Forest trust design with multiple network segments


  • Forest trust design with multiple network segments

    We have three firewalled network segments A | B | C

    A = our existing internal forest
    B = a single DC added to our existing forest in A, to be stood up specifically to create this trust
    C = external forest

    (B is necessary as we are unable to make A directly routable to C and want to avoid NAT'ing. Long story.)

    We have opened all ports between the new DC in B, and the existing DCs in A. We will probably do the same for the new DC in B, and one or all DCs in C.

    Forest in AB is 2003, forest in C is 2008R2.

    Questions:

    1) The member servers and workstations in A cannot communicate with the DC in B. Should any additional config be done to account for this? Note that A is on a separate subnet from B and C.

    2) The DCs in A cannot see the DCs in the external forest in C. Should any additional config be done to account for this?

    3) Does the DC in B need to hold any FSMO roles?

    Thanks,
    Jaime
    Last edited by Strago; 22nd July 2013, 21:05.

  • #2
    Re: Forest trust design with multiple network segments

    1) What type of communication are you referring to?

    2) You stated that A and C won't be able to communicate. A sees B, B sees C, A and C do not communicate.

    3) I don't believe so.

    Comment


    • #3
      Re: Forest trust design with multiple network segments

      Hi Joe.

      1) By no communication I mean completely blocked by firewall.

      2) Another way to ask: Will the trust function correctly if only one DC on each side is routable?

      Comment
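      The design above hinges on the single DC in B being able to resolve and reach DCs on both sides through the firewalls. The following PowerShell check is an added example, not something posted in this thread; the hostnames are placeholders, it tests TCP only (UDP 53/88/389 and the dynamic RPC high-port range are not covered), and it uses .NET sockets so it also runs on the older PowerShell that ships with 2003/2008 R2.

```powershell
# Added example: run on the DC in segment B. Confirms DNS resolution and TCP
# reachability of the ports a forest trust depends on, towards one DC in A
# and one DC in C. Hostnames below are placeholders, not from the thread.
$Targets = @(
    'dc1.segmentA.example.internal',   # existing DC in forest A (placeholder)
    'dc1.segmentC.example.external'    # DC in the external forest C (placeholder)
)
# Well-known TCP ports used during trust creation/validation and for
# Kerberos/LDAP traffic. Dynamic RPC ports are negotiated after 135 and
# are not probed here.
$Ports = @{ 53 = 'DNS'; 88 = 'Kerberos'; 135 = 'RPC endpoint mapper';
            389 = 'LDAP'; 445 = 'SMB'; 464 = 'Kerberos kpasswd';
            636 = 'LDAPS'; 3268 = 'Global Catalog' }
$TimeoutMs = 3000

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$Timeout)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # No SYN/ACK within the timeout usually means a firewall drop
        if (-not $async.AsyncWaitHandle.WaitOne($Timeout, $false)) { return $false }
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

foreach ($target in $Targets) {
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($target) |
                 ForEach-Object { $_.IPAddressToString }
        Write-Host ("{0} resolves to {1}" -f $target, ($addrs -join ', '))
    } catch {
        # Without name resolution (e.g. a missing conditional forwarder)
        # the trust wizard cannot even locate the other forest.
        Write-Warning ("{0}: DNS resolution failed" -f $target)
        continue
    }
    foreach ($port in ($Ports.Keys | Sort-Object)) {
        $ok    = Test-TcpPort -ComputerName $target -Port $port -Timeout $TimeoutMs
        $state = if ($ok) { 'open' } else { 'BLOCKED/closed' }
        Write-Host ("  {0,5}/tcp {1,-20} {2}" -f $port, $Ports[$port], $state)
    }
}
```

      Any port reported as BLOCKED/closed towards C is a firewall rule still to open between B and C; a DNS failure points at the forwarder or stub-zone configuration rather than the firewall.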
