Domain A (a Windows 2012 domain) and domain B (a Windows 2008 domain) have a two-way trust; domain B has two DCs (DCB1 and DCB2).
Now DCB1 (the primary DC) is blocked from communicating with the outside, and I only want DCB2 to communicate with domain A to carry the trust. Can this be done?
My understanding is that a trust is a relationship between domains, so as long as each side has one domain controller alive and reachable, it should work. Is that correct? Or must the primary domain controllers be able to communicate with each other for the trust to be maintained?
I also ran the following test:
I blocked network connectivity between DCB1 and domain A and found that the trust then failed (domain A could no longer look up or add accounts from domain B).
Hello,
Please make sure the PDC can communicate, because some trust-related functions are carried out by the PDC.
You can run netdom query fsmo on a DC to determine which one is the PDC.
Here are a few English links that may help your understanding:
How Domain and Forest Trusts Work
https://technet.microsoft.com/en-us/library/cc773178(v=ws.10).aspx
you cannot modify domain or trust information because a pdc emulator cannot be contacted
https://social.technet.microsoft.com/Forums/windowsserver/en-US/2c3e8b27-dcf6-4491-bcd6-562db9d51764/you-cannot-modify-domain-or-trust-information-because-a-pdc-emulator-cannot-be-contacted?forum=winserverDS
Is PDC to PDC communication REQUIRED for the establishment of an active directory external trust
https://social.technet.microsoft.com/Forums/windowsserver/en-US/b7bffafc-2c21-42e2-b8e7-eee56e897618/is-pdc-to-pdc-communciation-required-for-the-establishment-of-an-active-directory-external-trust?forum=winserverDS
Best Regards,
Amy
Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
Thanks Amy,
I later ran the following test as well:
I built a new DC, DCB3, in domain B, which also acts as DNS, pointed domain A's DNS forwarder at DCB3, and then blocked communication between domain A and both DCB1 and DCB2; the trust still held.
The first time, when I blocked network connectivity between DCB1 and domain A and the trust failed, I infer it was because I had also pointed domain A's DNS forwarder at DCB1, so DNS resolution broke and that is why it failed.
So from this I conclude that, as long as DNS resolution works on both sides, a trust only needs one DC alive and mutually reachable on each side, regardless of whether the PDCs can communicate with each other.
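The two findings in this thread (Amy's point that the PDC emulator must be reachable for trust maintenance, and the OP's point that DNS resolution of the trusted domain's DCs is what keeps day-to-day trust lookups working) can be checked from a member of domain A with the PowerShell below. This is an added diagnostic example, not code from the thread or from Microsoft; the domain name is a placeholder, and it assumes Windows 8 / Server 2012 or later for Resolve-DnsName and Test-NetConnection.

```powershell
# Added example: from a machine in domain A, report which DCs of the trusted
# domain B are resolvable and reachable, and whether the PDC emulator is one of them.
$TrustedDomain = 'b.example.local'   # placeholder, replace with domain B's DNS name
$Ports = 88, 389, 445                # Kerberos, LDAP, SMB: what trust traffic needs

function Get-TrustDcStatus {
    param([string]$Domain)

    # Every DC that domain B advertises in DNS (this is what broke in the OP's first test)
    $dcs = Resolve-DnsName -Type SRV -Name "_ldap._tcp.dc._msdcs.$Domain" -ErrorAction Stop |
           Where-Object { $_.Type -eq 'SRV' } |
           Select-Object -ExpandProperty NameTarget -Unique

    # The DC currently holding the PDC emulator role, from its dedicated SRV record
    $pdc = (Resolve-DnsName -Type SRV -Name "_ldap._tcp.pdc._msdcs.$Domain" -ErrorAction Stop |
            Where-Object { $_.Type -eq 'SRV' } | Select-Object -First 1).NameTarget

    foreach ($dc in $dcs) {
        $open = @{}
        foreach ($p in $Ports) {
            $open[$p] = (Test-NetConnection -ComputerName $dc -Port $p `
                            -WarningAction SilentlyContinue).TcpTestSucceeded
        }
        [pscustomobject]@{
            DC        = $dc
            IsPdc     = ($dc -eq $pdc)
            Reachable = -not ($open.Values -contains $false)
            OpenPorts = ($Ports | Where-Object { $open[$_] }) -join ','
        }
    }
}

$status = Get-TrustDcStatus -Domain $TrustedDomain
$status | Format-Table -AutoSize

# Interpretation, following the thread: lookups across the trust need at least one
# reachable DC plus working DNS; changing trust properties additionally needs the PDC.
if (-not ($status | Where-Object Reachable)) {
    Write-Warning "No DC of $TrustedDomain is reachable: the trust will fail"
} elseif (-not ($status | Where-Object { $_.IsPdc -and $_.Reachable })) {
    Write-Warning "PDC emulator of $TrustedDomain is not reachable: trust changes will fail"
}
```

On a DC of domain A, nltest /sc_verify:<domain B> additionally verifies the trust's secure channel end to end.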