Forum.Brain-Cluster.com: Brain Cluster Technical Forum

Forest Trust-NAT Issue [message #371528] Tue, 19 January 2010 03:41
QuesionVB
Messages: 4
Registered: January 2010
Junior Member
We are building a Resource Forest for giving Partner Companies access to
Exchange, Active Directory and Office Communication Server.
For this scenario it is required to build an outgoing Forest Trust to our
Partner Company.

On our side (Resource Forest) we have an "open" network which can be accessed
from the Partner. DNS: we can use conditional forwarding for making our DCs
"public" (for example forwarding *.resource.com to x.x.x.x) - no problem.

A problem is on the way from our Domain Controllers to the DCs of the
Partner, because our Partner uses NAT. The DCs have a private address which
cannot be accessed by our Domain Controller in the Resource Forest. A Forest
Trust through NAT is not supported by Microsoft... I know.

In fact: we are now searching for a way to give the Domain Controllers in
the Resource Forest the possibility to communicate with the internal Domain
Controllers of our Partner(s), because this is the main requirement for
building the Trust.


Thanks for any ideas and feedback
Re: Forest Trust-NAT Issue [message #371541 is a reply to message #371528] Tue, 19 January 2010 04:28
meiweb (Germany)
Messages: 2225
Registered: September 2009
Senior Member
Hello QuesionVB,

Use a router/firewall to create a VPN connection between the networks. Also,
you should never connect a DC directly to the internet, which is what I read
from your description, if I am not wrong: "On our side (Resource Forest) we
have a "open" Network".

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


Re: Forest Trust-NAT Issue [message #371623 is a reply to message #371541] Tue, 19 January 2010 06:32
QuesionVB
Messages: 4
Registered: January 2010
Junior Member
"Open" network means open for Partners. Of course not on the Internet :)



Re: Forest Trust-NAT Issue [message #371624 is a reply to message #371528] Tue, 19 January 2010 06:31
pbbergs (United States)
Messages: 1024
Registered: July 2009
Senior Member
I would use a VPN setup between the two sites; use this setup behind the
NAT.

http://technet.microsoft.com/en-us/library/cc783632(WS.10).aspx

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

Re: Forest Trust-NAT Issue [message #371713 is a reply to message #371624] Tue, 19 January 2010 08:26
QuesionVB
Messages: 4
Registered: January 2010
Junior Member
I think there is a communication problem. The Partner AD has nothing to do
with our internal AD structure. The Partner has its own Forest, own DCs.
Important is that the DCs in the Resource Forest can communicate with the DCs
of the Partner (for the Forest Trust). Conditional forwarding does not work,
because the Partner DNS server will answer a request with the internal
IP address of the DC, which we can't access from our Resource Forest.
It is not a branch office scenario where we can install a Domain Controller
for the Resource Forest.




Re: Forest Trust-NAT Issue [message #371811 is a reply to message #371713] Tue, 19 January 2010 10:23
Jorge Silva
Messages: 398
Registered: July 2009
Senior Member
Hi
You already said that you know that NAT is not supported in this scenario,
but one thing to keep in mind is that you'll always need to do routing between
both subnets (I'm assuming that the subnets are different). That means the
original IP request should be returned. If your client has a NAT interface
that responds on behalf of the DC, then you need a bridge or VPN between
both sites that allows true routing between DCs.

--

I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MVP Directory Services

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.




Re: Forest Trust-NAT Issue [message #372602 is a reply to message #371713] Wed, 20 January 2010 06:22
pbbergs (United States)
Messages: 1024
Registered: July 2009
Senior Member
If you have two separate forests and there is a NAT firewall sitting between
the two, you need to set up a connection that will allow both sides to
communicate with the other. A VPN established between the two sites should
work, but... hopefully both sides aren't using the same set of IP address
subnets. That could be a problem. What you are attempting to do has
nothing to do with Active Directory; this is a network issue. You have to
be able to resolve names from both sides, which will require you to set
something up like a secondary of each other's primary, for instance.

I would recommend that before you attempt to establish a trust you get a working
bridge set up between the two forests.

Understanding Trusts
http://technet.microsoft.com/en-us/library/cc736874(WS.10).aspx


Trusts:

To start you would have to establish DNS connectivity both ways; usually the
easiest thing to do would be to create secondaries of each other's primary.
http://expertanswercenter.techtarget.com/eac/knowledgebaseAnswer/0,295199,sid63_gci1104911,00.html

Once established you can then go and create your external trust. I wouldn't
create a forest trust; this establishes a two-way trust.

Creating an External Trust
http://technet2.microsoft.com/WindowsServer/en/library/b30ef067-746e-4453-b879-804259aafdd31033.mspx?mfr=true

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

RE: Forest Trust-NAT Issue [message #378980 is a reply to message #371528] Thu, 28 January 2010 04:09
Arkturas
Messages: 1
Registered: January 2010
Junior Member
Hi, we had the same scenario.

Company A needs to access resources in Company B. Both companies manage
their own forests, separated via a firewall/NAT device.

What we did to get it working:
on Company A DCs edit the hosts file and add the NAT IP address of all the
Company B DCs;
on Company B DCs edit the hosts file and add the NAT IP address of all the
Company A DCs;

then on each forest create a DNS stub zone for the domain you want
to trust.

Also have a look at this link; it may get around the problem of adding hosts
entries to all the DCs by using a published addresses reg key.
http://blogs.technet.com/ad/archive/2009/04/22/dcs-and-network-address-translation.aspx

--



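The hosts-file plus stub-zone approach Arkturas describes, and the "resolve names from both sides before you attempt the trust" check pbbergs recommends, scripted as an added example. This is not code from the thread or from any of the posters; it is illustrative only. It assumes it runs as an administrator on a DC of the resource forest (Windows Server 2012 R2 or later, so that the DnsServer, DnsClient and NetTCPIP modules are available), that the partner forest's DNS name is partner.example, and that the partner has published the two NAT addresses shown for its DCs; all of those are placeholder values, not values from the thread.

```powershell
# Added example, not code from the thread: automate the hosts-file + stub-zone
# workaround for partner DCs behind NAT, then verify that every partner DC name
# resolves to an address this forest can route to and answers on the ports a trust needs.
# Assumptions (placeholders, none from the thread):
#   - runs elevated on a DC of the resource forest, Windows Server 2012 R2 or later
#   - partner forest DNS name is partner.example
#   - the partner published these NAT addresses for its DCs (constructed values)
$PartnerZone = 'partner.example'
$PartnerDcs  = [ordered]@{
    'dc1.partner.example' = '203.0.113.10'
    'dc2.partner.example' = '203.0.113.11'
}
# Minimum fixed ports a trust needs: Kerberos, RPC endpoint mapper, LDAP, SMB.
# RPC dynamic ports are needed as well but cannot be checked with a fixed list.
$TrustPorts = 88, 135, 389, 445

# True when $Ip is an RFC 1918 address, i.e. the partner's internal address is
# leaking through (the symptom the original poster saw with conditional forwarding).
function Test-Rfc1918Address {
    param([Parameter(Mandatory)][string]$Ip)
    $b = ([System.Net.IPAddress]::Parse($Ip)).GetAddressBytes()
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168)
}

# Step 1: hosts entries, so the partner DC hostnames resolve to the NAT addresses
# regardless of the internal addresses the partner's own DNS hands back.
$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
foreach ($entry in $PartnerDcs.GetEnumerator()) {
    $pattern = '(^|\s)' + [regex]::Escape($entry.Key) + '(\s|$)'
    if (-not (Select-String -Path $HostsPath -Pattern $pattern -Quiet)) {
        Add-Content -Path $HostsPath -Value ("{0}`t{1}" -f $entry.Value, $entry.Key)
    }
}

# Step 2: stub zone for the partner domain with the NAT addresses as master servers,
# so SRV lookups for the partner's DCs (_ldap._tcp.dc._msdcs.<zone>) work from here.
if (-not (Get-DnsServerZone -Name $PartnerZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerStubZone -Name $PartnerZone `
        -MasterServers @($PartnerDcs.Values) `
        -ReplicationScope 'Forest'
}

# Step 3: verification. A failure here means the trust wizard will fail too, and the
# warning tells you whether name resolution or routing is the broken piece.
# Resolve-DnsName consults the hosts file unless -NoHostsFile is given.
$ok = $true
foreach ($name in $PartnerDcs.Keys) {
    $a = Resolve-DnsName -Name $name -Type A -ErrorAction SilentlyContinue |
         Where-Object { $_.Type -eq 'A' } | Select-Object -First 1
    if (-not $a) {
        Write-Warning "$name does not resolve at all"; $ok = $false; continue
    }
    if (Test-Rfc1918Address $a.IPAddress) {
        Write-Warning "$name resolves to private address $($a.IPAddress); the partner's internal answer is leaking through"
        $ok = $false; continue
    }
    foreach ($port in $TrustPorts) {
        $t = Test-NetConnection -ComputerName $a.IPAddress -Port $port -WarningAction SilentlyContinue
        if (-not $t.TcpTestSucceeded) {
            Write-Warning "$name ($($a.IPAddress)) port $port not reachable"; $ok = $false
        }
    }
}
if ($ok) { Write-Output 'All partner DCs resolve to routable addresses and answer on the trust ports.' }
```

The same script has to run on the partner side with the roles swapped, since the trust needs resolution both ways. The RFC 1918 check is the part worth keeping even if you take the VPN route the other posters recommend: a partner DC name that resolves to a 10.x or 192.168.x address from your forest is the exact failure the original poster describes, and catching it before the trust wizard saves a misleading "domain cannot be contacted" error.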
Re: Forest Trust-NAT Issue [message #379872 is a reply to message #378980] Fri, 29 January 2010 07:43
Phillip Windell (United States)
Messages: 526
Registered: July 2009
Senior Member
Get rid of the NAT
Or use VPN to get past the NAT.


--
Phillip Windell

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------

