From: AJ on
Hi Guys

I have a trust linking two forests together (Windows 2003 and Windows
2008R2). I want the trust to only ever create its secure channel with
two specific domain controllers in one of the forests, so if one fails
the other DC is used as the endpoint. Basically we want to limit the
machines that one of the forests communicates with for authentication
requests. I know you can reset the secure channel using NLTEST etc but
we need to be able to restrict the trust from jumping to other DCs in
the forest, how can we do this? I don't think creating an additional
site in the forest and installing the domain controllers we want to
handle the auth requests would help, because I don't believe trusts are
site aware and it would ignore the site boundary. Is this possible?

TIA
AJ
From: Ace Fekay [MVP-DS, MCT] on
"AJ" <andyjones99(a)hotmail.co.uk> wrote in message news:07b80851-4440-4556-977f-150fa7b0cda2(a)i25g2000yqm.googlegroups.com...
> Hi Guys
>
> I have a trust linking two forests together (Windows 2003 and Windows
> 2008R2). I want the trust to only ever create its secure channel with
> two specific domain controllers in one of the forests, so if one fails
> the other DC is used as the endpoint. Basically we want to limit the
> machines that one of the forests communicates with for authentication
> requests. I know you can reset the secure channel using NLTEST etc but
> we need to be able to restrict the trust from jumping to other DCs in
> the forest, how can we do this? I don't think creating an additional
> site in the forest and installing the domain controllers we want to
> handle the auth requests would help, because I don't believe trusts are
> site aware and it would ignore the site boundary. Is this possible?
>
> TIA
> AJ


Actually, the trusts' endpoints are the PDC Emulators. Is there any reason you are trying to do it this way in your scenario? Are there any communications restrictions?

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among responding engineers, and to help others benefit from your resolution.

Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services

If you feel this is an urgent issue and require immediate assistance, please contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.