Archived from groups: microsoft.public.win2000.security
Thanks again for the help. I already have the secondary DNS zones in each of
the domains. I am going to call the firewall vendor to check on NetBIOS NAT.
I have all ports open both ways.
Thanks
Dev
"Steven L Umbach" wrote:
> The only way I know of to verify a problem or not would be to capture
> traffic on each end of the connection with something like Netmon to analyze
> packet traffic. Beyond issues with NAT, RPC dynamic port assignment, firewall
> rules and name resolution are the biggest problems. Making the WINS servers in
> each domain replication partners with each other and verifying that all
> domain controllers are also WINS clients usually works well for NetBIOS, and
> for DNS you can make the DNS servers in each domain contain secondary DNS
> zones for the other domain. Also make sure that the domain controllers do
> not have the security option "Additional restrictions for anonymous
> connections" configured to "No access without explicit anonymous
> permissions", as shown as the effective setting in Local Security Policy. You
> might want to also post in the win2000.active_directory newsgroup. --- Steve
>
>
> "DevGD" <DevGD@discussions.microsoft.com> wrote in message
> news:59AA2872-9F9F-4E20-A8EC-70B906537F4B@microsoft.com...
> > > Thanks for the help. I have actually read both articles. I believe NAT is
> > > my issue; I am just trying to find out how to solve the problem. I have
> > > sent the following command to the other domain with success.
> > >
> > > NET SEND /d:<Domain> "Message"
> > >
> > > Are there any utilities or tests that I can run to verify that NAT is my
> > > issue?
> >
> > Any other help would be greatly appreciated.
> >
> > Thanks
> > Dev
> >
> > "Steven L Umbach" wrote:
> >
> >> Good point Roger. That point escaped me. NAT could very well be the
> >> problem and the user should refer to the KB below on problems with NAT and
> >> Netlogon traffic. Thanks. --- Steve
> >>
> >>
> >> http://support.microsoft.com/kb/172227
> >>
> >> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> >> news:uGw7PeUIFHA.580@TK2MSFTNGP15.phx.gbl...
> >> > He mentioned NAT. Is this supported yet?
> >> >
> >> > --
> >> > Roger Abell
> >> > Microsoft MVP (Windows Security)
> >> > MCSE (W2k3,W2k,Nt4) MCDBA
> >> > "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
> >> > news:eQPk93PIFHA.2640@TK2MSFTNGP09.phx.gbl...
> >> >> See the link below for how to configure a firewall for trusts. You
> >> >> should not need to use all those ports for a trust depending on your
> >> >> configuration. Your firewall logs are the best place to look and see
> >> >> what traffic is being blocked between the two domains when you try to
> >> >> enable the trust. RPC will be tricky because of the way RPC assigns
> >> >> dynamic ports as described in the KB article, though you can restrict
> >> >> it with a registry entry. This type of trust will not use Kerberos.
> >> >> --- Steve
> >> >>
> >> >>
> >> >> http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B179442
> >> >>
> >> >> "DevGD" <DevGD@discussions.microsoft.com> wrote in message
> >> >> news:84C82D4-87BF-4FCF-8377-90D1760359F8@microsoft.com...
> >> >> > I am trying to set up a trust relationship between two different
> >> >> > domains, one mixed mode and one native mode, in different forests.
> >> >> > The domains have a firewall between them in a DMZ configuration.
> >> >> > Domain configs as follows:
> >> >> >
> >> >> > Domain A:
> >> >> > 3 DCs all Global Catalogs
> >> >> > W2K SP4 Native mode
> >> >> > IP Range 10.x.x.x
> >> >> >
> >> >> > Domain B:
> >> >> > 1 DC
> >> >> > W2K SP4 Mixed mode
> >> >> > IP Range 172.x.x.x
> >> >> >
> >> >> > Firewall is using NAT to translate 10.x.x.x to 172.x.x.x addresses.
> >> >> > Current policy in firewall allows all traffic from either side to pass.
> >> >> >
> >> >> > I have set the following in LMHOSTS on all 3 DCs in Domain A.
> >> >> >
> >> >> > 172.x.x.x remotedomainDC #PRE #DOM:remotedomain.com
> >> >> > 172.x.x.x remotedomain.com
> >> >> >
> >> >> > I can ping the domain and use net send /d:remotedomain "Message";
> >> >> > both complete successfully.
> >> >> >
> >> >> > When I try to create the trust I get the following error:
> >> >> >
> >> >> > "The remotedomain.com cannot be contacted.
> >> >> > If this domain is a Windows domain, the trust cannot be set up until
> >> >> > the domain is contacted. Click Cancel and try again later."
> >> >> >
> >> >> > When I try NBTSTAT -a remotedomain it returns host can not be found.
> >> >> > If I try NBTSTAT -a 172.x.x.x it works.
> >> >> >
> >> >> > Please help!
> >> >> >
> >> >> > Thanks
> >> >> > DevGD
> >> >> >
> >> >> >
> >> >>
> >> >>
> >> >
> >> >
> >>
> >>
> >>
>
>
>
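The replies above name three things to check before blaming NAT: the LMHOSTS domain entry, NetBIOS resolution of the remote domain (not just the remote host), and whether the trust ports actually pass the firewall; Steve also mentions pinning RPC's dynamic port range in the registry. The script below is an added example, not code from the thread or from Microsoft; it is written for a Windows host with PowerShell (the W2K DCs themselves would need the equivalent manual nbtstat -R / nbtstat -c commands). The IP address, the REMOTEDC / REMOTEDOM names, the LMHOSTS path and the port list are assumptions for illustration; compare the ports with the KB article Steve links. Note that the #DOM: keyword takes the flat NetBIOS domain name, so an entry like #DOM:remotedomain.com does not register the <1B>/<1C> names that trust setup looks for, and nbtstat -a takes a computer name, which is why it fails on a domain name but succeeds on the DC's address.

```powershell
# Added example (not from the thread): checks for the LMHOSTS, NetBIOS and
# port-reachability points raised above. Run as an administrator on a
# Domain A machine that can reach the Domain B DC through the firewall.
# All values in param() are assumptions, not taken from the thread.
param(
    [string]$RemoteDcIp     = '172.16.1.10',   # assumed NAT-side address of the Domain B DC
    [string]$RemoteDcName   = 'REMOTEDC',      # assumed NetBIOS computer name of that DC
    [string]$RemoteNbDomain = 'REMOTEDOM',     # assumed flat NetBIOS name of Domain B
    [string]$LmhostsPath    = "$env:SystemRoot\System32\drivers\etc\lmhosts",
    [int[]] $TcpPorts       = @(135, 139, 389, 445)  # assumed: RPC mapper, NetBIOS session, LDAP, SMB
)

# 1. LMHOSTS: a #DOM: entry must carry the NetBIOS domain name (at most 15
#    characters, no dots). A DNS-style name does not register the domain's
#    <1B>/<1C> NetBIOS names, so trust setup cannot find a DC through it.
function Test-LmhostsDomEntry {
    param([string]$Path)
    $found = $false
    foreach ($line in (Get-Content -Path $Path -ErrorAction SilentlyContinue)) {
        if ($line -match '^\s*(\d{1,3}(\.\d{1,3}){3})\s+(\S+)\s+#PRE\s+#DOM:(\S+)') {
            $dom = $Matches[4]
            if ($dom.Length -gt 15 -or $dom.Contains('.')) {
                Write-Warning "Bad #DOM value '$dom' (needs the flat NetBIOS domain name): $line"
            } else {
                Write-Host "LMHOSTS domain entry looks right: $line"
                $found = $true
            }
        }
    }
    if (-not $found) { Write-Warning "No usable '#PRE #DOM:' entry in $Path" }
    return $found
}

# 2. NetBIOS names: 'nbtstat -a' expects a computer name, so it fails on a
#    domain name while 'nbtstat -A <ip>' works. Reload LMHOSTS (-R) and then
#    look in the name cache (-c) for the DC's <20> record and the domain's
#    <1B>/<1C> records, which is what the trust wizard actually needs.
function Test-NetbiosDomainNames {
    param([string]$DcName, [string]$NbDomain)
    nbtstat -R | Out-Null
    $cache = nbtstat -c
    $dcOk  = [bool]($cache | Select-String -Pattern ('^\s*{0}\s+<(00|20)>' -f [regex]::Escape($DcName)))
    $domOk = [bool]($cache | Select-String -Pattern ('^\s*{0}\s+<(1B|1C)>' -f [regex]::Escape($NbDomain)))
    Write-Host ("DC name cached: {0}; domain name cached: {1}" -f $dcOk, $domOk)
    return ($dcOk -and $domOk)
}

# 3. Trust ports: a plain TCP connect per port with a timeout. UDP 137/138
#    and the dynamic RPC range cannot be probed this way; the firewall log
#    is the place to look for those, as Steve says.
function Test-TrustPorts {
    param([string]$Ip, [int[]]$Ports, [int]$TimeoutMs = 2000)
    $results = @{}
    foreach ($port in $Ports) {
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $async = $client.BeginConnect($Ip, $port, $null, $null)
            $results[$port] = $async.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected
        } catch {
            $results[$port] = $false
        } finally {
            $client.Close()
        }
        Write-Host ("TCP {0,-5} -> {1}" -f $port, $(if ($results[$port]) { 'open' } else { 'blocked/timeout' }))
    }
    return $results
}

# 4. RPC dynamic ports: the Rpc\Internet values pin the range RPC hands out
#    so a fixed firewall rule can cover it (reboot required afterwards).
#    Only shown unless -Apply is passed; the range itself is an assumption.
function Set-RpcInternetPorts {
    param([string]$Range = '5000-5100', [switch]$Apply)
    $key = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
    Write-Host "RPC range $Range -> $key (Ports, PortsInternalAvailable=Y, UseInternetPorts=Y)"
    if ($Apply) {
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name Ports -Value ([string[]]@($Range)) -Type MultiString
        Set-ItemProperty -Path $key -Name PortsInternalAvailable -Value 'Y' -Type String
        Set-ItemProperty -Path $key -Name UseInternetPorts -Value 'Y' -Type String
    }
}

$null = Test-LmhostsDomEntry    -Path $LmhostsPath
$null = Test-NetbiosDomainNames -DcName $RemoteDcName -NbDomain $RemoteNbDomain
$null = Test-TrustPorts         -Ip $RemoteDcIp -Ports $TcpPorts
Set-RpcInternetPorts            # add -Apply to write the values, then reboot
```

If the LMHOSTS and name-cache checks pass but the trust wizard still reports that the domain cannot be contacted, the remaining suspects are exactly the two the thread converges on: RPC traffic to a dynamic port the firewall does not pass, and NetBIOS/Netlogon traffic that does not survive address translation, which only a packet capture on both sides of the firewall will settle.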