trust forests without trusts

John M

Is there some product that will basically take over a trust role? I have
external forests that I want to assign resources to. Because we use NAT
between the two forests, I can't set up a trust. Is there something else I
can do? If this product could also sync the GAL from Exchange, that would be
great.

thanks
John
 
Ace Fekay [MVP]

In
John M said:
Is there some product that will basically take over a trust role? I
have external forests that I want to assign resources to. Because we
use NAT between the two forests, I can't setup a trust. Is there
something else I can do? If this product could also sync the GAL
from exchange that would be great.

thanks
John

You can create a trust between two NAT networks if you create a VPN with
the endpoints being the NAT routers, such as PIX boxes on each end, and
create a tunnel between them allowing unhindered access to each other's
subnets. This is normally done by many companies with multiple remote
locations/offices. If it is a partner organization or business partner, you
will need to sit down with them and explain what you want and come up with a
solution, possibly hiring a consultant who is familiar with this very common
procedure.

There are third-party tools, such as SimpleSync, to sync up different orgs,
but they still require full network access because of authentication and
communication, etc., because NAT does not translate Kerberos, NTLM, LDAP or
RPC traffic.


--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Having difficulty reading or finding responses to your post?
Instead of the website you're using, I suggest to use OEx (Outlook Express
or any other newsreader), and configure a news account, pointing to
news.microsoft.com. This is a direct link to the Microsoft Public
Newsgroups. It is FREE and requires NO ISP's Usenet account. OEx allows you
to easily find, track threads, cross-post, sort by date, poster's name,
watched threads or subject.

It's easy:
How to Configure OEx for Internet News
http://support.microsoft.com/?id=171164

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Directory Services
Microsoft Certified Trainer

Infinite Diversities in Infinite Combinations
Assimilation Imminent. Resistance is Futile
"Very funny Scotty. Now, beam down my clothes."

The only thing in life is change. Anything more is a blackhole consuming
unnecessary energy. - [Me]
 
John M

We have a VPN between two Check Point boxes; NAT is running on the Check Point
boxes to hide the internal network addresses because of conflicts. I called
PSS and they couldn't get it to work either, and said it's not supported.
The problem is DNS related: if I look up the external domain info, I can contact
the domain thru the NAT address, but AD responds with the real IP and thus
fails to work.


Ace Fekay said:
In
John M said:
Is there some product that will basically take over a trust role? I
have external forests that I want to assign resources to. Because we
use NAT between the two forests, I can't setup a trust. Is there
something else I can do? If this product could also sync the GAL
from exchange that would be great.

thanks
John

You can create a trust between two NAT networks if your create a VPN with
the endpoints being the NAT routers, such as if they were PIX boxes on
each end, create a tunnel between them allowing unhindered access to each
others' subnets. This is normally done with many companies with multiple
remote locations/offices. If it is a partner organization or business
partner, you will need to sit down with them and explain what you want and
come up with a solution, possibly hiring a consultant who is familiar with
this very common procedure.

There are 3rd party tools, such as SimpleSync, to sync up different orgs,
but they still require full network access because of authentication and
communication, etc, because NAT does not translate Kerberos, NTLM, LDAP or
RPC traffic.

 
Ace Fekay [MVP]

In
John M said:
we have a VPN between 2 checkpoint boxes, NAT is running on the
checkpoint boxes to hide the internal network address because of
conflicts. I called PSS and they couldn't get it to work either and
said it's not supported. Problem is DNS related, if I lookup the
external domain into, I can contact the domain thru the NAT address
but AD responds with the real IP and thus fails to work

Responds with the public IP? Then it's trying to go thru NAT, and that is
not supported, as I mentioned, as well as PSS. The idea is to create a
tunnel between the two locations so they act as an extension of your network,
with the NAT devices being the endpoints. I'm sure Check Point is capable of
this, since it's standard practice.

Ace
 
John M

No, not the public IP; it responds with the real private IP.

Example:
forest1=10.1.1.1 chicago
forest2=10.1.1.2 new york

We can't just connect the two sites because the private IPs conflict,
so we used hide NAT to hide the private networks behind a new NAT address.
So with NAT we now have:
forest1=10.2.2.2 chicago
forest2=10.2.3.3 new york

So from forest1, if you use a conditional forwarder, you forward forest2 to
10.2.3.3 and it works fine, but the problem is DNS responds with the 10.1.1.2
address.
 
Ace Fekay [MVP]

In
John M said:
no not the public ip it responds with the real private ip

example
forest1=10.1.1.1 chicago
forest2=10.1.1.2 new york

we can't just connect the 2 sites because the private ip's conflict
so we used hide nat to hide the private networks with a new nat
address so with NAT we now have
forest1=10.2.2.2 chicago
forest2-10.2.3.3 new york

so from forest1 if you use a conditional forwarder, you foward
forest2 to 10.2.3.3 and works fine but the problem is dns resonds with the
10.1.1.2 address

DNS is just doing its job. If you don't want to change the IP subnet, how
about just bridging the two locations instead of routing them? Of course you
must ensure there are no duplicates between the sites. If you do something
like this, you'll need to bump up the # of hosts the subnet can handle. You
can change the subnet mask to 255.255.254.0, which will give you 512
addresses, or 255.255.252.0, which will give you 1024 addresses.

How large (# of users) is the smaller of the two sites? Have you considered
changing the IP subnet to something different?

BTW, the 192.168.1.0 subnet is a known issue. Why? Many routers use that by
default, or the network is configured using that subnet because it's the
first one, so to speak. VPN users have problems too when their subnet at
home is 192.168.1.0 and so is the one at the office. One client of mine has
it set up that way (I got there after the fact). One of the upgrade plans is
to change the subnet. But until then, we usually have to step thru the users
at home to change their subnet.

Ace