Normally a machine or an account from one domain can only be used inside that domain; taken to another domain it is not trusted. Because of a product requirement, I investigated how to let two domains authenticate each other, so that an account from domain1 can also be used normally inside domain2.
Prepare two domains
- Prepare two domain servers, for example the first one running Windows Server 2016 and the second one Windows Server 2019.
Note: if you are using VMs, make sure they are cloned from different templates. Two VMs cloned from the same template share the same machine SID even after you rename the computer, and this causes an error when creating the trust. Use PSTool to get the SIDs of the two servers and make sure they are different.
- Rename them:
Windows Server 2016 -> DomainServer1
Windows Server 2019 -> DomainServer2
- Upgrade DomainServer1 to a domain controller:
  - Go to Server Manager, select “Manage” -> “Add Roles and Features”.
  - Use the default option “Role-based or feature-based installation”.
  - Use the default option “Select a server from the server pool”.
  - Select the checkbox “Active Directory Domain Services”.
  - A confirmation dialog pops up; click “Add Features”.
  - It takes a few minutes to complete the installation.
  - After the install completes, click “Promote this server to a domain controller”.
  - Select the option “Add a new forest” and change the domain name to “Updater1.domain”.
  - Input the password and confirm.
  - The NetBIOS domain name is generated automatically; keep the default.
  - Keep the default settings, Next.
  - The prerequisites check runs; if all checks pass, click “Install”.
  - After the reboot, check the full computer name and domain name.
- Follow similar steps to upgrade DomainServer2 to a domain controller.
After both are complete:
DomainServer1.Updater1.domain (10.224.106.208)
DomainServer2.Updater2.domain (10.224.110.245)
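The same preparation from PowerShell, as an added example that is not part of the original post: it first reads the machine SID (the value PSTool's PsGetSid prints, so the clone check can be scripted), then installs the AD DS role and promotes the server to a new forest. The domain name comes from this write-up; the `$OtherServerSid` variable, the DSRM password prompt and running it on DomainServer1 are assumptions.

```powershell
# Added example, not the original post's own procedure. Run as local
# Administrator on the server to be promoted, BEFORE promotion (after
# promotion the Administrator account belongs to the domain, not the machine).

function Get-MachineSid {
    # The built-in local Administrator account always has RID 500, so its SID
    # is "<machine SID>-500". Dropping the last component gives the machine
    # SID. Two VMs cloned from one template show the same value here even
    # after the computer has been renamed.
    $acct = New-Object System.Security.Principal.NTAccount("$env:COMPUTERNAME\Administrator")
    $sid  = $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
    return ($sid -replace '-\d+$', '')
}

$localSid = Get-MachineSid
Write-Host "Machine SID of $env:COMPUTERNAME : $localSid"

# Assumption: paste the SID printed on the other server here to fail early
# instead of hitting the trust-creation error later.
$OtherServerSid = $null   # e.g. 'S-1-5-21-...' copied from DomainServer2
if ($OtherServerSid -and ($OtherServerSid -eq $localSid)) {
    throw "Both servers share machine SID $localSid; clone from a different template (or sysprep) before creating the trust."
}

# Equivalent of ticking "Active Directory Domain Services" and accepting
# "Add Features" in the Add Roles and Features wizard.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Equivalent of "Promote this server to a domain controller" -> "Add a new
# forest". The NetBIOS name is derived automatically when -DomainNetbiosName
# is omitted, matching the wizard's default. The server reboots when done.
$dsrmPassword = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'
Install-ADDSForest `
    -DomainName 'Updater1.domain' `
    -InstallDns `
    -SafeModeAdministratorPassword $dsrmPassword `
    -Force

# After the reboot, the computer and domain names can be checked with:
#   Get-ADDomainController | Select-Object HostName, Domain, Forest
```

On DomainServer2 run the same script with `-DomainName 'Updater2.domain'`; the SID check is the part that matters for the cloning problem the note above describes.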
Create trust between domains
- Ping each other and make sure the two servers can reach each other successfully.

- Add a second DNS server
On DomainServer1:
  - Go to Control Panel -> Network and Sharing Center
  - Select your Ethernet connection, open its properties and configure IPv4
  - Input the IP address of the other domain controller as the second DNS server
On DomainServer2, follow similar steps to configure the second DNS server.

- Create a stub zone in DNS
On DomainServer1:
  - Open Server Manager, Tools -> DNS
  - Right click on “Forward Lookup Zones”, select “New Zone…”
  - Select “Stub zone” and Next
  - Select “To all DNS … forest”, Next
  - Input the domain name “Updater2.domain”.
  - Input the IP address of Updater2.domain
  - A success dialog is displayed.
  - You should be able to ping Updater2.domain successfully now.
On DomainServer2, follow similar steps to configure DNS: open Server Manager, Tools -> DNS, and create a stub zone for Updater1.domain.
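The DNS client and stub-zone steps above as a script, added here as an example and not part of the original post. The addresses are the ones listed earlier for DomainServer1 and DomainServer2; the interface alias `Ethernet` is an assumption (check with `Get-NetAdapter`).

```powershell
# Added example (not the original post's own procedure): run on DomainServer1.
$Self        = '10.224.106.208'   # DomainServer1, Updater1.domain
$Other       = '10.224.110.245'   # DomainServer2, Updater2.domain
$OtherDomain = 'Updater2.domain'

# 1. Second DNS server: own DC first, partner DC second (the "Input the
#    second DNS ip address" step). 'Ethernet' is an assumed alias.
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses @($Self, $Other)

# 2. Stub zone for the partner forest, replicated to all DNS servers in this
#    forest (the "To all DNS servers ... in this forest" option in the wizard).
if (-not (Get-DnsServerZone -Name $OtherDomain -ErrorAction SilentlyContinue)) {
    Add-DnsServerStubZone -Name $OtherDomain -MasterServers $Other -ReplicationScope 'Forest'
}

# 3. Checks. A stub zone only holds the partner's SOA/NS (and glue A)
#    records; if the transfer worked they show up here.
Get-DnsServerResourceRecord -ZoneName $OtherDomain |
    Format-Table RecordType, HostName, RecordData -AutoSize

# The forest name itself should now resolve (same as the ping test above).
Resolve-DnsName -Name $OtherDomain -Type A

# The trust wizard locates a DC in the other forest through its SRV records,
# so confirm the DC locator record resolves before starting the trust steps.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$OtherDomain" -Type SRV

# On DomainServer2: swap $Self and $Other and set $OtherDomain = 'Updater1.domain'.
```

If the SRV lookup fails while the A lookup works, the stub zone exists but the master server is not answering or the partner DC has not registered its records yet; that is the usual reason the trust wizard later reports that the domain cannot be contacted.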
- Create the trust
On DomainServer1:
  - Open “Server Manager”, select “Tools” -> “Active Directory Domains and Trusts”
  - Right click on “Updater1.domain”, select “Properties”
  - Go to the “Trusts” tab, click “New Trust”.
  - Input the domain name “Updater2.domain”, Next
  - Select “Forest trust”, Next
  - Select “Two-way”, Next
  - Select “Both this domain and the specified domain”, Next
  - Input the user name and password of an administrator account in Updater2.domain
  - Select “Forest-wide authentication” (authentication level for the local forest)
  - Select “Forest-wide authentication” (authentication level for the specified forest)
  - Next
  - Select “Yes, confirm the outgoing trust”
  - Select “Yes, confirm the incoming trust”
  - A success dialog should be displayed.
  - The trusts are now listed under both outgoing and incoming.
  - Go to DomainServer2, open “Server Manager”, select “Tools” -> “Active Directory Domains and Trusts”, and you can see the trusts have been created there automatically.
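The same trust creation from PowerShell, added as an example that is not part of the original post. The wizard has no dedicated cmdlet, so this uses the .NET `System.DirectoryServices.ActiveDirectory.Forest` API from DomainServer1 and then reviews the result with `Get-ADTrust`. Forest names are from this write-up; the Updater2 administrator credential prompt is an assumption.

```powershell
# Added example (not the original post's own procedure): run on DomainServer1
# as an administrator of Updater1.domain, after the DNS stub zones work.
Add-Type -AssemblyName System.DirectoryServices

$LocalForest  = 'Updater1.domain'
$RemoteForest = 'Updater2.domain'
$RemoteCred   = Get-Credential -Message "Administrator account in $RemoteForest"

# Context for the remote forest, using the remote admin credential (the
# "Both this domain and the specified domain" + username/password screens).
$ctxType   = [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Forest
$remoteCtx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext(
    $ctxType, $RemoteForest, $RemoteCred.UserName, $RemoteCred.GetNetworkCredential().Password)

$local  = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$remote = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($remoteCtx)
if ($local.Name -ne $LocalForest) { throw "Expected to run in $LocalForest, found $($local.Name)" }

# "Forest trust" + "Two-way": one call creates the outgoing and incoming
# sides because credentials for both forests are available.
$direction = [System.DirectoryServices.ActiveDirectory.TrustDirection]::Bidirectional
$local.CreateTrustRelationship($remote, $direction)

# Equivalent of "Yes, confirm the outgoing trust" / "... incoming trust";
# throws if either side cannot be validated.
$local.VerifyTrustRelationship($remote, $direction)

# Review the trust object the way the "Trusts" tab shows it. For this guide's
# settings expect Direction = BiDirectional, TrustType = Uplevel,
# ForestTransitive = True and SelectiveAuthentication = False (that is what
# "Forest-wide authentication" means). The SIDFilteringForestAware /
# SIDFilteringQuarantined fields show whether SID filtering is active; it is
# on for a new forest trust and should stay on.
Get-ADTrust -Filter * |
    Select-Object Name, Direction, TrustType, ForestTransitive, IntraForest,
                  SelectiveAuthentication, SIDFilteringForestAware, SIDFilteringQuarantined |
    Format-List
```

Forest-wide authentication, the option chosen above, makes every user of the other forest a member of Authenticated Users on your resources. If only a few accounts from Updater2.domain are meant to log on in Updater1.domain, the wizard's other option, selective authentication (`SelectiveAuthentication = True`), limits access to computers where those accounts have been granted the "Allowed to Authenticate" permission.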
Verify
- Prepare two Windows client machines: Test1 and Test2
- Join Test1 to Updater1.domain and Test2 to Updater2.domain
- On Test1, sign out and log on with an account from Updater2.domain
If the logon succeeds, the trust between the two domain forests has been created.
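Checks that can be run on Test1 before the interactive logon test, added here as an example and not part of the original post. They exercise the same path the logon uses (DC locator through the stub zone, then the trust) without signing out. `UPDATER2` is the NetBIOS name the wizard generated by default for Updater2.domain and `testuser` is a placeholder account.

```powershell
# Added example (not the original post's own procedure): run on Test1, a
# member of Updater1.domain, in an elevated PowerShell session.

# 1. Test1's own secure channel to a DC of Updater1.domain must be healthy,
#    otherwise nothing cross-forest can work.
Test-ComputerSecureChannel -Verbose

# 2. Can the client locate a DC of the other forest? This goes through the
#    stub zone and the _msdcs SRV records created earlier.
nltest /dsgetdc:Updater2.domain

# 3. Does Test1 see Updater2.domain in its list of trusted domains?
nltest /trusted_domains

# 4. Resolve a principal from the other forest to its SID. Success means the
#    trust path works end to end; IdentityNotMappedException means the trust
#    or DNS is not working from this client. 'testuser' is a placeholder.
$acct = New-Object System.Security.Principal.NTAccount('UPDATER2', 'testuser')
try {
    $sid = $acct.Translate([System.Security.Principal.SecurityIdentifier])
    "Resolved $($acct.Value) -> $($sid.Value)"
} catch [System.Security.Principal.IdentityNotMappedException] {
    "Cannot resolve $($acct.Value): check steps 2 and 3 before trying to log on"
}
```

If step 4 resolves the account but the interactive logon still fails, the trust itself is fine and the problem is local to the client (for example the account has no logon right on Test1); if step 2 fails, go back to the DNS stub-zone section.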
Reference
- Trust Relationship Between Two Forest
- Cannot create Trust Relationship
- How to get SID by PSTool