Urgent - Windows 2003 Trust and NAT
Hi,
I have a Windows 2003 forest that is behind a NAT firewall. I want to create
a trust relationship from my forest to that one behind the firewall. I have
created a stub zone in my forest but it doesn't work.
How can I configure this trust? Any ideas?
TIA,
Clemente
Portugal
Re: Urgent - Windows 2003 Trust and NAT
In article
<1D67B10A-A9A7-43DC-8C5F-CBD277CBBB81@microsoft.com> clemente
<clemente@discussions.microsoft.com> wrote:
> Hi,
>
> I have a Windows 2003 forest that is behind a NAT firewall. I want
> to create a trust relationship from my forest to that one behind
> the firewall. I have created a stub zone in my forest but it doesn't
> work.
> How can I configure this trust? Any ideas?
>
I'm probably mistaken, but I don't believe that the trust will work
when NAT is involved. You *may* be able to establish static NAT
(1-to-1) mappings for the DCs in your forest and get the trust to work
that way, but I'm still thinking that you'll run into problems down
the road.
Regards,
Scott
--
I'm trying a new usenet client for Mac, Nemo OS X.
You can download it at http://www.malcom-mac.com/nemo
Re: Urgent - Windows 2003 Trust and NAT
If you have a firewall between two forests you need to make sure you have
the proper ports opened so communications between the two forests can occur.
You can either open up individual ports, and there are many -or- you can
establish a VPN connection between the two. I am unclear as to how you have
established your communications, but I would recommend you set up a VPN.
If you decide to open up individual ports, see my web site article on ports
needed:
http://www.pbbergs.com
Select articles and click on firewall ports needed for replication.
As far as DNS goes, I usually just set up secondaries of each other's
forest:
http://expertanswercenter.techtarget...104911,00.html
--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
"clemente" <clemente@discussions.microsoft.com> wrote in message
news:1D67B10A-A9A7-43DC-8C5F-CBD277CBBB81@microsoft.com...
> Hi,
>
> I have a Windows 2003 forest that is behind a NAT firewall. I want to
> create
> a trust relationship from my forest to that one behind the firewall. I
> have
> created a stub zone in my forest but it doesn't work.
>
> How can I configure this trust? Any ideas?
>
> TIA,
>
> Clemente
> Portugal
Re: Urgent - Windows 2003 Trust and NAT
Hi,
Thanks for your answer. But the problem here is that the firewall is in NAT
mode. The DNS server that is published through the firewall returns inside IP
addresses to DNS queries.
Is the only solution the VPN? But a site-to-site VPN?
Why can't I find some hints on this problem? Nobody has done this before?
If I make a VPN between the two DCs of the different forests there's a
security breach. The DC can access the entire network through that VPN.
Can you give me some sites so I can see how to configure the VPN in this scenario?
Will I use an IPSec tunnel? L2TP?
I just want to make an external trust between forests. No Active Directory
replication will take place between the two forests. I just want one AD
forest to use the other for authentication purposes.
TIA,
Clemente
Portugal
"Paul Bergson [MVP-DS]" wrote:
> If you have a firewall between two forests you need to make sure you have
> the proper ports opened so communications between the two forests can occur.
> You can either open up individual ports, and there are many -or- you can
> establish a VPN connection between the two. I am unclear as to how you have
> established your communications, but I would recommend you set up a VPN.
>
> If you decide to open up individual ports, see my web site article on ports
> needed:
> http://www.pbbergs.com
> Select articles and click on firewall ports needed for replication.
>
> As far as DNS goes, I usually just set up secondaries of each other's
> forest:
> http://expertanswercenter.techtarget...104911,00.html
>
> --
> Paul Bergson
> MVP - Directory Services
> MCT, MCSE, MCSA, Security+, BS CSci
> 2003, 2000 (Early Achiever), NT
>
> http://www.pbbergs.com
>
> Please no e-mails, any questions should be posted in the NewsGroup
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
> "clemente" <clemente@discussions.microsoft.com> wrote in message
> news:1D67B10A-A9A7-43DC-8C5F-CBD277CBBB81@microsoft.com...
> > Hi,
> >
> > I have a Windows 2003 forest that is behind a NAT firewall. I want to
> > create
> > a trust relationship from my forest to that one behind the firewall. I
> > have
> > created a stub zone in my forest but it doesn't work.
> >
> > How can I configure this trust? Any ideas?
> >
> > TIA,
> >
> > Clemente
> > Portugal
>
>
>
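The two obstacles this thread circles around are the DNS answers (the published DNS server hands back inside, RFC 1918 addresses that are meaningless on the other side of the NAT, which is why the stub zone cannot reach the remote DCs) and the set of ports the trust needs, which Scott's static 1-to-1 NAT mappings and Paul's port list both address. The following pre-flight checker is an added example and not code from any poster or from Microsoft: it takes the SRV/A answers a DC locator query would return for the remote forest, flags DCs that only resolve to inside addresses, and turns Scott's suggestion into a concrete per-DC static NAT plan with the ports it must forward. The forest name, hostnames, addresses and the `public_map` are constructed sample data; the port list is the well-known set for a Windows 2003 external trust, plus the RPC dynamic range noted in the comment.

```python
"""Pre-flight check for an external trust across a NAT firewall (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# RFC 1918 ranges: the addresses an inside DNS server hands out behind NAT.
RFC1918_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Ports our DCs must reach on the remote forest's DCs for an external trust
# (assumed well-known set; RPC also needs the dynamic range, 1024-5000 on
# Windows 2003, unless the DCs are configured to use a fixed port).
TRUST_PORTS = {
    53: "DNS", 88: "Kerberos", 135: "RPC endpoint mapper",
    137: "NetBIOS name", 138: "NetBIOS datagram", 139: "NetBIOS session",
    389: "LDAP", 445: "SMB",
}


@dataclass(frozen=True)
class SrvAnswer:
    """One DC locator result: the SRV name queried, the DC it named, its A record."""
    srv_name: str
    target: str
    address: str


def dc_locator_names(forest: str) -> List[str]:
    """SRV names a DC queries to locate the remote forest's DCs (real record names)."""
    return [f"_ldap._tcp.dc._msdcs.{forest}", f"_kerberos._tcp.dc._msdcs.{forest}"]


def is_inside_address(addr: str) -> bool:
    """True if the address is RFC 1918, i.e. unreachable from outside the NAT."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918_NETS)


def classify_answers(answers: List[SrvAnswer]) -> Dict[str, List[SrvAnswer]]:
    """Split DC answers into ones reachable across NAT and ones hidden behind it."""
    result: Dict[str, List[SrvAnswer]] = {"nat_hidden": [], "reachable": []}
    for a in answers:
        key = "nat_hidden" if is_inside_address(a.address) else "reachable"
        result[key].append(a)
    return result


def static_nat_plan(answers: List[SrvAnswer],
                    public_map: Dict[str, str]) -> List[Tuple[str, str, str, List[int]]]:
    """Build one 1-to-1 static NAT entry per hidden DC: (dc, inside, public, ports).

    Every hidden DC must have a public address assigned in public_map; a DC
    without one is a configuration gap, so we fail loudly instead of skipping it.
    """
    plan = []
    seen = set()
    for a in classify_answers(answers)["nat_hidden"]:
        if a.target in seen:          # LDAP and Kerberos SRVs name the same DC
            continue
        seen.add(a.target)
        if a.target not in public_map:
            raise KeyError(f"no public address mapped for NAT-hidden DC {a.target}")
        plan.append((a.target, a.address, public_map[a.target], sorted(TRUST_PORTS)))
    return plan


def firewall_rules(plan, source_net: str) -> List[str]:
    """Render the allow rules the firewall needs, one per public address and port."""
    return [f"allow {source_net} -> {public}:{port} ({TRUST_PORTS[port]}) dnat {inside}"
            for _, inside, public, ports in plan for port in ports]


# Constructed sample: remote.example publishes dc1 with an inside address,
# while dc2 already resolves to a public one.
SAMPLE_ANSWERS = [
    SrvAnswer("_ldap._tcp.dc._msdcs.remote.example", "dc1.remote.example", "192.168.10.5"),
    SrvAnswer("_kerberos._tcp.dc._msdcs.remote.example", "dc1.remote.example", "192.168.10.5"),
    SrvAnswer("_ldap._tcp.dc._msdcs.remote.example", "dc2.remote.example", "203.0.113.7"),
]
SAMPLE_PUBLIC_MAP = {"dc1.remote.example": "198.51.100.20"}  # constructed

if __name__ == "__main__":
    split = classify_answers(SAMPLE_ANSWERS)
    print("NAT-hidden DCs:", sorted({a.target for a in split["nat_hidden"]}))
    for rule in firewall_rules(static_nat_plan(SAMPLE_ANSWERS, SAMPLE_PUBLIC_MAP), "10.20.0.0/24"):
        print(rule)
```

The check is deliberately narrow: it only tells you which DCs the other side's DNS is hiding and what a static mapping for them must carry. It does not fix the DNS itself; the remote DNS still has to answer with the public addresses (or a secondary zone on your side has to carry them, as Paul suggests), otherwise your DC will keep contacting the inside address no matter what the firewall forwards.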
Re: Urgent - Windows 2003 Trust and NAT
What do you mean, a security violation? The key word in this is "Trust." If
you don't trust one side then don't establish the trust, or make it a one-way
trust.
--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
"clemente" <clemente@discussions.microsoft.com> wrote in message
news:C48B19F5-1494-43DF-8C1D-B40695BC4164@microsoft.com...
> Hi,
>
> Thanks for your answer. But the problem here is that the firewall is in
> NAT
> mode. The DNS server that is published through the firewall returns inside
> IP
> addresses to DNS queries.
>
> Is the only solution the VPN? But a site-to-site VPN?
> Why can't I find some hints on this problem? Nobody has done this before?
>
> If I make a VPN between the two DCs of the different forests there's a
> security breach. The DC can access the entire network through that VPN.
> Can you give me some sites so I can see how to configure the VPN in this
> scenario?
> Will I use an IPSec tunnel? L2TP?
>
> I just want to make an external trust between forests. No Active Directory
> replication will take place between the two forests. I just want one AD
> forest to use the other for authentication purposes.
>
> TIA,
>
> Clemente
> Portugal
>
> "Paul Bergson [MVP-DS]" wrote:
>
>> If you have a firewall between two forests you need to make sure you have
>> the proper ports opened so communications between the two forests can
>> occur.
>> You can either open up individual ports, and there are many -or- you can
>> establish a VPN connection between the two. I am unclear as to how you
>> have
>> established your communications, but I would recommend you set up a VPN.
>>
>> If you decide to open up individual ports, see my web site article on
>> ports
>> needed:
>> http://www.pbbergs.com
>> Select articles and click on firewall ports needed for replication.
>>
>> As far as DNS goes, I usually just set up secondaries of each other's
>> forest:
>> http://expertanswercenter.techtarget...104911,00.html
>>
>> --
>> Paul Bergson
>> MVP - Directory Services
>> MCT, MCSE, MCSA, Security+, BS CSci
>> 2003, 2000 (Early Achiever), NT
>>
>> http://www.pbbergs.com
>>
>> Please no e-mails, any questions should be posted in the NewsGroup
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>>
>> "clemente" <clemente@discussions.microsoft.com> wrote in message
>> news:1D67B10A-A9A7-43DC-8C5F-CBD277CBBB81@microsoft.com...
>> > Hi,
>> >
>> > I have a Windows 2003 forest that is behind a NAT firewall. I want to
>> > create
>> > a trust relationship from my forest to that one behind the firewall.
>> > I
>> > have
>> > created a stub zone in my forest but it doesn't work.
>> >
>> > How can I configure this trust? Any ideas?
>> >
>> > TIA,
>> >
>> > Clemente
>> > Portugal
>>
>>
>>