Solved

Windows Trust - Cannot browse other domain or create trust

Posted on 2011-09-20
798 Views
Last Modified: 2012-06-21
Greetings,

We're attempting to set up a Domain Trust between a Windows 2k3 and a 2k8 domain.  The domains pass through Cisco ASAs on both ends.   Both are NAT'd to the other.
Both sides can ping and RDP to the other's domain controllers.

But, when we attempt to add the domain trust, it gives the error of
The New Trust can not continue because the specified domain can not be contacted.

I've added a SOA in our DNS with a different zone.  I can ping the domain by name.  Yet, I am getting snake eyes when attempting to get this trust going.
Also of note, I cannot browse via Explorer to the other Domain Controller.

Any ideas?

Thank you
ECC IS
Question by:eccis
10 Comments
 
LVL 6

Expert Comment

by:Kiran Ch
ID: 36572988
It looks like you have done the setup correctly, but you can additionally check this TechNet article: http://technet.microsoft.com/en-us/library/ee307976(WS.10).aspx

 
LVL 29

Expert Comment

by:pwindell
ID: 36573598
Both are NAT'd to the other.

What exactly does that mean?  That is probably the problem

I've add a SOA in our DNS with a different zone.

You shouldn't have to add anything to any zone.   You just create the corresponding blank/empty Zone on each side and then configure Zone Transfers in both directions.  The zones will populate automatically.
 
LVL 29

Expert Comment

by:pwindell
ID: 36573607
The fact that you are using ASAs does not matter,...it is what you do with the ASAs that matters.  You should be doing a Site-to-Site VPN between them and not be "NAT'ing" anything.
 

Author Comment

by:eccis
ID: 36573688
Both are NAT'd to the other  - Two separate networks controlled by two separate orgs.
Cisco ASAs on both sides, one NAT'd to the other.  

We tried to get them to go for a Site to Site VPN but they were not accepting of that solution.
Thus, the NAT.  
We've put ACLs in that open the ports that Microsoft says are used in a trust.  
http://support.microsoft.com/kb/179442

I created the SOA in an attempt to get their domain to respond when creating the trust and it obviously boarded the fail train right out of the station.

Thank you for the replies!
 
LVL 29

Accepted Solution

by: pwindell (earned 250 total points)
ID: 36573786
Cisco ASAs on both sides, one NAT'd to the other.

That still doesn't mean anything technically. The firewalls are not what are NAT'ed together,...the NAT is between the External IP and an Internal IP,...in this case it would have to be between the DC's IP# and the Public IP# of the ASA,...if there are two DCs then it requires two Public IP#s.  Then you repeat the same thing on the other ASA and its DCs.  In the end you end up with Domain Controllers NAT'ed to Public IP#s which is just absolutely insane.

We tried to get them to go for a Site to Site VPN but they were not accepting of that solution. Thus, the NAT.

Then you are probably wasting your time.

They want a trust,...but not a VPN?,...that is just plain silly,...the Trust is the greater risk.  And yet,...they can't see that NAT'ing their DCs to Public IP#s is just totally insane?
 
LVL 29

Expert Comment

by:pwindell
ID: 36573834
I realize that you probably think the way they want it done is just as silly as I do,...but it is up to you to convince them of that.

The NAT is not going to work.  Even if you get the Zone Transfers to work (and they have to work) it will still fail because the DCs in the zone are matched to their internal LAN IP# and not the Public IP# the NAT is tying them to.

Ultimately you don't have a technical problem,...you have a human problem and your task is going to be to beat some sense into their heads so that the project is done correctly.
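The two things pwindell says must line up before a trust can work, the DC address advertised in the partner's DNS zone versus the address you actually reach it on (a mismatch means a NAT is in the path), and the trust ports the asker opened with ACLs per KB 179442, can be checked with a small diagnostic. The script below is an added example written for this thread; it is not from Experts Exchange or from either participant. The addresses, the port list and the `fake_probe` results are constructed, and the well-known Windows trust ports are listed from memory, so confirm them against the KB for your OS version.

```python
"""Check whether a partner domain controller is reachable in a way a Windows
trust can actually use: (1) the address its DNS records advertise must be the
address we reach it on (a NAT in the path breaks this), and (2) the ports a
trust needs must answer. Added example; sample data below is constructed."""
import ipaddress
import socket

# Well-known ports used during trust creation and Kerberos/LDAP traffic.
# Assumed list from memory; verify against KB 179442 for the exact set.
TRUST_PORTS = {
    53: "DNS",
    88: "Kerberos",
    135: "RPC endpoint mapper",
    389: "LDAP",
    445: "SMB",
    464: "Kerberos password change",
    636: "LDAPS",
}


def nat_in_path(advertised_ips, observed_ip):
    """Return (bool, reason). True when the address we reach the DC on is not
    one of the addresses the DC advertises in DNS, i.e. a NAT is rewriting it."""
    observed = ipaddress.ip_address(observed_ip)
    advertised = [ipaddress.ip_address(a) for a in advertised_ips]
    if observed in advertised:
        return False, "reached the DC on an address it advertises in DNS"
    if all(a.is_private for a in advertised):
        return True, ("DC advertises only private addresses %s but is reached on %s; "
                      "a NAT is translating it" % ([str(a) for a in advertised], observed))
    return True, ("DC advertises %s but is reached on %s; address mismatch"
                  % ([str(a) for a in advertised], observed))


def tcp_probe(host, port, timeout=2.0):
    """Real probe: can we complete a TCP handshake to host:port?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_trust_ports(host, probe=tcp_probe, ports=TRUST_PORTS):
    """Probe every trust port; returns {port: reachable}. `probe` is injectable
    so the logic can be exercised offline against recorded results."""
    return {port: probe(host, port) for port in ports}


def trust_readiness(advertised_ips, observed_ip, port_results):
    """Combine both checks into a list of blocking problems (empty means OK)."""
    problems = []
    nat, reason = nat_in_path(advertised_ips, observed_ip)
    if nat:
        problems.append("NAT: " + reason)
    for port, ok in sorted(port_results.items()):
        if not ok:
            problems.append("port %d (%s) blocked" % (port, TRUST_PORTS.get(port, "?")))
    return problems


# Constructed sample: the partner DC advertises 10.20.0.5 in its zone, but we
# reach it through the ASA on 203.0.113.10, and port 88 is filtered by the ACL.
SAMPLE_ADVERTISED = ["10.20.0.5"]
SAMPLE_OBSERVED = "203.0.113.10"


def fake_probe(host, port):
    """Offline stand-in for tcp_probe: everything answers except Kerberos."""
    return port != 88


def sample_run():
    """Run the diagnostic against the constructed sample and return the problems."""
    return trust_readiness(SAMPLE_ADVERTISED, SAMPLE_OBSERVED,
                           check_trust_ports("partner-dc", fake_probe))


if __name__ == "__main__":
    for problem in sample_run() or ["trust prerequisites look satisfied"]:
        print(problem)
```

To use it against a real partner DC, feed `nat_in_path` the A records from the zone you receive by transfer (or from `nslookup`) and the address your own DC's connection table shows for that host, and call `check_trust_ports` with the default `tcp_probe`. Any "NAT:" line means the trust will fail regardless of ACLs, which is the point made above; the port lines tell you which ACL entries are still missing.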
 

Author Comment

by:eccis
ID: 36573926
I'm used to talking with people who do not know what IP means.  Thus referring to NAT in the way I did.

This is being done over a privately held MPLS network, which I might have forgotten to mention before.  Sorry about that.

By the sound of things, I will most likely be revisiting the site to site conversation with that group.

Thank you.

 
LVL 29

Expert Comment

by:pwindell
ID: 36574058
MPLS makes a difference,...a BIG difference.
The MPLS provider might be able to configure the MPLS system to allow the two networks to interoperate directly together without any NAT and without the need for any VPN.

Remember that MPLS is a Layer 2 networking system that operates by Identity Tagging,...so the IP based networks are just Virtualized over the top of that.

For example,...I built the systems in two Banks and those two Banks were branches of each other.  They are connected by MPLS (same provider each) and each Bank has their own distinct RFC Private LAN. The two communicate directly between each other just as if they were two IP segments sitting in the same room together,...and that functionality is handled by the MPLS provider.   The two are also separated by a pair of Cisco ASAs,...but the ASAs do not NAT and do not have any VPN over them,....all they do is act like a "straight" LAN Router and run ACLs on them.

The only NAT is handled by the Firewall at the MPLS Provider which is where the real Firewall sits and protects from the real Public Network at the real "network edge".

So bottom line then,...you need to find out from the MPLS provider what is the proper way to approach this.   MPLS is a private system owned by the provider,..so the customers are really just sharing space on someone else's private network. None of the Customers actually touch the Internet,...only the provider's system touches the Internet.  So it is like if you build a private network inside someone else's private network and are hence at the mercy of that private network you are built inside of.   So it is not a normal typical ISP type of relationship in a traditional ISP situation.
 

Author Comment

by:eccis
ID: 36919137
We're the MPLS provider.  We have it running layer 2 and 3.


The end result was that Microsoft does not support a Trust over NAT, because Kerberos has a fit and won't allow the Trust to function when the IPs are not the internals for half the voyage.

So the VPN Tunnel was the solution and all is well.

Thank you for your help pwindell.  Very helpful.
 

Author Closing Comment

by:eccis
ID: 36919144
Good and good.