Setting Up a Trust Between External Domains, IP Forwarding

Posted on 2011-04-19
Medium Priority
Last Modified: 2012-05-11
We recently merged our company with 2 of our sister companies.  At this time, we are looking to establish a trust between our company domain and one of the two sister companies (located in a different state) so users at one site can access resources (files) at the other.

We would set up a VPN between our networks to provide the connectivity.  Once that's in place, I understand how to set up the trust between the two domains.  My question that I am unclear on is: once the trust is in place, I understand we need to set up each of our DNS servers to have the other's entries.

In reading, it appears we would set up a forwarder on each of our DNS servers pointing to the other's.

Coming in through a VPN, do each of us need to be concerned with what the other's internal IP scheme is?  If internally both companies use 172.16.X.X as their IP scheme, can computers at one site have the same IP on their network as a computer on the other domain, and can DNS etc. keep it straight?

I am also seeking some documentation from our firewall vendor to better understand how the IP scheme would work through a VPN.

I have never worked with a domain trust, so pardon the questions.
Question by: hamblin-d

Accepted Solution

Adam Brown earned 1000 total points
ID: 35427128
If both sites have the exact same IP scheme, you're going to run into problems with connectivity over a VPN, if one can even be established with such a setup. If one site is 172.16.1.x and the other is 172.16.1.x, any attempt to ping (for example) on either network will never traverse the VPN because it's considered local. If, however, 172.16.2.x and 172.16.3.x are the local subnets for each site (with the appropriate subnet mask of then communication should go okay as long as the appropriate routing is in place.

As for DNS, you'll actually want to utilize stub zones instead of using forwarders. This speeds DNS resolution considerably and just plain works better. http://technet.microsoft.com/en-us/library/cc779197(WS.10).aspx has information on stub zones in Windows DNS.
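
A quick check for the overlap problem described in the accepted answer, added here as an example; it is not code from the thread or from any of its posters. The prefixes are constructed to mirror the answer's cases (both sites on 172.16.1.0/24 versus 172.16.2.0/24 and 172.16.3.0/24), and the on-link decision is the usual host behaviour of sending to a destination inside its own prefix directly rather than to the VPN gateway:

```python
import ipaddress

# Constructed prefixes mirroring the cases in the answer above: two sites that
# both picked 172.16.1.0/24, and the suggested 172.16.2.0/24 / 172.16.3.0/24 split.
SAME_SCHEME = (["172.16.1.0/24"], ["172.16.1.0/24"])
DISTINCT_SCHEME = (["172.16.2.0/24"], ["172.16.3.0/24"])


def overlapping_subnets(site_a, site_b):
    """Return every (site A prefix, site B prefix) pair whose address ranges overlap.

    Any overlap means hosts in that range cannot be told apart by IP once the
    VPN is up, so the tunnel cannot route between them. Containment (a /16 at
    one site covering a /24 at the other) counts as overlap too."""
    nets_a = [ipaddress.ip_network(n, strict=False) for n in site_a]
    nets_b = [ipaddress.ip_network(n, strict=False) for n in site_b]
    return [(str(a), str(b)) for a in nets_a for b in nets_b if a.overlaps(b)]


def next_hop(local_prefix, destination):
    """Decide how a host on local_prefix reaches destination.

    A destination inside the host's own prefix is treated as on-link (resolved
    by ARP on the local LAN), so the packet never reaches the VPN gateway;
    anything else is routed via the tunnel."""
    net = ipaddress.ip_network(local_prefix, strict=False)
    return "on-link" if ipaddress.ip_address(destination) in net else "vpn"


def unreachable_over_vpn(local_prefix, remote_hosts):
    """List the remote hosts that a site on local_prefix would wrongly treat as local."""
    return [h for h in remote_hosts if next_hop(local_prefix, h) == "on-link"]


if __name__ == "__main__":
    print("same scheme overlaps:", overlapping_subnets(*SAME_SCHEME))
    print("distinct scheme overlaps:", overlapping_subnets(*DISTINCT_SCHEME))
    # A file server at the sister site on 172.16.1.50 is unreachable from a
    # 172.16.1.0/24 client: the client ARPs locally instead of using the VPN.
    print(unreachable_over_vpn("172.16.1.0/24", ["172.16.1.50", "172.16.3.50"]))
```

Run it before the tunnel is built: an empty overlap list is the precondition for the VPN and the cross-site DNS zones to work at all.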

Author Comment

ID: 35427268
Thanks, I will read up on the stub zones.

Again, pardon my ignorance, but is there a better way to connect the two networks than a VPN between our two firewalls?  Would it get us around any possible IP conflicts?

Very much open to suggestions here.

Expert Comment

by: Adam Brown
ID: 35427322
You could utilize a dedicated WAN link between sites, but those are generally very expensive and would run into the exact same problems with two sites on the same IP scheme.

Author Closing Comment

ID: 35443044
Yes, it turns out both sites use overlapping IP schemes.  One of the two would need to change.  Not sure we'd want to pursue a WAN link due to expense and long term goal of eventually creating a new single domain.
