View Full Version : NAT with MS AD trust in corporate network

2006-12-29, 11:01
We do have a problem with one direction of 2-way trust between NT 4 local domain and Active Directory corporate domain. A 2-way trust has been set up succesfull. I think the problem might has something to do with our firewall and the fact that we NAT our internal secure NT4 pdc address.

Our firewall CP NG AI R55 serves 3 zones. Unsecure (the corporate Active Directory network), DMZ (our public zone where an AD DC with PDC emulator function for our location is residing and the secure zone (where the PDC from our NT4 domain is residing). The secure zone addresses are not routable to the corporate network (unsecure), but are on our dmz.

When browsing from NT4 PDC to AD it works fine.
When browsing from AD domain to our NT4 domain access is denied (RPC server is unavailable). I have the feeling that NAT is part of the problem.

First tried using static nat on NT4 pdc:
NT4 pdc secure -> any (dmz or unsecure) xlates NT4 pdc dmz address -> any
which created the 2 automatic rules for translating network traffic.

Changed this to static nat rules manual.
unsecure -> NT4 pdc dmz xlates unsecure -> NT4 pdc secure
NT4 pdc secure -> unsecure xlates NT4 dmz adres -> unsecure

I suspect the AD DC in the dmz might not know the NT4 pdc server by it's NAT address because that address is not a real server, but netdom query and ping from this AD DC towards our NT4 domain does give the proper result (I think the firewall proxies as being the server in dmz on requests from dmz machines?). Connecting (user manager) however gives access denied.

Any help would be appreciated.

2007-01-14, 03:27
What services/ports are allowed for such connection?
There are some "Special Services" for AD & Exchange. Please check out the MS-RPC Service. Use these services instead of allowing the ports.