Since the forest is the security boundary you can't actually prevent the local domain administrators from forming a direct NTLM trust. You can use the netdom or nltest command line tools to query each domain for trusts. You can also use adfind or dsquery to search for trustedDomain objects in each domain. They'll be under the System container in the default naming context.

-Anders

On 2/25/09, Jay Kulsh <[email protected]> wrote:
> Can AD child domains establish outside trust without permission of admin of
> the parent/root domain? Can this be prevented? If not, how can we monitor
> this? Thanks.
>
> Jay Kulsh
> So. Pasadena, CA
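
One way to automate the monitoring described in the reply above, as an added example that is not part of the original thread: it reads the trustedDomain objects under each domain's System container and reports any trust that is not in an approved baseline. It assumes the ActiveDirectory PowerShell module and read access to every domain; the function name `Get-ForestTrustedDomainObject` and the baseline file `approved-trusts.csv` are hypothetical.

```powershell
# Added example: enumerate trustedDomain objects in every domain of the forest
# and flag trusts that are missing from an approved baseline.
Import-Module ActiveDirectory

# trustDirection values as stored on the trustedDomain object
$direction = @{ 0 = 'Disabled'; 1 = 'Inbound'; 2 = 'Outbound'; 3 = 'Bidirectional' }
# trustAttributes bit set on trusts between domains of the same forest
$WithinForest = 0x20

function Get-ForestTrustedDomainObject {
    foreach ($domain in (Get-ADForest).Domains) {
        $dn = (Get-ADDomain -Server $domain).DistinguishedName
        Get-ADObject -Server $domain -SearchBase "CN=System,$dn" `
            -LDAPFilter '(objectClass=trustedDomain)' `
            -Properties trustPartner, trustDirection, trustAttributes, whenCreated |
        ForEach-Object {
            $attrs = [int]$_.trustAttributes
            [pscustomobject]@{
                SourceDomain  = $domain
                TrustPartner  = $_.trustPartner
                Direction     = $direction[[int]$_.trustDirection]
                Attributes    = '0x{0:X}' -f $attrs
                # No WITHIN_FOREST bit: the partner is outside this forest
                OutsideForest = -not ($attrs -band $WithinForest)
                WhenCreated   = $_.whenCreated
            }
        }
    }
}

$baselinePath = '.\approved-trusts.csv'   # hypothetical baseline location
$current = @(Get-ForestTrustedDomainObject)

if (Test-Path $baselinePath) {
    # Key each trust by "source|partner" and report anything not approved
    $approved = @(Import-Csv $baselinePath |
        ForEach-Object { "$($_.SourceDomain)|$($_.TrustPartner)" })
    $current |
        Where-Object { $approved -notcontains "$($_.SourceDomain)|$($_.TrustPartner)" } |
        Sort-Object OutsideForest -Descending |
        Format-Table -AutoSize
} else {
    # First run: record the current state for review and approval
    $current | Export-Csv $baselinePath -NoTypeInformation
}
```

Run it on a schedule from an account that can read all domains; any row with `OutsideForest` set to True that is absent from the baseline is a trust a domain administrator created toward something outside the forest.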
