I support a large Windows Server 2003 Active Directory
(AD) forest that contains several forest trusts that in turn contain other large
forests. Can I use a script to control (enable and disable) routing name suffixes
across my large forest?

Before answering this question, I think it's useful to explain this somewhat
obscure Active Directory forest trust setting and point you to references for
more information. When a user in an account domain (trusted domain) attempts
to authenticate across a forest trust, AD routes the request to a resource domain
(trusting domain) that's capable of authenticating the user's request. You can
disable or enable this routing graphically from Active Directory Domains and
Trusts, from the command line by using the NetDOM utility (a Windows Support
Tool), or programmatically by using the new System.DirectoryServices.ActiveDirectory
namespace in the .NET Framework 2.0. To see how this functionality works, consider
the two types of canonical names for user account authentication: a Domain DNS
name (e.g., corp.adatum.com) and a NetBIOS name (e.g., CORP). . . .
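
The programmatic route mentioned above, shown as an added PowerShell example that is not part of the original article: it reports the name suffix routing state of one forest trust through System.DirectoryServices.ActiveDirectory and can enable or disable a single suffix. The forest name `partner.example`, the suffix `corp.partner.example`, and the parameter names are hypothetical placeholders.

```powershell
# Added example, not from the original article. Forest and suffix names are
# placeholders; run on a forest member with rights to modify the forest trust.
param(
    [string]$TrustedForest = 'partner.example',       # hypothetical trust partner
    [string]$Suffix        = 'corp.partner.example',  # hypothetical routed suffix
    [ValidateSet('Report', 'Enable', 'Disable')]
    [string]$Action        = 'Report'
)

$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
# For a forest trust this returns a ForestTrustRelationshipInformation object.
$trust = $forest.GetTrustRelationship($TrustedForest)

# Report the current routing state before touching anything.
'Routed name suffixes:'
$trust.TopLevelNames | ForEach-Object { '  {0,-40} {1}' -f $_.Name, $_.Status }
'Excluded suffixes:'
$trust.ExcludedTopLevelNames | ForEach-Object { "  $_" }
'Domain names (DNS / NetBIOS) in the trusted forest:'
$trust.TrustedDomainInformation |
    ForEach-Object { '  {0} / {1}  {2}' -f $_.DnsName, $_.NetBiosName, $_.Status }

if ($Action -eq 'Report') { return }

# Match against the Name values printed above.
$tln = $trust.TopLevelNames | Where-Object { $_.Name -eq $Suffix }
if (-not $tln) {
    throw "Suffix '$Suffix' is not listed on the trust with $TrustedForest."
}

$status = [System.DirectoryServices.ActiveDirectory.TopLevelNameStatus]
if ($tln.Status -eq $status::ConflictDisabled) {
    # The suffix collides with a name claimed elsewhere; leave it for review.
    throw "Suffix '$Suffix' is conflict-disabled; investigate the collision first."
}

$old = $tln.Status
$tln.Status = if ($Action -eq 'Enable') { $status::Enabled } else { $status::AdminDisabled }
$trust.Save()   # writes the changed routing state back to the trust object
"Changed '$Suffix' on trust with ${TrustedForest}: $old -> $($tln.Status)"
```

Running it with the default `Report` action makes no changes, so the output can be kept as a before-and-after record when a suffix is toggled.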