
Configure DNS forwarding in the HGS domain and a one-way trust with the fabric domain

Important

AD mode is deprecated beginning with Windows Server 2019. For environments where TPM attestation is not possible, configure host key attestation. Host key attestation provides similar assurance to AD mode and is simpler to set up.

Use the following steps to set up DNS forwarding and establish a one-way trust with the fabric domain. These steps allow the HGS to locate the fabric domain controllers and validate group membership of the Hyper-V hosts.

  1. Run the following command in an elevated PowerShell session to configure DNS forwarding. Replace fabrikam.com with the name of the fabric domain and type the IP addresses of DNS servers in the fabric domain. For higher availability, point to more than one DNS server.

    Add-DnsServerConditionalForwarderZone -Name "fabrikam.com" -ReplicationScope "Forest" -MasterServers <DNSserverAddress1>, <DNSserverAddress2>
    
  2. To create a one-way forest trust, run the following command in an elevated Command Prompt. Replace bastion.local with the name of the HGS domain and fabrikam.com with the name of the fabric domain. Provide the password for an admin of the fabric domain.

    netdom trust bastion.local /domain:fabrikam.com /userD:fabrikam.com\Administrator /passwordD:<password> /add
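
A post-configuration check for the two steps above, added here as an example and not part of the original documentation. It assumes an elevated PowerShell session on an HGS domain controller with the DnsServer and ActiveDirectory modules available, and it uses the page's placeholder domain names.

```powershell
# Added verification example; domain names are the page's placeholders.
$HgsDomain    = 'bastion.local'   # HGS (trusting) domain
$FabricDomain = 'fabrikam.com'    # fabric (trusted) domain

# 1. The conditional forwarder for the fabric domain exists.
$zone = Get-DnsServerZone -Name $FabricDomain -ErrorAction Stop
if ($zone.ZoneType -ne 'Forwarder') {
    throw "$FabricDomain is a '$($zone.ZoneType)' zone, not a conditional forwarder."
}
if (@($zone.MasterServers).Count -lt 2) {
    Write-Warning "Only one fabric DNS server is configured; add a second for availability."
}

# 2. Fabric domain controllers can be located through the forwarder.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$FabricDomain" -Type SRV -ErrorAction Stop
$srv | Where-Object Type -eq 'SRV' | Select-Object NameTarget, Port

# 3. The trust is one-way: the HGS domain trusts the fabric domain, not the reverse.
$trust = Get-ADTrust -Identity $FabricDomain -ErrorAction Stop
if ($trust.Direction -ne 'Outbound') {
    throw "Expected an outbound (one-way) trust, found '$($trust.Direction)'."
}

# 4. Verify the trust's secure channel with the current credentials.
netdom trust $HgsDomain "/domain:$FabricDomain" /verify
if ($LASTEXITCODE -ne 0) {
    throw "netdom trust /verify failed with exit code $LASTEXITCODE."
}
```

When creating the trust, netdom accepts `*` as the value of `/passwordD:` and prompts for the password, which keeps the fabric admin password out of the command line and command history.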
    
