Re: Setting up AD trust Across NAT
- From: "Ace Fekay [MVP]" <PleaseSubstituteMyActualFirstName&LastNameHere@xxxxxxxxxxx>
- Date: Wed, 5 Oct 2005 23:50:24 -0400
In news:BB919406-7181-440D-8D4E-72E6D98E2CFB@xxxxxxxxxxxxx,
Brian <Brian@xxxxxxxxxxxxxxxxxxxxxxxxx> made this post, which I then
commented about below:
> I am trying to set up a Windows AD 2003 trust with a domain that is
> sitting on the other side of a router that is doing NAT. Both
> subnets are private to the internet. Our domain is 10.x.x.x and
> their domain is 192.168.x.x. The router sitting between us is using
> NAT to translate their 192.168.x.x address to 10.x.x.x. So for
> example, their DC is 192.168.5.5 and when I ping it by name I get a
> reply of 10.10.5.5. So I guess my question is how do I setup name
> resolution between the two domains. If I do a zone transfer or a
> conditional forward to their DNS then when I ask DNS what is the IP
> address of their DC, it will say 192.168.5.5 which is no good to me.
> I need it to say 10.10.5.5. I thought about setting up a secondary
> zone in our DNS and just manually entering all the Host records for
> all of their servers but I wasn't sure if I needed entries for
> things like name servers, LDAP servers and all the other AD related
> stuff that is in our DNS. If this secondary zone thing will work can
> you tell me all of the entries I will need to add besides Host
> records for server names.
>
> I've also heard something about a DNS Proxy is that something that I
> could possibly use?
>
> Any other ideas would be greatly appreciated.
Unfortunately, NAT won't work here. LDAP, RPC, Netlogon and Kerberos will
not traverse a NAT. Since the domains are not in the same forest, and you
are attempting an "external" domain-to-domain trust between two domains in
different forests, Kerberos won't be a factor: external trusts are NT-style
trusts and use NTLM. NTLM doesn't use DNS, so setting up secondary zones,
etc., will be nice for FQDN resolution, but will not help with the external
trust.
The main fact, that RPC and Netlogon are curtailed by NAT, is your dilemma.
The only way in *your* scenario is to route between the two subnets instead
of NATting to make it work. Since both subnets are behind a main NAT to the
Internet (probably on the 192.168.5.0 side, I assume), routing can be
achieved, that is, if the folks on the 192.168.5.0 side will create a static
route to get to your 10.10.5.0 subnet. Another method is to use a VPN through
the NAT.
263293 - Windows 2000 NAT Does Not Translate Netlogon Traffic :
http://support.microsoft.com/default.aspx?scid=kb;EN-US;263293
--
Ace
This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.
If this post is viewed at a non-Microsoft community website, and you were to
respond to it through that community's website, I may not see your reply
unless that website posts replies back to the original Microsoft forum.
Therefore, please direct all replies ONLY to the Microsoft public newsgroup
this thread originated in so all can benefit or ensure the web community
posts it back to the original forum.
Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services
Microsoft Certified Trainer
Infinite Diversities in Infinite Combinations.
=================================
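A diagnostic for the situation Brian describes, added here as an example and not part of the original thread or of any Microsoft tool: from "our" side of the NAT, it asks the partner's DNS for the domain's DC SRV records, flags DCs that resolve to their untranslated 192.168.x.x addresses (unreachable through the NAT) versus the 10.10.x.x addresses the NAT presents, and then checks the TCP ports a trust needs. It assumes Windows PowerShell 5.1 or later with the DnsClient module; the domain name, DNS server address and CIDR ranges are placeholders to be replaced.

```powershell
<#
  Added example (not from the original post): from our side of the NAT, check
  whether the partner domain's DCs resolve to addresses we can actually reach
  and whether the ports a trust needs are open. All names/addresses below are
  placeholders.
#>
param(
    [string]$RemoteDomain     = 'partner.example',  # their AD DNS domain name (placeholder)
    [string]$RemoteDns        = '10.10.5.5',        # their DNS server, as reachable from our side
    [string]$UntranslatedCidr = '192.168.0.0/16',   # their real address space
    [string]$TranslatedCidr   = '10.10.0.0/16'      # what the NAT presents to us
)

# True if $Ip lies inside the IPv4 prefix $Cidr (byte-wise mask compare, no bit-width surprises).
function Test-InCidr {
    param([string]$Ip, [string]$Cidr)
    $net, $prefix = $Cidr.Split('/')
    $ipBytes  = ([System.Net.IPAddress]::Parse($Ip)).GetAddressBytes()
    $netBytes = ([System.Net.IPAddress]::Parse($net)).GetAddressBytes()
    $remaining = [int]$prefix
    for ($i = 0; $i -lt 4; $i++) {
        $maskByte = if ($remaining -ge 8) { 255 }
                    elseif ($remaining -le 0) { 0 }
                    else { [int](256 - [math]::Pow(2, 8 - $remaining)) }
        if (($ipBytes[$i] -band $maskByte) -ne ($netBytes[$i] -band $maskByte)) { return $false }
        $remaining -= 8
    }
    return $true
}

# TCP connect with a timeout; a refused or silently dropped connection both count as "blocked".
function Test-TcpPort {
    param([string]$Ip, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Ip, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)   # throws on refusal
        return $true
    } catch { return $false }
    finally { $client.Close() }
}

# Well-known ports a trust / secure channel depends on. The dynamic RPC range that the
# endpoint mapper hands out (1025-5000 on Windows 2003, 49152-65535 on 2008+) is not
# probed here, and is exactly where a NAT without an RPC editor breaks things.
$trustPorts = [ordered]@{
    'DNS'                  = 53
    'Kerberos'             = 88
    'RPC endpoint mapper'  = 135
    'LDAP'                 = 389
    'SMB'                  = 445
    'Kerberos kpasswd'     = 464
}

# Ask their DNS which hosts are DCs for the domain, then resolve each DC's A record.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$RemoteDomain" -Type SRV -Server $RemoteDns -ErrorAction Stop |
       Where-Object { $_.Type -eq 'SRV' }

foreach ($rec in $srv) {
    $addrs = Resolve-DnsName -Name $rec.NameTarget -Type A -Server $RemoteDns -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'A' }
    foreach ($a in $addrs) {
        $ip = $a.IPAddress
        if (Test-InCidr -Ip $ip -Cidr $UntranslatedCidr) {
            Write-Warning "$($rec.NameTarget) -> $ip : untranslated remote address, not reachable through the NAT"
        } elseif (Test-InCidr -Ip $ip -Cidr $TranslatedCidr) {
            Write-Output "$($rec.NameTarget) -> $ip : NAT-presented address (hand-maintained host record?)"
        } else {
            Write-Output "$($rec.NameTarget) -> $ip : outside both ranges"
        }
        foreach ($name in $trustPorts.Keys) {
            $open = Test-TcpPort -Ip $ip -Port $trustPorts[$name]
            '    {0,-20} tcp/{1,-5} {2}' -f $name, $trustPorts[$name], $(if ($open) { 'open' } else { 'blocked' })
        }
    }
}
```

The checks above are necessary but, as the reply explains, not sufficient: even with every listed port open, the secure channel still rides on RPC and Netlogon, which the NAT does not translate. Once the subnets are routed (or a VPN is in place) rather than NATted, confirm the trust end to end with `nltest /sc_verify:<trusted domain>` on a DC, or `netdom trust <trusting domain> /d:<trusted domain> /verify`.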