How to change two way trust into one way trust in a domain control

Dear all,
We have a domain with multiplies sites. the current condition is the site
trust is set two way. how to change the trust into one way regarding all the
admins is all in the HO.

We are using Windows server 2003. in the HO we have three domain
controllers, and two domain controller in the other site

 

Hello Baron,

I think you mix the terms a bit. Do you have DOMAIN.COM and OTHERDOMAIN.COM
with a trust. Or do you have all DC's under DOMAIN.COM placed just on multiplpe
sites/locations and configured AD sites and services to separate them?

Best regards

Meinolf Weber

 

Dear Weber,
Thanks for your reply. sorry I forget the detail. we have domain.com and
anotherdomain.com this anotherdomain.com have two way trust do our
domain.com. and we like to remove the two way trust into one way trust.

Thanks,
best regards,
Baron

 

Hello Baron,

In AD domains and trusts remove the existing one and create a the new one
for your needs. If you have the account/password for the other domain you
can do it in one step, otherwise the removal has to be done on both sites.

Best regards

Meinolf Weber

 

Dear Weber,
Sorry again, after recheckin we only have one domain for example abc.com.
but we have multipy domain example jktdc01 and bdgdc01. we like to remove the
trust from bdgdc01 toward jktdc01. but the jktdc01 still have the authority
to make changes in bdgdc01.

I misunderstand between domain and our DCs

Sincerely,
Baron

 

Baron,

Have you checked "Active Directory Domains and Trusts" as well as the
NETDOM TRUST command from the cmd?
http://technet.microsoft.com/en-us/library/cc776879.aspx

cheers,

Florian

 

Hello Baron,

All domain controllers in your domain abc.com work together for that domain,
there is no trust between them. Please describe exactly what you are trying
to achive.

Best regards

Meinolf Weber

 

Hello Baron,
All domain controllers replicate with one another, you can't remove this
connection between the two. It sounds like you are trying to control management
on the dc's. As Meinolf has already asked please post exactly what you are
trying to do.


--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4


http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This posting
is provided "AS IS" with no warranties, and confers no rights.

 

Dear Paul and Meinolf,
Thanks for the replies.
You're both are right. I misunderstood my current topology. it seem that we
only have one domain and all the dc are replicate with one another. The
current problems is one of our site is been merged with other company. they
still need the DCs for localy login but I dont want them to have access over
the domain because it connected to our domain. sorry for the previous posting
since I'm new and haven't really know my working environment.

Dear Florian,

Thanks for the reply. but I think I ask the wrong question as describe
above. Thanks anyway.

 

Hello Baron,

You can not achive what you like without restructuring the domain. If the
new company should not access your own environment you should migrate the
users and machines from the sites with ADMT to there own environment, so
the site users/machines are still able to logon but then over the new company.

Another option is to disconnect physically the site complete from your network,
cleanup your domain from the site DC's/accounts/machines policies etc. Then
seize the FSMO roles on one site DC make it DNS/GC before starting. Also
there you have then to cleanup AD database from all old DC's/accounts/machines
policies etc. After that do NEVER connect both domains together, even with
a trust, i think that will not work.

So what you are trying to achive is a more complex part and should be planned/tested
before starting anything.

Best regards

Meinolf Weber

 

Hello Baron,
You can't logon locally to a DC, they would need administrator credentials.
If they have administrator access they can do whatever they choose with
the domain. I;m not clear what is on your domain nor what you are trying
to setup. If you could define your exact environment and what you are trying
to accomplish we might be able to guide you but I just don't understand exactly
what is goingon with what you have right now.


--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4


http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This posting
is provided "AS IS" with no warranties, and confers no rights.

 

Hi
The "Site" is being merged with another company. They'll have another forest
for that new company? And they still need the current DC to allow the users
to logon until they have the proper accounts in the new Forest, is this
correct?

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.