Trusts or A better Way?

Asked by RJLemon (Canada)

I currently run a hosting service and some of our customers wish to use their domain accounts to log in to our servers.  Sounds like fun, so here we go.

I have created a VPN connection from our site to theirs and have set up a server at our site and added it to their domain, so it now contains a DNS server and a copy of their AD.

This part is working fine.

My network is 10.0.2.0/24 and theirs is 10.10.0.0/16, so for the VPN I created a third NIC in my firewall with 172.16.0.0/29 on it and used this to link the VPN tunnel.  Right now their DC in my build has two NICs: 172.16.0.1 (this is the link to their side) and 10.0.2.230 (the link to my side).

I did get the trust set up and working and was able to add groups from their domain to mine, and they could log in.  Now I need to add more groups from their side to mine and it will not let me.  It does not prompt me to log in to their domain any more.

Was it just a fluke that this worked?  Since I have a pfSense firewall with three NICs (WAN, LAN [10.0.2.0] and OPT1 [172.16.0.0]) which is capable of routing between NICs, do I need the 10.0.2.230 address (and second NIC) in their AD box (thereby creating a dual-homed DC), or should I just try to set up routes from their server at 172.16.0.1 into my 10.0.2.0/24 network?

Is there a better way to do this?  I have more customers that want to do the same, and I see this getting very overwhelming very fast.

smartsid (India) replied:

Hi RJLemon,
I have a question for you. What type of Active Directory trust did you create? Is it bi-directional?
RJLemon (asker) replied:

It is a one-way trust.  I want to trust their users coming in, but no one from my home domain should be trusted on their side.

smartsid replied:

Can you verify and validate the trust using domain.msc? If not, what is the error message you get?
If the trust is verified, you can assign permissions to Universal groups from their domain in your own domain.
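The verify-and-validate step and the cross-domain group assignment described in the reply above, as an added PowerShell example that is not part of the original thread and is not the accepted solution. It assumes the hosting domain is named hosting.example (the trusting side), the customer domain is named customer.example (the trusted side), the customer's DC at the hosting site is the 172.16.0.1 address from the question, and the two group names are placeholders; run it on a DC of the hosting domain with the ActiveDirectory RSAT module installed.

```powershell
# Added example, not from the thread. Domain names, group names and the
# assumption that 172.16.0.1 is the customer DC's VPN-side address are mine.
Import-Module ActiveDirectory

$TrustedDomain  = 'customer.example'    # assumption: the domain whose users come in
$TrustingDomain = 'hosting.example'     # assumption: the hosting domain
$CustomerDc     = '172.16.0.1'          # address given in the question

# 1. Can this DC locate the trusted domain's DCs by DNS? A trust that worked
#    once and then stops prompting for the remote domain is often a name
#    resolution or reachability problem rather than a trust problem.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$TrustedDomain" -Type SRV -ErrorAction Stop |
    Format-Table Name, NameTarget, Port -AutoSize

# 2. Are the fixed ports a trust needs reachable across the VPN?
#    DNS, Kerberos, RPC endpoint mapper, LDAP, SMB, kpasswd. The RPC dynamic
#    range (49152-65535 on current Windows) is not probed here but must be open too.
foreach ($port in 53, 88, 135, 389, 445, 464) {
    $r = Test-NetConnection -ComputerName $CustomerDc -Port $port -WarningAction SilentlyContinue
    '{0,5}  {1}' -f $port, $(if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' })
}

# 3. Show how the trust is defined. Direction is what matters for a one-way
#    trust: Inbound means this domain trusts $TrustedDomain's users.
Get-ADTrust -Filter "Name -eq '$TrustedDomain'" |
    Format-List Name, Direction, TrustType, ForestTransitive, SelectiveAuthentication

# 4. Verify the trust's secure channel (the same check as "Validate" in
#    domain.msc). netdom takes the trusting domain first.
netdom trust $TrustingDomain /Domain:$TrustedDomain /verify

# 5. Grant rights to a group from the trusted domain by nesting it in a
#    domain-local group of the hosting domain. Because the trust is one-way,
#    the customer side does not trust our account, so reading their group
#    needs explicit credentials from their domain (this is the login prompt
#    the question mentions). Binding by SID creates the foreign security
#    principal object in our domain.
$cred   = Get-Credential -Message "Account in $TrustedDomain"
$remote = Get-ADGroup -Identity 'Remote Users' -Server $TrustedDomain -Credential $cred   # placeholder name
$local  = Get-ADGroup -Identity 'Customer-RDP-Users'                                      # placeholder name
([ADSI]"LDAP://$($local.DistinguishedName)").Add("LDAP://<SID=$($remote.SID.Value)>")
```

One caveat that bears on the dual-homed question: a DC with two NICs registers both addresses in DNS, so clients on the VPN side can be handed the 10.0.2.230 address and vice versa; if step 1 returns an address that step 2 then shows as unreachable, that is the symptom to look for.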
ASKER CERTIFIED SOLUTION
RJLemon (Canada)
(This solution is only available to Experts Exchange members; its text is not included here.)