Re: Trusts between W2k domains in different forests
From: Matthew Melbourne (matt@melbourne.org.uk)
Date: 09/28/02
- Next message: R.N. Folsom: "Security Tab Extra Marks Mystery"
- Previous message: Mark Tellier: "Certificate Authority problem with Win2k SP3"
- In reply to: Dave Shaw [Microsoft MVP]: "Re: Trusts between W2k domains in different forests"
From: Matthew Melbourne <matt@melbourne.org.uk> Date: Sat, 28 Sep 2002 21:31:26 GMT
In article <uqXBrKyZCHA.1496@tkmsftngp09>, Dave Shaw [Microsoft MVP]
<dhshaw@gNeOnSePsAiMs-ii.com> wrote:
>
> > We wish to grant access to resources in the Corporate Domain (Domain
> > A), particularly web-based resources which are heavily integrated into
> > the NTLM authentication model, to users in the third party domain
> > (Domain B).
>
> Certificates. Have you decided upon a PKI model?
No, not yet. Could you expand on this? I did wonder whether there was a
different way of solving this problem, without using NT/2000 trusts.
However, a requirement is to provide seamless access to resources in other
domains, without the need for an additional authentication.
> Actually, only the PDC FSMO role holders need to *find* each other.
> They are the machines that will make the trusts for the domain. To do
> this, they need to each be able to locate and determine the IP address
> of the computers in each domain holding the <1Bh> service (Domain Master
> Browser). These are the PDC emulators. To do this, you will need to
> ensure NetBIOS Name resolution of each machine to each machine.
So, only the FSMO role holders need to be defined in any firewall rulebase
which specifies "trust-related" traffic. Does that therefore mean that if
the PDC FSMO role holders become unavailable, then the trust is
effectively broken?
> > To complicate this further, a firewall exists between the two
> > networks, so network traffic associated with W2k trusts will need to
> > be permitted through the firewall. Domain A is a Windows 2000 native
> > domain consisting of a number of domain controllers and Domain B will
> > likely have a number of domain controllers too. When a one-way trust
> > is created so that Domain A trusts Domain B, which domain controllers
> > actually exchange traffic? Could it be any of the DCs, or just the DC
> > on which the trust was created, as this will dictate the firewall
> > rules.
> Create a tunnel between the two firewalls.
Setting up an IPSec tunnel between the firewalls may be an option, but we
would want to constrain traffic between the DCs to only that required to
maintain the trust, and from what I have read in various KB/TechNet
articles, setting up a trust through a firewall is non-trivial :)
Cheers,
Matt
--
Matthew Melbourne
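As an added illustration of the point in the thread (this is not code from the original posting, nor anything Microsoft ships): the <1B> name Dave refers to is a plain NetBIOS Name Service record, so you can check from a DC on each side of the firewall that the other domain's PDC emulator resolves, without touching the trust at all. The small client below builds an NBNS name query for DOMAIN<1B>, sends it to a WINS server over UDP 137, and parses the positive or negative response. The domain name "CORP", the WINS server address and the 10.0.0.5 reply are constructed placeholders; the response-builder exists only so the parser can be exercised offline against a constructed packet.

```python
import socket
import struct
from typing import List, Tuple

NB_SUFFIX_DOMAIN_MASTER_BROWSER = 0x1B  # DOMAIN<1B>: registered by the PDC emulator
QTYPE_NB = 0x0020                        # NetBIOS general name service RR
QTYPE_NULL = 0x000A                      # used in negative name query responses
QCLASS_IN = 0x0001


def encode_netbios_name(name: str, suffix: int) -> bytes:
    """First-level encode a NetBIOS name (RFC 1001 s.14.1).

    Upper-case, space-pad to 15 bytes, append the 1-byte suffix, then split
    every byte into two nibbles and add each to 'A' (0x41): 32 bytes out.
    """
    raw = name.upper().encode("ascii").ljust(15, b" ")[:15] + bytes([suffix])
    out = bytearray()
    for b in raw:
        out.append(0x41 + (b >> 4))
        out.append(0x41 + (b & 0x0F))
    return bytes(out)


def decode_netbios_name(encoded: bytes) -> Tuple[str, int]:
    """Reverse of encode_netbios_name: returns (name, suffix)."""
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def build_nbns_query(name: str, suffix: int, txid: int = 0x1234,
                     broadcast: bool = False) -> bytes:
    """NBNS NAME QUERY REQUEST (RFC 1002 s.4.2.12): header + one question."""
    flags = 0x0110 if broadcast else 0x0100   # opcode QUERY, RD set, B bit for broadcast
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)  # QD=1, AN=NS=AR=0
    question = (b"\x20" + encode_netbios_name(name, suffix) + b"\x00"
                + struct.pack(">HH", QTYPE_NB, QCLASS_IN))
    return header + question


def parse_nbns_response(data: bytes, txid: int) -> Tuple[int, List[str]]:
    """Return (rcode, [IPv4 addresses]) from a name query response.

    rcode 0 with addresses is a positive response; a non-zero rcode (3 = name
    error) means the WINS server does not know the name.
    """
    rid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    rcode = flags & 0x000F
    off = 12 + qd * (1 + 32 + 1 + 4)          # responses normally carry QD=0
    addrs: List[str] = []
    for _ in range(an):
        off += 1 + 32 + 1                     # RR_NAME uses the same fixed encoding
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rtype != QTYPE_NB or rclass != QCLASS_IN:
            continue                          # e.g. the NULL RR of a negative response
        for i in range(0, rdlen, 6):          # each entry: NB_FLAGS (2) + IPv4 (4)
            _nb_flags = struct.unpack(">H", rdata[i:i + 2])[0]  # bit 15 set = group name
            addrs.append(socket.inet_ntoa(rdata[i + 2:i + 6]))
    return rcode, addrs


def build_nbns_response(txid: int, name: str, suffix: int, addrs: List[str],
                        rcode: int = 0) -> bytes:
    """Construct a response the way a WINS server would (constructed test input only)."""
    flags = 0x8580 | (rcode & 0xF)            # R=1, AA=1, RD=1, RA=1, RCODE
    header = struct.pack(">HHHHHH", txid, flags, 0, 1, 0, 0)
    rr_name = b"\x20" + encode_netbios_name(name, suffix) + b"\x00"
    if rcode:
        return header + rr_name + struct.pack(">HHIH", QTYPE_NULL, QCLASS_IN, 0, 0)
    rdata = b"".join(struct.pack(">H", 0x6000) + socket.inet_aton(a) for a in addrs)
    return header + rr_name + struct.pack(">HHIH", QTYPE_NB, QCLASS_IN, 300000, len(rdata)) + rdata


def resolve_via_wins(name: str, suffix: int, wins_server: str,
                     timeout: float = 2.0) -> Tuple[int, List[str]]:
    """Send the query to a WINS server (unicast UDP 137) and parse the reply."""
    txid = 0x1234
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_nbns_query(name, suffix, txid), (wins_server, 137))
        data, _ = s.recvfrom(512)
    return parse_nbns_response(data, txid)


if __name__ == "__main__":
    # Placeholder WINS address; run from a DC in Domain A against Domain B's WINS.
    print(resolve_via_wins("CORP", NB_SUFFIX_DOMAIN_MASTER_BROWSER, "192.0.2.10"))
```

If the query times out rather than returning rcode 3, the firewall (or a missing WINS replication partner) is the problem, not the trust; a positive answer tells you which host the trust-building DC will actually talk to, which is the address set the firewall rulebase has to name.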