Domain Trusts

Posted on 2007-10-05
Medium Priority
Last Modified: 2010-04-18
Do both PDC emulators have to see each other for a trust to work? Why, and is there a workaround?
Question by: atomicnetworks

Accepted Solution

LauraEHunterMVP earned 750 total points
The PDCe in the trusting domain (the domain with the resources in it, if it's only a one-way trust) needs to be accessible by any DC in the trusted domain (the domain with the people in it, again if it's only a one-way trust). If it's a two-way trust, you can see from this description that the PDCe in each domain needs to be accessible by any DC in the domain on the other side of the trust.

As for the why, it's an implementation detail described here: http://technet2.microsoft.com/windowsserver/en/library/f5c70774-25cd-4481-8b7a-3d65c86e69b11033.mspx?mfr=true.  Basically, the password for the trust object in AD is changed internally by AD every 7 days, and this change is initiated by the PDCe in the trusting domain.

There is no workaround for this that I am aware of.
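
A way to check the dependency described in the answer above, as an added example that is not part of the original answer: run from a DC or RSAT host in the trusted domain, it locates the PDCe of the trusting domain, tests that it is reachable, and reports how old the trust account password is. The domain name is a placeholder, the port list is an assumed set of common AD service ports, and the 7-day threshold is the interval given in the answer.

```powershell
# Added example. Assumes the ActiveDirectory (RSAT) module and a one-way trust
# where this host sits in the TRUSTED domain (the one with the user accounts).
Import-Module ActiveDirectory

$TrustingDomain = 'resources.example.com'  # placeholder: domain holding the resources
$MaxAgeDays     = 7                        # rotation interval stated in the answer above
$Ports          = 88, 135, 389, 445        # assumption: Kerberos, RPC, LDAP, SMB

# 1. Find the PDC emulator of the trusting domain; it initiates the password change.
$remote = Get-ADDomain -Server $TrustingDomain
$pdc    = $remote.PDCEmulator

# 2. Confirm this DC can reach that PDCe on each port.
$reach = foreach ($p in $Ports) {
    $r = Test-NetConnection -ComputerName $pdc -Port $p -WarningAction SilentlyContinue
    [pscustomobject]@{ Target = $pdc; Port = $p; Reachable = $r.TcpTestSucceeded }
}
$reach | Format-Table -AutoSize

# 3. Read the interdomain trust account held in the local (trusted) domain.
#    It is a user-class object named after the trusting domain's NetBIOS name plus '$'.
$name = "$($remote.NetBIOSName)`$"
$acct = Get-ADObject -LDAPFilter "(&(objectClass=user)(sAMAccountName=$name))" `
                     -Properties pwdLastSet

if (-not $acct) {
    Write-Warning "No trust account '$name' found in the local domain."
} else {
    $changed = [DateTime]::FromFileTimeUtc([int64]$acct.pwdLastSet)
    $ageDays = [math]::Round(((Get-Date).ToUniversalTime() - $changed).TotalDays, 1)
    [pscustomobject]@{
        TrustAccount  = $name
        PwdLastSetUtc = $changed
        AgeDays       = $ageDays
        Overdue       = ($ageDays -gt $MaxAgeDays)
    }
    if ($ageDays -gt $MaxAgeDays -or ($reach.Reachable -contains $false)) {
        Write-Warning "Trust password is stale or the PDCe ($pdc) is not fully reachable."
    }
}
```

For a two-way trust, run the same check from a DC on each side with `$TrustingDomain` set to the opposite domain.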
