Forest / Domain Trust across firewall
Good evening,
we have the following situation:
Forest-A (Domain-A): centralized application for mail archiving, IP range 172.18.20.xxx
Forest-C1 (Domain-C1): Customer 1, IP Range 192.168.1.xxx, PDC 192.168.1.1
Forest-C2 (Domain-C2): Customer 2, IP Range 192.168.1.xxx, PDC 192.168.1.1
Forest-C3 (Domain-C3): Customer 3, IP Range 10.103.3.xxx
For the application in Forest-A (Domain-A) to work, we need to have a two-way trust to each of the customer domains. But the problem is that the customer subnets do not necessarily have different IP ranges, as shown above. Therefore I cannot use VPN connections for this. I could go with static routing, but then I still have the problem that I have to contact different DCs which have the same IP.
As NAT is also not an option (not supported, I know), does anyone have any idea how to work around this situation?
Thank you very much!!
Sebastian
With IPv4, as long as NAT is not an option and the clients cannot change their IP ranges, I would not see an option. Static routing won't fix the problem either, as it will just create other problems, since the same subnets are used in two different locations.
IPv6 is an option in case your clients can go with it.
This posting is provided AS IS with no warranties or guarantees, and confers no rights.
Ahmed MALEK
Similar Messages
-
Domain trust parameters meaning
Hi all,
can you help me understand what's the meaning of these parameters returned after querying a DC for trust relationships?
DOMAIN_NAME={domain.netbios.name=NETBIOS_NAME,
domain.flags=0x00000022, domain.trust.attributes=0x00000008, domain.dns.name=DNS_NAME,
domain.trust.type=2, objectGUID=0etc, objectSid=Setc}
Specifically I'm interested in these parameters:
domain.flags
domain.trust.attributes
domain.trust.type
What do they represent and what are the possible values?
Thanks in advance
Have a nice day
I believe the answer is: https://msdn.microsoft.com/en-us/library/cc237110.aspx
so in my case
domain.flags -> I don't understand this
domain.trust.attributes -> Domain is root of another forest
domain.trust.type -> Trust is with a Windows Active Directory-based Domain
Is this correct? -
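The three values asked about above are bit fields and an enumeration, so they are easiest to read with a small decoder. The following is an added example and not code from the original thread; it assumes the quoted output is the DS_DOMAIN_TRUSTS structure that DsEnumerateDomainTrusts returns (domain.flags are its DS_DOMAIN_* flags, domain.trust.attributes the trustAttributes bits of the trustedDomain object, domain.trust.type the trustType value), uses the published names for those bits, and feeds it the record quoted in the question. The review warnings it emits are the ones a security engineer would raise: a forest trust marked TREAT_AS_EXTERNAL, or a direct external trust without the QUARANTINED_DOMAIN (SID filtering) bit.

```python
"""Decode the raw trust record a DC returns for one trust relationship.

Added example; it is not code from the original thread. The field names
match the post's output, which is assumed to be the DS_DOMAIN_TRUSTS
structure returned by DsEnumerateDomainTrusts; bit names follow the
published DS_DOMAIN_* flag and TRUST_ATTRIBUTE_* definitions. The sample
record is constructed from the values quoted in the question.
"""

# domain.flags: how this domain relates to the DC that was queried
DOMAIN_FLAGS = {
    0x00000001: "DS_DOMAIN_IN_FOREST",        # member of the queried DC's forest
    0x00000002: "DS_DOMAIN_DIRECT_OUTBOUND",  # queried domain trusts this domain
    0x00000004: "DS_DOMAIN_TREE_ROOT",        # root of a tree in the forest
    0x00000008: "DS_DOMAIN_PRIMARY",          # the queried domain itself
    0x00000010: "DS_DOMAIN_NATIVE_MODE",      # no NT4 BDCs remain
    0x00000020: "DS_DOMAIN_DIRECT_INBOUND",   # this domain trusts the queried domain
}

# domain.trust.attributes: the trustAttributes bits on the trustedDomain object
TRUST_ATTRIBUTES = {
    0x00000001: "NON_TRANSITIVE",
    0x00000002: "UPLEVEL_ONLY",
    0x00000004: "QUARANTINED_DOMAIN",        # SID filtering on an external trust
    0x00000008: "FOREST_TRANSITIVE",         # a forest trust to another forest root
    0x00000010: "CROSS_ORGANIZATION",        # selective authentication
    0x00000020: "WITHIN_FOREST",             # parent/child or shortcut trust
    0x00000040: "TREAT_AS_EXTERNAL",         # forest trust with relaxed SID filtering
    0x00000080: "USES_RC4_ENCRYPTION",       # MIT realm trust keyed with RC4
    0x00000200: "CROSS_ORGANIZATION_NO_TGT_DELEGATION",
    0x00000400: "PIM_TRUST",
    0x00000800: "CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION",
}

# domain.trust.type
TRUST_TYPES = {
    1: "DOWNLEVEL (Windows NT 4.0 domain)",
    2: "UPLEVEL (Active Directory domain)",
    3: "MIT (non-Windows Kerberos realm)",
    4: "DCE",
}

# Constructed from the values quoted in the question.
SAMPLE_RECORD = {
    "domain.netbios.name": "NETBIOS_NAME",
    "domain.dns.name": "DNS_NAME",
    "domain.flags": 0x00000022,
    "domain.trust.attributes": 0x00000008,
    "domain.trust.type": 2,
}


def decode_bits(value, table):
    """Name every set bit in value; bits without a name are reported, not dropped."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    unknown = value & ~sum(table)  # sum of the keys is the mask of known bits
    if unknown:
        names.append(f"UNKNOWN_0x{unknown:08X}")
    return names


def decode_trust(record):
    """Return the human-readable view of one record plus review warnings."""
    flags = decode_bits(record["domain.flags"], DOMAIN_FLAGS)
    attrs = decode_bits(record["domain.trust.attributes"], TRUST_ATTRIBUTES)
    ttype = record["domain.trust.type"]
    inbound = "DS_DOMAIN_DIRECT_INBOUND" in flags
    outbound = "DS_DOMAIN_DIRECT_OUTBOUND" in flags
    if inbound and outbound:
        direction = "two-way"
    elif inbound:
        direction = "inbound only"
    elif outbound:
        direction = "outbound only"
    else:
        direction = "none (reached transitively, or the domain itself)"

    warnings = []
    if "TREAT_AS_EXTERNAL" in attrs:
        warnings.append("TREAT_AS_EXTERNAL: SID filtering relaxed on this forest trust")
    if (inbound or outbound) and not {"WITHIN_FOREST", "FOREST_TRANSITIVE",
                                      "QUARANTINED_DOMAIN"} & set(attrs):
        warnings.append("external trust without QUARANTINED_DOMAIN: SID filtering not enforced")

    return {
        "name": record["domain.dns.name"],
        "flags": flags,
        "direction": direction,
        "attributes": attrs,
        "type": TRUST_TYPES.get(ttype, f"UNKNOWN ({ttype})"),
        "warnings": warnings,
    }


if __name__ == "__main__":
    for key, value in decode_trust(SAMPLE_RECORD).items():
        print(f"{key:11s} {value}")
```

For the record in the question this reports flags DS_DOMAIN_DIRECT_OUTBOUND and DS_DOMAIN_DIRECT_INBOUND (a two-way trust), the single attribute FOREST_TRANSITIVE (a forest trust, which is what "root of another forest" means) and type UPLEVEL, with no warnings.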
Change domain trust for Forest trust
Hi
I have a forest A with 3 domains (1 (root), 2, 3) and I have a forest B with 2 domains (4 (root), 5).
Presently, I have a domain trust between domain 2 and 5.
I need to change to a forest trust. What is the best practice?
1- Remove the domain trust and create a forest trust?
2- Create a forest trust (wait a few days) and then remove the domain trust?
3- Create a forest trust and remove the domain trust immediately?
Do you have a link to explain that?
Thanks
Hi,
Which kind of domain trust have you created? Which kind of forest trust do you want to create?
A one-way forest trust allows all users in one forest to trust all domains in the other forest; a two-way forest trust forms a transitive trust relationship between every domain in both forests.
Based on my understanding of forest trust, a forest trust is a transitive trust between a forest root domain and a second forest root domain. If you create a forest trust between the two root domains in forest A and forest B, it provides a one-way or two-way, transitive trust relationship between every domain in each forest. In other words, all the domains in forest A and forest B would inherit the trust relationship from their root domains. Personally, you can just create a new forest trust and keep the existing domain trust.
In addition, please make sure that the forest functional level is Windows Server 2003 or higher before you create a forest trust.
Best regards,
Susie -
What difference between a domain trust and a forest trust?
What difference between a domain trust and a forest trust?
Greetings!
The answer is right on the question! :)
I think it is best to distinguish properly between forest and domain. This article is a good one:
What Are Domains and Forests?
But in a nutshell, a forest trust is mostly used between two organizations. Suppose company A has a unique forest and company B has another unique forest as well; when they are merged they can simply create a forest trust between each other. This trust can be one-way or two-way depending on your needs.
Domain trusts are between a single instance (domain) of a forest to another instance (domain) of another forest. It is worth mentioning that trust can be transitive as well.
What Are Domain and Forest Trusts?
I hope you got the answer.
Regards.
Mahdi Tehrani
www.mahditehrani.ir
This posting is provided AS-IS with no warranties, and confers no rights.
-
Forest Level Trust to limited number of DC's
I need to establish a one-way forest-level trust between 2 forests across firewalls. The source forest has a single domain with 13 domain controllers. Is it possible to limit the trust communication to only 2 domain controllers in the source domain, or do I need to open up the required ports from the target domain controllers to all the DCs in the source forest?
Hi,
Based on my understanding of forest trust, if you create a one-way forest trust between forest A (the trusted forest) and forest B (the trusting forest), members of forest A can access resources located in forest B, but members of forest B cannot access resources located in forest A using the same trust. There is no limitation on the number of DCs.
In addition, for the ports used by trusts, you can refer to the link below:
How Domain and Forest Trusts Work
Best regards,
Susie -
Hello,
We have a 2-way domain trust between a Windows 2003 domain and a 2008 domain. Nearly all works; we can share folder permissions etc., but what we can't do on their domain is add a PC on their network that is part of our domain.
The error is:
It can't find the SRV record for _ldap._tcp.dc._msdcs.ukdomain.local.
If they go to their DNS and look at the secondary forward lookup zone for ukdomain.local, it doesn't show a zone called _msdcs under ukdomain.local; instead, outside my zone we have a separate zone called _msdcs.gb.vo.local, like this:
DC1
----->Forward Lookup Zones
-------->_Msdcs.ukdomain.local
-------->ukdomain.local
I thought it should look like this:
DC1
----->Forward Lookup Zones
------->ukdomain.local
--------->_Msdcs
Thanks
If you are on their network, can you ping their domain?
If not, then you have a DNS, routing, or firewall issue.
Are ports being blocked? For DNS, add a conditional forwarder pointing to the DNS for the other domain, and do the same on the other side; this works better in 2008 as it's replicated to the forest.
Testing Domain Controller Connectivity Using PORTQRY
Protocol and Port | AD and AD DS Usage | Type of traffic
TCP and UDP 389 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP
TCP 636 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP SSL
TCP 3268 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP GC
TCP 3269 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP GC SSL
TCP and UDP 88 | User and Computer Authentication, Forest Level Trusts | Kerberos
TCP and UDP 53 | User and Computer Authentication, Name Resolution, Trusts | DNS
TCP and UDP 445 | Replication, User and Computer Authentication, Group Policy, Trusts | SMB, CIFS, SMB2, DFSN, LSARPC, NbtSS, NetLogonR, SamR, SrvSvc
TCP 25 | Replication | SMTP
TCP 135 | Replication | RPC, EPM
TCP Dynamic | Replication, User and Computer Authentication, Group Policy, Trusts | RPC, DCOM, EPM, DRSUAPI, NetLogonR, SamR, FRS
TCP 5722 | File Replication | RPC, DFSR (SYSVOL)
UDP 123 | Windows Time, Trusts | Windows Time
TCP and UDP 464 | Replication, User and Computer Authentication, Trusts | Kerberos change/set password
UDP Dynamic | Group Policy | DCOM, RPC, EPM
UDP 138 | DFS, Group Policy | DFSN, NetLogon, NetBIOS Datagram Service
TCP 9389 | AD DS Web Services | SOAP
UDP 67 and UDP 2535 | DHCP (note: DHCP is not a core AD DS service, but it is often present in many AD DS deployments) | DHCP, MADCAP
UDP 137 | User and Computer Authentication | NetLogon, NetBIOS Name Resolution
TCP 139 | User and Computer Authentication, Replication | DFSN, NetBIOS Session Service, NetLogon
Postings are provided "AS IS" with no warranties, and confer no rights.
Kelly Bush
It appears that you've copied and posted the chart, with some editing, from my blog, link posted below. No problem, as long as it helps the poster. :-)
Active Directory Firewall Ports – Let’s Try To Make This Simple
http://blogs.msmvps.com/acefekay/2011/11/01/active-directory-firewall-ports-let-s-try-to-make-this-simple/
Also, I would like to add that for firewall checks, make sure the ephemeral ports are opened. These are the important random response ports. The ports depend on the operating system version.
Here's the matrix:
Ephemeral Ports:
And most of all, the ephemeral ports, also known as the "service response ports", are required for communications. These ports are dynamically created for session responses for each client that establishes a session (no matter what the "client" may be) and are used only for that session. Once the session has dissolved, the ports are put back into the pool for reuse. This applies not only to Windows, but to Linux and Unix as well. See below in the references section to find out more on what "ephemeral" means.
Protocol and Port | Applies to / Usage | Type of traffic
TCP & UDP 1025-5000 | Windows 2003/XP and older | Ephemeral Dynamic Service Response Ports
TCP & UDP 49152-65535 | Windows 2008/Vista and newer | Ephemeral Dynamic Service Response Ports
TCP Dynamic Ephemeral | Replication, User and Computer Authentication, Group Policy, Trusts | RPC, DCOM, EPM, DRSUAPI, NetLogonR, SamR, FRS
UDP Dynamic Ephemeral | Group Policy | DCOM, RPC, EPM
If the scenario is a mixed-mode NT4 & Active Directory scenario with NT4 BDCs, then the following must be opened:
TCP & UDP 1024-65535 | NT4 BDC to Windows 2000 or newer domain controller PDC-E communications | RPC, LSA RPC, LDAP, LDAP SSL, LDAP GC, LDAP GC SSL, DNS, Kerberos, SMB
Ace Fekay
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
This posting is provided AS-IS with no warranties or guarantees and confers no rights. -
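The two replies above give the port matrix, and the thread title is about getting a trust to work across a firewall, so a check that walks that matrix against a DC on the far side is the natural next step. The following is an added example, not code from the original thread or from either blog: it probes the TCP ports the table ties to trusts and authentication (53, 88, 135, 139, 389, 445, 464, 636, 3268, 3269, 9389), reports what is closed, and appends the ephemeral response range for the DC's OS version from Ace Fekay's list, since a fixed-port probe cannot prove that range open but RPC over 135 will need it. The DC host name is a placeholder. UDP ports are deliberately left out: a UDP "connect" succeeds whether or not anything listens, so it proves nothing.

```python
"""Probe the TCP ports a trust needs on a domain controller behind a firewall.

Added example; it is not code from the original thread. The fixed ports are
the TCP entries of the port table above that the table marks for trusts and
authentication; the ephemeral ranges are the ones listed for each OS family.
The host name is a placeholder. UDP ports (53, 88, 123, 137, 138, 389, 464)
are not probed because a UDP connect cannot tell open from filtered.
"""
import socket
import sys

# TCP ports a trust relies on, with the service each carries.
TRUST_TCP_PORTS = {
    53: "DNS",
    88: "Kerberos",
    135: "RPC endpoint mapper",
    139: "NetBIOS session service / NetLogon",
    389: "LDAP",
    445: "SMB / LSARPC / NetLogonR / SamR",
    464: "Kerberos change/set password",
    636: "LDAP over SSL",
    3268: "LDAP global catalog",
    3269: "LDAP global catalog over SSL",
    9389: "AD DS Web Services",
}

# Dynamic RPC response range the DC hands out via port 135; depends on the OS.
EPHEMERAL_RANGES = {
    "2003/XP and older": (1025, 5000),
    "2008/Vista and newer": (49152, 65535),
}


def tcp_port_open(host, port, timeout=2.0):
    """True if a full TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, or name lookup failed
        return False


def check_dc(host, ports=TRUST_TCP_PORTS, timeout=2.0):
    """Probe every fixed port once; returns {port: reachable?}."""
    return {port: tcp_port_open(host, port, timeout) for port in ports}


def firewall_request(results, os_family="2008/Vista and newer", ports=TRUST_TCP_PORTS):
    """Turn probe results into the lines to hand to the firewall team: every
    closed fixed port, plus the ephemeral range for the DC's OS family."""
    lines = [f"TCP {p} ({ports[p]})" for p, ok in sorted(results.items()) if not ok]
    lo, hi = EPHEMERAL_RANGES[os_family]
    lines.append(f"TCP {lo}-{hi} (ephemeral RPC response ports, {os_family})")
    return lines


def probe_self():
    """Check the probe itself against a local listener before blaming the
    firewall: returns (result while listening, result after closing)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # the kernel picks a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = tcp_port_open("127.0.0.1", port, timeout=1.0)
    listener.close()
    after_close = tcp_port_open("127.0.0.1", port, timeout=1.0)
    return while_open, after_close


if __name__ == "__main__":
    # Placeholder host name; pass the real DC as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "dc01.domain-a.example"
    results = check_dc(target)
    for port, ok in sorted(results.items()):
        print(f"TCP {port:5d} {TRUST_TCP_PORTS[port]:34s} {'open' if ok else 'CLOSED'}")
    print("firewall request:")
    for line in firewall_request(results):
        print("  " + line)
```

Run it from a domain controller on the near side of the firewall against each DC on the far side; a DC that answers on 389 and 445 but not 88 is the classic cause of the "works but very slow" logon reported later in this thread, where Kerberos times out before the NTLM fallback kicks in.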
AD DS New Forest Domain Naming Problem
Hey everyone,
I'm having a bit of a conundrum about the new forest domain name and what possible implications it can have if I choose the wrong naming convention...
Current Setup
The current issue is that the company I work for was bought out by another company and at the moment we're using a 2-way forest trust.
The company also has another site in Africa which is using a different forest domain but doesn't have any forest trust to either of the other 2 domains.
The current forest domains are:
1. Company1.local (my old company)
2. Company2.com.au (main company)
3. internal.company2direct.com.ke (Africa site)
To make it worse, all three sites have their own Exchange environment and there's all types of file share/application authentication issues between sites.
Therefore, the company has decided that they want to get rid of all the Exchange environments, file shares and so forth and move everything to Office365, including SharePoint and Lync.
New Solution
They have also decided that they want a new forest with a single domain, and that the locations and security will be delegated by using different OU structures/GPOs, as it's all going to be administered by 2 people at the main company site. This is non-negotiable, as they don't want sub/child domains or different forests, just a single entity.
They're using a third party to do the Office365 design and implementation. However I have been assigned to setup the new initial ADDS server for the new forest.
After some reading I've found that we really shouldn't be using '.local' or '.internal' for the forest root domain. I suggested that we use 'internal.thecompanynamethatisreallylong.com.au' and a NetBIOS name of 'CNF' (which is actually that long, and I feel that if we have to use a FQDN for anything then it will cause an issue).
They want me to use the following for the forest root domain: 'au.cnf' with a NetBIOS name of 'CNF'.
Is that really such a good idea, or is there any situation whereby using 'au.cnf' as the prefix.suffix could cause any issues?
I would have liked to use 'internal.cnf.com.au'; however, the domain name 'cnf.com.au' is already registered by another company.
Once the new forest is created, I'll create a 2-way trust between the companies and start using ADMT to migrate accounts across.
Thanks in advance for your help
Hello,
For AD limits, especially the number of usable characters, please see
http://technet.microsoft.com/en-us/library/cc756101.aspx
Personally I would NOT use the "CNF" as NetBIOS domain name. "CNF" in AD stands for "Conflicting object" and this will be shown in dcdiag or repadmin outputs when conflicts are listed as doubled names for example.
For the internal naming I would always use short domain names. Top level domain names to avoid for WAAD and Office365 I would also check with the experts in http://social.msdn.microsoft.com/forums/azure/en-US/home?forum=WindowsAzureAD
and http://community.office365.com/en-us/f/default.aspx
You could use public TLDs but keep in mind that you have to configure split DNS that way.
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://blogs.msmvps.com/MWeber
Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
-
Domain Trust Relationships in Windows Small Business Server 2011
I have seen that SBS 2011 (and older SBS versions, apparently) do not 'support' Domain Trust relationships.
Before coming across this information, I had already successfully created a trust relationship between a newly created SBS 2011 domain and an existing 2008 domain, and everything seems to be working fine: users from one domain are recognized on the other, etc.
So I was wondering: is the 'not supported' more of a 'you're on your own if it breaks', is this a violation of the license, or is it some sort of freak occurrence and I am extremely lucky to have gotten this to work? This is actually my first time setting up a trust relationship, and the entire process took about 10 minutes, so it seemed extremely easy for something that I now find out is unsupported.
If it is a license violation, I'll remove the trust relationship immediately. This is not a permanent configuration, just testing our software on the SBS 2011 platform, and domain trusts were the most expedient way of adding the SBS domain users to the list of authorized users on our primary domain's SQL Server.
Thanks in advance.
From here, it says that the trust relationship is not supported for SBS: http://technet.microsoft.com/en-us/library/cc672124%28v=ws.10%29.aspx
This means that this has not been tested by Microsoft, and if you have issues, you will not get support from Microsoft.
I don't think that this is a violation of the license, but it will be better to check with a Microsoft licensing expert in your country.
You may get more if you ask them here: http://social.technet.microsoft.com/Forums/en-US/category/sbsserver
This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
-
Master data services 2012 domain trust issues
Hi,
We have a Master Data Services 2012 installation within one domain and the users exist within another domain. This has a selective trust both ways.
The behaviour that we are seeing in MDS 2012 when adding users to Master Data Services from the other domain is that we get "no exact match found" for users that exist; these users are from the domain that MDS does not reside in, but there is a trust in place.
We have given authentication permissions to all users requiring access to the server that MDS resides on.
The question is: what steps are necessary to allow MDS to operate in a two-domain environment? We have other applications that function in this manner, but MDS is causing issues.
Any help would be appreciated.
Thanks
I don't have the exact multi-domain environment to try it on, but I tried on multi-forest domains. It seems to work fine.
When add the user, the format is like [DomainName\]UserName
When add the user for another domain, the domain name is required.
There is a trust between our two domains (which works because I can log into SQL Server effortlessly with SSMS). However, when I try to add a user from the other domain, I get the error
"No exact match was found for domain\user"
It seems that MDS really doesn't like trusts.
MCSE SQL Server 2012 - Please mark posts as answered where appropriate. -
People Picker search order with multiple forest domains
I have a customer with a multiple-forest domain environment. Now the problem is that all users from one domain are synced to the resource domain (Domain A) where SharePoint is installed.
The People Picker is now finding the user first in Domain A, where SharePoint is installed. My solution is now to specify the search order in People Picker so that first all users in Domain B are returned and, if nothing is returned, Domain A.
All SharePoint servers have network access to the other domains, and a two-way trust is configured.
Any Solution for that?
Thanks for your feedback!
P.
Regardless of search order, you would get both results returned. Have you tried using the UserAccountDirectoryPath property on the Site Collection to specify DC=domainB,DC=com?
Trevor Seward
This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.
Nice to know that I can set it up per site collection. But it does not work in my case; it indeed returned users from Domain B, but Domain A, C, D and F (examples) are excluded from People Picker. -
Kerberos Authentication Setup for MSCRM in cross forest oneway trust environment.
Dear All,
Kindly help with implementing Kerberos authentication on a CRM application in a multiple-forest environment. My environment details are as below:
Number of forests: 2
1. First is with name of domain1.local
2. Second is with name of domain2.local
Trust Level: One-way trust between domain1 and domain2.
CRM Farm Details:
1. 1 CRM(APP + WEB)Server (CRMAPP-01.domain1.local)
2. 1 SQL Server (CRMSQL-01.domain1.local)
3. 1 CRM SSRS Server (CRMSSRS-01.domain.local)
4. CRM site url: http://mscrminternal.domain.local/MSORG1
*I have successfully configured Kerberos authentication and everything is working fine when accessed by users of domain1.
But when I tried to access it as users of domain2, I got the following error:
HTTP Error 401 - Unauthorized: Access denied.
*If I switch to NTLM, I can access the CRM site for domain2 and domain1 users without any issue.
I read an MS article saying Kerberos delegation can be established if a one-way forest trust is present.
Please help me to understand if Kerberos is possible to set up across a cross-forest one-way trust.
Regards
Gyan
GYAN SHUKLA
Hi Gyan,
I assume that you have solved this issue by synchronizing time between Domain Controllers, right?
Then your last reply should be marked as answer.
If this issue still persists, please feel free to let us know.
Best Regards,
Amy -
We have set up a one-way domain trust between Domain A and Domain B. Users in Domain A can log on to servers in Domain B (B trusts A). Relevant ports are open in the firewall between the domain controllers in A and B. It works but is very slow, so I need to verify that my conclusion is correct. What I think is going on is that when a user from A is logging on to a server (let us call it B1) in B, then B1 tries to contact a domain controller in A using Kerberos. Since this is not allowed in the firewall, the server tries NTLM as a fallback option, but here it is the B domain controllers that contact the A domain controllers and the user is authenticated. Because of the "Kerberos then NTLM" problem, the logon is very slow. Now, is my only option to open the firewall so that B1 can connect to domain controllers in Domain A, or is there another way to...
This topic first appeared in the Spiceworks Community
Sorry, I don't follow your question. Can you expand on what you are after? When you say AD assessment for Domain Trust, do you mean you need to validate and document an existing trust, or propose a solution for a new one? And what are you interested in with sites?
Thanks
Regards,
Denis Cooper
Blog: http://www.windows-support.co.uk
-
Domain trust for external exchange domain
Ok so I have inherited two domains: one domain runs Active Directory services that all of the workstations are joined to (domainA), the second domain hosts Exchange (domainB). After signing in on a computer in domainA we have to authenticate Outlook with domainB to get email. The end result I would like is to be able to authenticate with domainA for email but have it load the profile as if it was domainB. I can create a one-way trust from domainB to domainA, but I'm not sure how to fool Exchange into believing DomainA\user1 is DomainB\user1. I've messed around with Authenticate As permissions on domainB, but that doesn't seem to work correctly. I don't want to mess with full access permissions on Exchange as that would cause issues. I haven't had any problems getting the trust functioning correctly, just the Windows/Exchange user side of things. Does...
This topic first appeared in the Spiceworks Community
Hi,
Which kind of domain trust have you created? Which kind of forest trust do you want to create?
A one-way forest trust allows all users in one forest to trust all domains in the other forest; a two-way forest trust forms a transitive trust relationship between every domain in both forests.
Based on my understanding of forest trust, a forest trust is a transitive trust between a forest root domain and a second forest root domain. If you create a forest trust between the two root domains in forest A and forest B, it provides a one-way or two-way, transitive trust relationship between every domain in each forest. In other words, all the domains in forest A and forest B would inherit the trust relationship from their root domains. Personally, you can just create a new forest trust and keep the existing domain trust.
In addition, please make sure that the forest functional level is Windows Server 2003 or higher before you create a forest trust.
Best regards,
Susie -
Hello,
Can the SidHistory attribute be moved from one user account to a different user account in the same forest/domain manually with Active Directory Users and Computers, or with something like PowerShell? It would seem to me this is a safe operation.
Thanks for your help! SdeDot
Hi,
In addition, please also take a look at the below thread:
copy SIDHistory from one account to another in the same domain
http://social.technet.microsoft.com/Forums/en-US/2ca8727c-b3fd-4ef8-9747-99295f0cd61c/copy-sidhistory-from-one-account-to-another-in-the-same-domain?forum=winserverDS
Hope this helps
Best regards
Michael
-
Setting up two way AD domain trust ?
Hi,
I'd like to know what steps I need to take when setting up an Active Directory domain trust between two or more different AD domains, and also the steps to undo the domain trust in case I need to prevent some issues.
Because I currently have about 15+ site offices that run their own Active Directory domain, to be joined with my current parent company AD domain.
Thanks
/* Server Support Specialist */
Have you thought about using Azure Active Directory with user synchronization to consolidate all your offices in one place?
Answering directly: there are different types of trusts. Think about setting up a 1-way trust (users from the first domain can get access to the resources in the second domain but not the other way round) or a 2-way trust (users in both domains get access to resources such as applications or systems in both domains). Please read https://technet.microsoft.com/en-us/library/cc730798.aspx
Setting up the trust is rather easy task (https://technet.microsoft.com/en-us/library/cc771580.aspx) and can be undone easily as well (https://technet.microsoft.com/en-us/library/cc771137.aspx)
Hope that helps!