Re: DNS for trusts between separate private forests accross the Intern
- From: "Ace Fekay [MVP]" <PleaseSubstituteMyActualFirstName&LastNameHere@xxxxxxxxxxx>
- Date: Fri, 24 Jun 2005 00:26:34 -0400
In news:5A78015F-85E4-45BB-A775-A1F2618BD838@xxxxxxxxxxxxx, Michael <Michael@xxxxxxxxxxxxxxxxxxxxxxxxx> stated, and I replied below:
I'm trying to establish a trust relationship between two separate (private) Windows 2003 native forests that could reach each other via the internet (no wan). Ultimate goal is to have users from either domain access resources on both domains.
Both domains have domain controllers reachable via a public IP address, but neither domain (domA.domain.com, domB.domain.com) is registered in the public internet as they should remain private. Both domains are in separate forests (unfortunately, that's the way they were installed)
When I try to establish a trust between them using AD Doms & Trusts , neither can find the domain controller in the other domain to establish it. I assume I need to add entries to DNS in both DCs. How do I setup DNS so that that other domain controller can be found via its public IP address? Both DCs are under our control so we can change DNS freely on both.
(any specific port that need to be open on the firewall??)
This is a loaded question. First, there are over 30 ports for AD communication besides the emphircal UDP > 1024 response ports. Can you say Swiss cheese firewall?
Second, a secondary copy of each other's zone need to exist in each other so they can resolve each other in a true Windows 2003 Forest trust (if both sides are Win2003 Full functional mode forests). Otherwise if the forests are not in Win 2003 Full Functional Mode, your only option is creating an NTLM trust between specific domains, which in that case, LMHOSTS entries, or better yet, WINS replication partners between your offices.
Third, It's not really practical to do this across the Internet as you are trying. The best way to establish communication to make this work is to establish an L2TP VPN between your offices. Besides, LDAP, Kerberos and RPC traffic cannot traverse a NAT if either office is using NAT. If the NAT device (such as a Netscreen, PIX, etc) is the endpoint of your VPN tunnel, no problem, it will work, but traffic directly thru it will not.
-- Regards, Ace
Please direct all replies ONLY to the Microsoft public newsgroups so all can benefit.
This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.
Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services
Infinite Diversities in Infinite Combinations.
- Prev by Date: Re: internet lookups go to wrong DNS server
- Next by Date: Re: Server Name
- Previous by thread: DNS for trusts between separate private forests accross the Intern
- Next by thread: Re: DNS for trusts between separate private forests accross the In