Creating External Forest Trust with Nat'd Addresses

klwn asked:
Hi All,

We are hosting an application in a recently formed alliance with another company. We are hosting the application with Citrix and have a direct 1GB IP link between us, segregated by a firewall.

We want to allow "single sign-on" for users in the other company when connecting to our hosted Citrix application, and they also require access to SMB shares on our network. We are choosing a forest trust over ADFS because of the SMB share requirement.

Obviously we both have separate domains, so what is the problem, you ask? Each of our companies uses the same IP subnets... arrghhh... which is why we are having to NAT everything we share.

Am I correct in thinking that NAT doesn't work or isn't supported when setting up external trusts between two domains?

I have no problem with creating an external trust; this works fine in our lab.

Any high-level advice is appreciated. I can supply more info if anyone wants to get nitty-gritty.
Commented:
NATing a DC has not been tested by Microsoft and is obviously not supported either. So I would not recommend something which is not supported, because the problem here is support in case any issue arises.
Description of support boundaries for Active Directory over NAT
http://support.microsoft.com/kb/978772
http://blogs.technet.com/b/ad/archive/2009/04/22/dcs-and-network-address-translation.aspx
Leon Fester (Senior Solutions Architect) commented:
Yes, as mentioned above, Microsoft does not support such a configuration.

We, however, had the same scenario of a double-NAT'd network due to companies running on the same IPs.

It has been working 100% for 12 months while we rebuilt the one data center and campus.

The main thing to remember is that your DNS needs to be set up correctly.
You need to export a DNS zone for both networks and update it with the NAT'd IPs.
Otherwise you'll always be resolving locally.

It doesn't need to be your whole zone, but definitely include your DCs and any other servers that users will need to access directly.

But back to your current issue: if users are coming in via Citrix, then that desktop is essentially on your network, and the NAT'd network won't interfere with anything.
Just as if it was a normal user logging onto Citrix from his home PC.
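
The DNS step described in the comment above, as an added worked example that is not part of any commenter's post: a Python script that takes a zone export in the BIND-style text format that `dnscmd /ZoneExport` writes, keeps only the records the partner's users need (the domain's own A records, the SRV locator records under `_msdcs`, and a listed set of hosts that must include the DCs), and rewrites the A records through a 1:1 static NAT between two equal-sized prefixes. The zone contents, the host names (`dc1`, `dc2`, `fileserver`, `printserver`) and the prefixes `10.1.0.0/16` (real addresses) and `172.16.0.0/16` (as seen through the NAT) are constructed for the example; NS, SOA and SRV records are passed through unchanged because they refer to hosts by name and resolve through the translated A records.

```python
import ipaddress
import re

# Constructed sample in the shape of a "dnscmd /ZoneExport" text file.
# All names and addresses are made up for this example.
SAMPLE_ZONE = """\
;  Database file partner.example.zone for partner.example zone.
@                       IN  SOA dc1.partner.example. hostmaster.partner.example. (
                                42 ; serial
                                900 600 86400 3600 )
@                       IN  NS  dc1.partner.example.
@                       IN  NS  dc2.partner.example.
@                       600 IN  A   10.1.0.10
@                       600 IN  A   10.1.0.11
dc1                     3600 IN A   10.1.0.10
dc2                     3600 IN A   10.1.0.11
fileserver              3600 IN A   10.1.5.20
printserver             3600 IN A   10.1.5.30
_ldap._tcp.dc._msdcs    600 IN SRV 0 100 389 dc1.partner.example.
_ldap._tcp.dc._msdcs    600 IN SRV 0 100 389 dc2.partner.example.
_kerberos._tcp.dc._msdcs 600 IN SRV 0 100 88 dc1.partner.example.
"""

# Matches "owner [TTL] [IN] A a.b.c.d" and captures the pieces so the line
# can be re-emitted with only the address changed.  "A\s+" deliberately
# does not match AAAA records.
A_RECORD = re.compile(
    r"^(?P<lead>(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?A\s+)"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?P<rest>\s*(?:;.*)?)$",
    re.IGNORECASE,
)


def translate_ip(ip, src_net, dst_net):
    """Map one address through a 1:1 static NAT of equal-sized prefixes.

    Returns None when the address is outside src_net, i.e. not behind the NAT.
    """
    if src_net.prefixlen != dst_net.prefixlen:
        raise ValueError("1:1 NAT needs equally sized inside and outside prefixes")
    addr = ipaddress.IPv4Address(ip)
    if addr not in src_net:
        return None
    offset = int(addr) - int(src_net.network_address)
    return ipaddress.IPv4Address(int(dst_net.network_address) + offset)


def rewrite_zone(zone_text, src_net, dst_net, keep_hosts):
    """Return the zone lines with A records translated and unneeded hosts dropped.

    keep_hosts: relative owner names to keep (must include every DC, because the
    SRV records under _msdcs and the zone's own A records point at them).
    """
    keep = {h.lower() for h in keep_hosts}
    out = []
    for line in zone_text.splitlines():
        m = A_RECORD.match(line)
        if not m:
            out.append(line)  # SOA/NS/SRV/comments carry names, not addresses
            continue
        owner = m.group("owner").lower()
        if owner != "@" and owner not in keep:
            continue  # host the partner's users never reach directly
        nat_ip = translate_ip(m.group("ip"), src_net, dst_net)
        if nat_ip is None:
            out.append(line)  # not behind the NAT, leave as-is
            continue
        out.append(f"{m.group('lead')}{nat_ip}{m.group('rest')}")
    return out


def a_records(lines):
    """Collect owner -> [addresses] for the A records in a list of zone lines."""
    found = {}
    for line in lines:
        m = A_RECORD.match(line)
        if m:
            found.setdefault(m.group("owner").lower(), []).append(m.group("ip"))
    return found


if __name__ == "__main__":
    real = ippress = ipaddress.ip_network("10.1.0.0/16")
    natted = ipaddress.ip_network("172.16.0.0/16")
    for line in rewrite_zone(SAMPLE_ZONE, real, natted, {"dc1", "dc2", "fileserver"}):
        print(line)
```

The output is loaded on the other company's DNS server as an ordinary standard primary zone from file (`dnscmd <server> /ZoneAdd <zone> /Primary /file <file> /load`), not as a conditional forwarder or stub zone, since those would hand back the real, untranslated addresses. Two checks are worth making before loading it: every SRV target under `_msdcs` must still have an A record in the trimmed zone, and the NAT between the two sites must be a 1:1 static mapping, because a per-host translation like the one above cannot express port-overloaded NAT.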

klwn (Author) commented:
Thanks guys.

dvt_localboy... interesting. So you just exported your primary DNS zone for your domain, imported it into the other company's DNS server and manually replaced all the relevant entries with the NAT'd addresses?

We were just about to implement the solution with ADFS but you have diverted my eye back to forest trusts :)
