You can use the Active Directory Domains and Trusts snap-in to modify the routing of the existing name suffixes.
Name suffix routing is a mechanism that you can use to manage how authentication requests are routed across Windows Server 2008 or Windows Server 2008 R2 forests that are joined by forest trusts. To simplify the administration of authentication requests, when you create a forest trust all unique name suffixes are routed by default. A unique name suffix is a name suffix within a forest, such as a user principal name (UPN) suffix, service principal name (SPN) suffix, or Domain Name System (DNS) forest or domain tree name that is not subordinate to any other name suffix.
Membership in Domain Admins or Enterprise Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To enable or disable an existing name suffix from routing
- Open Active Directory Domains and Trusts. To open Active Directory Domains and Trusts, click Start, click Administrative Tools, and then click Active Directory Domains and Trusts.
- In the console tree, right-click the domain node for the domain that you want to administer, and then click Properties.
- On the Trusts tab, under either Domains trusted by this domain (outgoing trusts) or Domains that trust this domain (incoming trusts), click the forest trust that you want to administer, and then click Properties.
- Click the Name Suffix Routing tab, and under Name suffixes in the x.x. forest, do one of the following:
  - To enable a name suffix, click the suffix that you want to enable, and then click Enable. If the Enable button appears dimmed, the name suffix is already enabled.
  - To disable a name suffix, click the suffix that you want to disable, and then click Disable. If the Disable button appears dimmed, the name suffix is already disabled.
Additional considerations
- To perform this procedure, you must be a member of the Domain Admins group or Enterprise Admins group in Active Directory Domain Services (AD DS), or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, search for "using run as" in Help and Support.
- When you disable a name suffix, all children of that DNS name will also be disabled.
- You cannot enable a name suffix that is in conflict. If the conflict is with a local UPN name suffix, you must remove the local UPN name suffix before you can enable the routing name. If the conflict is with a name that is claimed by another trust partner, you must disable the name in the other trust before it can be enabled for this trust.
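
The routing state shown on the Name Suffix Routing tab can also be reviewed and changed from PowerShell. The script below is an added example, not part of the original procedure: it uses the .NET System.DirectoryServices.ActiveDirectory classes, the function names are hypothetical, and partner.example is a placeholder for the trust partner's forest name.

```powershell
# Added example (not from the original page). Run on a domain-joined host
# with the same rights the procedure requires (Domain Admins / Enterprise Admins).

function Get-ForestTrust {
    param([string]$TrustedForest)   # DNS name of the forest on the other side of the trust
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $forest.GetTrustRelationship($TrustedForest)
}

# List every name suffix on the trust with its routing status.
# Status is one of: Enabled, NewlyCreated, AdminDisabled, ConflictDisabled.
function Get-NameSuffixRouting {
    param([string]$TrustedForest)
    $trust = Get-ForestTrust $TrustedForest
    foreach ($tln in $trust.TopLevelNames) {
        New-Object PSObject -Property @{
            Trust  = $trust.TargetName
            Suffix = $tln.Name
            Status = $tln.Status
        }
    }
}

# Enable a suffix, or disable it with -Disable, and write the change back.
function Set-NameSuffixRouting {
    param([string]$TrustedForest, [string]$Suffix, [switch]$Disable)
    $status = [System.DirectoryServices.ActiveDirectory.TopLevelNameStatus]
    $trust  = Get-ForestTrust $TrustedForest
    $tln    = $trust.TopLevelNames | Where-Object { $_.Name -eq $Suffix }
    if (-not $tln) { throw "Suffix '$Suffix' is not listed on the trust with '$TrustedForest'." }

    if ($Disable) {
        $tln.Status = $status::AdminDisabled
    } elseif ($tln.Status -eq $status::ConflictDisabled) {
        # Matches the consideration above: a conflicting suffix cannot simply be enabled.
        throw "Suffix '$Suffix' is in conflict; resolve the conflict before enabling it."
    } else {
        $tln.Status = $status::Enabled
    }
    $trust.Save()   # commit the updated routing information to the trust
}

# Usage (placeholder names):
#   Get-NameSuffixRouting -TrustedForest partner.example | Format-Table Trust, Suffix, Status
#   Set-NameSuffixRouting -TrustedForest partner.example -Suffix partner.example -Disable
```

Running Get-NameSuffixRouting before and after a change gives a record of which suffixes are routed across the trust.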