External Trusts between W2K DCs in Different Forests CONTINUED...

Guest

I am trying to set up a trust relationship between two different domains, one
mixed mode and one native mode, in different forests. The domains have a
firewall between them in a DMZ configuration. Domain configs as follows:

Domain A:
3 DCs all Global Catalogs
W2K SP4 Native mode
IP Range 10.x.x.x

Domain B:
1 DC
W2K SP4 Mixed mode
IP Range 172.x.x.x

Firewall is using NAT to translate 10.x.x.x to 172.x.x.x address. Current
policy in firewall allows all traffic from either side to pass.

I have set the following in LMHOSTS on all 3 DCs in Domain A.

172.x.x.x remotedomainDC#PRE #DOM:remotedomain.com
172.x.x.x remotedomain.com

I can ping the domain and use net send /d:remotedomain "Message"; both
complete successfully.

When I try and create the trust I get the following error:

"The remotedomain.com cannot be contacted.
If this domain is a windows domain, the trust cannot be set up until the
domain is contacted. Click Cancel and try again later."

When I try NBTSTAT -a remotedomain it returns "host not found". If I try
NBTSTAT -a 172.x.x.x it works.

Please help!

Thanks
DevGD
 
See the link below for how to configure a firewall for trusts. You should
not need to use all those ports for a trust, depending on your configuration.
Your firewall logs are the best place to look to see what traffic is being
blocked between the two domains when you try to enable the trust. RPC will
be tricky because of the way RPC assigns dynamic ports, as described in the
KB article, though you can restrict it with a registry entry. This type of
trust will not use Kerberos. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;179442
 
Thanks for the help. I have actually read both articles. I believe NAT is my
issue; I am just trying to find out how to solve the problem. I have sent
the following command to the other domain with success.

NET SEND /d:<Domain> "Message"

Are there any utilities or tests that I can run to verify that NAT is my issue?

Any other help would be greatly appreciated.

Thanks
Dev
 
The only way I know of to verify a problem or not would be to capture
traffic on each end of the connection with something like Netmon to analyze
packet traffic. Beyond issues with NAT, RPC dynamic port assignment, firewall
rules and name resolution are the biggest problems. Making the WINS servers in
each domain replication partners with each other and verifying that all
domain controllers are also WINS clients usually works well for NetBIOS, and
for DNS you can make the DNS servers in each domain contain secondary DNS
zones for the other domain. Also make sure that the domain controllers do
not have the security option "Additional restrictions for anonymous
connections" configured to "No access without explicit anonymous
permissions" as shown as the effective setting in Local Security Policy. You
might want to also post in the win2000.active_directory newsgroup. --- Steve
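Two things in this thread lend themselves to a concrete check: Dev's observation that nbtstat works against the IP but not the name (nbtstat -A sends a node-status query straight to UDP 137 and needs no name resolution at all), and Steve's advice to capture on both sides to see whether NAT is breaking things. NetBIOS datagrams on UDP 138 (used by the browser service, the netlogon mailslot and net send) carry the sender's IP address inside the payload, and a plain NAT device rewrites only the IP header, so comparing the embedded address with the outer source address in a capture shows NAT damage directly. The following is an added example written for this page, not code from the thread or from any Microsoft tool; the packet builders follow RFC 1002, and the host names, addresses and sample packets are constructed for illustration.

```python
import socket
import struct

NBNS_PORT = 137   # NetBIOS name service (nbtstat -A, WINS)
NBDS_PORT = 138   # NetBIOS datagram service (browser, netlogon mailslot, net send)


def encode_netbios_name(name: str, suffix: int) -> bytes:
    """RFC 1002 first-level encoding of a 16-byte NetBIOS name (15 chars plus
    suffix byte). The wildcard '*' is NUL-padded, every other name space-padded."""
    pad = b"\x00" if name == "*" else b" "
    raw = name.upper().encode("ascii")[:15].ljust(15, pad) + bytes([suffix])
    enc = bytearray()
    for b in raw:                      # each byte becomes two letters 'A'..'P'
        enc.append(ord("A") + (b >> 4))
        enc.append(ord("A") + (b & 0x0F))
    return b"\x20" + bytes(enc) + b"\x00"   # label length 32, no scope ID


def decode_netbios_name(blob: bytes) -> tuple:
    """Inverse of encode_netbios_name; returns (name, suffix)."""
    if len(blob) < 34 or blob[0] != 0x20:
        raise ValueError("not a scope-less first-level encoded name")
    body = blob[1:33]
    raw = bytes(((body[i] - 0x41) << 4) | (body[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" \x00"), raw[15]


def build_node_status_request(txid: int = 0x1234) -> bytes:
    """The packet nbtstat -A <ip> sends: a unicast NBSTAT query for the name '*'."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_netbios_name("*", 0x00) + struct.pack("!HH", 0x0021, 0x0001)


def parse_node_status_response(data: bytes) -> list:
    """Return [(name, suffix, is_group), ...] from a NBSTAT reply; this is the
    name table nbtstat prints (DOMAIN<1C> is the domain controller group name)."""
    off = 12 + 34 + 10            # header, RR name, type/class/TTL/RDLENGTH
    count, off = data[off], off + 1
    names = []
    for _ in range(count):
        raw = data[off:off + 16]
        flags = struct.unpack("!H", data[off + 16:off + 18])[0]
        names.append((raw[:15].decode("ascii").rstrip(), raw[15], bool(flags & 0x8000)))
        off += 18
    return names


def query_node_status(ip: str, timeout: float = 2.0) -> list:
    """Live equivalent of nbtstat -A <ip>; returns [] when nothing answers."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.sendto(build_node_status_request(), (ip, NBNS_PORT))
        data, _ = s.recvfrom(4096)
    except socket.timeout:
        return []
    finally:
        s.close()
    return parse_node_status_response(data)


def parse_datagram_header(payload: bytes) -> dict:
    """RFC 1002 4.4.1 direct/broadcast datagram header followed by both names."""
    msg_type, flags, dgm_id, src_ip, src_port, dgm_len, pkt_off = struct.unpack("!BBH4sHHH", payload[:14])
    return {
        "msg_type": msg_type,
        "source_ip": socket.inet_ntoa(src_ip),   # the address NAT does not rewrite
        "source_port": src_port,
        "source_name": decode_netbios_name(payload[14:48]),
        "dest_name": decode_netbios_name(payload[48:82]),
    }


def nat_mismatch(outer_src_ip: str, udp_payload: bytes) -> bool:
    """True when the address embedded in the datagram differs from the IP-header
    source seen on the wire: the signature of a NetBIOS datagram that crossed NAT."""
    return parse_datagram_header(udp_payload)["source_ip"] != outer_src_ip


def build_datagram(src_ip, src_port, src_name, src_suffix, dst_name, dst_suffix, user_data):
    """Construct a direct-group datagram (msg type 0x11) so the check runs offline."""
    names = encode_netbios_name(src_name, src_suffix) + encode_netbios_name(dst_name, dst_suffix)
    header = struct.pack("!BBH4sHHH", 0x11, 0x02, 1, socket.inet_aton(src_ip),
                         src_port, len(names) + len(user_data), 0)
    return header + names + user_data


# Constructed samples (not captured data): a datagram sent by DC "DCA1" in 10/8 to the
# REMOTEDOMAIN<1C> group, as it would appear on the 172 side after the firewall's NAT,
# and a node-status reply listing the remote DC's workstation and domain names.
SAMPLE_DATAGRAM = build_datagram("10.1.1.5", NBDS_PORT, "DCA1", 0x00, "REMOTEDOMAIN", 0x1C, b"\x00" * 8)
SAMPLE_OUTER_SRC = "172.16.1.5"
SAMPLE_STATUS_REPLY = (
    struct.pack("!HHHHHH", 0x1234, 0x8400, 0, 1, 0, 0)
    + encode_netbios_name("*", 0x00) + struct.pack("!HHIH", 0x0021, 0x0001, 0, 83)
    + b"\x02"
    + b"REMOTEDC".ljust(15) + b"\x00" + b"\x04\x00"
    + b"REMOTEDOMAIN".ljust(15) + b"\x1c" + b"\x84\x00"
    + b"\x00" * 46
)

if __name__ == "__main__":
    print(parse_node_status_response(SAMPLE_STATUS_REPLY))
    print(parse_datagram_header(SAMPLE_DATAGRAM))
    print("NAT mismatch:", nat_mismatch(SAMPLE_OUTER_SRC, SAMPLE_DATAGRAM))
```

To use this against a real capture, feed nat_mismatch() the IP-header source and the UDP payload of each port-138 packet taken on the far side of the firewall; a stream of True results from the 172 side is the evidence the firewall vendor will want. query_node_status() is only for live use and is not exercised by the offline samples.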
 
Thanks again for the help. I already have the secondary DNS zones in each of
the domains. I am going to call the firewall vendor to check on NetBIOS NAT.
I have all ports open both ways.

Thanks
Dev
 