Trust Requirements -- PDC to PDC Only?

Discussion in 'Active Directory' started by John Liles, Jan 14, 2009.

  1. John Liles

    John Liles Guest

    I have a question on trusts; specifically, do all DCs in both domains need to
    be able to communicate, or just the PDC emulator on each side of the trust?

    The background to this question is that my company (Company A) has been
    bought by Company B and we need to set up a trust between the two AD domains.
    Complicating matters is that our main set of subnets conflicts with some
    used by Company B. For example, our DCs are on subnet 10.11.x.x; for Company
    B, that would route to Japan.

    We're exploring various workarounds, and already know that NAT is not viable
    for setting up a trust. One possible solution the network guys are looking
    at is setting up static routing for individual IP addresses of DCs. Which
    leads to my original question: if we go that way, would a static route to
    our PDC emulator satisfy the communication requirements for a trust; or would
    we need static routes for each of our DCs?

    Thanks for any insights!
     
    John Liles, Jan 14, 2009
    #1
    1. Advertisements

  2. Trusts are between domain or forests,...not PCs.

    "Somebody" is going to have to re-address their segments. Whoever has the
    smallest number of machines in the conflicting subnet should be the one to
    switch typically, since that would be the least work.

    It might be easier to do that by creating a new segment first and then move
    machines into the new subnet a few at a time by shifting the patch cables at
    the Patch Panel (assuming you use one of those).
    DHCP Clients will adjust automatically if a DHCP Scope is properly prepared.
    Statically assigned machines will need manual adjustment just before the
    cable switch. Doing them a few at a time keeps down the "mess" and is
    easier to "keep your head around" where you are at.

    Once there are no machines left in the old segment it can be removed.

    When the IP mess is cleaned up the do Zone Transfers between one DC in one
    system with one DC in the other system. You only need one DC from each side
    for the Transfer,...AD Replication will take care of the rest. This makes
    both LANs aware of the opposite LAN's "Naming". Then setup the Trust
    between the Forests (not domains, not DCs, not PCs,...it is Forests).

    As a substitute for Zone Transfers you might be able to use Conditional
    Forwarders instead.

    Do *not* do the Zone Transfers or Conditional Forwarders before the IP mess
    is cleaned up.
    Stub Zones would be less susceptable to IP conflicts since there are far
    fewer DNS Records copied. MS's site should have plenty of articles for
    determining the right approach to the Transfers and the best type of Zone to
    choose in your situation.

    --
    Phillip Windell
    www.wandtv.com

    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
     
    Phillip Windell, Jan 14, 2009
    #2
    1. Advertisements

  3. Meinolf Weber [MVP-DS], Jan 14, 2009
    #3
  4. John Liles

    John Liles Guest

    Meinolf and Phillip -- thanks for the informative responses.

    In an ideal world, we would in fact revamp our network subnets prior to
    going forward with the trust. In the real world, unfortunately, our madate
    from on high is to get this in place by Friday! Haha! Re-IPing more than
    20,000 hosts (static and DHCP) and routers will be a long-term project. So
    we have no choice but to pursue the static route mapping option for our DCs.
    Hopefully, the parent company will be able to allocate those addresses
    without conflict.

    Thanks again.
     
    John Liles, Jan 14, 2009
    #4
  5. John Liles

    Jorge Silva Guest

    Hi
    With that amount of servers/workstations, I'm sure that in the future you'll
    need to reconsider... Trusts are useful to allow access outside Forest
    resources, so, when the users start to use Apps that need to contact those
    DCs outside your forest, you'll spend the rest of the month doing static
    mappings for each app/server that needs that.
    --
    I hope that the information above helps you.
    Have a Nice day.

    Jorge Silva
    MCSE, MVP Directory Services

    Please no e-mails, any questions should be posted in the NewsGroup
    This posting is provided "AS IS" with no warranties, and confers no rights.
     
    Jorge Silva, Jan 14, 2009
    #5
  6. I know, but that doesn't matter. Computers and networking systems don't care
    about perfect worlds and real worlds, and they most certainly don't care
    about excutive's deadlines and mandates. The real "power" lies in the *Real
    World* requirements of the Networking system which trumps the wishes of the
    Executives. The details I listed are the *real world*,...what the Excutives
    want is the fantasy,...that is just the way it is.

    By not standing up for yourself you are letting them push you into an
    un-winnable situation where it is you that is going to loose and look like a
    failure. In a worse case you could be fired for failing in something that
    you could have never ever "won" in the first place because you didn't force
    them to understand that what they wanted was unattainable on their terms. I
    don't mean be a smart-aleck with them,...be respectful,...but they have to
    know the truth. At least then if they still force what they want and it
    fails then they were "warned" and can't blame you, but rather have to tell
    you that you were right.

    One thing I am "famous" for where I work is telling people,...no matter who
    they are,... "It doesn't work like that!",...when it doesn't work like
    that,.... and telling them that they need to do things "the way it *does*
    work".. No doubt I have ticked people off in the groups for doing the same
    thing here, but that is the way it is.


    --
    Phillip Windell
    www.wandtv.com

    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    -----------------------------------------------------
     
    Phillip Windell, Jan 14, 2009
    #6
  7. Hello John,

    AS mentioned from Jorge and Philipp, try to give your boss the reason why
    not do it in a hurry. Especially in this size of network you have a good
    planning/design will save you time and i think also money (that's allways
    a point for the boss) in the future.

    Best regards

    Meinolf Weber
     
    Meinolf Weber [MVP-DS], Jan 14, 2009
    #7
  8. John Liles

    John Liles Guest

    Great, that's just what I need right now, a lecture on standing up to my
    managers. Maybe I should just threaten to quit my job, that'd show 'em!

    I used to be like you, Phillip, until I learned that I'm working in the
    dilbertzone. My logical explanations of best practices and "it doesn't work
    like that" showed up in my annual reviews as "uncooperative," "not a good
    team player," "doesn't think outside the box." That's what I'm "famous for"
    where I work. My manager actually interrupted me in one of these discussions
    to tell me "nobody cares what you think." So until the economy gets to a
    point where I can look for a job where someone with my knowledge and training
    gets actual respect, I'm doing what I'm told, whether it's a good idea or not.

    Sorry to be so pissy, but you haven't got the slightest clue what I'm up
    against here.
     
    John Liles, Jan 15, 2009
    #8
  9. I will "try" to answer your question as best I know how further
    below,....continued...

    I'm just trying to encourage a fellow IT to not dig a grave he can't get out
    of.

    I couldn't have *had* a clue about your situation since you didn't go into
    any more details about that until *this* post? All you said in the previous
    post was that they gave an unrealistic deadline.
    We had that here before too,....the manager that said that eventually
    left,...and at the next job was fired and was escorted out by the police.
    His "day" finally came and no one cared what he thought either. When
    someone doesn't care what someone else thinks they "wear out their welcome"
    and eventually no one cares what they think. I've got the "think outside
    the box" crap before too (no surprise),...my response was something like,
    "if you have to think outside your box, then you've got the wrong
    box",...and those people are gone now too.

    Anyway,..that accomplishes nothing, so let's look at the problem....

    (uuck, I'm gonna hate this, may even miss some details,... buyer
    beware,...here goes...)
    The Static Local Routes,...ok,...yes you can do that but there are other
    things that go along with that. It should be done so that all DCs can route
    between all other DCs. You also have to do this on every other involved
    machine,...workstation, laptop, and even possibly some networking devices
    (I don't know all the details of your situation).

    You have to get the DNS to be "aware" of the opposite AD/DNS structure of
    the opposite side,...while at the same time having it not become "aware" of
    any IP Conflicts (of which are many). You can do this with a Stub Zone
    (only contains DCs) in a Zone Transfer between one of their DNSs and one of
    your DNSs (only one on each side, replication does the rest). You will not
    be able to do a Standard Non-AD Zone or even Conditional Forwarders because
    of IP conficts out the wazzoo. I don't remember if you can manually add A
    Records to a Stub Zone or not but you'll have to do something to cover the
    other non-DC Hosts involved or you're stuck with using IP#s only. Apart
    from doing that, your only option would be properly crafted Host Files. I
    never use those and can't remember for sure,...but there may be additional
    details in those files that apply to DCs that are different from just normal
    hosts.

    Now with resolution taken care of,...you have to eliminate IP Conficts of
    all involved machines. Yes, that will involved other machines besides the
    DCs. Why? Because what good is a Trust if you aren't giving permissions to
    Resources on one Domain to Hosts & Users on the other Domain. So the
    Machine providing the Resource has to be covered and so do the machines
    accessing the Recource. So this means both sides of this are going to have
    to inventory all the IP# involved on all the machines involved and eliminate
    any conflicts, which means there will be IP#s from your LAN that you will
    never be able to use and they will have IP from their LAN that they can
    never use any longer. The bottom line there is that the only machines that
    *can* have IP conflicts are machines that never contact or in anyway ever
    communicate with the other LAN and the DNS methods I describe keep the
    conflicts a "secret" from those machines so they never get confused over
    them.

    Oh, and there are the possible inconsistant MAC Tables on any involved
    Switches. Sorry, I don't know what could happen there,...probably just
    screwed. But I could be wrong.

    Now assuming all this is taken care of and sorted out,...now you can create
    the Trust between the two Forests and hope the Switches between them don't
    ARP to the wrong place (after all the same IP could have more than one MAC
    *now*).
    Yes, I'd be getting out of there as soon as I could too. If they are going
    to be that incompetent in how they treat and respect their IT,...they are
    probably equally incompetent in other business areas as well. They will
    probably go out of business because of it unless someone else buys them out
    and fires the middle management (which is very common) and maybe even the
    upper management. Although I don't think I had it as bad as you, I've have
    been through two Corp buyouts and I've outlasted all those that wouldn't
    listen to me.

    You ain't alone,...probably everyone here has either been through situations
    like that or are going through them now,...you're in good company here..

    --
    Phillip Windell
    www.wandtv.com

    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    -----------------------------------------------------
     
    Phillip Windell, Jan 15, 2009
    #9
  10. It's a gift, ...or maybe a curse :)
    It might be just ones with certain FSMO roles, but I have to admit I don't
    know for sure. I think I would feel much better about it if they all saw
    each other.


    --
    Phillip Windell
    www.wandtv.com

    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    -----------------------------------------------------
     
    Phillip Windell, Jan 16, 2009
    #10
  11. John Liles

    John Liles Guest

    Phillip --

    I haven't been able to visit this forum for a while due to insane workload,
    but I wanted to thank you for not only bearing with my prior tirade but
    providing a detailed response on the proposed nightmare scenario.

    You'll be happy to know that due to pushback from the new parent company on
    the static routing solution, management has seen the light and we're going to
    re-IP all our DCs. And they're giving us four whole weeks to accomplish this
    (including DHCP overhaul, reconfiguration of DNS settings on 800+ statically
    configured servers, etc.)!

    Thanks again for the input!
     
    John Liles, Jan 23, 2009
    #11
  12. John Liles

    John Liles Guest

    Phillip/Bob --

    We ended up opening a quick incident with Microsoft, who advised us that all
    DCs have to see each other, not just FSMO owners.
     
    John Liles, Jan 23, 2009
    #12
  13. Excellent! Really Excellent!

    Inspite of some jerks out there in management,...I do believe that most
    management people want to do things the right way or at least "generally"
    the right way. Sometimes it just takes a bold IT person to stand up to them
    and be persistent in trying to explain the situation to them.

    Glad to hear it took a turn for the good.

    --
    Phillip Windell
    www.wandtv.com

    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    -----------------------------------------------------
     
    Phillip Windell, Jan 23, 2009
    #13
  14. John Liles

    John Liles Guest

    This reminds me of a quote I saw the other day that gave me a chuckle:

    "Nothing is impossible for those who won't be doing the work."
     
    John Liles, Jan 23, 2009
    #14
  15. LOL
    I'll have to remember that one!


    --
    Phillip Windell
    www.wandtv.com

    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
     
    Phillip Windell, Jan 23, 2009
    #15
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.