Establishing a Trust

  • Question

  • I originally posted this question in the directory services section but was asked to post here as it was deemed network related so here it is...

    Some background...

    I am a Microsoft Architect that was very recently brought on by a regional MSP.  Although I have over a decade in Active Directory admin and design, this is my first foray into the MSP world, so apologies if I initially do not make sense.

    My first project is to figure out a resolution to an issue that the company has recently come across.  Here you'll find a Visual Reference to the text below.

    Using the visual as a reference, our dilemma is this: How do we create a trust between the MSP domain and Customer B WHEN either of the following is true:

    1 - Customer B controlled site is using same IP address space as the MSP domain.

    OR

    2 - Customer B controlled site is using same IP address space as Customer A.

    This creates a routing problem. Assuming the MSP manages domain controllers for the customer at the MSP site, we can solve this problem if the Customer is willing to temporarily move the PDC role to the managed DC. However, when the customer is NOT willing to move the role, we cannot route back to the customer controlled site to establish the trust.

    We have developed a work-around by creating a direct SSL VPN from the customer PDC to our management PDC that allows us to do the necessary but it requires the customer to be willing to work with us and screen share on their PDC. Hokey I know but it works. 

    We are looking for a more permanent solution. I find it hard to believe we are the only ones that have come across this problem. Thank you in advance for any insight you may have. Again, please remember, I did not design the network nor control the customer setup process. I'm just an architect given this problem to rectify.


    Tuesday, May 28, 2013 11:11 AM

Answers

  • You will need to double NAT then. That was my plan B to tell you.

    -- > In your MSP domain main router, don't make both routing rules for the same LAN. Just make a static rule on your DC to contact your other DC, like 192.168.1.11 255.255.255.255 ip_of_other_site_router_A and 192.168.1.12 255.255.255.255 ip_of_other_site_router_B. (The double NAT comes in there: as a tunnel knows each side completely, each router that will double NAT will sit in between your main router and your customer router.)

    The replication might work, but nothing else easily, as your computers in your MSP LAN will have to have static rules.

    But yes, I read your question correctly, but on my side I'm used to cross-linking nothing. If your domain gets infected by a virus, are you liable for that if it propagates into your client's LAN? And if customer B has to follow SOX 404, does linking to your AD make you have to follow SOX 404?

    That's why I was asking why at first :-)


    MCP | MCTS 70-236: Exchange Server 2007, Configuring
    Microsoft Translator Widget - French moderator (Technet Wiki)

    Twitter - @yagmoth555
    Blog: http://www.jabea.net | http://blogs.technet.com/b/wikininjas/


    Wednesday, May 29, 2013 5:37 PM
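The answer above relies on two mechanics that are easy to get wrong when customer sites reuse 192.168.x.x: a /32 host route for the remote DC beats the connected /24 by longest-prefix match, so only that one host is steered into the tunnel or double-NAT router while the rest of the LAN stays local, and you want to know which customer ranges collide before a trust is attempted. The following Python is an added example, not code from the thread or from any of its posters; every address, site name and next hop in it is constructed for illustration.

```python
"""Model of the host-route trick from the accepted answer plus an overlap
checker for customer address space. All data here is constructed."""
from ipaddress import ip_address, ip_network

# Constructed MSP-side routing table: the connected /24 plus the two /32
# host routes the answer suggests, each pointing at the NAT/tunnel router
# for that customer site (next-hop addresses are assumptions).
MSP_ROUTES = [
    ("192.168.1.0/24", "on-link"),     # MSP LAN, directly connected
    ("192.168.1.11/32", "10.0.0.2"),   # customer A's DC via router A
    ("192.168.1.12/32", "10.0.0.3"),   # customer B's DC via router B
]

# Constructed inventory of address space per managed domain.
SITES = {
    "MSP": ["192.168.1.0/24"],
    "CustomerA": ["192.168.1.0/24"],   # same space as the MSP: the problem case
    "CustomerB": ["10.20.0.0/16"],
}


def longest_prefix_match(routes, dst):
    """Return (prefix, next_hop) of the most specific route covering dst,
    or None. This is the rule a router or Windows host applies, and it is
    why a /32 for the remote DC wins over the overlapping connected /24."""
    addr = ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def overlapping_sites(sites):
    """Return sorted (site_a, site_b) pairs whose address ranges overlap.
    Any pair listed here cannot be plainly routed from one place, which is
    the condition that forces the host-route / double-NAT workaround."""
    names = sorted(sites)
    hits = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            nets_a = [ip_network(n) for n in sites[a]]
            nets_b = [ip_network(n) for n in sites[b]]
            if any(na.overlaps(nb) for na in nets_a for nb in nets_b):
                hits.append((a, b))
    return hits


def next_hop_for(dst):
    """Convenience wrapper: the next hop the MSP table selects for dst."""
    match = longest_prefix_match(MSP_ROUTES, dst)
    return None if match is None else match[1]


if __name__ == "__main__":
    print("Overlapping address space:", overlapping_sites(SITES))
    for host in ("192.168.1.11", "192.168.1.12", "192.168.1.50"):
        print(f"{host} -> {next_hop_for(host)}")
```

On a Windows DC the /32 entry corresponds to a persistent host route such as `route add 192.168.1.11 mask 255.255.255.255 10.0.0.2 -p` (the gateway being whatever address the NAT or tunnel router presents on the MSP side); the model above shows why that single entry is enough to reach the remote DC while everything else in 192.168.1.0/24 stays on the local LAN, and why, as the answer notes, every MSP machine that must reach the customer DC needs the same rule.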

All replies

  • Hi,

    OK, my first idea is: why does the MSP domain have a trust to the domain you manage? If you manage a lot of customers you just can't do it. 192.168.x.x is so widely used, you will find yourself in a dilemma like today.

    In my book, all customers I manage are totally separate. If you do 2 trusts, then on paper you bring those 2 domains together somehow. Maybe not technically, but a customer will see it that way.

    So the basic idea that does not work in the plan is the fact that the MSP domain can talk to both domains.

    I usually remote to a VM isolated in the customer site to start managing the customer.

    So the question I'm asking is the why. I often see computers in a workgroup that do the remote, so my internal domain is completely cut off from my customer domain and my domain can't pollute my customer domain in any way.


    MCP | MCTS 70-236: Exchange Server 2007, Configuring
    Microsoft Translator Widget - French moderator (Technet Wiki)

    Twitter - @yagmoth555
    Blog: http://www.jabea.net | http://blogs.technet.com/b/wikininjas/

    Wednesday, May 29, 2013 3:28 AM
  • I think you are misreading.  I am the MSP providing services to our clients.  We have a management domain and set up 1-way trusts with all our customers so that our 100+ technicians don't have to try and keep track of a separate login for each client.  We've been fine for years and have only run into this scenario twice; it just so happens that both have been in the past year.  Due to expansion, mgmt feels this needs attention to avoid having to do our band-aid trick.
    Wednesday, May 29, 2013 12:08 PM
  • Hi BlitzSonik,


    I would like to check if you need further assistance.


    Thanks.


    Jeremy Wu
    TechNet Community Support

    Monday, June 3, 2013 5:48 AM
    Moderator
  • Still testing in lab.  I suppose this can be closed as I am not really getting the kind of discussions I expected.
    Monday, June 10, 2013 11:52 AM