Re: Domain Trust in a NAT envir.

From: Andrei Ungureanu (AndreiUngureanu_at_discussions.microsoft.com)
Date: 11/02/04 

Date: Tue, 2 Nov 2004 08:17:05 -0800

My advice is: GO AND CHANGE THE IPs ! .... otherwise you'll complicate your
life for nothing ... and tunneling I don't think is a solution in this case.

Paul's ideea with ISA and publishing sounds good...

Andrei Ungureanu
www.eventid.net
Free Windows event logs reports
http://www.altairtech.ca/evlog/

"Network Admin" wrote:

> What is driving the need for NAT is that several of the member Clinics (more
> then 6) are using the same IP range. Instead of having everybody have to
> re-IP, NAT'ing was installed as a solution before I started without an
> thought to AD.
>
> Thanks for everybodies reply.
>
> "Andrei Ungureanu" wrote:
>
> > please explain why you need NAT ... and not route ?
> >
> > Andrei Ungureanu
> > www.eventid.net
> > Free Windows event logs reports
> > http://www.altairtech.ca/evlog/
> >
> > "ptwilliams" wrote:
> >
> > > Ah yes, of course tunneling will work. I should have mentioned that <blush>
> > >
> > > I'm interested in how you implemented it mind, as most people simply state a
> > > flat no. What kind of 'fiddling' did you have to do??
> > >
> > > --
> > >
> > > Paul Williams
> > >
> > > http://www.msresource.net/
> > > http://forums.msresource.net/
> > >
> > >
> > > "gordonah" wrote:
> > >
> > > > I'm not sure about a trust, but I've had AD replication working across a NAT
> > > > gateway (DCs of same domain on either side).
> > > > Had to PPTP to tunnel connections and do a lot of fiddly work with the
> > > > routing tables on the servers and DNS (how you wanted an address to resolve
> > > > was dependant on where you were resolving it from!), but it did work.
> > > > This was in W2K, so, hopefully, it will be a bit easier in W2K3 as MS did a
> > > > bit of work in this area.
> > > >
> > > > "ptwilliams" wrote:
> > > >
> > > > > I'm not sure a trust would work across NAT; AD won't ordinarily. I would
> > > > > think a trust cannot as well, as a trust depends on SRV record resolution.
> > > > >
> > > > > One way of doing this would be using ISA server. You could publish (via a
> > > > > server publishing rule) the internal DCs to a destination set of the other
> > > > > DCs.
> > > > >
> > > > > Just a thought...
> > > > >
> > > > >
> > > > > --
> > > > >
> > > > > Paul Williams
> > > > >
> > > > > http://www.msresource.net
> > > > > http://forums.msresource.net
> > > > > ______________________________________
> > > > > "Network Admin" <Network Admin@discussions.microsoft.com> wrote in message
> > > > > news:1600D7DF-7D4E-4AB3-845C-8DD710E2E9D0@microsoft.com...
> > > > > I'm trying to setup a one-way trust between our domain & a new member clinic
> > > > > that just joined our group. The hope is the member clinic would keep their
> > > > > own domain structure and management & I would just give them access to
> > > > > various resources.
> > > > >
> > > > > My Domain:
> > > > > organization.org
> > > > > Domain Functional level: Windows 2000 Mixed
> > > > > Forest Level Function: Windows 2000
> > > > > 10.0.0.20 & 10.0.0.21 AD Servers
> > > > >
> > > > > clinic.org
> > > > > Windows 2000 Mixed
> > > > >
> > > > > We are connected via a private T-1, but there is NAT'ing on the clinic side.
> > > > > (I have the appropriate NAT entries for the DC)
> > > > > Will I be able to setup a trust over a NAT'ed network? I'm having issue's
> > > > > with name resolution & unable to create the trust even with lhmost files.
> > > > > per http://support.microsoft.com/?id=180094
> > > > >
> > > > > What do I need to do to get this to work or will it work in a NAT'ed
> > > > > environment?
> > > > >
> > > > > Thanks & I appreciate any help.
> > > > >
> > > > > James
> > > > >
> > > > >
> > > > >

Relevant Pages
Loading