How to change two way trust into one way trust in a domain control

Discussion in 'Active Directory' started by Baron Thener, Nov 24, 2008.

  1. Baron Thener

    Baron Thener Guest

    Dear all,
    We have a domain with multiple sites. The current condition is that the site
    trust is set two way. How do we change the trust into one way, since the
    admins are all in the HO?

    We are using Windows Server 2003. In the HO we have three domain
    controllers, and two domain controllers in the other site.
     
    Baron Thener, Nov 24, 2008
    #1

  2. Hello Baron,

    I think you mix the terms a bit. Do you have DOMAIN.COM and OTHERDOMAIN.COM
    with a trust? Or do you have all DCs under DOMAIN.COM just placed on multiple
    sites/locations and configured AD Sites and Services to separate them?

    Best regards

    Meinolf Weber
     
    Meinolf Weber, Nov 24, 2008
    #2

  3. Baron Thener

    Baron Thener Guest

    Dear Weber,
    Thanks for your reply. Sorry, I forgot the detail. We have domain.com and
    anotherdomain.com. This anotherdomain.com has a two way trust to our
    domain.com, and we'd like to change the two way trust into a one way trust.

    Thanks,
    best regards,
    Baron
     
    Baron Thener, Nov 24, 2008
    #3
  4. Hello Baron,

    In AD Domains and Trusts, remove the existing one and create the new one
    for your needs. If you have the account/password for the other domain you
    can do it in one step, otherwise the removal has to be done on both sites.

    Best regards

    Meinolf Weber
     
    Meinolf Weber, Nov 24, 2008
    #4
  5. Baron Thener

    Baron Thener Guest

    Dear Weber,
    Sorry again, after rechecking we only have one domain, for example abc.com,
    but we have multiple domains, for example jktdc01 and bdgdc01. We'd like to
    remove the trust from bdgdc01 toward jktdc01, but jktdc01 still has the
    authority to make changes in bdgdc01.

    I misunderstood the difference between a domain and our DCs.

    Sincerely,
    Baron
     
    Baron Thener, Nov 24, 2008
    #5
  6. Baron,

    Have you checked "Active Directory Domains and Trusts" as well as the
    NETDOM TRUST command from the cmd?
    http://technet.microsoft.com/en-us/library/cc776879.aspx

    cheers,

    Florian
     
    Florian Frommherz [MVP], Nov 24, 2008
    #6
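
Added example (not part of any post in this thread): the remove-and-recreate step from post #4 done with the NETDOM TRUST command from post #6, for the two-domain case described in post #3. The trust direction (anotherdomain.com trusts domain.com, not the reverse) and the account names are assumptions for illustration.

```bat
@echo off
rem Added example: replace a two-way trust with a one-way trust using NETDOM.
rem Assumption: anotherdomain.com is the TRUSTING domain and domain.com is the
rem TRUSTED domain, so domain.com accounts can be granted access to resources
rem in anotherdomain.com, but not the other way round.
rem Account names are placeholders. "*" makes netdom prompt for each password,
rem which keeps credentials out of the script and the command history.
setlocal
set TRUSTING=anotherdomain.com
set TRUSTED=domain.com
set ADMIN_TRUSTING=ANOTHERDOMAIN\trustadmin
set ADMIN_TRUSTED=DOMAIN\trustadmin
set CREDS=/UserO:%ADMIN_TRUSTING% /PasswordO:* /UserD:%ADMIN_TRUSTED% /PasswordD:*

rem 1. Confirm the existing trust is healthy before changing anything.
netdom trust %TRUSTING% /d:%TRUSTED% /verify %CREDS%
if errorlevel 1 goto fail

rem 2. Remove both directions of the existing two-way trust.
netdom trust %TRUSTING% /d:%TRUSTED% /remove /twoway %CREDS%
if errorlevel 1 goto fail

rem 3. Re-create the trust WITHOUT /twoway: only %TRUSTING% trusts %TRUSTED%.
netdom trust %TRUSTING% /d:%TRUSTED% /add %CREDS%
if errorlevel 1 goto fail

rem 4. Verify the new one-way trust from the trusting side.
netdom trust %TRUSTING% /d:%TRUSTED% /verify %CREDS%
if errorlevel 1 goto fail

echo One-way trust in place: %TRUSTING% trusts %TRUSTED%.
goto :eof

:fail
echo A netdom step failed. Check the trust in Active Directory Domains and Trusts.
exit /b 1
```

Supplying credentials for both domains is what lets each step act on both sides at once; without the other domain's account, the removal has to be repeated from that domain as post #4 says.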
  7. Hello Baron,

    All domain controllers in your domain abc.com work together for that domain,
    there is no trust between them. Please describe exactly what you are trying
    to achieve.

    Best regards

    Meinolf Weber
     
    Meinolf Weber, Nov 24, 2008
    #7
  8. Hello Baron,
    All domain controllers replicate with one another, you can't remove this
    connection between the two. It sounds like you are trying to control management
    on the DCs. As Meinolf has already asked, please post exactly what you are
    trying to do.


    --
    Paul Bergson
    MVP - Directory Services
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, 2003, 2000 (Early Achiever), NT4


    http://www.pbbergs.com

    Please no e-mails, any questions should be posted in the NewsGroup. This posting
    is provided "AS IS" with no warranties, and confers no rights.
     
    Paul Bergson [MVP-DS], Nov 24, 2008
    #8
  9. Baron Thener

    Baron Thener Guest

    Dear Paul and Meinolf,
    Thanks for the replies.
    You're both right. I misunderstood my current topology. It seems that we
    only have one domain and all the DCs replicate with one another. The
    current problem is that one of our sites is being merged with another company.
    They still need the DCs for local login, but I don't want them to have access
    over the domain because it is connected to our domain. Sorry for the previous
    postings, since I'm new and don't really know my working environment yet.

    Dear Florian,

    Thanks for the reply, but I think I asked the wrong question, as described
    above. Thanks anyway.
     
    Baron Thener, Nov 25, 2008
    #9
  10. Hello Baron,

    You cannot achieve what you want without restructuring the domain. If the
    new company should not access your own environment, you should migrate the
    users and machines from the site with ADMT to their own environment, so
    the site users/machines are still able to log on, but then over the new company.

    Another option is to physically disconnect the site completely from your network,
    and clean up your domain from the site DCs/accounts/machines/policies etc. Then
    seize the FSMO roles on one site DC and make it DNS/GC before starting. Also
    there you then have to clean up the AD database from all old DCs/accounts/machines/
    policies etc. After that, NEVER connect both domains together, even with
    a trust; I think that will not work.

    So what you are trying to achieve is a more complex task and should be planned/tested
    before starting anything.

    Best regards

    Meinolf Weber
     
    Meinolf Weber, Nov 25, 2008
    #10
  11. Hello Baron,
    You can't log on locally to a DC, they would need administrator credentials.
    If they have administrator access they can do whatever they choose with
    the domain. I'm not clear what is on your domain nor what you are trying
    to set up. If you could define your exact environment and what you are trying
    to accomplish we might be able to guide you, but I just don't understand exactly
    what is going on with what you have right now.


    --
    Paul Bergson
    MVP - Directory Services
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, 2003, 2000 (Early Achiever), NT4


    http://www.pbbergs.com

    Please no e-mails, any questions should be posted in the NewsGroup. This posting
    is provided "AS IS" with no warranties, and confers no rights.
     
    Paul Bergson [MVP-DS], Nov 25, 2008
    #11
  12. Baron Thener

    Jorge Silva Guest

    Hi
    The "Site" is being merged with another company. They'll have another forest
    for that new company? And they still need the current DC to allow the users
    to logon until they have the proper accounts in the new Forest, is this
    correct?

    --
    I hope that the information above helps you.
    Have a Nice day.

    Jorge Silva
    MCSE, MVP Directory Services

    Please no e-mails, any questions should be posted in the NewsGroup
    This posting is provided "AS IS" with no warranties, and confers no rights.
     
    Jorge Silva, Nov 25, 2008
    #12