natted virtual machines losing trust relationship [message #163572] Wed, 03 June 2009 13:29
Joey
I got tons of natted virtual machines losing trust relationship with the
domain. Any idea what's going on?
Re: natted virtual machines losing trust relationship [message #163574 is a reply to message #163572] Wed, 03 June 2009 14:22
Phillip Windell
"Joey" <joey@joey.com> wrote in message
news:eEe4oDH5JHA.1716@TK2MSFTNGP03.phx.gbl...
>I got tons of natted virtual machines losing trust relationship with the
>domain. Any idea what's going on?

Trusts are between Forests/Domains,...not machines

Domain Membership needs you to get rid of the NAT. It is not going to work
correctly over NAT.


--
Phillip Windell

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
Re: natted virtual machines losing trust relationship [message #163579 is a reply to message #163574] Wed, 03 June 2009 14:36
Joey
But it works most of the time. Outlook works behind NAT. Are you saying I
should switch to bridge mode?
Re: natted virtual machines losing trust relationship [message #163581 is a reply to message #163579] Wed, 03 June 2009 14:48
Phillip Windell
That depends on the meaning of "bridged mode" in the context of the VM
Environment you are running. I always use VirtualPC,...there is no such
term as Bridged Mode in it,..but there is a NAT Mode.

Taking a stab at what it may mean in your context,...I'd say yes,..use that.

--
Phillip Windell

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------


Re: natted virtual machines losing trust relationship [message #163582 is a reply to message #163581] Wed, 03 June 2009 15:20
Joey
Sorry, don't mean to be a pain, but why doesn't NAT work well with domain?
Re: natted virtual machines losing trust relationship [message #163584 is a reply to message #163582] Wed, 03 June 2009 17:00
Phillip Windell
Domains have been around about 15 years (since 1994 with NT).
Domains have never worked over Firewalls (aka NAT boxes or Proxys).

The fact that you use a Virtualized environment is irrelevant,...NAT is
still NAT.

--
Phillip Windell

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------


Re: natted virtual machines losing trust relationship [message #163585 is a reply to message #163584] Wed, 03 June 2009 17:04
Phillip Windell
"Phillip Windell" <philwindell@hotmail.com> wrote in message
news:Om3bO5I5JHA.1380@TK2MSFTNGP05.phx.gbl...
> Domains have been around about 15 years (since 1994 with NT).
> Domains have never worked over Firewalls (aka NAT boxes or Proxys).

Domains require *two-way* communication

NAT is a *one-way* communication,...the direction is always from "trusted"
to "untrusted" (aka Internal to External).


--
Phillip Windell

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
Re: natted virtual machines losing trust relationship [message #163586 is a reply to message #163585] Wed, 03 June 2009 17:18
Jordon
Phillip Windell wrote:

> NAT is a *one-way* communication,...the direction is always from "trusted"
> to "untrusted" (aka Internal to External).

I don't mean to dispute your statement, just curious...

If NAT is one way then how does a browser send data
to the internet through NAT and end up getting a
response?


--
Jordon
Re: natted virtual machines losing trust relationship [message #163588 is a reply to message #163582] Wed, 03 June 2009 18:43
Joey
But how is it able to join the domain and work and authenticate users? It
can join the domain and do any domain functions. The problem is I get a trust
relationship broken error and the machine seems to have fallen off the
domain. Only fix is to rejoin.
Re: natted virtual machines losing trust relationship [message #163589 is a reply to message #163586] Wed, 03 June 2009 19:31
Bill Grant
"Jordon" <jordon@REMOVEgrahamtrucking.com> wrote in message
news:h06p8q$24c$1@news.eternal-september.org...
> Phillip Windell wrote:
>
>> NAT is a *one-way* communication,...the direction is always from
>> "trusted" to "untrusted" (aka Internal to External).
>
> I don't mean to dispute your statement, just curious...
>
> If NAT is one way then how does a browser send data
> to the internet through NAT and end up getting a
> response?
>
>
> --
> Jordon

Because that is how NAT works and that is what it is designed to do. The
NAT router sends the request across the Internet using its own public IP.
When it receives the reply it forwards it to the client using the client's
private IP. It uses a translation table to keep track of which request came
from which client.

It is a one-way translation because the NAT router will translate
addresses for machines on the private LAN so that they can access the
Internet. It will not translate addresses for machines on the "public" side
of the NAT. You can initiate a connection from a machine on the private side
to a machine on the public side. You cannot do the reverse. This is why NAT
interferes with AD.

Another reason why NAT causes problems with AD is DNS. By default NAT
will also act as a DNS relay. The client uses the NAT router as its DNS
server. NAT does a DNS lookup on a public DNS server on the client's behalf.
This fails with AD because the client must use the local DNS to find AD
resources. The public DNS server cannot resolve local AD names for you.
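
Added example, not part of the original post: a minimal Python model of the translation table described above, showing that a reply to a session opened from the private side is forwarded while a connection initiated from the other side finds no table entry and is dropped. All addresses and ports are constructed sample values, and the `Nat` class and `demo` function are hypothetical names.

```python
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.1"  # constructed: address of the NAT router's outside interface


@dataclass
class Nat:
    """Toy port-translating NAT: one table entry per outbound session."""
    public_ip: str = PUBLIC_IP
    next_port: int = 40000
    # public_port -> (private_ip, private_port, remote_ip, remote_port)
    table: dict = field(default_factory=dict)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Private-side host initiates: record the session, rewrite the source."""
        session = (src_ip, src_port, dst_ip, dst_port)
        for pub_port, entry in self.table.items():
            if entry == session:          # existing session reuses its mapping
                return (self.public_ip, pub_port, dst_ip, dst_port)
        pub_port = self.next_port
        self.next_port += 1
        self.table[pub_port] = session
        return (self.public_ip, pub_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """Packet arrives from the outside: forward only if it answers a
        tracked request, otherwise drop it (returns None)."""
        entry = self.table.get(dst_port)
        if entry is None or entry[2:] != (src_ip, src_port):
            return None
        return (src_ip, src_port, entry[0], entry[1])


def demo():
    nat = Nat()
    vm, dc = "192.168.50.10", "10.0.0.5"    # constructed: NATted VM, domain controller
    out = nat.outbound(vm, 49152, dc, 389)   # VM opens a session to the DC
    reply = nat.inbound(dc, 389, out[1])     # DC's answer matches the table entry
    unsolicited = nat.inbound(dc, 50000, 445)  # DC tries to open a session to the VM
    return out, reply, unsolicited


if __name__ == "__main__":
    for label, result in zip(("outbound", "reply", "unsolicited"), demo()):
        print(f"{label:12} -> {result}")
```
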
Re: natted virtual machines losing trust relationship [message #163590 is a reply to message #163588] Wed, 03 June 2009 19:42
Bill Grant
NAT works fine if you know what you are doing. I have a domain running on
a virtual network behind a NAT router. (You need to modify how DNS works).
You cannot run some clients behind NAT (or behind a firewall) if the DC is
on the public side of the NAT.

If you want the machines on the virtual network to work with a domain
on the physical network, don't use NAT. Link the virtual network to the
physical NIC in the host. If you want the machines on the virtual network to
be in their own subnet, use LAN routing, not NAT.

A virtual network behaves just like a physical one. It uses the same
protocols. The networking software does not know or care which is virtual
and which is not.

Re: natted virtual machines losing trust relationship [message #163648 is a reply to message #163586] Thu, 04 June 2009 09:29
Phillip Windell
"Jordon" <jordon@REMOVEgrahamtrucking.com> wrote in message
news:h06p8q$24c$1@news.eternal-september.org...
> Phillip Windell wrote:
>
>> NAT is a *one-way* communication,...the direction is always from
>> "trusted" to "untrusted" (aka Internal to External).
>
> I don't mean to dispute your statement, just curious...
>
> If NAT is one way then how does a browser send data
> to the internet through NAT and end up getting a
> response?

Because it is a response. A "response" is just that,...the communication
with NAT is outbound,...that doesn't mean responses can go be the other way.
But *only* responses,... you are not going to initiate a communication
session in the other direction.

--
Phillip Windell

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------