?
Solved

Trusts or A better Way?

Posted on 2010-09-16
6
Medium Priority
?
334 Views
Last Modified: 2012-05-10
I currently run a hosting service and some of our customers wish to use their domain accounts to login to our servers.  Sounds like fun so here we go.

I have created a VPN connection from our site to theirs and have setup a server at our site and added it to their domain so it now contains a DNS server and a copy of their AD.

This part is working fine.

My network is 10.0.2.0/24 and theirs is 10.10.0.0/16 so for the VPN I created a 3rd NIC in my firewall with 172.16.0.0./29 on it and used this to link the VPN tunnel so right now their DC in my build has 2 NICS 172.16.0.1 (this is the link to their side) and 10.0.2.230 link to myside.

I did get the trust setup and working and was able to add groups from their domain to mine and they could login.  Now I need to add more groups from their side to mine and it will not let me.  I does not prompt me to login to their domain any more.

Was it just a fluke that this worked?  Since I have a pfSense firewall with 3 NICS (WAN, LAN [10.0.2.0] and OPT1 [172.16.0.0]) which is cabable of routing between NICS do I need the 10.0.2.230 address (and second NIC) in their AD box (there by creating a dual home DC) or should I just try to setup routes from their server of 172.16.0.1 into my 10.0.2.0/24 network?

Is there a better way to do this?  I have more customers that want to do the same and I see this getting to be very over whelming very fast.
0
Comment
Question by:RJLemon
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
6 Comments
 
LVL 5

Expert Comment

by:smartsid
ID: 33698755
Hi RJLemon,
I have a question for you. What type of Active Directory trust did you create? Is it bi-directional ?
0
 

Author Comment

by:RJLemon
ID: 33705754
It is a one way trust.  I want to trust their users coming in but no one from my home domain should be trusted on their side.
0
 
LVL 5

Expert Comment

by:smartsid
ID: 33722041
Can you verify and validate the trust using domain.msc ? If not what is the error message you get.
If trust is verified, you can assign permissions to Universal groups from their domain, in your own domain.
0
 

Accepted Solution

by:
RJLemon earned 0 total points
ID: 34478074
I now have this working correctly.  It seemed to be a DNS issue.
0
 

Expert Comment

by:WhackAMod
ID: 34510101
Starting closing process on behalf of the asker.
0

Featured Post

Get real performance insights from real users

Key features:
- Total Pages Views and Load times
- Top Pages Viewed and Load Times
- Real Time Site Page Build Performance
- Users’ Browser and Platform Performance
- Geographic User Breakdown
- And more

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs…
For anyone that has accidentally used newSID with Server 2008 R2 (like I did) and hasn't been able to get the server running again because you were unlucky (as I was) and had no backups - I was able to get things working by doing a Registry Hive rec…
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses
Course of the Month12 days, 18 hours left to enroll

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question