DNS for trusts between separate private forests across the Internet

Discussion in 'DNS Server' started by Michael, Jun 22, 2005.

  1. Michael

    I'm trying to establish a trust relationship between two separate (private)
    Windows 2003 native forests that can reach each other via the Internet (no
    WAN). The ultimate goal is to have users from either domain access resources in
    both domains.

    Both domains have domain controllers reachable via a public IP address, but
    neither domain (domA.domain.com, domB.domain.com) is registered in the public
    Internet, as they should remain private. Both domains are in separate forests
    (unfortunately, that's the way they were installed).

    When I try to establish a trust between them using AD Domains & Trusts,
    neither can find the domain controller in the other domain to establish it. I
    assume I need to add entries to DNS on both DCs. How do I set up DNS so that
    the other domain controller can be found via its public IP address? Both DCs
    are under our control, so we can change DNS freely on both.

    (Are there any specific ports that need to be open on the firewall?)

    Many thanks!
    Michael, Jun 22, 2005

  2. Ace Fekay [MVP]

    This is a loaded question. First, there are over 30 ports for AD
    communication besides the ephemeral UDP > 1024 response ports. Can you say
    Swiss cheese firewall?

    Second, a secondary copy of each other's zone needs to exist on each side so
    they can resolve each other in a true Windows 2003 forest trust (if both
    sides are Win2003 full functional mode forests). Otherwise, if the forests
    are not in Win 2003 full functional mode, your only option is creating an
    NTLM trust between specific domains, in which case you need LMHOSTS entries, or
    better yet, WINS replication partners between your offices.

    Third, it's not really practical to do this across the Internet as you are
    trying. The best way to establish communication to make this work is to
    establish an L2TP VPN between your offices. Besides, LDAP, Kerberos and RPC
    traffic cannot traverse a NAT if either office is using NAT. If the NAT
    device (such as a Netscreen, PIX, etc.) is the endpoint of your VPN tunnel,
    no problem, it will work, but traffic directly through it will not.


    Please direct all replies ONLY to the Microsoft public newsgroups
    so all can benefit.

    This posting is provided "AS-IS" with no warranties or guarantees
    and confers no rights.

    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
    Microsoft Windows MVP - Windows Server - Directory Services
    Infinite Diversities in Infinite Combinations.
    Ace Fekay [MVP], Jun 24, 2005
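The port check a practitioner would run before trying the trust wizard, as an added example that is not part of the thread or either poster's material. It assumes the firewall-to-firewall VPN is already up and that it runs on a DC in domA.domain.com that can resolve domB through a domB DNS server reachable over the tunnel; the domain names and 10.x addresses are placeholders, and the port list is the set of fixed TCP ports Active Directory trusts and cross-forest logons use between DCs (the dynamic RPC range and the UDP side of Kerberos and DNS are noted in comments but not probed).

```powershell
# Added example, not from the thread. Assumes the VPN tunnel is up and this runs on a
# DC/DNS server in domA.domain.com (placeholder names and addresses throughout).

$RemoteDomain = 'domB.domain.com'
$RemoteDns    = '10.2.0.10'      # a DNS server in domB, private address across the tunnel

# Fixed TCP ports a forest trust and cross-forest logons need between DCs. Kerberos (88, 464)
# and DNS (53) also use UDP, and RPC (135) hands off to a dynamic high port range, which is
# why opening this directly through the Internet turns the firewall into Swiss cheese.
$TrustPorts = @{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    389  = 'LDAP'
    445  = 'SMB / Netlogon'
    464  = 'Kerberos password change'
    636  = 'LDAP over SSL'
    3268 = 'Global Catalog'
    3269 = 'Global Catalog over SSL'
}

function Test-TrustPorts {
    param([string]$Domain, [string]$DnsServer, [hashtable]$Ports)

    # Locate the remote DCs the same way the trust wizard does: via the DC locator SRV record.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $DnsServer -ErrorAction Stop
    $dcs = $srv | Where-Object { $_.Type -eq 'SRV' } | Select-Object -ExpandProperty NameTarget -Unique

    foreach ($dc in $dcs) {
        foreach ($port in ($Ports.Keys | Sort-Object)) {
            # Test-NetConnection only exercises TCP; a blocked port shows as TcpTestSucceeded = False.
            $r = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
            [pscustomobject]@{
                DC      = $dc
                Port    = $port
                Service = $Ports[$port]
                Open    = $r.TcpTestSucceeded
            }
        }
    }
}

$results = Test-TrustPorts -Domain $RemoteDomain -DnsServer $RemoteDns -Ports $TrustPorts
$results | Format-Table -AutoSize

# Anything still closed is a rule to add on the tunnel, not on the Internet-facing side.
$results | Where-Object { -not $_.Open } | ForEach-Object {
    Write-Warning ("{0}: TCP {1} ({2}) is blocked" -f $_.DC, $_.Port, $_.Service)
}

# End-to-end check that the DC locator (LDAP ping over UDP 389 plus Netlogon) works across the tunnel.
nltest "/dsgetdc:$RemoteDomain" /force
```

Run it from a DC in each forest against the other one, since the trust needs both directions. A clean table plus a successful `nltest /dsgetdc` is the point at which AD Domains & Trusts stops reporting that it cannot find a DC in the other forest; if the SRV lookup itself fails, the DNS side is not finished yet.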

  3. Michael

    Ok - that makes sense. Swiss cheese is good on a sandwich but not a firewall.
    And yes, NAT is turned on, but the DNS servers also have a public IP address
    so that should be ok, no? They can actually 'see' both ways, including the
    private IP space.

    The VPN alternative appears a lot safer... So I'll create a firewall to
    firewall VPN tunnel, no problem. Now I have two separate subnets in the
    private IP space in two different forests that could talk to each other.

    If I create stub zones of each other, they should be able to find
    each other, right? Or would it be better to use a secondary zone or conditional
    forwarding? Both domains are Windows 2003 full functional mode.

    Many Thx!
    Michael, Jun 27, 2005
  4. Ace Fekay [MVP]

    Public addresses? For the same zone records?

    Actually it isn't really OK mixing private and public data like that. It
    will cause problems with SOA records and resolution. What are your
    intentions mixing public and private data? Can you elaborate please?

    It can work using either method. Stubs and forwarders generate WAN
    resolution traffic. Secondaries don't, but they create zone transfer
    traffic, though probably not as much traffic as stubs or forwarding. Your

    No prob... :)

    Ace Fekay [MVP], Jun 28, 2005
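The three resolution options discussed above (conditional forwarder, stub zone, secondary zone), followed by the DC locator check and the forest trust itself, as an added example that is not part of the thread or either poster's material. It assumes the DnsServer PowerShell module (Windows Server 2012 or later; the 2003-era equivalent is dnscmd.exe), that the VPN is up, and that only private tunnel addresses are used for the other forest's DNS servers, never the public NAT addresses; domain names, addresses and the zone file name are placeholders. The trust is created through the .NET System.DirectoryServices.ActiveDirectory API, which is what the AD Domains & Trusts wizard does under the covers.

```powershell
# Added example, not from the thread. Run on a DNS server/DC in domA.domain.com once the
# firewall-to-firewall VPN is up; repeat the mirror image on domB. Placeholder names/addresses.
Import-Module DnsServer

$RemoteZone = 'domB.domain.com'
$RemoteDns  = @('10.2.0.10', '10.2.0.11')   # domB's DNS servers, private VPN addresses only

# Option A: conditional forwarder. Every domB query crosses the tunnel; nothing is stored
# locally. Stored in AD (-ReplicationScope) so every domA DNS server gets it.
Add-DnsServerConditionalForwarderZone -Name $RemoteZone -MasterServers $RemoteDns -ReplicationScope 'Forest'

# Option B: stub zone. Only SOA/NS/glue are copied from domB; record lookups still cross the WAN.
# Add-DnsServerStubZone -Name $RemoteZone -MasterServers $RemoteDns -ReplicationScope 'Forest'

# Option C: secondary zone. Full copy by zone transfer, so lookups are local and keep working
# while the tunnel is down. domB must first allow transfers to this server, on a domB DNS server:
#   Set-DnsServerPrimaryZone -Name 'domB.domain.com' -SecureSecondaries 'TransferToSecureServers' -SecondaryServers 10.1.0.10
# Add-DnsServerSecondaryZone -Name $RemoteZone -ZoneFile "$RemoteZone.dns" -MasterServers $RemoteDns

# Whichever option was chosen, the trust wizard only needs the DC locator records to resolve.
$dcSrv  = Resolve-DnsName "_ldap._tcp.dc._msdcs.$RemoteZone"     -Type SRV -ErrorAction Stop
$kdcSrv = Resolve-DnsName "_kerberos._tcp.dc._msdcs.$RemoteZone" -Type SRV -ErrorAction Stop
$dcSrv | Where-Object { $_.Type -eq 'SRV' } | Select-Object NameTarget, Port

# Two-way forest trust (both forests at Windows Server 2003 forest functional level or higher).
Add-Type -AssemblyName System.DirectoryServices
$adNs = 'System.DirectoryServices.ActiveDirectory'
$localForest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

$cred = Get-Credential -Message "Enterprise Admin in $RemoteZone"
$ctx  = New-Object "$adNs.DirectoryContext" (
    [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Forest,
    $RemoteZone, $cred.UserName, $cred.GetNetworkCredential().Password)
$remoteForest = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ctx)

$both = [System.DirectoryServices.ActiveDirectory.TrustDirection]::Bidirectional
$localForest.CreateTrustRelationship($remoteForest, $both)

# Selective authentication: users from the other forest get access only where they are explicitly
# granted "Allowed to Authenticate", instead of being Authenticated Users everywhere.
$localForest.SetSelectiveAuthenticationStatus($remoteForest, $true)

# Confirm the secure channel works in both directions over the tunnel.
$localForest.VerifyTrustRelationship($remoteForest, $both)
```

Conditional forwarding is the usual first choice for a small installation like this one: it stores no copy of the other forest's zone, so nothing from domB's private namespace leaks into domA's zone data, and the private DC addresses never have to be mixed with the public NAT address used for the SharePoint site. Switch to a secondary only if the tunnel is unreliable enough that local resolution matters more than the transfer traffic.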
  5. Michael

    > What are your intentions mixing public and private data? Can you elaborate please?

    This is a small installation, and it just so happens that one of the servers
    (one of the DCs) also runs a public-facing, small, internal-use SharePoint
    site so that employees can get to files and calendars from it over the
    weekend without VPN clients. The firewall is set to map a fixed external IP
    to the internal address. This is a very small remote office that was recently
    integrated into the main company and houses some resources that now need to
    be accessed by users in the other offices as well. They do not have a
    registered public domain space at all, and the external IPs are only used for
    SharePoint and some FTP.

    I thought it would be easiest to set up a trust between them so that we
    don't have to create multiple user IDs for all users in different domain
    forests, or reinstall all internal application servers to integrate them
    into one of the other remote but private domains.
    Michael, Jun 28, 2005
  6. Ace Fekay [MVP]

    I see, makes sense. The VPN should help you out there. Let us know how you
    make out.

    Ace Fekay [MVP], Jun 28, 2005