I currently run a hosting service and some of our customers wish to use their domain accounts to log in to our servers. Sounds like fun, so here we go.
I have created a VPN connection from our site to theirs and have set up a server at our site and added it to their domain, so it now contains a DNS server and a copy of their AD.
This part is working fine.
My network is 10.0.2.0/24 and theirs is 10.10.0.0/16, so for the VPN I created a 3rd NIC in my firewall with 172.16.0.0/29 on it and used this to link the VPN tunnel. So right now their DC in my build has 2 NICs: 172.16.0.1 (this is the link to their side) and 10.0.2.230 (link to my side).
I did get the trust set up and working and was able to add groups from their domain to mine and they could log in. Now I need to add more groups from their side to mine and it will not let me. It does not prompt me to log in to their domain any more.
Was it just a fluke that this worked? Since I have a pfSense firewall with 3 NICs (WAN, LAN [10.0.2.0] and OPT1 [172.16.0.0]) which is capable of routing between NICs, do I need the 10.0.2.230 address (and second NIC) in their AD box (thereby creating a dual-homed DC), or should I just try to set up routes from their server at 172.16.0.1 into my 10.0.2.0/24 network?
Is there a better way to do this? I have more customers that want to do the same and I see this getting to be very overwhelming very fast.