External Trusts between W2K DCs in Different Forests CONTI..

DevGD
March 4, 2005 3:17:02 PM

Archived from groups: microsoft.public.win2000.security

I am trying to set up a trust relationship between two different domains, one
mixed mode and one native mode, in different forests. The domains have a
firewall between them in a DMZ configuration. Domain configs as follows:

Domain A:
3 DCs all Global Catalogs
W2K SP4 Native mode
IP Range 10.x.x.x

Domain B:
1 DC
W2K SP4 Mixed mode
IP Range 172.x.x.x

The firewall is using NAT to translate 10.x.x.x to 172.x.x.x addresses. The
current firewall policy allows all traffic from either side to pass.

I have set the following in LMHOSTS on all 3 DCs in Domain A.

172.x.x.x remotedomainDC#PRE #DOM:remotedomain.com
172.x.x.x remotedomain.com

I can ping the domain and use net send /d:remotedomain "Message"; both
complete successfully.

When I try and create the trust I get the following error:

"The remotedomain.com cannot be contacted.
If this domain is a windows domain, the trust cannot be set up until the
domain is contacted. Click Cancel and try again later."

When I try NBTSTAT -a remotedomain, it returns host cannot be found. If I try
NBTSTAT -a 172.x.x.x, it works.

Please help!

Thanks
DevGD
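
The LMHOSTS entries and the NBTSTAT -a test above, seen at the protocol level, as an added example that is not part of the original post. A NetBIOS name is 15 characters plus a one-byte suffix (RFC 1001/1002), so the encoder below pads or truncates to that length; #PRE preloads an entry into the name cache and #DOM: marks the host as a domain controller of the named domain, which corresponds to the <domain><1C> group name every DC registers. The code parses a constructed LMHOSTS file written with the whitespace-separated keywords used in the LMHOSTS.SAM examples, builds the Node Status Request that nbtstat -a sends to UDP/137, and decodes a constructed Node Status Response of the kind a DC returns. The names, addresses and MAC in the sample are made up for this example.

```python
"""Added example (not from the original post): the LMHOSTS entries and the
nbtstat -a test at the protocol level, per RFC 1001/1002.  Sample data and
packet bytes are constructed here, not captured."""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

NAME_LEN = 15      # a NetBIOS name is 15 characters plus a 1-byte suffix
NBSTAT = 0x0021    # RR type of the node status query/response
CLASS_IN = 0x0001

def netbios_name(name: str, suffix: int, pad: bytes = b" ") -> bytes:
    """Upper-case, truncate or pad to 15 bytes, append the suffix byte."""
    return name.upper().encode("ascii")[:NAME_LEN].ljust(NAME_LEN, pad) + bytes([suffix])

def encode_name(name: str, suffix: int, pad: bytes = b" ") -> bytes:
    """RFC 1002 first-level encoding: each byte becomes two letters A..P."""
    half = b"".join(bytes([(b >> 4) + 0x41, (b & 0x0F) + 0x41]) for b in netbios_name(name, suffix, pad))
    return bytes([32]) + half + b"\x00"          # label length, 32 chars, root label

@dataclass
class LmhostsEntry:
    ip: str
    name: str
    preload: bool          # #PRE: loaded into the name cache at startup
    domain: Optional[str]  # #DOM:<domain>: host is a DC of <domain> (its <1C> group)

def parse_lmhosts(text: str) -> List[LmhostsEntry]:
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue                              # blank or comment line
        tags = [t.upper() for t in fields[2:]]
        domain = next((t[5:] for t in tags if t.startswith("#DOM:")), None)
        entries.append(LmhostsEntry(fields[0], fields[1], "#PRE" in tags, domain))
    return entries

def node_status_request(txid: int) -> bytes:
    """The query nbtstat -a sends to UDP/137: NBSTAT for the wildcard name '*'."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)   # unicast query, 1 question
    return header + encode_name("*", 0x00, pad=b"\x00") + struct.pack(">HH", NBSTAT, CLASS_IN)

@dataclass
class NbtName:
    name: str
    suffix: int
    group: bool

def parse_node_status_response(pkt: bytes) -> Tuple[List[NbtName], bytes]:
    """Return the registered names and the unit ID (MAC) from an NBSTAT answer."""
    _txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", pkt[:12])
    if not flags & 0x8000 or an != 1:
        raise ValueError("not a node status response")
    off = 12
    while pkt[off]:                               # skip the encoded RR_NAME labels
        off += 1 + pkt[off]
    rr_type, _cls, _ttl, _rdlen = struct.unpack(">HHIH", pkt[off + 1:off + 11])
    if rr_type != NBSTAT:
        raise ValueError("unexpected RR type 0x%04x" % rr_type)
    count, off = pkt[off + 11], off + 12
    names = []
    for _ in range(count):                        # 16 name bytes + 2 NAME_FLAGS bytes each
        raw = pkt[off:off + 16]
        nflags = struct.unpack(">H", pkt[off + 16:off + 18])[0]
        names.append(NbtName(raw[:NAME_LEN].rstrip(b" ").decode("ascii"), raw[15], bool(nflags & 0x8000)))
        off += 18
    return names, pkt[off:off + 6]                # statistics block begins with the unit ID

def build_node_status_response(txid: int, names, mac: bytes) -> bytes:
    """Constructed reply of the kind a DC sends (sample input only)."""
    rdata = bytes([len(names)])
    for name, suffix, group in names:
        rdata += netbios_name(name, suffix) + struct.pack(">H", 0x8400 if group else 0x0400)
    rdata += mac + bytes(40)                      # unit ID, then zeroed counters
    rr = encode_name("*", 0x00, pad=b"\x00") + struct.pack(">HHIH", NBSTAT, CLASS_IN, 0, len(rdata))
    return struct.pack(">HHHHHH", txid, 0x8400, 0, 1, 0, 0) + rr + rdata

def domain_controller_names(names: List[NbtName]) -> List[str]:
    """<domain><1C> is the group every DC of a domain registers; <domain><1B> marks the PDC."""
    return [n.name for n in names if n.suffix in (0x1C, 0x1B)]

# Constructed sample: a DC called REMOTEDC for the domain REMOTEDOM at 172.16.0.10.
LMHOSTS_SAMPLE = """\
# constructed sample, not the poster's file
172.16.0.10   REMOTEDC    #PRE  #DOM:REMOTEDOM
172.16.0.10   REMOTEDOM
"""
SAMPLE_RESPONSE = build_node_status_response(0x1234, [
    ("REMOTEDC", 0x00, False), ("REMOTEDOM", 0x00, True),
    ("REMOTEDOM", 0x1C, True), ("REMOTEDOM", 0x1B, False)], bytes.fromhex("0050569a1b2c"))

if __name__ == "__main__":
    print(parse_lmhosts(LMHOSTS_SAMPLE))
    print("nbtstat -a sends:", node_status_request(0x1234).hex())
    names, mac = parse_node_status_response(SAMPLE_RESPONSE)
    print(names, mac.hex(":"), domain_controller_names(names))
```

Running it against a real DC is a matter of sending node_status_request() to UDP/137 of the address and handing the reply to parse_node_status_response(); the <1C> entries in the result are the names a trust lookup for that domain expects to find.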
Steven L Umbach
March 4, 2005 6:08:09 PM

See the link below for how to configure a firewall for trusts. You should
not need to use all those ports for a trust, depending on your configuration.
Your firewall logs are the best place to look to see what traffic is being
blocked between the two domains when you try to enable the trust. RPC will
be tricky because of the way RPC assigns dynamic ports, as described in the
KB article, though you can restrict it with a registry entry. This type of
trust will not use Kerberos. --- Steve

http://support.microsoft.com/default.aspx?scid=kb%3Ben-...

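
An added example, not from the thread, of the firewall-log triage suggested above. It parses constructed allow/deny lines in a made-up log format, labels each denied flow with the Windows 2000 domain service its port belongs to, and flags the RPC failure pattern described in the reply: TCP/135 (the endpoint mapper) was allowed, but the dynamically assigned high port it handed back was denied. The default dynamic range of 1024-65535 and the HKLM\Software\Microsoft\Rpc\Internet key used to narrow it are standard Windows 2000 RPC facts; the thread itself does not name the key, and the addresses and timestamps in the sample log are invented.

```python
"""Added example (not from the thread): triage of firewall deny logs for a
trust that will not establish.  Classifies denied flows by the ports Windows
2000 domain traffic uses and flags the RPC pattern described above: TCP/135
(endpoint mapper) allowed, the dynamic high port it returned denied.
The log format and every line of FIREWALL_LOG are constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Well-known ports a Windows 2000 trust / Netlogon conversation touches.
TRUST_PORTS = {
    ("udp", 53): "DNS", ("tcp", 53): "DNS",
    ("udp", 88): "Kerberos", ("tcp", 88): "Kerberos",   # not used by an external (NTLM) trust
    ("tcp", 135): "RPC endpoint mapper",
    ("udp", 137): "NetBIOS name service",
    ("udp", 138): "NetBIOS datagram (Netlogon mailslots)",
    ("tcp", 139): "NetBIOS session (SMB)",
    ("udp", 389): "LDAP", ("tcp", 389): "LDAP",
    ("tcp", 445): "SMB over TCP",
    ("tcp", 3268): "Global Catalog LDAP",
}
# Default RPC dynamic range on Windows 2000.  It can be narrowed with the
# HKLM\Software\Microsoft\Rpc\Internet "Ports" value, after which the firewall
# only needs that smaller range open in addition to TCP/135.
RPC_DYNAMIC = range(1024, 65536)

LINE_RE = re.compile(
    r"\b(?P<action>allow|deny)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)")

@dataclass
class Flow:
    action: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

def parse_log(text: str) -> List[Flow]:
    """Extract flows from the constructed 'action proto src:port -> dst:port' format."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            flows.append(Flow(m["action"], m["proto"], m["src"], int(m["sport"]), m["dst"], int(m["dport"])))
    return flows

def classify(flow: Flow, rpc_range: range = RPC_DYNAMIC) -> str:
    """Name the domain service a flow belongs to, by destination port."""
    service = TRUST_PORTS.get((flow.proto, flow.dport))
    if service:
        return service
    if flow.proto == "tcp" and flow.dport in rpc_range:
        return "RPC dynamic port"
    return "other"

def denied_services(flows: List[Flow]) -> Dict[str, int]:
    """How many denies hit each service: the first thing to read off a log."""
    counts: Dict[str, int] = defaultdict(int)
    for f in flows:
        if f.action == "deny":
            counts[classify(f)] += 1
    return dict(counts)

def rpc_followup_blocked(flows: List[Flow], rpc_range: range = RPC_DYNAMIC) -> List[Tuple[str, str, int]]:
    """(src, dst, port) triples where TCP/135 to dst was allowed but a later
    TCP connection to a dynamic port on the same dst was denied: the endpoint
    mapper worked and the firewall then dropped the port it handed back."""
    epm_ok = set()
    hits = []
    for f in flows:                        # log order is time order
        if f.proto != "tcp":
            continue
        if f.dport == 135 and f.action == "allow":
            epm_ok.add((f.src, f.dst))
        elif (f.action == "deny" and f.dport in rpc_range
              and (f.proto, f.dport) not in TRUST_PORTS and (f.src, f.dst) in epm_ok):
            hits.append((f.src, f.dst, f.dport))
    return hits

# Constructed log lines in a made-up format; addresses are examples, not the poster's.
FIREWALL_LOG = """\
2005-03-04 15:10:01 allow udp 10.1.2.3:137 -> 172.16.9.3:137
2005-03-04 15:10:01 allow udp 10.1.2.3:138 -> 172.16.9.3:138
2005-03-04 15:10:02 allow tcp 10.1.2.3:1041 -> 172.16.9.3:135
2005-03-04 15:10:02 deny  tcp 10.1.2.3:1042 -> 172.16.9.3:1026
2005-03-04 15:10:03 deny  tcp 10.1.2.3:1043 -> 172.16.9.3:389
2005-03-04 15:10:03 deny  udp 10.1.2.3:1044 -> 172.16.9.3:53
"""

if __name__ == "__main__":
    flows = parse_log(FIREWALL_LOG)
    print("denied by service:", denied_services(flows))
    print("RPC follow-up blocked:", rpc_followup_blocked(flows))
```

Passing a narrowed range to rpc_followup_blocked() (the range you would pin in the registry) shows which denies would remain once the firewall rule is reduced to TCP/135 plus that range; the real LINE_RE for your firewall will differ, but the correlation logic does not.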
Roger Abell
March 5, 2005 1:56:18 AM

He mentioned NAT. Is this supported yet ?

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
Steven L Umbach
March 5, 2005 4:01:46 AM

Good point Roger. That point escaped me. NAT could very well be the problem,
and the user should refer to the KB below on problems with NAT and Netlogon
traffic. Thanks. --- Steve

http://support.microsoft.com/kb/172227

DevGD
March 9, 2005 10:13:06 AM

Thanks for the help. I have actually read both articles. I believe NAT is my
issue; I am just trying to find out how to solve the problem. I have sent
the following command to the other domain with success.

NET SEND /d:<Domain> "Message"

Are there any utilities or tests that I can run to verify that NAT is my issue?

Any other help would be greatly appreciated.

Thanks
Dev

Steven L Umbach
March 10, 2005 12:10:05 AM

The only way I know of to verify whether it is a problem or not would be to
capture traffic on each end of the connection with something like Netmon to
analyze the packet traffic. Beyond issues with NAT, RPC dynamic port assignment,
firewall rules and name resolution are the biggest problems. Making the WINS
servers in each domain replication partners with each other and verifying that
all domain controllers are also WINS clients usually works well for NetBIOS,
and for DNS you can have the DNS servers in each domain host secondary DNS
zones for the other domain. Also make sure that the domain controllers do not
have the security option "Additional restrictions for anonymous connections"
configured as "No access without explicit anonymous permissions", as shown as
the effective setting in Local Security Policy. You might want to also post in
the win2000.active_directory newsgroup. --- Steve


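
The packet-level form of the capture-on-both-ends check Steve recommends, and of the NAT test Dev asked for two posts earlier, as an added example that is not part of the thread. An RFC 1002 NetBIOS datagram (UDP/138, the transport for Netlogon mailslot messages) carries the sender's address in its own SOURCE_IP field. A NAT device that does not understand NetBIOS rewrites the IP header but leaves that field alone, so a trace taken on the far side of the firewall shows the two disagreeing, which is exactly what to look for in the Netmon captures. The datagram, the names and the trimmed mailslot payload below are constructed, not captured, and the addresses are invented.

```python
"""Added example (not from the thread): the cross-firewall check described
above applied to one NetBIOS datagram.  RFC 1002 4.4.1 datagrams (UDP/138,
which carry Netlogon mailslot traffic) embed the sender's IP in the payload;
NAT rewrites the IP header but not that field, so the two disagree on the far
side.  Packets here are constructed, not captured."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

def decode_name(enc: bytes) -> Tuple[str, int]:
    """Undo RFC 1002 first-level encoding (34 bytes) -> (name, suffix)."""
    if len(enc) < 34 or enc[0] != 32:
        raise ValueError("bad encoded name")
    body = enc[1:33]
    raw = bytes(((body[i] - 0x41) << 4) | (body[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].rstrip(b" \x00").decode("ascii", "replace"), raw[15]

@dataclass
class Datagram:
    msg_type: int          # 0x10 direct unique, 0x11 direct group, 0x12 broadcast
    dgm_id: int
    source_ip: str         # SOURCE_IP field inside the NetBIOS datagram header
    source_port: int
    source: Tuple[str, int]
    dest: Tuple[str, int]
    user_data: bytes

def parse_datagram(udp_payload: bytes) -> Datagram:
    msg_type, _flags, dgm_id, src_ip, src_port, length, _off = struct.unpack(">BBH4sHHH", udp_payload[:14])
    if msg_type not in (0x10, 0x11, 0x12):
        raise ValueError("not a NetBIOS direct/broadcast datagram")
    return Datagram(msg_type, dgm_id, str(ipaddress.IPv4Address(src_ip)), src_port,
                    decode_name(udp_payload[14:48]), decode_name(udp_payload[48:82]),
                    udp_payload[82:14 + length])      # DGM_LENGTH covers names + user data

def mailslot_name(user_data: bytes) -> Optional[str]:
    """Mailslot path from the SMB transaction inside the datagram, if any."""
    i = user_data.upper().find(b"\\MAILSLOT\\")
    if i < 0:
        return None
    end = user_data.find(b"\x00", i)
    return user_data[i:end if end >= 0 else None].decode("ascii", "replace")

@dataclass
class NatCheck:
    ip_header_src: str     # source address as captured at the IP layer
    embedded_src: str      # source address the NetBIOS layer claims
    translated: bool       # True when the two disagree: NAT touched one, not the other
    mailslot: Optional[str]
    source: Tuple[str, int]
    dest: Tuple[str, int]

def check_nat(ip_header_src: str, udp_payload: bytes) -> NatCheck:
    """Compare the IP-layer source from a capture with the embedded SOURCE_IP."""
    d = parse_datagram(udp_payload)
    outer = str(ipaddress.IPv4Address(ip_header_src))
    return NatCheck(outer, d.source_ip, d.source_ip != outer,
                    mailslot_name(d.user_data), d.source, d.dest)

# --- constructed sample: a Domain A DC sends a Netlogon mailslot to REMOTEDOM<1C> ---
def _encode(name: str, suffix: int) -> bytes:
    raw = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix])
    return b"\x20" + b"".join(bytes([(b >> 4) + 0x41, (b & 0x0F) + 0x41]) for b in raw) + b"\x00"

def build_datagram(src_ip: str, src_port: int, source, dest, user_data: bytes, dgm_id: int = 1) -> bytes:
    names = _encode(*source) + _encode(*dest)
    header = struct.pack(">BBH4sHHH", 0x11, 0x02, dgm_id,            # direct group, FIRST flag set
                         ipaddress.IPv4Address(src_ip).packed, src_port,
                         len(names) + len(user_data), 0)
    return header + names + user_data

# Trimmed stand-in for the SMB transaction that carries the mailslot write (constructed).
NETLOGON_STUB = b"\xffSMB\x25" + bytes(32) + b"\\MAILSLOT\\NET\\NETLOGON\x00" + b"\x12\x00"
SAMPLE = build_datagram("10.1.2.3", 138, ("DCA1", 0x00), ("REMOTEDOM", 0x1C), NETLOGON_STUB)

if __name__ == "__main__":
    print("Domain A side:", check_nat("10.1.2.3", SAMPLE))    # translated=False
    print("Domain B side:", check_nat("172.16.9.3", SAMPLE))  # translated=True
```

Feed check_nat() the IP-layer source address of the same datagram as seen in each capture: on the sending side translated should be False; on the receiving side of a NAT firewall it comes back True, and the embedded_src value is the address the remote DC will try to talk to.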
DevGD
March 11, 2005 10:07:03 AM

Thanks again for the help. I already have the secondary DNS zones in each of
the domains. I am going to call the firewall vendor to check on NetBIOS NAT.
I have all ports open both ways.

Thanks
Dev
