Forest Level Trust connectivity requirements

Dan Peters 31 Reputation points
2020-08-12T19:21:31.907+00:00

Hello,

I need to set up a forest level trust between two forests that each have a lot of AD Sites (both are just single domain though). Many of the sites cannot talk directly to each other (but replication works, as every site can talk to at least one other site). Anyway, I was wondering if all the DCs need to be open to the firewall, or if I can get away with only having the PDC emulators from each forest talk to each other. DNS is not a problem, both forests use the same 3rd party DNS appliance. Thanks!

Microsoft Entra

2 answers

  1. Thameur-BOURBITA 32,831 Reputation points
    2020-08-13T22:00:29.763+00:00

    Hi,

    If there are some sites unable to talk directly to each other, in this case you should prevent the domain controllers in those sites from registering their generic DNS records.

    If you have a site able to talk with all sites (hub site), you should allow its domain controllers to register generic DNS records.

    You can refer to the following link to get more details on how you can prevent domain controllers in branch sites from registering their generic DNS records.

    https://www.itprotoday.com/compute-engines/how-can-i-prevent-my-branch-office-domain-controllers-dcs-registering-generic-dns

    Don't forget to mark this reply as answer if it helps you to fix your issue.

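As an added example (not code from the thread or the linked article): a PowerShell script that applies the "hub site only" approach from the reply above on a branch-site DC using the Netlogon DnsAvoidRegisterRecords registry value, which is the same setting the GPO "DC Locator DNS records not registered by the DCs" controls. The function names and the $NetlogonKey variable are my own; the mnemonic list is the standard Netlogon set for the generic (non-site-specific) records.

```powershell
# Added example: stop a branch-site DC from registering the generic DC Locator
# records, so that lookups of _ldap._tcp.<domain> and friends (including those
# made by the trust partner) only return hub-site DCs reachable through the
# firewall. The *AtSite records are left alone so the DC still serves its site.
# Run elevated on the branch DC.

$NetlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Mnemonics of the generic records to withhold (Netlogon's standard names).
$GenericRecordMnemonics = @(
    'LdapIpAddress',   # <domain>                          A
    'Ldap',            # _ldap._tcp.<domain>               SRV
    'Gc',              # _ldap._tcp.gc._msdcs.<forest>     SRV
    'GcIpAddress',     # gc._msdcs.<forest>                A
    'Kdc',             # _kerberos._tcp.dc._msdcs.<domain> SRV
    'Dc',              # _ldap._tcp.dc._msdcs.<domain>     SRV
    'Rfc1510Kdc',      # _kerberos._tcp.<domain>           SRV
    'Rfc1510Kpwd',     # _kpasswd._tcp.<domain>            SRV
    'Rfc1510UdpKdc',   # _kerberos._udp.<domain>           SRV
    'Rfc1510UdpKpwd',  # _kpasswd._udp.<domain>            SRV
    'GenericGc'        # _gc._tcp.<forest>                 SRV
)

function Set-DcGenericRecordExclusion {
    param([string[]]$Mnemonics = $GenericRecordMnemonics)
    # REG_MULTI_SZ value; -Force overwrites an existing list.
    New-ItemProperty -Path $NetlogonKey -Name 'DnsAvoidRegisterRecords' `
        -PropertyType MultiString -Value $Mnemonics -Force | Out-Null
    # Netlogon deregisters its records on stop and re-registers only the
    # non-excluded ones on start.
    Restart-Service -Name Netlogon
}

function Test-DcGenericRecordExclusion {
    # $true when the domain-wide _ldap SRV record no longer lists this DC.
    # Assumes the ActiveDirectory module (present on a DC) and that the
    # DNS appliance honours dynamic updates from the DC.
    $domain  = (Get-ADDomain).DNSRoot
    $self    = "$env:COMPUTERNAME.$domain"
    $targets = (Resolve-DnsName -Name "_ldap._tcp.$domain" -Type SRV).NameTarget
    return ($targets -notcontains $self)
}

Set-DcGenericRecordExclusion
Test-DcGenericRecordExclusion
```

The check can report $false for a short while after the restart because of DNS caching; clear the local resolver cache or query the appliance directly before concluding the exclusion did not apply.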

  2. James Hamil 24,311 Reputation points Microsoft Employee
    2020-08-31T19:11:15.173+00:00

    Hi, are there any updates with this case? If not, please select the appropriate response as "Answered." Otherwise please let us know how we can assist you.

