November 13, 2006 12:00 AM

Using NetDOM to Control Name Suffix Routing in a Cross-Forest Trust

Windows IT Pro
InstantDoc ID #94028

I support a large Windows Server 2003 Active Directory (AD) forest that contains several forest trusts that in turn contain other large forests. Can I use a script to control (enable and disable) the routing of name suffixes across my large forest?
Before answering this question, I think it's useful to explain this somewhat obscure Active Directory forest trust setting and point you to references for more information. When a user from an account domain (a domain in the trusted forest) attempts to authenticate to a resource in the trusting forest, a domain controller in the resource domain looks at the name suffix of the logon name and uses the forest trust's name suffix routing information to decide which trusted forest the authentication request is forwarded to. If routing for that suffix is disabled, the request isn't forwarded and the authentication fails. You can disable or enable this routing graphically from Active Directory Domains and Trusts, from the command line by using the NetDOM utility (a Windows Support Tool), or programmatically by using the new System.DirectoryServices.ActiveDirectory namespace in the .NET Framework 2.0. To see how this functionality works, consider the two name forms used for user account authentication: a domain DNS name (e.g., corp.adatum.com) and a domain NetBIOS name (e.g., CORP).

Assuming both name examples I provide represent a domain named corp.adatum.com in the adatum.com forest and a user account named john.doe exists in corp.adatum.com, then john.doe can log on to the local account domain with either of the following names: john.doe@corp.adatum.com or CORP\john.doe.

If the fabrikam.com forest trusts the adatum.com forest and john.doe has been given access to a folder on a resource server in the fabrikam.com domain, then john.doe in the corp.adatum.com domain can authenticate across the forest trust and access the folder in the fabrikam.com domain.

To block all users in corp.adatum.com (including john.doe) from authenticating to any resource in the fabrikam.com domain, an enterprise administrator in the fabrikam.com forest can disable routing of the corp.adatum.com name suffix on the fabrikam.com side of the forest trust. Because trust relationships are confusing enough, here's a generalized explanation of the pattern:

  1. Forest x trusts forest y. Thus, domains in forest x are resource domains and domains in forest y are account domains.
  2. A user account in forest y is assigned access to a resource in forest x.
  3. The user account in forest y can authenticate across the forest trust to access the resource in forest x.
  4. From forest x (the trusting forest), disable name suffix routing for the domain in forest y that contains the user account.
  5. The user account in forest y can no longer authenticate across the forest trust to access the resource in forest x.

Later in this answer, I describe two ways to complete this name-suffix exclusion task, one graphically and the other from the command line. If you want to know how to perform this task from managed code, see my Microsoft white paper "A Developer's Introduction to System.DirectoryServices.ActiveDirectory." As of this writing it hasn't yet been published. However, it should be published around the same time as this article. In addition, you can learn more about name suffix routing by reading Jan De Clercq's Windows IT Security article "Windows 2003 Forest Trusts" (http://www.windowsitpro.com, InstantDoc ID 38436) and the Microsoft article "Accessing Resources Across Forests" at http://technet2.microsoft.com/WindowsServer/f/?en/library/517b4fa4-5266-419c-9791-6fb56fabb85e1033.mspx. You can also refer to the topic "Routing name suffixes across a forest" in the Windows Server 2003 Active Directory Help documentation.

Now that you're more familiar with name suffix routing, let's talk about how to configure this setting from the command line. You can use the Netdom command-line tool to enable or disable routing of a forest name suffix, add or remove top-level name exclusions, or toggle routing of a specific name suffix. For a variety of examples using the Netdom command line, see the Microsoft article "Netdom Examples" at http://technet2.microsoft.com/WindowsServer/en/library/539c5381-db4f-445f-aac0-2df5448181c11033.mspx?mfr=true.

By using the Netdom command-line tool, you can list and manage the name suffixes allowed for cross-forest authentication. For example, to see the status of all name suffixes routed from the fabrikam.com forest to the adatum.com forest, type:

netdom trust fabrikam.com /namesuffixes:adatum.com

Note that you should list name suffixes from the forest that contains the resource domains (fabrikam.com in this example), because you control name-suffix routing from the outgoing side of a forest trust, that is, from the trusting forest.

If you created a cross-forest trust between fabrikam.com and adatum.com, and adatum.com also contained a child domain named corp.adatum.com, then you would see return results similar to those in Table 1. I put the results in table format to make it easier to delineate one column from the next. Obviously, SID values will differ from one AD implementation to the next.
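The generalized five-step pattern above and the netdom listing both come down to reading and editing the forest trust information stored on the trusting side of the trust. The following PowerShell script is an added example, not code from the original article or from Microsoft: it answers the reader's scripting question with the System.DirectoryServices.ActiveDirectory namespace mentioned earlier rather than by parsing netdom output, so it can be run unattended and checked for the state it leaves behind. It assumes it runs in the fabrikam.com forest (the trusting forest) under an Enterprise Admins account, that adatum.com is the trusted forest, and that corp.adatum.com is the account domain to block or re-allow; all three names are parameters. The mapping of the GUI "Disable" action on a domain suffix to the SidAdminDisabled status is an assumption noted in the code.

```powershell
# Added example (not from the article): list and change name-suffix routing on the
# trusting (outgoing) side of a forest trust via System.DirectoryServices.ActiveDirectory.
# Assumed names: runs in fabrikam.com (trusting forest) as an Enterprise Admin;
# adatum.com is the trusted forest; corp.adatum.com is the account domain to block/allow.
param(
    [string]$TrustedForest = "adatum.com",
    [string]$DomainDnsName = "corp.adatum.com",
    [ValidateSet("List", "Set")]
    [string]$Action = "List",
    # Enabled re-allows routing. SidAdminDisabled blocks routing of the domain's DNS name
    # (assumed to be what the GUI "Disable" on a domain suffix sets); NetBiosNameAdminDisabled
    # blocks the CORP\user form. The Status property accepts one value at a time.
    [ValidateSet("Enabled", "SidAdminDisabled", "NetBiosNameAdminDisabled")]
    [string]$Status = "SidAdminDisabled"
)

[void][System.Reflection.Assembly]::LoadWithPartialName("System.DirectoryServices")

$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
# Throws ActiveDirectoryObjectNotFoundException if the local forest has no trust to $TrustedForest.
$trust = $forest.GetTrustRelationship($TrustedForest)

# Name-suffix routing lives on the outgoing side of the trust: the local forest must trust
# $TrustedForest (Outbound or Bidirectional). An inbound-only trust has nothing to route.
if ($trust.TrustDirection -eq [System.DirectoryServices.ActiveDirectory.TrustDirection]::Inbound) {
    throw "$($forest.Name) does not trust $TrustedForest (inbound only); run this from the trusting forest."
}

"Trust {0} -> {1}: {2}, {3}" -f $trust.SourceName, $trust.TargetName, $trust.TrustType, $trust.TrustDirection
"Top-level names:"
foreach ($tln in $trust.TopLevelNames) { "  {0,-30} {1}" -f $tln.Name, $tln.Status }
"Excluded top-level names:"
foreach ($ex in $trust.ExcludedTopLevelNames) { "  $ex" }
"Domains in $TrustedForest (DNS name, NetBIOS name, SID, status):"
foreach ($d in $trust.TrustedDomainInformation) {
    "  {0,-25} {1,-12} {2,-45} {3}" -f $d.DnsName, $d.NetBiosName, $d.DomainSid, $d.Status
}
if ($Action -eq "List") { return }

# Locate the account domain whose routing is to be changed.
$target = $null
foreach ($d in $trust.TrustedDomainInformation) {
    if ($d.DnsName -ieq $DomainDnsName) { $target = $d }
}
if ($target -eq $null) { throw "$DomainDnsName is not a domain of the $TrustedForest forest." }

$desired = [System.DirectoryServices.ActiveDirectory.ForestTrustDomainStatus]$Status
if ($target.Status -eq $desired) {
    "$DomainDnsName is already $Status; nothing to do."
    return
}
"$DomainDnsName : $($target.Status) -> $Status"
$target.Status = $desired
# Save() writes the modified forest trust information to the trust object in the local
# (trusting) forest; the trusted forest is not contacted and does not have to agree.
$trust.Save()
```

Run it with no arguments (or -Action List) first to see the same routing table that netdom /namesuffixes prints; then, for example, .\Set-SuffixRouting.ps1 -Action Set -Status SidAdminDisabled (a hypothetical file name) carries out step 4 of the pattern for corp.adatum.com, and -Status Enabled reverses it. Because the change is only written to the trusting forest, running the script there is what makes step 5 hold: the account forest has no say in whether its suffixes are routed.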

Comments
  • DENNIS
    Feb 04, 2008

    TRYING TO READ
