Re: Setting up AD trust Across NAT
- From: "Brian" <Brian@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 6 Oct 2005 06:24:03 -0700
Thank you, that's exactly the type of explanation I was looking for. Not the
answer I was looking for, but at least I know exactly what is going on.
"Ace Fekay [MVP]" wrote:
> In news:BB919406-7181-440D-8D4E-72E6D98E2CFB@xxxxxxxxxxxxx,
> Brian <Brian@xxxxxxxxxxxxxxxxxxxxxxxxx> made this post, which I then
> commented about below:
> > I am trying to set up a Windows AD 2003 trust with a domain that is
> > sitting on the other side of a router that is doing NAT. Both
> > subnets are private to the internet. Our domain is 10.x.x.x and
> > their domain is 192.168.x.x. The Router sitting between us is using
> > NAT to Translate their 192.168.x.x address to 10.x.x.x. So for
> > example, their DC is 192.168.5.5 and when I ping it by name I get a
> > reply of 10.10.5.5. So I guess my question is how do I set up name
> > resolution between the two domains. If I do a zone transfer or a
> > conditional forward to their DNS then when I ask DNS what is the IP
> > address of their DC, it will say 192.168.5.5 which is no good to me.
> > I need it to say 10.10.5.5. I thought about setting up a secondary
> > zone in our DNS and just manually entering all the Host records for
> > all of their servers but I wasn't sure if I needed entries for
> > things like name servers, LDAP servers and all the other AD related
> > stuff that is in our DNS. If this secondary zone thing will work can
> > you tell me all of the entries I will need to add besides Host
> > records for server names.
> >
> > I've also heard something about a DNS Proxy is that something that I
> > could possibly use?
> >
> > Any other ideas would be greatly appreciated.
>
> Unfortunately, NAT won't work here. LDAP, RPC, Netlogon and Kerberos will
> not traverse a NAT. Since the domains are not of the same forest, and you
> are attempting an "external" domain to domain trust between two domains in
> different forests, Kerberos won't be a factor in external trusts, which are
> NT-style trusts and use NTLM. NTLM doesn't use DNS, so setting up
> secondary zones, etc., will be nice for FQDN resolution, but will not help
> with the external trust.
>
> The main fact that RPC and Netlogon are curtailed by NAT is your dilemma.
> The only way in *your* scenario is to route between the two subnets instead
> of NATting to make it work. Since both subnets are behind a main NAT to the
> Internet (probably on the 192.168.5.0 side), routing can be achieved, that
> is, if the folks on the 192.168.5.0 side will create a static route to get
> to your 10.10.5.0 subnet. Another method is to use a VPN through the NAT.
>
> 263293 - Windows 2000 NAT Does Not Translate Netlogon Traffic :
> http://support.microsoft.com/default.aspx?scid=kb;EN-US;263293
>
> --
> Ace
>
> This posting is provided "AS-IS" with no warranties or guarantees and
> confers no rights.
>
> If this post is viewed at a non-Microsoft community website, and you were to
> respond to it through that community's website, I may not see your reply
> unless that website posts replies back to the original Microsoft forum.
> Therefore, please direct all replies ONLY to the Microsoft public newsgroup
> this thread originated in so all can benefit or ensure the web community
> posts it back to the original forum.
>
> Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
> Microsoft Windows MVP - Windows Server - Directory Services
> Microsoft Certified Trainer
> Infinite Diversities in Infinite Combinations.
> =================================
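As an added illustration of Ace's point (example code written for this page, not anything posted in the thread or published by Microsoft), the following Python models the two-step RPC connection that Netlogon depends on, once across a header-only NAT and once across a plain static route. The addresses are the thread's own (our 10.10.x.x side, their DC 192.168.5.5 presented to us as 10.10.5.5); the 1:1 NAT model, the dynamic RPC port 49152 and the simplified endpoint-mapper answer are assumptions made for the illustration. The thing to notice is that NAT rewrites only the IP header, so the DC's own address carried inside the RPC payload arrives untranslated and is unreachable from our side, which is exactly why name resolution alone cannot fix the trust.

```python
"""Added illustration, not part of the thread: why Netlogon/RPC fails across a
header-only NAT but works over a plain static route.

Modelled on Ace's explanation (and the title of KB 263293): NAT rewrites
addresses in the IP header, not the server address that RPC endpoint mapping
carries inside the payload.  Topology and addresses are the thread's
constructed ones (our 10.10.x.x side, their DC 192.168.5.5 shown to us as
10.10.5.5); the dynamic RPC port is a hypothetical example value.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

# Constructed topology from the thread.
OUR_SUBNETS = [IPv4Network("10.0.0.0/8")]
THEIR_DC = IPv4Address("192.168.5.5")
THEIR_SUBNET = IPv4Network("192.168.5.0/24")
NAT_VIEW_OF_THEIR_SUBNET = IPv4Network("10.10.5.0/24")  # how the NAT box shows them to us
EPM_PORT = 135            # RPC endpoint mapper, the fixed port the exchange starts on
DYNAMIC_RPC_PORT = 49152  # hypothetical dynamic endpoint the DC hands back


@dataclass
class OneToOneNat:
    """Static 1:1 NAT: host N of `inside` is reachable from outside as host N of `outside`."""
    inside: IPv4Network
    outside: IPv4Network

    def to_inside(self, addr: IPv4Address) -> IPv4Address:
        if addr in self.outside:
            offset = int(addr) - int(self.outside.network_address)
            return IPv4Address(int(self.inside.network_address) + offset)
        return addr


@dataclass
class Path:
    """Our side's view of the network: routable prefixes and an optional NAT in the way."""
    routes: List[IPv4Network]
    nat: Optional[OneToOneNat] = None

    def deliver(self, dst: IPv4Address) -> Optional[IPv4Address]:
        """Real host a packet addressed to `dst` reaches, or None when we have no route."""
        if not any(dst in net for net in self.routes):
            return None
        # Only the IP header is translated; whatever the packet carries is untouched.
        return self.nat.to_inside(dst) if self.nat else dst


def rpc_endpoint_mapper(dc_addr: IPv4Address) -> Tuple[IPv4Address, int]:
    """The DC's EPM answer: 'connect back to me at <my own address>:<dynamic port>'.

    The address is application payload, so a header-only NAT never rewrites it.
    """
    return dc_addr, DYNAMIC_RPC_PORT


def attempt_netlogon(path: Path, dns_answer: IPv4Address) -> Tuple[bool, List[str]]:
    """Walk the two-step RPC connection and report where, if anywhere, it breaks."""
    trace: List[str] = []
    reached = path.deliver(dns_answer)
    if reached != THEIR_DC:
        trace.append(f"no route to {dns_answer}:{EPM_PORT}")
        return False, trace
    trace.append(f"EPM {dns_answer}:{EPM_PORT} -> reached {reached}")

    ep_addr, ep_port = rpc_endpoint_mapper(reached)
    trace.append(f"EPM says: connect to {ep_addr}:{ep_port}")
    if path.deliver(ep_addr) != THEIR_DC:
        trace.append(f"no route to {ep_addr} from our side: RPC/Netlogon fails")
        return False, trace
    trace.append("dynamic endpoint reached: Netlogon/trust traffic can proceed")
    return True, trace


def across_nat() -> Tuple[bool, List[str]]:
    """Brian's setup: a manual host record pointing at 10.10.5.5, NAT between the subnets."""
    path = Path(routes=OUR_SUBNETS,
                nat=OneToOneNat(inside=THEIR_SUBNET, outside=NAT_VIEW_OF_THEIR_SUBNET))
    return attempt_netlogon(path, IPv4Address("10.10.5.5"))


def with_static_route() -> Tuple[bool, List[str]]:
    """Ace's fix: route 192.168.5.0/24 between the sites and resolve the DC to its real address."""
    path = Path(routes=OUR_SUBNETS + [THEIR_SUBNET])
    return attempt_netlogon(path, THEIR_DC)


if __name__ == "__main__":
    for label, fn in (("NAT", across_nat), ("static route", with_static_route)):
        ok, steps = fn()
        print(f"[{label}] {'works' if ok else 'FAILS'}")
        for step in steps:
            print("   ", step)
```

Running it shows the NAT case reaching the endpoint mapper on 10.10.5.5 and then dying on the 192.168.5.5 endpoint the DC hands back, while the routed case completes both steps. The same payload-address problem is why a VPN that makes 192.168.5.0/24 routable end to end is the other workable option Ace mentions.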