Q: What can I do with the Windows Server 2003 name suffix routing forest trust relationship property? How can I leverage name suffix routing to control access to my Active Directory (AD) forest’s resources for foreign users that are defined in another forest? Can you also explain where and how I can configure name suffix routing?

A: Windows 2003 supports several ways to restrict a trust relationship between two Windows AD forests, including SID filtering, selective authentication, and name suffix routing. Name suffix routing is also referred to as top-level name restrictions. SID filtering and selective authentication can be applied to both external and forest trust relationships. Name suffix routing can be applied only to a forest trust type.

A forest trust relationship is a new trust type that was introduced in Windows 2003. Windows 2003 forest trust relationships allow administrators to securely federate two AD forests using a single trust relationship that's set up between the root domains of the two forests. A forest trust relationship can provide a seamless, AD object browsing, user authentication and access control experience between different forests. In Windows 2000, multiple external trust relationships are required between the different domains in the two forests to obtain the same level of functionality.

Windows 2003 uses name suffix routing to provide name resolution between forests that are linked together using a forest trust. Name resolution is needed to route cross-forest authentication and object query requests. The Windows 2003 cross-forest routing mechanism is rooted on a list of DNS domain suffixes that is stored in the AD Trusted Domain Object (TDO) of the root domain of a forest. The suffixes can be disabled, enabled, or excluded to modify the cross-forest routing behavior. I explain how to do this later. As the name suffix routing feature is available only for forest trusts, it requires the forest to run at Windows 2003 Forest Functional Level.

In the example that Figure 1 shows, a one-way forest trust has been defined between the cpqtest.net and the hewlettpackardtest.net Windows forests. The hewlettpackardtest.net domain is the root domain of the forest with the same name. The hewlettpackardtest.net forest is made up of a second domain tree called hp.com. In this scenario cpqtest.net is the trusting domain containing the resources and hewlettpackardtest.net is the trusted domain containing the users. The administrator in the cpqtest.net domain decides that he or she doesn’t want to trust the authentication requests or object query requests that are coming in from accounts in the hp.com domain. To do so, he or she can disable the “hp.com” namespace in the msDS-TrustForestTrustInfo attribute of the TDO for the hewlettpackardtest.net domain in the cpqtest.net AD.

You can disable DNS namespaces by using the new Windows Server 2003 Trust Wizard. Figure 2 shows the page where you do this. The wizard displays all the DNS suffixes of the top-level domains in a forest (with the exception of the DNS suffix of the root domain itself) and all UPN suffixes that have been defined on the forest level. Remember that you can define UPN suffixes using the AD Domains and Trusts Microsoft Management Console (MMC) snap-in. To add or delete additional UPN suffixes, right-click the Active Directory Domains and Trusts container and select properties.

In the example that Figure 2 shows, there's one additional top-level DNS suffix “hp.com” and one UPN suffix has been defined “hptest.net”. To disable the routing of all incoming requests with a *.hp.com suffix in the cpqtest.net forest, simply clear the check box, as Figure 2 shows. To enable routing (in the example routing is enabled for *.hptest.net) simply leave the check box selected.

DNS namespaces can also be disabled from the “Name Suffix Routing” tab in the properties of a trust object (available from the AD Domains and Trusts MMC snap-in). This is illustrated in Figure 3 for the hp.com suffix in the properties of the hewlettpackardtest.net trust object. To disable or enable a suffix, select it and click Enable or Disable as needed. Note that the dialog box also shows another DNS suffix called “hewlettpackard.net” that is set to disabled and marked as New. This is a UPN suffix that was added to the “hewlettpackardtest.net” forest after the trust wizard was run. By default, Windows 2003 disables these newly added suffixes.

Disabling a namespace in the properties of forest trust relationship fully disables the routing of requests to that namespace and all its subordinate namespaces. For example, disabling the hp.com namespace will disable the routing from all subordinate namespaces including emea.hp.com, americas.hp.com, and asiapac.hp.com. Top Level Name (TLN) restrictions also let you exclude the routing of only certain subordinate namespaces. For example, if routing from the hp.com namespace was enabled, you could exclude just the routing from the emea.hp.com subordinate namespace.