


Posted on 2007-10-19
Medium Priority
Last Modified: 2010-05-27
Can you steer an Active Directory 2-way trust (Windows 2003) so that all trust traffic is handled between only one DC on every side? I have 5 DCs on every side, but I want only one server on each side to handle all trust traffic.

Question by: AkisT
LVL 51

Accepted Solution

Netman66 earned 1000 total points
ID: 20108093
Yes you can.

In fact, trusts between two 2003 Forests must be created between the two Root Servers in each Forest.

If you are simply trying to create Trusts between two sub-domains in two forests then the PDCE for each sub-domain is where you want this created and it will contain the trust traffic - however, domains within each forest have implicit 2-way trusts so you are effectively trusting much more than you expect.

As long as your ACEs are properly configured there is a measure of security there.

LVL 10

Expert Comment

ID: 20108097
You can configure a preferred bridgehead server so that all replication traffic goes through that DC.

LVL 30

Assisted Solution

LauraEHunterMVP earned 1000 total points
ID: 20108098
The trust relationship will be managed by the PDC Emulator on each side of the trust.  That said, it does not prevent clients/servers on either side from contacting an alternate DC in the trusted/trusting domain based on site configuration/availability/etc.  

As a general rule, all DCs in each domain should be treated equally from a standpoint of connectivity: all DCs in DomainA should be able to contact all DCs in DomainB and vice versa.  To filter traffic more granularly than that may create intermittent and/or hard-to-troubleshoot authentication issues for your users.


Author Comment

ID: 20108728
Thx, all
The real problem is that on one side we are routing some NAT networks to another location, and those networks are on 4 of 5 DCs in the other domain. So I want to communicate with only one DC in the other domain, because of the routing problem.
LVL 30

Expert Comment

ID: 20108741
If a computer in DomainA cannot physically connect to a particular DC in DomainB, it will go back to the DNS SRV records to locate another DC.  The problem arises in that this can create long auth times for users/applications, creating the kinds of intermittent issues I mentioned above.

I'm not saying that it won't work, per se, you just need to be aware of the caveats that it creates.
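An added check (example code, not from this thread) that exercises the caveat above: it lists the DCs that the DC locator would discover for the trusted domain through the `_ldap._tcp.dc._msdcs` SRV record and tests LDAP and Kerberos TCP reachability to each one, so DCs sitting behind the unroutable networks show up before users hit slow or intermittent authentication. The domain name is a placeholder and the script assumes Windows PowerShell 4 or later on a member of the trusting domain.

```powershell
# Added example, not from the original thread. Enumerate the DCs the DC locator
# would find for a trusted domain via DNS SRV records, then test LDAP (389) and
# Kerberos (88) TCP reachability to each from this host.
# Assumption: run on a PowerShell 4+ host in the trusting domain; the domain
# name below is a placeholder to replace.
param(
    [string]$TrustedDomain = "domainb.example"
)

# This is the SRV record the locator queries to find DCs for the domain.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$TrustedDomain" -Type SRV -ErrorAction Stop

$results = foreach ($rec in $srv | Where-Object { $_.Type -eq 'SRV' }) {
    $dc   = $rec.NameTarget
    $ldap = Test-NetConnection -ComputerName $dc -Port 389 -WarningAction SilentlyContinue
    $krb  = Test-NetConnection -ComputerName $dc -Port 88  -WarningAction SilentlyContinue
    [pscustomobject]@{
        DC       = $dc
        Priority = $rec.Priority
        Weight   = $rec.Weight
        LDAP389  = $ldap.TcpTestSucceeded
        Kerb88   = $krb.TcpTestSucceeded
    }
}

$results | Format-Table -AutoSize

# A DC that is advertised in DNS but fails the TCP tests is one the locator may
# still hand to clients, which is the source of the slow authentication above.
$unreachable = $results | Where-Object { -not ($_.LDAP389 -and $_.Kerb88) }
if ($unreachable) {
    Write-Warning ("{0} of {1} DCs for {2} are unreachable from this host: {3}" -f `
        $unreachable.Count, $results.Count, $TrustedDomain, ($unreachable.DC -join ', '))
}
```

Run it from a few hosts on the trusting side (one per site) to see which DCs of the trusted domain are actually reachable from each.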

Author Comment

ID: 20110117
Maybe this is the solution: http://support.microsoft.com/kb/916474
