Establishing a Trust

  • Question

  • Some background...

    I am a Microsoft Architect who was very recently brought on by a regional MSP.  Although I have over a decade in Active Directory admin and design, this is my first foray into the MSP world, so apologies if I initially do not make sense.

    My first project is to figure out a resolution to an issue that the company has recently come across.  Here you'll find a Visual Reference to the text below.

    Using the visual as a reference, our dilemma is this: How do we create a trust between the MSP domain and Customer B WHEN either of the following is true:

    1 - Customer B controlled site is using the same IP address space as the MSP domain.

    OR

    2 - Customer B controlled site is using the same IP address space as Customer A.

    This creates a routing problem. Assuming the MSP manages domain controllers for the customer at the MSP site, we can solve this problem if the Customer is willing to temporarily move the PDC role to the managed DC. However, when the customer is NOT willing to move the role, we cannot route back to the customer controlled site to establish the trust.

    We have developed a work-around by creating a direct SSL VPN from the customer PDC to our management PDC that allows us to do the necessary but it requires the customer to be willing to work with us and screen share on their PDC. Hokey I know but it works. 

    We are looking for a more permanent solution. I find it hard to believe we are the only ones that have come across this problem. Thank you in advance for any insight you may have. Again, please remember, I did not design the network nor control the customer setup process. I'm just an architect given this problem to rectify.

    Monday, May 20, 2013 3:56 PM

Answers

  • You could consider setting up a NAT solution, but this isn't supported by Microsoft.  I have NAT domains set up and running w/o incident and believe that you could configure your setup to do this.  You will just need to ensure that your DNS on each side points to the NAT's definition for the DCs, not the actual DCs' IP addresses.  So that would require you to copy the DNS of the trusted domain and import it as a secondary of the trusting domain and then change the IP addresses of the trusting domain to the NAT'd addresses.  This will have to be set up on one or both sides, depending on whether you NAT both or one of the sides.

    --
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, Vista, 2003, 2000 (Early Achiever), NT4
    Twitter @pbbergs
    http://blogs.dirteam.com/blogs/paulbergson

    Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.

    Tuesday, May 28, 2013 11:57 AM
    Moderator
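    A planning check for the approach in the answer above, added here as an example and not part of the original thread: it confirms the two sites' address spaces overlap (the original poster's case 1) and builds the NAT'd copy of the trusted domain's DC A records that the trusting side's secondary zone should hold, refusing any DC that has no NAT entry or whose NAT'd address still lands inside the overlapping subnet. The subnets, host names and NAT mapping are constructed sample values.

```python
"""Plan a NAT'd DNS view for an AD trust across overlapping address space.

Added example, not from the original thread. Subnets, host names and the
NAT mapping below are constructed sample values.
"""
import ipaddress

# Constructed sample: MSP and Customer B both use 10.0.0.0/24 (case 1 in the thread).
MSP_NET = ipaddress.ip_network("10.0.0.0/24")
CUSTOMER_B_NET = ipaddress.ip_network("10.0.0.0/24")

# Constructed sample of the A records the trusting side copies from the
# trusted domain's zone (DC host name -> real address).
CUSTOMER_B_DC_RECORDS = {
    "dc1.customerb.local": "10.0.0.10",
    "dc2.customerb.local": "10.0.0.11",
}

# Constructed static NAT mapping: real DC address -> address presented to the MSP side.
NAT_MAP = {
    "10.0.0.10": "192.168.200.10",
    "10.0.0.11": "192.168.200.11",
}


def address_spaces_overlap(net_a, net_b):
    """True when the two sites cannot be routed to each other directly."""
    return net_a.overlaps(net_b)


def nat_zone_records(records, nat_map, local_net):
    """Return the A records the trusting domain's secondary copy should hold.

    Each DC address is replaced by its NAT'd address. A DC with no NAT entry,
    or whose NAT'd address still falls inside the local (overlapping) subnet,
    is rejected: clients would resolve that DC to an unroutable address and
    the trust would fail the same way it does today.
    """
    natted = {}
    for host, real_ip in records.items():
        if real_ip not in nat_map:
            raise ValueError(f"no NAT mapping for {host} ({real_ip})")
        translated = ipaddress.ip_address(nat_map[real_ip])
        if translated in local_net:
            raise ValueError(f"NAT address {translated} for {host} collides with {local_net}")
        natted[host] = str(translated)
    return natted


def plan():
    """Real addresses when routing works, NAT'd addresses when the spaces overlap."""
    if not address_spaces_overlap(MSP_NET, CUSTOMER_B_NET):
        return dict(CUSTOMER_B_DC_RECORDS)
    return nat_zone_records(CUSTOMER_B_DC_RECORDS, NAT_MAP, MSP_NET)
```

    The output is only the record set to load into the secondary zone; the static NAT itself and the SRV records (which point at host names, not addresses, and so need no rewriting) are configured on the firewall and DNS server as usual.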

All replies

  • Hi,

    Thanks for posting in Microsoft TechNet forums.

    I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.

    Thank you for your understanding and support.


    Regards.


    Vivian Wang
    TechNet Community Support

    Tuesday, May 21, 2013 9:17 AM
    Moderator
  • To establish a trust, the PDCs in the two domains must be reachable from each other. It appears this is a network issue; you may try opening a thread in the network community.

    Regards,

    Diana


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Thursday, May 23, 2013 10:46 AM
  • Un-marked as an answer as I don't feel that it is but I will post in the Platform Networking forum nonetheless.
    Tuesday, May 28, 2013 11:08 AM
  • In addition, DCs and Network Address Translation

    Regards
    Biswajit Biswas
    My Blogs|TechnetWiki Ninja


    Best regards Biswajit Biswas Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights. MCP 2003,MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin

    Tuesday, May 28, 2013 1:15 PM