Urgent - Windows 2003 Trust and NAT

  #1  
Old 10-07-2007
clemente
 
Posts: n/a
Urgent - Windows 2003 Trust and NAT

Hi,

I have a Windows 2003 forest that is behind a NAT firewall. I want to create
a trust relationship from my forest to that one behind the firewall. I have
created a stub zone in my forest but it doesn't work.

How can I configure this trust? Any ideas?

TIA,

Clemente
Portugal

  #2  
Old 10-07-2007
Scott Lowe
 
Posts: n/a
Re: Urgent - Windows 2003 Trust and NAT

In article
<1D67B10A-A9A7-43DC-8C5F-CBD277CBBB81@microsoft.com>clemente
<clemente@discussions.microsoft.com> wrote:

> Hi,
>
> I have a Windows 2003 forest that is behind a NAT firewall. I want
> to create a trust relationship from my forest to that one behind
> the firewall. I have created a stub zone in my forest but it doesn't
> work.
> How can I configure this trust? Any ideas?
>

I'm probably mistaken, but I don't believe that the trust will work
when NAT is involved. You *may* be able to establish static NAT
(1-to-1) mappings for the DCs in your forest and get the trust to work
that way, but I'm still thinking that you'll run into problems down
the road.

Regards,
Scott

  #3  
Old 10-07-2007
Paul Bergson [MVP-DS]
 
Posts: n/a
Re: Urgent - Windows 2003 Trust and NAT

If you have a firewall between two forests you need to make sure you have
the proper ports opened so communications between the two forests can occur.
You can either open up individual ports, and there are many, -or- you can
establish a VPN connection between the two. I am unclear as to how you have
established your communications but I would recommend you set up a VPN.

If you decide to open up individual ports, see my web site article on ports needed:
http://www.pbbergs.com
Select articles and click on firewall ports needed for replication.

As far as DNS goes I usually just set up secondaries of each other's forest:
http://expertanswercenter.techtarget...104911,00.html

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

  #4  
Old 10-07-2007
clemente
 
Posts: n/a
Re: Urgent - Windows 2003 Trust and NAT

Hi,

Thanks for your answer. But the problem here is that the firewall is in NAT
mode. The DNS server that is published through the firewall returns inside IP
addresses to DNS queries.

Is the only solution the VPN? But a site-to-site VPN?
Why can't I find some hints to this problem? Nobody has done this before?

If I make a VPN between the two DCs of the different forests there's a
security breach. The DC can access the entire network through that VPN.
Can you give some sites so I can see how to configure the VPN in this scenario?
Will I use an IPSec tunnel? L2TP?

I just want to make an external trust between forests. No Active Directory
replication will take place between the two forests. I just want one AD
forest to use the other for authentication purposes.

TIA,

Clemente
Portugal

Reply With Quote
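
Added example (not part of the original thread or any poster's code): post #4 reports that the published DNS server hands out inside addresses, and post #2 suggests static 1-to-1 NAT mappings for the DCs. The sketch below audits DC address records against a static NAT table to show which records a client outside the NAT can actually use; the host names, addresses and NAT entries are constructed sample data.

```python
import ipaddress

# RFC 1918 private ranges: addresses that are only meaningful inside the NAT.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: A records the published DNS server returns for the
# domain controllers of the forest behind the firewall (hypothetical names).
DNS_ANSWERS = {
    "dc1.inside.example": "10.20.0.11",
    "dc2.inside.example": "10.20.0.12",
    "dc3.inside.example": "198.51.100.23",
}

# Constructed sample: static 1-to-1 NAT entries on the firewall,
# inside address -> outside address.
STATIC_NAT = {"10.20.0.11": "203.0.113.11"}


def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def audit_dc_records(dns_answers, static_nat):
    """Classify each DC record as seen by a client outside the NAT.

    Returns {host: (status, address_to_publish)} where status is
      "ok"          - DNS already returns an address routable from outside
      "fix-dns"     - DNS returns an inside address, but a static NAT entry
                      exists; the outside view of the zone must return it
      "unreachable" - inside address with no static NAT entry
    """
    report = {}
    for host, addr in sorted(dns_answers.items()):
        if not is_rfc1918(addr):
            report[host] = ("ok", addr)
        elif addr in static_nat:
            report[host] = ("fix-dns", static_nat[addr])
        else:
            report[host] = ("unreachable", None)
    return report


if __name__ == "__main__":
    for host, (status, publish) in audit_dc_records(DNS_ANSWERS, STATIC_NAT).items():
        print(f"{host:22} {status:12} {publish or '-'}")
```

Correcting the addresses only covers name resolution; the ports the trust needs still have to be allowed through the firewall, as post #3 notes.
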
  #5  
Old 12-07-2007
Paul Bergson [MVP-DS]
 
Posts: n/a
Re: Urgent - Windows 2003 Trust and NAT

What do you mean, a security violation? The key word in this is "Trust." If
you don't trust one side then don't establish the trust, or make it a one-way
trust.
