Trust relationships between subnets?

jocadmin (IS-IT--Management), Oct 4, 2005
Hello, I have one DC in a corporate office and four remote sites. The remote sites have independent internet but no DC and connect to my DC via a VPN connection. The VPN is established with a PIX 501 at each site and one PIX 515 in my office.

I run in to the problem of personnel turnover at a remote site and not being able to add that person to a workstation remotely without bringing the computer into my office and plugging straight into the domain.

Any ideas or recommendations would be appreciated. Thank you.
 
"... not being able to add that person to a workstation remotely ..."

Add them to what remotely? Local groups? I'm having the same thoughts as JBorecky.



A+/MCP/MCSE/MCDBA
 
I understand any and all confusion, I'm experiencing it too. Keep in mind I inherited this and I'm just working with and trying to improve what I have.

The remote workstations were loaded inside the main domain x.x.95.x. Then deployed and subnetted, an example is x.x.90.x, the permissions to allow communications between appropriate IP addresses was input into the PIX and this virtual tunnel was formed. Through the tunnel they can access email from the server in the corporate office and a few remote desktop sessions for some picky software that doesn't like the direct connection.

Would this be considered "on the domain"? A lot of the remote operations are new to me but I feel I'm learning fast.

Forgive me for the dumbed down answers. Let me know if I can amplify any information.
 
Also, Seaspray0, when I say add them to the workstation I meant add them as a user on the workstation. The w/s are basically earmarked for one user at creation unless you add another user from the control panel inside the x.x.95.x domain here at the main office. It just can't be done when it's on one of the subnet IPs. I get a trust error.

I grew up on an NT domain with roaming profiles. I don't know why that was not implemented when this company switched to a 2003 SBS, it was waaaay before my time.

I doubt this network is setup to be optimal but to just work. It's rough but it's all a learning process.

I'm guessing there's not a lot of networks setup like this. Most would have a DC at each site.

Thanks again.
 
No, here's the deal, basically. The computer has to have a computer account to get a trust relationship. This is created when you join the computer to the domain.

This can be done in Control Panel->System Properties of the local box. You will find under the ComputerName tab at the bottom an option to join the computer to the domain. This will also tell you where it is located.

Also in properties make sure that under the remote tab the allow users to connect remotely to this computer is checked.

Last but not least also run the services.msc console and verify Terminal services are running on the local box. Of course check the local groups to make sure that you are an admin.

If the machine is not part of the domain. You will have to log on as COMPUTERNAME\UserAccount. But my suggestion to you is to join it to the domain. Then all you have to do is create a user account in AD. Then the user will be able to log onto the box and get a new profile. This may also one day save your job.
 
Oh by the way. netdom is a useful tool to use to add workstations to the domain remotely. netdom /? will give you the options. This is a command line utility.
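The checklist above (joined to the domain, "allow users to connect remotely" ticked, Terminal Services running, admin in the local group) can be verified in one pass rather than clicking through each dialog. The following is an added example, not code from the thread: it assumes a modern Windows client (PowerShell 5.1 or later, which the XP/2003-era machines in the thread would not have), is run locally in an elevated session, and reports each check as a property so a remote admin can read the whole state at a glance. The domain name is a placeholder.

```powershell
# Added example: remote-access readiness checks for a domain-joined workstation.
# Assumes Windows 8.1/10/11 or Server 2012 R2+ and an elevated PowerShell 5.1+ session.
param(
    [string]$DomainName = 'CORP.EXAMPLE'   # placeholder for the poster's domain
)

$result = [ordered]@{}

# 1. Domain membership: PartOfDomain is $false for a workgroup machine, and
#    Domain should match the domain the box was joined to at the main office.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$result['PartOfDomain']   = $cs.PartOfDomain
$result['Domain']         = $cs.Domain
$result['ExpectedDomain'] = ($cs.Domain -eq $DomainName)

# 2. Remote tab: "Allow users to connect remotely to this computer" is stored as
#    fDenyTSConnections = 0 under the Terminal Server key.
$ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
                       -Name fDenyTSConnections
$result['RemoteDesktopEnabled'] = ($ts.fDenyTSConnections -eq 0)

# 3. services.msc: "Terminal Services" is the TermService service on current Windows.
$svc = Get-Service -Name TermService
$result['TermServiceRunning'] = ($svc.Status -eq 'Running')

# 4. Local Administrators group: the account doing the remote admin work must be here.
$admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
$result['LocalAdmins'] = ($admins -join ', ')

# 5. Host firewall: RDP is unreachable unless the Remote Desktop rule group is enabled.
#    (The display group name is localized on non-English installs.)
$rdpRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
$result['RdpFirewallRulesEnabled'] = (@($rdpRules | Where-Object { $_.Enabled -eq 'True' }).Count -gt 0)

[pscustomobject]$result | Format-List
```

For the join itself, the netdom command the poster names is `netdom join COMPUTER /domain:DOMAIN /userd:DOMAIN\admin /passwordd:*`; on PowerShell-era clients `Add-Computer -DomainName DOMAIN -Credential (Get-Credential)` does the same and can be pointed at a remote box with `-ComputerName`.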
 
No, here's the deal, basically. The computer has to have a computer account to get a trust relationship. This is created when you join the computer to the domain.

Right, I join the domain at the main office, while I'm in the main office plugged in to the .95 network. Then I deploy the machine to the .90 network and I can't add local users of any kind.

This can be done in Control Panel->System Properties of the local box. You will find under the ComputerName tab at the bottom a option to join the computer to the domain. This will also tell you where it is located.

I'm just checking, but does any of this matter when the local box is now on a different network? The DC is on the .95 network and the local box will now be on the .90 network.

If the machine is not part of the domain. You will have to log on as COMPUTERNAME\UserAccount. But my suggestion to you is to join it to the domain. Then all you have to do is create a user account in AD. Then the user will be able to log onto the box and get a new profile. This may also one day save your job.

I know the computers local logons if I loaded them. It is joined to a domain when loaded so I can load some network applications. A username is already created in AD. But when it's NOT inside the .95 network in the main office, I cannot add anyone even if they have an AD account in the .95 network. Are you saying once I get to the remote site I need to redo the wizard to add the computer to a network instead of just changing the IP addresses?

I'm so confused.
 
Are you blocking any ports? AD needs certain ports to communicate. including but not limited to LDAP and Kerberos.


If you are getting a trust error you may have to pull the machines back out into a workgroup and rejoin them to the domain. You can get this if the machines sit off for too long. Which may or may not be the case. The computer has to renew its password every thirty days.

Yes you can still be joined to the domain on a different subnet. In NT4 all the domains were basically local. In AD it's treated as a collective. It doesn't start getting really hairy until you have DCs spread across multiple networks.

Have you tried remoting into the box while it is still attached to the .95 network?

The trust error is usually a sign that the account is invalid, and needs to be re-established.
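The two causes raised in this reply, ports the PIX is not passing and a machine-account password that has drifted out of sync, can be tested from the remote workstation before anyone drives the box back to the office. The "trust" in the error is the workstation's secure channel with its domain controller (the computer-account password), not a domain-to-domain trust. What follows is an added example, not code from the thread: it assumes an elevated PowerShell 5.1+ session on the remote-subnet workstation and uses a placeholder DC name; the port list is the standard AD client set, not something the thread specifies.

```powershell
# Added example: secure-channel and port diagnostics from a workstation on the
# remote (.90-style) subnet toward the DC across the VPN.
param(
    [string]$Dc = 'dc1.corp.example'   # placeholder: DC hostname or IP at the main office
)

# Ports a domain member needs to reach the DC. Test-NetConnection checks TCP only;
# Kerberos and DNS also use UDP, and RPC additionally needs the dynamic high
# port range (49152-65535 on current Windows), so a clean result here is
# necessary but not sufficient.
$ports = @(
    @{ Name = 'DNS';            Port = 53   }
    @{ Name = 'Kerberos';       Port = 88   }
    @{ Name = 'RPC endpoint';   Port = 135  }
    @{ Name = 'LDAP';           Port = 389  }
    @{ Name = 'SMB';            Port = 445  }
    @{ Name = 'Global Catalog'; Port = 3268 }
)
foreach ($p in $ports) {
    $ok = Test-NetConnection -ComputerName $Dc -Port $p.Port `
                             -InformationLevel Quiet -WarningAction SilentlyContinue
    '{0,-15} TCP/{1,-5} {2}' -f $p.Name, $p.Port, $(if ($ok) { 'open' } else { 'BLOCKED' })
}

# The secure channel is the "trust" the poster sees failing. $false means the
# machine account password no longer matches AD (e.g. the box sat off too long).
$secure = Test-ComputerSecureChannel -Server $Dc
"Secure channel to $Dc OK: $secure"

# Netlogon's renewal interval for the machine password: default is 30 days
# (the value is absent unless an admin set it), matching the thread's figure.
$nl = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$maxAge = if ($null -ne $nl.MaximumPasswordAge) { $nl.MaximumPasswordAge } else { 30 }
"Machine password max age: $maxAge days; DisablePasswordChange=$($nl.DisablePasswordChange)"

# Repair path that avoids the workgroup-and-rejoin dance, run with domain admin creds:
#   Test-ComputerSecureChannel -Repair -Server $Dc -Credential (Get-Credential)
#   Reset-ComputerMachinePassword -Server $Dc -Credential (Get-Credential)
```

If every port shows open and the secure channel still fails, the account is the problem and the repair line at the bottom is the fix; if ports show BLOCKED, the PIX access lists need the missing services before any rejoin will hold.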
 
Quick question, if the account was invalid would they be able to do anything on a server? The email from these machines is getting pulled just fine when they log in.

I'll sure check out the article though...thank you.
 
Yes they would. They would have to log on the first time. But if they are running XP or WIN2K, these operating systems will cache the credentials.
 
I'm revisiting this. I've read that no trusts can be established with an SBS. I failed to mention that was my authentication server in my previous posts, shame on me.

But I don't understand why a workstation would require a trust when it's got a VPN connection up and authenticated.
 