Ravi Matharu
asked on
UPN Suffix Routing - One Way Trust
Hi,
I am in the process of changing user UPNs to their primary SMTP attribute but have encountered a UPN Suffix routing issue on one of the forests. Details are:
Forest A:
DNS - ResourceA.Internal
Name Suffix Routing:
AccountB.Internal - *accountB.internal
AccountB.Internal - *accountB.com
AccountC.Internal - *accountC.internal
AccountC.Internal - *accountC.com
Forest B
DNS - AccountB.Internal
Alt UPN Suffix - AccountB.com
Forest C
DNS - AccountC.local
Alt UPN Suffix - AccountC.com
Trust Relationships
ResourceA.Internal <==> AccountB.Internal (Two-way - Forest - Transitive)
ResourceA.Internal ==> AccountC.Internal (One-way - Forest - Transitive)
ResourceA.Internal contains Mailboxes with disabled accounts and Servers
AccountB.Internal and AccountC.Internal contain user accounts linked to Mailboxes in ResourceA.Internal
AccountB.Internal behaviour:
I am able to access Mailboxes (via OWA) and RDP to servers with Domain\User and UPN.
AccountC.Internal behaviour:
I am able to access Mailboxes (via OWA) and RDP to servers with Domain\User only, not UPN.
I have checked firewall ports and the following are open:
135/TCP RPC Endpoint Mapper
464/TCP/UDP Kerberos password change
49152-65535/TCP RPC for LSA, SAM, Netlogon (*)
389/TCP/UDP LDAP
636/TCP LDAP SSL
3268/TCP LDAP GC
3269/TCP LDAP GC SSL
53/TCP/UDP DNS
49152-65535/TCP FRS RPC (*)
88/TCP/UDP Kerberos
445/TCP SMB (**)
49152-65535/TCP DFSR RPC (*)
How can I confirm DNS is working?
Any ideas what I can check next?
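The following PowerShell script is an added diagnostic for the two questions above (confirming DNS and finding what to check next); it is not from the original thread. It assumes RSAT (the ActiveDirectory and DnsClient modules) on a machine joined to ResourceA.Internal, and uses the forest names and UPN suffixes exactly as listed in the question.

```powershell
# Added example, not from the thread. Forest names are the asker's; run from a
# host joined to ResourceA.Internal with RSAT installed.
$ResourceForest = 'ResourceA.Internal'
$AccountForests = @('AccountB.Internal', 'AccountC.Internal')

# 1. DNS: the trusting forest must be able to locate DCs and GCs of each trusted
#    forest via the _msdcs SRV records, otherwise cross-forest Kerberos/LDAP
#    referrals fail even when the firewall ports are open.
foreach ($f in $AccountForests) {
    foreach ($svc in '_ldap._tcp.dc._msdcs', '_kerberos._tcp.dc._msdcs', '_ldap._tcp.gc._msdcs') {
        $name = "$svc.$f"
        try {
            $srv = Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'SRV' }
            $targets = ($srv.NameTarget | Select-Object -Unique) -join ', '
            '{0,-45} OK   -> {1}' -f $name, $targets
        } catch {
            '{0,-45} FAIL -> {1}' -f $name, $_.Exception.Message
        }
    }
}

# 2. Trust inventory as seen from the resource forest: direction and
#    transitivity should match the table in the question (two-way to B,
#    one-way to C).
Get-ADTrust -Filter * -Server $ResourceForest |
    Select-Object Name, Direction, ForestTransitive, TrustType |
    Format-Table -AutoSize

# 3. Name-suffix routing as recorded on the trusting side. A suffix such as
#    accountC.com that is missing, disabled or marked as conflicting here is
#    not routed, so UPN logon with it fails while DOMAIN\user still works.
foreach ($f in $AccountForests) {
    netdom trust $ResourceForest /domain:$f /namesuffixes:$f
}

# 4. The suffix must also be published in the trusted forest itself. With a
#    one-way trust a ResourceA account cannot authenticate to AccountC, so
#    supply AccountC credentials (or run this part from Forest C).
$cred = Get-Credential -Message 'AccountC.Internal credentials'
(Get-ADForest -Server 'AccountC.Internal' -Credential $cred).UPNSuffixes

# 5. Confirm the user you are testing with actually carries the routed suffix
#    (the UPN typed at logon must equal the userPrincipalName attribute).
Get-ADUser -Server 'AccountC.Internal' -Credential $cred `
    -Filter 'UserPrincipalName -like "*@accountC.com"' |
    Select-Object SamAccountName, UserPrincipalName
```

If step 1 fails for AccountC.Internal, fix conditional forwarders or stub zones before looking at routing; if step 3 shows the suffix as missing or disabled, validate the trust in Active Directory Domains and Trusts and choose to update the name suffixes.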
Check in Forest C, under Domains and Trusts, whether name suffix routing is enabled on the one-way trust.
ASKER
Hi Mahesh,
Thanks for getting back to me
Forest C has the following Name Suffix Routing:
ResourceA.Internal (Incoming Trust) - *resourceA.internal
AccountB.Internal (Incoming Trust) - *accountB.internal
AccountB.Internal (Incoming Trust) - *accountB.com
Does the UPN entered during resource access match the UPN in the actual user properties?
ASKER CERTIFIED SOLUTION
ASKER
Thanks for your help