -Server onprem-dc01.onprem.contoso.com | Format-Table Name, Direction, TrustType
# Confirm Microsoft Graph context
Get-MgContext
# Pull recent sign-in activity for the impacted user
Get-MgAuditLogSignIn -Top 25 | Format-Table CreatedDateTime, UserPrincipalName, AppDisplayName, @{Name='Code';Expression={$_.Status.ErrorCode}}
# A small smoke test before declaring the change complete
dsregcmd /status | Select-String 'AzureAdJoined|DomainJoined|DeviceId|TenantName'
The dsregcmd line at the bottom is the one I keep forgetting. Every time I forget it, I pay for it the following week when a Conditional Access ticket lands and I have no baseline to compare against. Run the smoke test. Always.
A war story from Pune
Here is the real one. A pune ad engineer set up the on-prem side of a forest trust at 9 pm after the firewall change finally landed - users were back online before the next morning shift, and the clock was ticking. They had configured this part eight months earlier, never re-verified the alignment with AD DS forest trust, and now had to produce a working sign-in story in less than two weeks. The fix itself was 90 minutes inside the Microsoft Entra admin centre. The diagnostic lead time was 6 hours of cross-team scheduling. The total impact - three engineers off their normal sprint for the better part of a working week, plus a Rs 11,200 emergency support engagement they had not budgeted for. All of it was avoidable. The platform was healthy. The documentation was stale.
That is the recurring pattern with Microsoft Entra device documentation. The answer is almost always there. The issue is that the answer is buried on page 9 of a 14-page concept doc, and your incident is happening on a Friday. That is exactly why I keep these condensed walkthroughs. When the deadline pressure lands, you do not have to scroll through marketing copy to find the operational truth.
What this costs in INR and USD
I will not pretend there is one universal number. There is not. But for a reasonably-sized tenant I help maintain, the monthly cost of on-prem side of a two-way forest trust plus the licensing that backs it lands at around Rs 31,000 (roughly US$373) at current exchange rates. Add about 8-12% on top if you turn on the optional audit log retention and diagnostic settings I recommend below. For a startup in Pune that is roughly the cost of a mid-tier developer laptop spread across the year. For an enterprise it is a rounding error. Either way, do not skip this to save Rs 1,800 per month. The next sign-in incident will cost forty times that, easy.
Gotchas I have collected the hard way
- Region drift. Microsoft sometimes lights up new identity features in one region weeks before another. I have been caught twice. Check region availability against your AD DS forest trust scope before you commit.
- Stale evidence. Netdom trust verify output plus get-adtrust on both sides can lag the live state by 5 to 30 minutes during high-change periods. Always re-pull right before you ship a change report or close an incident.
- Scope creep. On-prem side of a two-way forest trust is often described alongside adjacent features. Read the scope statement carefully and underline every product name. Anything not on that list is out of scope.
- Soft-delete windows. Microsoft Entra and many cloud resources have 7 to 90 day retention defaults. Plan for it. If you delete and recreate inside that window you will see strange artefacts and ghost objects.
- Clock skew. Kerberos cares deeply about time. More than 5 minutes of skew breaks PRT issuance, hybrid join, and AADDS LDAPS in different but equally annoying ways. Run
w32tm /query /statuswhen in doubt. - Clause cherry-picking. Engineers sometimes quote a single sentence from On-prem AD forest trust setup matching the AADDS side without context. Keep the surrounding paragraph in your evidence pack so you can defend the meaning a week later.
How I verify the change actually worked
Verification is where most teams cut corners. I do not. Here is my checklist.
- Re-run the same query from a different machine and a different identity. If the result differs, the local config or session is in the way, not the cloud state.
- Open the Microsoft Entra admin centre in a private browser window, sign in as a least-privilege test account, and confirm the view matches.
- Check the Microsoft Entra audit log for the last 15 minutes. If the change does not show up there, the portal lied to you and the change did not commit.
- Run a small end-to-end exercise that actually exercises on-prem side of a two-way forest trust. For PRT changes that means a fresh sign-in. For hybrid join that means a
dsregcmd /statusafter a logoff/logon. For AADDS DNS that means anslookupfrom a peered VM. - Wait 5 minutes and re-check. Some Microsoft Entra changes take that long to propagate end-to-end.
If it goes wrong, here is how I roll back
Always have a rollback plan. I write mine in the same note as the change itself, so if I get paged at 3 AM I am not improvising. For most on-prem side of a two-way forest trust changes the rollback is one of three patterns. Either I re-apply the previous configuration from saved JSON. Or I disable the affected Conditional Access policy temporarily with Disable-MgIdentityConditionalAccessPolicy. Or, if it is a device-side change, I run dsregcmd /leave followed by a re-join. None of these are dramatic. All of them need to be rehearsed before the incident, not during it.
How to apply this in your environment
- Treat this as a starting point. Your tenant is not my tenant. SKU, region, licence mix, and Conditional Access posture in your subscription will change what is sensible.
- Test in a non-production tenant first. Yes, even if you are confident. I have been surprised enough times to keep doing this.
- Pin your evidence. Capture the on-prem side of a two-way forest trust version, the Microsoft cloud region, the date, and the ticket or change number it supports.
- Cross-check Microsoft Learn one more time on the day you respond. Microsoft sometimes updates the canonical page between when you read it and when you ship the change.
- Schedule a 90-day review. Put it in your team calendar. On-prem side of a two-way forest trust changes. Your evidence should too.
Caveats and what to double-check
- Microsoft renames features. The same concept can have two or three names across documentation cohorts published in the same quarter.
- Some capabilities described in the docs may still be in preview. Confirm general availability before you rely on the contractual SLA.
- Regional availability varies. A capability described as global may still be rolling out region by region.
- Pricing for the workloads that anchor on-prem side of a two-way forest trust changes regularly. This page does not track pricing. Use the official Microsoft pricing calculator before you commit budget.
Related work in your environment
- Document this reference in your team wiki. Note which workloads depend on it today and which are planned.
- Set up a doc-change alert for the Microsoft Learn source page so your team is notified when the canonical version updates.
- Add a quarterly review to your governance cadence. On-prem side of a two-way forest trust is not a set-and-forget topic.
FAQ
References
- Microsoft Learn - official documentation for Create a two-way forest trust in the on-premises domain
- Microsoft Entra admin centre - tenant-side configuration
- Microsoft Intune admin centre - device configuration profiles
- Microsoft Tech Community - peer discussion and field notes
Related fixes
Related guides worth a look while you sort this one out:
- Create a two-way forest trust in Domain Services
- Tutorial: Create a two-way forest trust in Microsoft Entra Domain Services with an on-premises domain
- Create a Microsoft Entra Domain Services forest trust to an on-premises domain using Azure PowerShell
- Delete a forest trust
- Update a forest trust
- Administer DNS and create conditional forwarders in a Microsoft Entra Domain Services managed domain