Getting ready

To use the selective authentication feature, both Active Directory forests on either side of the trust need to run the Windows Server 2003 FFL, or a higher forest functional level.

It is recommended that you sign in to the domain controller that is running the Domain Naming Master FSMO role, or connect the Active Directory Domains and Trusts console to this specific domain controller, by right-clicking in the console on the Active Directory Domains and Trusts node and selecting Change Active Directory Domain Controller… from the context menu.

To find this domain controller, right-click the Active Directory Domains and Trusts node and select the Operations Master… from the context menu. Alternatively, run the following command from any domain-joined device, member server, or domain controller:

netdom.exe query fsmo

Otherwise, you can use the following PowerShell commands on a domain-joined system that has the Active Directory module for Windows PowerShell installed:

Import-Module ActiveDirectory

Get-ADForest | Format-List DomainNamingMaster