Exclude Name Suffixes from Routing to a Local Forest
Applies To: Windows Server 2008
You can use Active Directory Domains and Trusts to exclude name suffixes from routing to a local forest.
Name suffix routing is a mechanism that you can use to manage how authentication requests are routed across Windows Server 2008 forests that are joined by forest trusts. To simplify the administration of authentication requests, all unique name suffixes are routed by default when you create a forest trust. A unique name suffix is a name suffix within a forest, such as a user principal name (UPN) suffix, service principal name (SPN) suffix, or Domain Name System (DNS) forest or domain tree name, that is not subordinate to any other name suffix. Excluding a DNS name that is subordinate to a routed unique name suffix stops authentication requests for names under it from being forwarded across the trust, while the rest of that unique name suffix continues to be routed.
Membership in Domain Admins or Enterprise Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).
To exclude name suffixes from routing to a local forest
Open Active Directory Domains and Trusts. To open Active Directory Domains and Trusts, click Start, click Administrative Tools, and then click Active Directory Domains and Trusts.
In the console tree, right-click the domain node for the domain that you want to administer, and then click Properties.
On the Trusts tab, under either Domains trusted by this domain (outgoing trusts) or Domains that trust this domain (incoming trusts), click the forest trust that you want to administer, and then click Properties.
Click the Name Suffix Routing tab. Under Name suffixes in the x.x forest, click the unique name suffix under which the name that you want to exclude falls, and then click Edit.
In Name suffixes to exclude from routing to x.x, click Add, type a DNS name suffix that is subordinate to the unique name suffix, and then click OK.
Additional considerations
To perform this procedure, you must be a member of the Domain Admins group or Enterprise Admins group in Active Directory Domain Services (AD DS), or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, search for "using run as" in Help and Support.
When you exclude a name suffix, all children of that DNS name will also be excluded.
On the Name Suffix Routing tab, click Save As to save a log of the name suffixes, DNS names, NetBIOS names, and the routing status associated with this trust. This log can help you troubleshoot authentication problems.
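The procedure above, together with the routing log described in the previous consideration, can be scripted instead of clicked through. The following is an added example written for this page; it is not code from the original page or from Microsoft. It uses the System.DirectoryServices.ActiveDirectory classes that PowerShell loads by default: Forest.GetTrustRelationship returns the same forest trust information that the Name Suffix Routing tab edits, and ExcludedTopLevelNames plus Save() perform the Add and OK steps. The forest name fabrikam.com, the suffix lab.fabrikam.com, the -Commit switch, and the helper function names are assumptions chosen for the example. As the page states, the account running it must be a member of Domain Admins or Enterprise Admins, or the Save() call fails.

```powershell
# Added example (not from the original page or from Microsoft).
# Excludes a subordinate DNS name suffix from routing across a forest trust,
# with the two checks the dialog enforces: the name must sit under a routed
# unique name suffix, and it must not already be covered by an exclusion
# (children of an excluded name are excluded too).
param(
    [string]$TrustedForest   = "fabrikam.com",      # assumed: forest on the other side of the trust
    [string]$SuffixToExclude = "lab.fabrikam.com",  # assumed: subordinate suffix to exclude
    [switch]$Commit                                 # without -Commit, only report
)

function Show-SuffixRouting($info) {
    # Same information that Save As on the Name Suffix Routing tab writes to a log.
    "Trust: $($info.SourceName) -> $($info.TargetName) ($($info.TrustDirection))"
    "Unique name suffixes in the $($info.TargetName) forest:"
    foreach ($tln in $info.TopLevelNames) {
        "  {0,-40} {1}" -f $tln.Name, $tln.Status
    }
    "Name suffixes excluded from routing to $($info.TargetName):"
    foreach ($x in $info.ExcludedTopLevelNames) { "  $x" }
    "Domains in the $($info.TargetName) forest:"
    foreach ($d in $info.TrustedDomainInformation) {
        "  {0,-40} {1,-16} {2}" -f $d.DnsName, $d.NetBiosName, $d.Status
    }
}

function Get-ParentUniqueSuffix([string]$suffix, $info) {
    # The dialog only accepts a DNS name that is subordinate to a unique name
    # suffix of the trusted forest; return that suffix, or $null if none matches.
    foreach ($tln in $info.TopLevelNames) {
        if ($suffix.ToLower().EndsWith("." + $tln.Name.ToLower())) { return $tln.Name }
    }
    return $null
}

function Test-AlreadyExcluded([string]$suffix, $info) {
    # An exclusion for lab.fabrikam.com already covers dev.lab.fabrikam.com,
    # because all children of an excluded DNS name are excluded as well.
    $s = $suffix.ToLower()
    foreach ($x in $info.ExcludedTopLevelNames) {
        $e = $x.ToLower()
        if ($s -eq $e -or $s.EndsWith("." + $e)) { return $true }
    }
    return $false
}

$localForest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
# Throws if $TrustedForest is not joined to the local forest by a forest trust.
$trust = $localForest.GetTrustRelationship($TrustedForest)

"Before:"
Show-SuffixRouting $trust

$parent = Get-ParentUniqueSuffix $SuffixToExclude $trust
if (-not $parent) {
    throw "$SuffixToExclude is not subordinate to any unique name suffix of $TrustedForest"
}
if (Test-AlreadyExcluded $SuffixToExclude $trust) {
    "$SuffixToExclude is already covered by an existing exclusion; nothing to do."
    return
}
if (-not $Commit) {
    "Would exclude $SuffixToExclude (under $parent). Re-run with -Commit to apply."
    return
}

# Equivalent of Add + OK in the dialog: record the exclusion and write it to
# the trusted domain object.
[void]$trust.ExcludedTopLevelNames.Add($SuffixToExclude)
$trust.Save()

"After:"
Show-SuffixRouting $localForest.GetTrustRelationship($TrustedForest)
```

Run it first without -Commit to see the current routing state and the check results, then with -Commit from a PowerShell session started with an account in the required group. To reverse an exclusion, call ExcludedTopLevelNames.Remove on the same object and Save() again, which is what removing the entry from the dialog does.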