Re: DNS for trusts between separate private forests across the Intern



In news:5A78015F-85E4-45BB-A775-A1F2618BD838@xxxxxxxxxxxxx,
Michael <Michael@xxxxxxxxxxxxxxxxxxxxxxxxx> stated, and I replied below:
I'm trying to establish a trust relationship between two separate
(private) Windows 2003 native forests that could reach each other via
the internet (no wan). Ultimate goal is to have users from either
domain access resources on both domains.

Both domains have domain controllers reachable via a public IP
address, but neither domain (domA.domain.com, domB.domain.com) is
registered in the public internet as they should remain private. Both
domains are in separate forests (unfortunately, that's the way they
were installed)

When I try to establish a trust between them using AD Doms & Trusts ,
neither can find the domain controller in the other domain to
establish it. I assume I need to add entries to DNS in both DCs. How
do I setup DNS so that that other domain controller can be found via
its public IP address? Both DCs are under our control so we can
change DNS freely on both.

(any specific port that need to be open on the firewall??)

Many thanks!

This is a loaded question. First, there are over 30 ports for AD communication besides the ephemeral UDP > 1024 response ports. Can you say Swiss cheese firewall?


Second, a secondary copy of each other's zone needs to exist on each side so they can resolve each other in a true Windows 2003 Forest trust (if both sides are Win2003 Full functional mode forests). Otherwise, if the forests are not in Win 2003 Full Functional Mode, your only option is creating an NTLM trust between specific domains, in which case you need LMHOSTS entries, or better yet, WINS replication partners between your offices.

Third, it's not really practical to do this across the Internet as you are trying. The best way to establish communication to make this work is to establish an L2TP VPN between your offices. Besides, LDAP, Kerberos and RPC traffic cannot traverse a NAT if either office is using NAT. If the NAT device (such as a Netscreen, PIX, etc.) is the endpoint of your VPN tunnel, no problem, it will work, but traffic directly through it will not.

--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services
Infinite Diversities in Infinite Combinations.
=================================
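The three points in the reply (secondary zone, NAT, port exposure) as an added domA-side readiness script; this is not part of the original post, the forest name and DC address are placeholders, and it assumes the Windows DnsServer and NetTCPIP PowerShell modules on a domA DNS server/DC.

```powershell
# Added example (not from the original post): a domA-side readiness check for
# the steps Ace describes. Run in an elevated PowerShell on a domA DNS server/DC.
# Assumed placeholder values: the other forest is domB.domain.com and its DC's
# public address is 203.0.113.10 (TEST-NET documentation range).
$OtherForest = 'domB.domain.com'
$OtherDcIp   = '203.0.113.10'

# 1. Host a secondary copy of the other forest's zone so its DC locator records
#    resolve locally. domB's DNS server must permit zone transfers to this host.
#    In a 2003 forest _msdcs.<forest> is usually a separate zone, so copy it too.
Add-DnsServerSecondaryZone -Name $OtherForest -ZoneFile "$OtherForest.dns" -MasterServers $OtherDcIp
Add-DnsServerSecondaryZone -Name "_msdcs.$OtherForest" -ZoneFile "_msdcs.$OtherForest.dns" -MasterServers $OtherDcIp
Start-DnsServerZoneTransfer -Name $OtherForest -FullTransfer

# 2. The record AD Domains and Trusts needs in order to find a DC of the other forest.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$OtherForest" -Type SRV -ErrorAction Stop
$srv | Select-Object Name, NameTarget, Port
nltest /dsgetdc:$OtherForest /force

# 3. Kerberos and RPC do not traverse NAT. If the DC advertises a private address,
#    the trust must ride a VPN whose endpoint is the NAT device itself.
foreach ($target in $srv.NameTarget) {
    $a = (Resolve-DnsName -Name $target -Type A -ErrorAction SilentlyContinue).IPAddress
    if ($a -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)') {
        Write-Warning "$target advertises private address $a - NAT in the path, use a VPN"
    }
}

# 4. Probe the well-known TCP ports a trust depends on. The dynamic RPC range
#    above 1024 is not covered, which is why a VPN beats punching firewall holes.
$CorePorts = [ordered]@{ 53='DNS'; 88='Kerberos'; 135='RPC EPM'; 389='LDAP';
                         445='SMB'; 464='kpasswd'; 636='LDAPS'; 3268='Global Catalog' }
foreach ($port in $CorePorts.Keys) {
    $ok = (Test-NetConnection -ComputerName $OtherDcIp -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
    '{0,-5} {1,-15} {2}' -f $port, $CorePorts[$port], $(if ($ok) { 'open' } else { 'BLOCKED' })
}
```

Run the same script on the domB side with the names swapped; both forests need the other's zone before the trust wizard can locate a DC.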




