RE: Trusting external domain



Joe,
I had a similar issue. There is likely a better and more correct way,
but this worked for me. If anyone has a better way, I would be interested in
hearing it too :)

Assumptions:
You are using 2000 or 2003 domains.
Firewall is ANY <-> ANY (all ports open, both ways), or correct ports open
from DMZ to internal (see end of message).

Go into the primary zone (active directory-integrated) in each domain and
allow zone transfers to the IP's on the other domain's DNS servers.

Create secondary DNS zones in each domain for the other domain (e.g. domain
123.abc.com has a zone record for 456.abc.com, and vice versa). Point them to
the DNS server in the other domain.

Once you have verified that your secondary zones have pulled all of the DNS
info, try testing your trust connectivity again.


Here is an article on the ports that need to be open (you may want to close
down your firewall access from the DMZ to your internal domain). They do not
mention it, but I discovered that if you get long login times when terminal
servicing into servers in the trusting domain, you will also want to open TCP
port 1026.
http://support.microsoft.com/kb/q179442/

Good luck!
-Ryan

"Joe" wrote:

> I have a domain that I put in a dmz. This domain is 123.abc.com. The
> internal domain is 456.abc.com. I did not make this a child domain as it is
> in the dmz and I am worried about security issues. I am looking to make a
> one way trust so that the DMZ domain trusts the internal domain.
>
> I have DNS running in the DMZ controller but I can't get the domains to talk
> to each other. Neither of them know how to talk. I think that it is a
> DNS issue but I am not sure. My access lists for the firewall are allowing
> all traffic so I don't see that as an issue. Any insight would be
> appreciated.
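Ryan's three steps (restrict zone transfers to the other domain's DNS server, create the secondary zone, verify it has pulled the records before testing the trust), scripted here as an added example that is not from the thread or from Microsoft. It uses the DnsServer PowerShell module, which exists on Windows Server 2012 and later rather than on the 2000/2003 servers discussed above; the addresses and zone names are placeholders and the script is run once per domain with the two sides swapped.

```powershell
# Added example: the zone-transfer / secondary-zone setup from the reply above,
# written for the DnsServer module (Windows Server 2012+). Run on each domain's
# DNS server with $LocalZone/$RemoteZone swapped. Addresses are placeholders.
$LocalZone  = '456.abc.com'   # zone this server hosts (AD-integrated primary)
$RemoteZone = '123.abc.com'   # the other domain's zone
$RemoteDns  = '192.0.2.10'    # placeholder: the other domain's DNS server (DMZ side)

# Step 1: allow transfers of the local zone ONLY to the other domain's DNS
# server. TransferToSecureServers limits AXFR to the listed IPs; the
# TransferAnyServer setting would let any host enumerate the whole zone.
Set-DnsServerPrimaryZone -Name $LocalZone `
    -SecureSecondaries TransferToSecureServers -SecondaryServers $RemoteDns `
    -Notify NotifyServers -NotifyServers $RemoteDns

# Step 2: create a secondary copy of the other domain's zone, pulled from its
# DNS server (the "vice versa" half is this same block run on the other side).
if (-not (Get-DnsServerZone -Name $RemoteZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerSecondaryZone -Name $RemoteZone `
        -ZoneFile "$RemoteZone.dns" -MasterServers $RemoteDns
}
Start-DnsServerZoneTransfer -Name $RemoteZone -FullTransfer

# Step 3: verify the secondary actually pulled the zone before touching the
# trust: the DC locator SRV records must resolve from this server's own copy.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$RemoteZone" -Type SRV `
    -Server 127.0.0.1 -ErrorAction SilentlyContinue
if (-not $srv) {
    Write-Warning "Secondary zone $RemoteZone has no DC SRV records yet."
    # Zone transfers run over TCP 53; if this fails the firewall is the problem.
    Test-NetConnection -ComputerName $RemoteDns -Port 53 |
        Select-Object ComputerName, RemotePort, TcpTestSucceeded
    return
}
$srv | Select-Object Name, NameTarget, Port, Priority

# Step 4: only once the records resolve, confirm a DC in the other domain can
# be located; then retry the trust setup from the thread.
nltest "/dsgetdc:$RemoteZone"
```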
