Windows Trust - Can not browse other domain nor Create Trust

Greetings,

We're attempting to set up a Domain Trust between a Windows 2k3 and a 2k8 domain.  The domains pass thru Cisco ASAs on both ends.   Both are NAT'd to the other.
Both sides can ping and RDP to the other's domain controllers.

But, when we attempt to add the domain trust, it gives the error of
The New Trust can not continue because the specified domain can not be contacted.

I've added an SOA in our DNS with a different zone.  I can ping the domain by name.  Yet, I am getting snake eyes when attempting to get this trust going.
Also of note, I cannot browse via Explorer to the other Domain Controller.

Any ideas?

Thank you
ECC IS
pwindell Commented:
Cisco ASA's on both sides, one nat'd to the other.

That still doesn't mean anything technically. The firewalls are not what are NAT'ed together,...the NAT is between the External IP and an Internal IP,...in this case it would have to be between the DC's IP# and the Public IP# of the ASA,...if there are two DCs then it requires two Public IP#.  Then you repeat the same thing on the other ASA and its DCs.  In the end you end up with Domain Controllers NAT'ed to Public IP#s which is just absolutely insane.

We tried to get them to go for a Site to Site VPN but they were not accepting of that solution
Thus, the NAT.

Then you are probably wasting your time.

They want a trust,...but not a VPN?,...that is just plain silly,...the Trust is the greater risk.  Then yet,...they can't see that NAT'ing their DCs to Public IP# is just totally insane?
Kiran Ch Commented:
It looks like you have done the setup correctly, but you can additionally check this TechNet article: http://technet.microsoft.com/en-us/library/ee307976(WS.10).aspx

pwindell Commented:
Both are NAT'd to the other.

What exactly does that mean?  That is probably the problem

I've added an SOA in our DNS with a different zone.

You shouldn't have to add anything to any zone.   You just create the corresponding blank/empty Zone on each side and then configure Zone Transfers in both directions.  The zones will populate automatically.
pwindell Commented:
The fact that you are using ASAs does not matter,...it is what you do with the ASAs that matters.  You should be doing a Site-to-Site VPN between them and not be "NAT'ing" anything.
eccis (Author) Commented:
Both are NAT'd to the other  - Two separate networks controlled by two separate orgs.
Cisco ASAs on both sides, one NAT'd to the other.

We tried to get them to go for a Site to Site VPN but they were not accepting of that solution
Thus, the NAT.  
We've put ACLs in that open the ports that Microsoft says are used in a trust.
http://support.microsoft.com/kb/179442

I created the SOA in an attempt to get their domain to respond when creating the trust and it obviously boarded the fail train right out of the station.

Thank you for the replies!
pwindell Commented:
I realize that you probably think the way they want it done is just as silly as I do,...but it is up to you to convince them of that.

The NAT is not going to work.  Even if you get the Zone Transfers to work (and they have to work) it will still fail because the DCs in the zone are matched to their internal LAN IP# and not the Public IP# the NAT is tying them to.

Ultimately you don't have a technical problem,...you have a human problem and your task is going to be to beat some sense into their heads so that the project is done correctly.
eccis (Author) Commented:
I'm used to talking with people who do not know what IP means.  Thus referring to NAT in the way I did.

This is being done over a privately held MPLS network, which I might have forgotten to mention before.  Sorry about that.

By the sound of things, I will most likely be revisiting the site to site conversation with that group.

Thank you.

pwindell Commented:
MPLS makes a difference,...a BIG difference.
The MPLS provider might be able to configure the MPLS system to allow the two networks to interoperate directly together without any NAT and without the need for any VPN.

Remember that MPLS is a Layer 2 networking system that operates by Identity Tagging,...so the IP based networks are just Virtualized over the top of that.

For example,...I built the systems in two Banks and those two Banks were branches of each other.  They are connected by MPLS (same provider each) and each Bank has their own distinct RFC Private LAN. The two communicate directly between each other just as if they were two IP segments sitting in the same room together,...and that functionality is handled by the MPLS provider.   The two are also separated by a pair of Cisco ASAs,...but the ASAs do not NAT and do not have any VPN over them,....all they do is act like a "straight" LAN Router and run ACLs on them.

The only NAT is handled by the Firewall at the MPLS Provider which is where the real Firewall sits and protects from the real Public Network at the real "network edge".

So bottom line then,...you need to find out from the MPLS provider what is the proper way to approach this.   MPLS is a private system owned by the provider,..so the customers are really just sharing space on someone else's private network. None of the Customers actually touch the Internet,...only the provider's system touches the Internet.  So it is like if you build a private network inside someone else's private network and are hence at the mercy of that private network you are built inside of.   So it is not a normal typical ISP type of relationship in a traditional ISP situation.

eccis (Author) Commented:
We're the MPLS provider.  We have it running layer 2 and 3.


The end result was that Microsoft does not support a Trust over NAT, because Kerberos has a fit and won't allow the Trust to function when the IPs are not the internals for half the voyage.

So the VPN Tunnel was the solution and all is well.

Thank you for your help pwindell.  Very helpful.
eccis (Author) Commented:
Good and good.