Setting up AD trust Across NAT

Guest

I am trying to set up a Windows AD 2003 trust with a domain that is sitting
on the other side of a router that is doing NAT. Both subnets are private to
the internet. Our domain is 10.x.x.x and their domain is 192.168.x.x. The
Router sitting between us is using NAT to Translate their 192.168.x.x address
to 10.x.x.x. So for example, their DC is 192.168.5.5 and when I ping it by
name I get a reply of 10.10.5.5. So I guess my question is how do I set up
name resolution between the two domains. If I do a zone transfer or a
conditional forward to their DNS then when I ask DNS what is the IP address
of their DC, it will say 192.168.5.5 which is no good to me. I need it to
say 10.10.5.5. I thought about setting up a secondary zone in our DNS and
just manually entering all the Host records for all of their servers but I
wasn't sure if I needed entries for things like name servers, LDAP servers
and all the other AD related stuff that is in our DNS. If this secondary
zone thing will work can you tell me all of the entries I will need to add
besides Host records for server names.

I've also heard something about a DNS Proxy is that something that I could
possibly use?

Any other ideas would be greatly appreciated.
 
Ace Fekay [MVP]

In
Brian said:
I am trying to set up a Windows AD 2003 trust with a domain that is
sitting on the other side of a router that is doing NAT. Both
subnets are private to the internet. Our domain is 10.x.x.x and
their domain is 192.168.x.x. The Router sitting between us is using
NAT to Translate their 192.168.x.x address to 10.x.x.x. So for
example, their DC is 192.168.5.5 and when I ping it by name I get a
reply of 10.10.5.5. So I guess my question is how do I set up name
resolution between the two domains. If I do a zone transfer or a
conditional forward to their DNS then when I ask DNS what is the IP
address of their DC, it will say 192.168.5.5 which is no good to me.
I need it to say 10.10.5.5. I thought about setting up a secondary
zone in our DNS and just manually entering all the Host records for
all of their servers but I wasn't sure if I needed entries for
things like name servers, LDAP servers and all the other AD related
stuff that is in our DNS. If this secondary zone thing will work can
you tell me all of the entries I will need to add besides Host
records for server names.

I've also heard something about a DNS Proxy is that something that I
could possibly use?

Any other ideas would be greatly appreciated.

Unfortunately, NAT won't work here. LDAP, RPC, Netlogon and Kerberos will
not traverse a NAT. Since the domains are not of the same forest, and you
are attempting an "external" domain to domain trust between two domains in
different forests, Kerberos won't be a factor in external trusts, which are
NT style trusts, and use NTLM. NTLM doesn't use DNS, so setting up
secondary zones, etc, will be nice for FQDN resolution, but will not help
with external trust.

The main fact, that RPC and Netlogon are curtailed by NAT, is your dilemma.
The only way in *your* scenario is to route between the two subnets instead
of NATting to make it work. Since both subnets are behind a main NAT
(probably assuming on the 192.168.5.0 side), to the Internet, routing can be
achieved, that is if the folks on the 192.168.5.0 side will create a static
route to get to your 10.10.5.0 subnet. Another method is to use a VPN thru
the NAT.

263293 - Windows 2000 NAT Does Not Translate Netlogon Traffic :
http://support.microsoft.com/default.aspx?scid=kb;EN-US;263293

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

If this post is viewed at a non-Microsoft community website, and you were to
respond to it through that community's website, I may not see your reply
unless that website posts replies back to the original Microsoft forum.
Therefore, please direct all replies ONLY to the Microsoft public newsgroup
this thread originated in so all can benefit or ensure the web community
posts it back to the original forum.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services
Microsoft Certified Trainer
Infinite Diversities in Infinite Combinations.
=================================
 
Cary Shultz [A.D. MVP]

Brian,

I might post this in the microsoft.public.windows.server.active_directory
news group as that is more for WIN2003. This is more for WIN2000.

You might also want to check the networking news group.....

Sorry that I can not be of more assistance.

--
Cary W. Shultz
Roanoke, VA 24012

WIN2000 Active Directory MVP
http://www.activedirectory-win2000.com
(soon to be updated!!!)
http://www.grouppolicy-win2000.com
(soon to be updated!!!)
 
Guest

Thank you, that's exactly the type of explanation I was looking for. Not the
answer I was looking for but at least I know exactly what is going on.
 
Ace Fekay [MVP]

In
Brian said:
Thank you, that's exactly the type of explanation I was looking for.
Not the answer I was looking for but at least I know exactly what is
going on.

Sorry for the bad news... :-(

You know, after re-reading your original post, there was one thing I forgot
to mention about those IPs you are looking for. If you do decide to route
instead of NAT, as far as just connecting to resources (shares, etc that
still need to authenticate across the router), by using FQDN the IP you want
it to resolve to, say 10.10.5.5 instead of the other one, you can create a
'shadow' zone on your side. A shadow is just a zone you create as a
secondary at first just to grab all the data, then make it primary, and make
the appropriate changes for what you want. After that to keep it updated, if
you need anything they create on their zone, just manually create it on your
side to update your 'shadow' copy.

Other than that, NAT seems to still be the issue with trusts and
authentication...

Ace
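Building the 'shadow' zone Ace describes, as an added example that is not code from the thread or from Microsoft: a Python script that takes a copy of the partner zone, rewrites only its A records to the NAT-side addresses, and copies NS/SRV records unchanged, since those carry hostnames rather than addresses. The zone text, the partner.local name and the 1:1 192.168.0.0/16 to 10.10.0.0/16 mapping are constructed assumptions generalised from the 192.168.5.5 to 10.10.5.5 example in the question.

```python
import ipaddress
import re

# Constructed sample export of the partner's zone (BIND-style lines); not from the thread.
PARTNER_ZONE = """\
$ORIGIN partner.local.
@                    IN NS   dc1.partner.local.
dc1                  IN A    192.168.5.5
fs1                  IN A    192.168.5.20
_ldap._tcp           IN SRV  0 100 389 dc1.partner.local.
_kerberos._tcp       IN SRV  0 100 88 dc1.partner.local.
_ldap._tcp.dc._msdcs IN SRV  0 100 389 dc1.partner.local.
"""

RECORD_RE = re.compile(r"^(\S+)\s+IN\s+(\S+)\s+(.*)$")


def translate(addr, src_net="192.168.0.0/16", dst_net="10.10.0.0/16"):
    """Map an address on the partner's side to the address the NAT presents to us.
    Assumes a static 1:1 NAT that keeps the host part (hypothetical, inferred from
    192.168.5.5 -> 10.10.5.5 in the question)."""
    src = ipaddress.ip_network(src_net)
    dst = ipaddress.ip_network(dst_net)
    ip = ipaddress.ip_address(addr)
    if ip not in src:
        raise ValueError(f"{addr} is not inside the NATed range {src_net}")
    offset = int(ip) - int(src.network_address)
    return str(dst.network_address + offset)


def build_shadow_zone(zone_text, src_net="192.168.0.0/16", dst_net="10.10.0.0/16"):
    """Return (shadow zone text, list of (name, old_ip, new_ip) for every A record changed)."""
    out, changes = [], []
    for line in zone_text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            out.append(line)  # directives such as $ORIGIN pass through untouched
            continue
        name, rtype, rdata = m.group(1), m.group(2), m.group(3).strip()
        if rtype == "A":
            new_ip = translate(rdata, src_net, dst_net)
            changes.append((name, rdata, new_ip))
            rdata = new_ip
        # NS and SRV (the "name servers, LDAP servers" entries from the question) name a
        # host, not an address, so they are copied as-is; only the A records they resolve
        # through need the 10.10.x.x address.
        out.append(f"{name:<20} IN {rtype:<4} {rdata}")
    return "\n".join(out), changes


if __name__ == "__main__":
    shadow, changed = build_shadow_zone(PARTNER_ZONE)
    print(shadow)
    for name, old, new in changed:
        print(f"rewrote {name}: {old} -> {new}")
```

As Ace's reply says, this only fixes FQDN resolution across the NAT; the RPC and Netlogon traffic the trust itself needs still requires routing or a VPN rather than NAT.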