Asked by eccis:

Windows Trust - Cannot browse other domain nor create Trust

Greetings,

We're attempting to set up a Domain Trust between a Windows 2k3 and a 2k8 domain.  The domains pass through Cisco ASAs on both ends.   Both are NAT'd to the other.
Both sides can ping and RDP to the other's domain controllers.

But, when we attempt to add the domain trust, it gives the error of
The New Trust cannot continue because the specified domain cannot be contacted.

I've added an SOA in our DNS with a different zone.  I can ping the domain by name.  Yet, I am getting snake eyes when attempting to get this trust going.
Also of note, I cannot browse via Explorer to the other Domain Controller.

Any ideas?

Thank you
ECC IS
Kiran Ch:

It looks like you have done the setup correctly, but you can additionally check this TechNet article: http://technet.microsoft.com/en-us/library/ee307976(WS.10).aspx

"Both are NAT'd to the other."

What exactly does that mean?  That is probably the problem.

"I've added an SOA in our DNS with a different zone."

You shouldn't have to add anything to any zone.   You just create the corresponding blank/empty zone on each side and then configure Zone Transfers in both directions.  The zones will populate automatically.
The fact that you are using ASAs does not matter,...it is what you do with the ASAs that matters.  You should be doing a Site-to-Site VPN between them and not be "NAT'ing" anything.
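The DNS plumbing this reply describes (empty zone on each side, transfers in both directions), written out with the dnscmd tool that ships on Windows Server 2003/2008, as an added example that is not part of the original thread. The domain names corp-a.local (ours) and corp-b.local (the partner's) and the server addresses 10.1.0.10 and 10.2.0.10 are assumptions; the partner runs the mirror image on their side.

```powershell
# Added example, not from the original thread. Hypothetical names:
#   our domain     corp-a.local   DNS server / DC at 10.1.0.10
#   partner domain corp-b.local   DNS server / DC at 10.2.0.10
# Run from an elevated prompt on our DNS server; the partner mirrors it.

# 1. Allow transfers of our zone only to the partner's DNS server.
#    /SecureList limits AXFR to the listed IPs; /NonSecure would hand the
#    whole zone (every host name and address) to anyone who asks.
dnscmd 10.1.0.10 /ZoneResetSecondaries corp-a.local /SecureList 10.2.0.10

# 2. Create an empty secondary copy of the partner's zone. It fills from
#    their master; no records (and no SOA) are typed in by hand.
dnscmd 10.1.0.10 /ZoneAdd corp-b.local /Secondary 10.2.0.10
dnscmd 10.1.0.10 /ZoneRefresh corp-b.local

# 2b. If the partner refuses zone transfers, a conditional forwarder is the
#     alternative: queries for corp-b.local are sent to their DNS server.
# dnscmd 10.1.0.10 /ZoneAdd corp-b.local /Forwarder 10.2.0.10

# 3. Confirm the records the trust wizard depends on now resolve from our
#    server: the DC locator SRV record and the A record it names.
nslookup -type=SRV _ldap._tcp.dc._msdcs.corp-b.local 10.1.0.10
nslookup -type=A dc1.corp-b.local 10.1.0.10
```

The A records that arrive with the transfer are whatever the partner's DCs registered, i.e. their internal LAN addresses. If those addresses are not routable from our side, step 3 will resolve happily and the trust will still fail, which is the mismatch the accepted answer on this page describes.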
eccis (asker):

Both are NAT'd to the other  - Two separate networks controlled by two separate orgs.
Cisco ASAs on both sides, one NAT'd to the other.  

We tried to get them to go for a Site to Site VPN but they were not accepting of that solution.
Thus, the NAT.  
We've put ACLs in that open the ports that Microsoft says are used in a trust.  
http://support.microsoft.com/kb/179442

I created the SOA in an attempt to get their domain to respond when creating the trust and it obviously boarded the fail train right out of the station.

Thank you for the replies!
ASKER CERTIFIED SOLUTION

pwindell:
I realize that you probably think the way they want it done is just as silly as I do,...but it is up to you to convince them of that.

The NAT is not going to work.  Even if you get the Zone Transfers to work (and they have to work) it will still fail because the DCs in the zone are matched to their internal LAN IP# and not the Public IP# the NAT is tying them to.

Ultimately you don't have a technical problem,...you have a human problem and your task is going to be to beat some sense into their heads so that the project is done correctly.
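A way to see the problem this answer describes before running the trust wizard, as an added example that is not code from the thread or from Microsoft: it reads the partner's DC locator SRV record, compares the A record each advertised DC carries with the address the ASA actually sends us to, probes the TCP ports from the KB 179442 list against that address, and finally lets DC locator itself try. The partner domain corp-b.local and the translated address 192.0.2.10 are assumptions. It uses only .NET classes and nltest/nslookup, so it runs on the Windows Server 2003/2008-era PowerShell in the question.

```powershell
# Added example, not code from the original thread. Assumes a hypothetical
# partner domain corp-b.local and that the partner's ASA presents its DC at
# the translated address 192.0.2.10 (RFC 5737 documentation range).
# Probed ports are the TCP side of the list in KB 179442; Kerberos and DNS
# also use UDP, which this script does not test.
param(
    [string]$RemoteDomain = 'corp-b.local',
    [string]$NatAddress   = '192.0.2.10'
)

$trustPorts = @{ 53='DNS'; 88='Kerberos'; 135='RPC endpoint mapper'; 389='LDAP';
                 445='SMB'; 464='Kerberos kpasswd'; 636='LDAPS'; 3268='Global catalog' }

function Test-TcpPort {
    param([string]$Target, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch { return $false } finally { $client.Close() }
}

function Test-Rfc1918 {
    param([System.Net.IPAddress]$Ip)
    $b = $Ip.GetAddressBytes()
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168)
}

# 1. Which hosts does the partner advertise as DCs? (DC locator SRV record)
$srvName = "_ldap._tcp.dc._msdcs.$RemoteDomain"
$dcHosts = nslookup -type=SRV $srvName 2>$null |
           Select-String 'svr hostname\s*=\s*(\S+)' |
           ForEach-Object { $_.Matches[0].Groups[1].Value } | Sort-Object -Unique
if (-not $dcHosts) { Write-Warning "No SRV record for $srvName; the trust wizard cannot locate a DC." }

# 2. For each advertised DC, compare its A record with the address we really reach.
foreach ($dc in $dcHosts) {
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($dc) |
                 Where-Object { $_.AddressFamily -eq 'InterNetwork' }
    } catch { Write-Warning "$dc does not resolve"; continue }
    foreach ($ip in $addrs) {
        $msg = "$dc resolves to $ip"
        if ($ip.ToString() -ne $NatAddress) {
            $msg += " but our traffic is sent to $NatAddress"
            if (Test-Rfc1918 $ip) { $msg += " (A record is the partner's internal LAN address, unreachable through the NAT)" }
            Write-Warning $msg
        } else { Write-Host $msg }
    }
}

# 3. Port probe against the address the ASA actually exposes.
foreach ($port in ($trustPorts.Keys | Sort-Object)) {
    $ok = Test-TcpPort -Target $NatAddress -Port $port
    '{0,5} {1,-22} {2}' -f $port, $trustPorts[$port], $(if ($ok) { 'open' } else { 'BLOCKED' })
}

# 4. Let DC locator itself try; this is the lookup the trust wizard performs.
nltest /dsgetdc:$RemoteDomain /force
```

The warning in step 2 is the whole story: every port can be open on the translated address and step 4 still fails, because DC locator and Kerberos go to the address the DC registered in DNS, not to the one the ASA substitutes. The script only makes the mismatch visible; the fix is routing (VPN or direct MPLS reachability), as the rest of the thread concludes.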
eccis (asker):

I'm used to talking with people who do not know what IP means.  Thus referring to NAT in the way I did.

This is being done over a privately held MPLS network, which I might have forgotten to mention before.  Sorry about that.

By the sound of things, I will most likely be revisiting the site to site conversation with that group.

Thank you.

MPLS makes a difference,...a BIG difference.
The MPLS provider might be able to configure the MPLS system to allow the two networks to interoperate directly together without any NAT and without the need for any VPN.

Remember that MPLS is a Layer 2 networking system that operates by Identity Tagging,...so the IP based networks are just Virtualized over the top of that.

For example,...I built the systems in two Banks and those two Banks were branches of each other.  They are connected by MPLS (same provider each) and each Bank has their own distinct RFC Private LAN. The two communicate directly between each other just as if they were two IP segments sitting in the same room together,...and that functionality is handled by the MPLS provider.   The two are also separated by a pair of Cisco ASAs,...but the ASAs do not NAT and do not have any VPN over them,....all they do is act like a "straight" LAN Router and run ACLs on them.

The only NAT is handled by the Firewall at the MPLS Provider, which is where the real Firewall sits and protects from the real Public Network at the real "network edge".

So bottom line then,...you need to find out from the MPLS provider what is the proper way to approach this.   MPLS is a private system owned by the provider,..so the customers are really just sharing space on someone else's private network. None of the Customers actually touch the Internet,...only the provider's system touches the Internet.  So it is like if you build a private network inside someone else's private network and are hence at the mercy of that private network you are built inside of.   So it is not a normal typical ISP type of relationship in a traditional ISP situation.
eccis (asker):

We're the MPLS provider.  We have it running layer 2 and 3.

The end result was that Microsoft does not support a Trust over NAT, because Kerberos has a fit and won't allow the Trust to function when the IPs are not the internals for half the voyage.

So the VPN Tunnel was the solution and all is well.

Thank you for your help pwindell.  Very helpful.
eccis (asker):

Good and good.