Domain Trust over IPSEC
  • Domain Trust over IPSEC

    I have two win2k3 domains and have created an IPSEC tunnel between the PDC emulators of both domains. The domains/DCs are separated by a firewall on which I have opened the appropriate ports, and I have tested the IPSEC tunnel successfully.
    I have added hosts file entries on both DCs for the other domain.
    I want to create a one-way trust between the domains, but it's not happening.
    Have tried from both ends.

    Thanks

  • #2
    Re: Domain Trust over IPSEC

    > I have added hosts file entries on both DCs for the other domain.

    Easy to make a mistake with that. Why not full DNS connectivity, for instance using a conditional forwarder?

    Also, just PDCe connectivity is not good enough. Each DC expects to be able to set up a secure channel.

    • #3
      Re: Domain Trust over IPSEC

      Thanks for the DNS advice. Are you able to provide a brief explanation of why all DCs will expect to be able to set up a secure channel? Any help is much appreciated.
      Thanks

      • #4
        Re: Domain Trust over IPSEC

        > Are you able to provide a brief explanation of why all DCs will expect to be able to set up a secure channel

        Sure. All authentication requests go to a DC. So, you go to a workstation of domain A, but want to log on to domain B as Joe (B\Joe). The workstation asks a DC of domain A: do you know B\Joe? No, it doesn't, but it has a trust that tells it where domain B lives. Then, it sets up a secure channel to the appropriate DC of domain B, which will tell it all about B\Joe.

        There is no need to go to the PDCe of domain A first, that would just be overhead. Worse, on boot each DC will try to verify every trust...

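The two checks the replies above point at (DNS-based DC location instead of hosts entries, and each DC being able to reach every remote DC for a secure channel) can be verified from the domain A side with the following script. It is an added example, not something posted in this thread; it assumes a current Windows DC with the DnsServer and DnsClient modules (the thread's Windows 2003 DCs predate these cmdlets, where dnscmd and nltest alone would be used), and the domain name and DNS server address are placeholders.

```powershell
# Added diagnostic for a cross-firewall AD trust (not from the thread).
# Run on a DC of the trusting domain. Placeholder values must be replaced.
param(
    [string]$TrustedDomain    = 'domainb.example',   # placeholder: the other domain
    [string[]]$RemoteDnsServers = @('192.0.2.10')    # placeholder: DNS of the other domain
)

# 1. DNS: a conditional forwarder replaces hosts-file entries, so every DC
#    (not only the PDCe) can locate any DC of the other domain via SRV records.
if (-not (Get-DnsServerZone -Name $TrustedDomain -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $TrustedDomain -MasterServers $RemoteDnsServers
}

# 2. Confirm this DC can discover the remote DCs through DNS alone.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$TrustedDomain" -Type SRV -ErrorAction Stop
$remoteDcs = $srv | Where-Object { $_.Type -eq 'SRV' } |
             Select-Object -ExpandProperty NameTarget -Unique

# 3. Firewall/IPsec: every local DC needs these ports to every remote DC
#    (plus the RPC dynamic range), not just the PDCe-to-PDCe path the tunnel covers.
$trustPorts = 53, 88, 135, 389, 445, 464, 636, 3268, 3269
foreach ($dc in $remoteDcs) {
    foreach ($port in $trustPorts) {
        $result = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
        $state  = if ($result.TcpTestSucceeded) { 'open' } else { 'BLOCKED' }
        '{0,-40} {1,5} {2}' -f $dc, $port, $state
    }
}

# 4. Secure channel: ask the DC locator for a remote DC, then verify the trust
#    secure channel from this DC (repeat on each DC, since each one builds its own).
nltest /dsgetdc:$TrustedDomain
nltest /sc_verify:$TrustedDomain
```

Any "BLOCKED" row or a failing sc_verify on a non-PDCe DC reproduces the symptom described in the first post.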