If you have two domains and forests, Domain + Forest A and Domain + Forest B, and you are making a one-way trust so that Domain + Forest B will implicitly trust A, is there a way to make sure all the trust-related traffic goes through only ONE preselected DC in Domain B from the DCs with A?
All the domains and forests are at Windows Server 2003 functional level. Upgrading B is an option.
Totally stumped. Update the root hints maybe? Having this restriction will make certain routing issues (avoiding setting up more IPSEC tunnels) MUCH easier with regard to trust traffic encryption.
Answer
You'd do this by ensuring name resolution queries by Domain A for DomainB return just the DC of interest. If you are forwarding DNS traffic to DomainB for DomainB queries, that means getting DCs of DomainB not to register certain records by using DNS mnemonics ( http://support.microsoft.com/kb/267855 ). Probably not what you want.
An alternative is to host your own version of the DNS zone(s) for Domain B on the domainA side with just the detail required. So when _kerberos._tcp.dc._msdcs.domainb.com or _ldap._tcp.dc._msdcs.domainb.com type queries are issued, these queries return just the DC of interest.
I also take it you are not concerned with single point of failure of choosing one domainb dc.
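One way to build that Domain-A-side zone with dnscmd, as an added example that is not part of the answer above. The names domainb.com, dc1.domainb.com, 10.20.0.10 and the local DNS server are assumptions, and the record set beyond the two SRV names in the answer (pdc, gc, the plain _ldap/_kerberos records and the host A records) is an assumption about which locator records a trusting DC queries.

```powershell
# Added example, not from the original post. Assumed: Domain B is "domainb.com",
# the preselected DC is dc1.domainb.com at 10.20.0.10, and this runs on a DNS
# server in Domain A that answers Domain A's queries for domainb.com.
$zone      = 'domainb.com'
$dcName    = 'dc1.domainb.com.'
$dcIp      = '10.20.0.10'
$dnsServer = 'localhost'

# 1. A primary zone for domainb.com that lives only on the Domain A side.
#    Nothing replicates into it from Domain B, so it holds only what we add.
dnscmd $dnsServer /ZoneAdd $zone /Primary /file "$zone.dns"

# 2. DC-locator SRV records, each pointed at the chosen DC only
#    (priority 0, weight 100). The pdc/gc entries are assumed to be needed
#    for trust password changes and forest-trust lookups respectively.
$srvRecords = @(
    @{ Name = '_ldap._tcp.dc._msdcs';     Port = 389  },
    @{ Name = '_kerberos._tcp.dc._msdcs'; Port = 88   },
    @{ Name = '_ldap._tcp.pdc._msdcs';    Port = 389  },
    @{ Name = '_ldap._tcp.gc._msdcs';     Port = 3268 },
    @{ Name = '_ldap._tcp';               Port = 389  },
    @{ Name = '_kerberos._tcp';           Port = 88   }
)
foreach ($rr in $srvRecords) {
    dnscmd $dnsServer /RecordAdd $zone $rr.Name SRV 0 100 $rr.Port $dcName
}

# 3. Host records so the SRV target and the bare domain name resolve to that DC.
dnscmd $dnsServer /RecordAdd $zone '@'   A $dcIp
dnscmd $dnsServer /RecordAdd $zone 'dc1' A $dcIp

# 4. Check: every locator query must return exactly one target, the chosen DC.
foreach ($rr in $srvRecords) {
    $name    = "$($rr.Name).$zone"
    $targets = @(nslookup -type=SRV $name $dnsServer 2>$null | Select-String 'svr hostname')
    if ($targets.Count -ne 1 -or $targets[0] -notmatch [regex]::Escape($dcName.TrimEnd('.'))) {
        Write-Warning "$name does not resolve to only $dcName : $($targets -join '; ')"
    }
}
```

Any Domain B record that replicates in from elsewhere (for example via a conditional forwarder left in place) would reintroduce the other DCs, so the check in step 4 is worth rerunning after DNS changes on the Domain A side.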