Re: Trusts between W2k domains in different forests
From: Dave Shaw [Microsoft MVP] (dhshaw@gNeOnSePsAiMs-ii.com)
Date: 09/28/02
- Next message: Stefan: "Re: Limiting the amount of files that a user can deposit into a directory."
- Previous message: Rob: "unique usernames"
- In reply to:(deleted message) Matthew Melbourne: "Trusts between W2k domains in different forests"
- Next in thread: Matthew Melbourne: "Re: Trusts between W2k domains in different forests"
- Reply:(deleted message) Matthew Melbourne: "Re: Trusts between W2k domains in different forests"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Dave Shaw [Microsoft MVP]" <dhshaw@gNeOnSePsAiMs-ii.com> Date: Sat, 28 Sep 2002 15:11:44 -0400
inline -
"Matthew Melbourne" <matt@melbourne.org.uk> wrote in message
news:4b7d22c689matt@melbourne.org.uk...
> We are investigating setting up trusts between our corporate W2k domain
> and a W2k domain managed by a third party. For a variety of reasons, these
> Windows 2000 domains are in different forests (and have different AD
> schemas).
>
> We wish to grant access to resources in the Corporate Domain (Domain A),
> particularly web-based resources which are heavily integrated into the
> NTLM authentication model, to users in the third party domain (Domain B).
Certificates. Have you decided upon a PKI model?
> Since the domains are in different forests, an automatic transitive trust
> will not exist, and manual trusts will need to be created, in a similar
> manner to NT 4 trusts, i.e. Domain A trusts Domain B, for Domain B users
> to be granted access to resources in Domain A. In addition Domain A will
> need to locate Domain B's DCs through DNS (but this is a secondary issue).
Actually, only the PDC FSMO role holders need to *find* each other. They
are the machines that will make the trusts for the domain. To do this, they
need to each be able to locate and determine the IP address of the computers
in each domain holding the <1Bh> service (Domain Master Browser). These are
the PDC emulators. To do this, you will need to ensure NetBIOS Name
resolution of each machine to each machine.
> To complicate this further, a firewall exists between the two networks,
> so network traffic associated with W2k trusts will need to be permitted
> through the firewall. Domain A is a Windows 2000 native domain consisting
> of a number of domain controllers and Domain B will likely have a number
> of domain controllers too. When a one-way trust is created so that Domain
> A trusts Domain B, which domain controllers actually exchange traffic?
> Could it be any of the DCs, or just the DC on which the trust was created,
> as this will dictate the firewall rules.
Create a tunnel between the two firewalls.
-ds
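The NetBIOS lookup Dave refers to, the PDC emulators resolving each other's <1Bh> (Domain Master Browser) name, comes down to one NBNS name query over UDP/137; the following is an added illustration, not code from the thread, that encodes the name per RFC 1001/1002, builds the unicast (WINS-style) query and parses the reply. The domain name CORPDOMA and the address 192.0.2.10 are constructed placeholders, and the whole thing runs offline against a constructed reply, so it is a way to check what a firewall between the two forests must let through before the trust is created.

```python
import socket
import struct

def netbios_encode(name: str, suffix: int) -> bytes:
    """First-level encode a NetBIOS name (RFC 1001 s14.1): pad or cut the name
    to 15 bytes, append the one-byte suffix (0x1B = Domain Master Browser, i.e.
    the PDC emulator), then write each nibble as a letter 'A'..'P'."""
    raw = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix])
    return bytes(c for b in raw for c in (0x41 + (b >> 4), 0x41 + (b & 0x0F)))

def netbios_decode(encoded: bytes) -> tuple:
    """Inverse of netbios_encode: returns (name, suffix)."""
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].rstrip(b" ").decode("ascii"), raw[15]

def build_nbns_query(domain: str, txid: int = 0x1234) -> bytes:
    """NBNS NAME QUERY REQUEST (RFC 1002 s4.2.12) for DOMAIN<1B>, unicast form
    (RD set, B clear) as sent to a WINS server; QTYPE=NB(0x20), QCLASS=IN."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = b"\x20" + netbios_encode(domain, 0x1B) + b"\x00"
    return header + question + struct.pack(">HH", 0x0020, 0x0001)

def parse_nbns_response(pkt: bytes) -> list:
    """Return (name, suffix, ip) triples from a positive NAME QUERY RESPONSE;
    an RCODE other than 0 (e.g. name not registered) yields []."""
    _, flags, _, ancount = struct.unpack(">HHHH", pkt[:8])
    if flags & 0x000F or ancount == 0:
        return []
    pos, found = 12, []
    for _ in range(ancount):
        name, suffix = netbios_decode(pkt[pos + 1:pos + 33])
        pos += 34  # length byte + 32 encoded chars + 0x00 terminator
        _, _, _, rdlen = struct.unpack(">HHIH", pkt[pos:pos + 10])
        pos += 10
        for off in range(0, rdlen, 6):  # each entry: NB_FLAGS(2) + IPv4(4)
            ip = socket.inet_ntoa(pkt[pos + off + 2:pos + off + 6])
            found.append((name, suffix, ip))
        pos += rdlen
    return found

# Constructed sample (placeholder domain, TEST-NET address): positive reply for CORPDOMA<1B>.
SAMPLE_RESPONSE = (
    struct.pack(">HHHHHH", 0x1234, 0x8580, 0, 1, 0, 0)
    + b"\x20" + netbios_encode("CORPDOMA", 0x1B) + b"\x00"
    + struct.pack(">HHIH", 0x0020, 0x0001, 300000, 6)
    + b"\x00\x00" + socket.inet_aton("192.0.2.10")
)
# Constructed negative reply (RCODE 3, name error): the <1B> name is unknown.
SAMPLE_NEGATIVE = struct.pack(">HHHHHH", 0x1234, 0x8583, 0, 0, 0, 0)
```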